In an effort to reduce the vulnerability and attack surface for secure remote access, the Norwegian National Cyber Security Center (NCSC) invites all companies to replace their SSLVPN/WebVPN solutions.
The recommendation is to switch to services that offer Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) or, if this is not possible, use 5G broadband instead. The proposed date to complete the transition is late 2025. The good news is that all the best business VPN services on the market today already include this system as standard (more on this below).
Norway joined countries such as the US and Britain in recommending the use of a VPN with IPsec connections for better security. Now let’s look in more detail at why this matters.
SSL VPNs are useful, but flawed
Let’s first clarify the differences between VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS) and solutions that deploy Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).
The main difference between the two is where encryption and authentication are performed. IPsec with IKEv2 VPNs do that at the network level. This means that they encrypt data packets sent between systems that can be defined by an IP address, while periodically renewing a set of encryption keys.
SSL VPNs, also known as WebVPN or clientless VPN services, operate on the data in transit by encrypting data sent between devices identified by port numbers on network-connected hosts. Unlike IPsec products, SSL VPNs do not require installation of additional hardware or software. Yet this convenience seems to have a downside.
“NCSC has long observed and advised of critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS),” the NCSC wrote in its official announcement.
TLS, IPsec and SSH are three prominent security protocols used to secure communications over networks. Each serves different purposes and operates at different layers of the network. Let’s give a quick summary of their differences 😎👇 #infosec #CyberSecurity pic.twitter.com/UmsdLoPLCh (March 6, 2024)
The main problem with SSL VPN is that, unlike IPsec, it does not have an open industry standard, meaning different manufacturers create their own implementation on a case-by-case basis. Over the years, this approach has led to numerous security flaws.
For example, two of Fortinet’s SSL VPN vulnerabilities were the most exploited security vulnerabilities of 2022. They were exploited again in 2023 by China’s Volt Typhoon hacking group, as Fortinet disclosed in February.
“The severity of the vulnerabilities and the repeated exploitation of these types of vulnerabilities by actors means that the NCSC recommends replacing secure remote access solutions that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).”
Norway’s recommendations specifically include:
- Reconfigure the existing VPN solution to support IPsec with IKEv2; if this is not possible, plan for and replace it with a solution that does, such as 5G broadband.
- Migrate users and systems from SSLVPN to IPsec IKEv2.
- Disable SSLVPN functionality, checking whether any endpoints stop responding.
- Block all incoming TLS traffic to the VPN server.
- Apply certificate-based authentication.
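The following script is an added example, not part of the NCSC advisory or any vendor's documentation. It stages the two pieces of gateway configuration the recommendations above amount to: a strongSwan swanctl.conf that only speaks IKEv2 and authenticates both the gateway and every client with certificates from a corporate CA, and an nftables ruleset that admits IKE, NAT-T and ESP while dropping and logging inbound TLS on TCP/443, which is where a legacy SSL VPN listener would have been reachable. The gateway address, identity, certificate file names and address ranges are placeholders, and PREFIX lets you stage into a scratch directory for review before anything touches the live host.

```shell
#!/bin/sh
# Added example (not from the NCSC advisory or any vendor): stage a strongSwan
# swanctl.conf for an IKEv2 gateway with certificate authentication on both
# sides, plus an nftables ruleset that admits only IKE/ESP and drops inbound TLS.
# GW_ADDR, GW_ID, certificate names and the 10.0.0.0/8 and 10.99.0.0/24 ranges
# are placeholders. PREFIX stages the files under a scratch directory.
set -eu

PREFIX="${PREFIX:-}"
GW_ADDR="${GW_ADDR:-203.0.113.10}"       # placeholder public address of the gateway
GW_ID="${GW_ID:-vpn.example.com}"        # placeholder identity in the gateway cert

write_swanctl_conf() {
    dir="$PREFIX/etc/swanctl/conf.d"
    mkdir -p "$dir"
    cat > "$dir/ikev2-rw.conf" <<EOF
# Road-warrior IKEv2 connection; both peers prove identity with X.509 certs
# issued by the corporate CA (files live under /etc/swanctl/x509 and x509ca).
connections {
    rw {
        version = 2                                  # IKEv2 only, never IKEv1
        proposals = aes256gcm16-prfsha384-ecp384     # AEAD cipher + ECDHE for the IKE_SA
        local_addrs = $GW_ADDR
        pools = rw_pool
        local {
            auth = pubkey                            # gateway authenticates with its cert
            certs = vpn-gw.crt
            id = $GW_ID
        }
        remote {
            auth = pubkey                            # clients must present a CA-issued cert
            cacerts = corp-ca.crt
        }
        children {
            net {
                local_ts = 10.0.0.0/8                # internal networks reachable via the tunnel
                esp_proposals = aes256gcm16-ecp384
                rekey_time = 1h                      # periodic CHILD_SA key renewal
            }
        }
    }
}
pools {
    rw_pool {
        addrs = 10.99.0.0/24                         # virtual IPs handed to clients
    }
}
EOF
    echo "$dir/ikev2-rw.conf"
}

write_nft_ruleset() {
    dir="$PREFIX/etc/nftables.d"
    mkdir -p "$dir"
    cat > "$dir/vpn-gw.nft" <<'EOF'
# Gateway input policy: only IKE (UDP/500), NAT-T (UDP/4500) and ESP reach the
# host from the Internet. Inbound TLS is dropped and logged so any client still
# pointed at the retired SSL VPN shows up in the logs during the migration.
table inet vpn_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        udp dport { 500, 4500 } accept
        meta l4proto esp accept
        tcp dport 443 log prefix "sslvpn-tls-attempt " drop
    }
}
EOF
    echo "$dir/vpn-gw.nft"
}

# Sanity checks to run on the staged files before loading them on the gateway.
check_staged() {
    conf="$PREFIX/etc/swanctl/conf.d/ikev2-rw.conf"
    nft="$PREFIX/etc/nftables.d/vpn-gw.nft"
    grep -q 'version = 2' "$conf" || return 1                 # IKEv2 enforced
    grep -Eq 'auth = (psk|eap-mschapv2)' "$conf" && return 1  # no password-only auth
    grep -q 'tcp dport 443 .*drop' "$nft" || return 1         # TLS to the gateway blocked
    grep -q 'udp dport { 500, 4500 } accept' "$nft" || return 1
    return 0
}

# Usage: PREFIX=/tmp/stage sh stage-ikev2-gateway.sh stage
if [ "${1:-}" = "stage" ]; then
    write_swanctl_conf
    write_nft_ruleset
    check_staged && echo "staged config passes checks"
fi
```

After review, the staged files are copied to the gateway and activated with `swanctl --load-all` and `nft -f /etc/nftables.d/vpn-gw.nft`; the log prefix on the TCP/443 rule is what lets you spot endpoints that were missed during the migration step, since each one still trying the old SSL VPN port produces a logged drop.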
At the same time, the NCSC also emphasizes that VPN products that use IPsec with IKEv2 are certainly not free from vulnerabilities.
Take the Ivanti VPN case for example. In 2023, Ivanti discovered multiple security vulnerabilities in its VPN products, which were exploited by various threat actors to drop infostealers, malware, and ransomware on vulnerable targets. After fixing these defects, the provider discovered even more problems in February this year.
Nevertheless, the NCSC explained: “This technology choice (IPsec) entails a smaller attack surface and a lower degree of fault tolerance in the solution configuration.”
The best VPN for your business
At Ny Breaking, our experts have spent over 3,000 hours testing over 100 VPN services, including a wide range of business VPN services. Beyond the main features, from security levels and speeds to interface and ease of installation, we also take into account other important variables, including the number of devices supported, pricing plans and overall performance.
Below are our top three favorite VPNs for businesses on the market today:
We test and assess VPN services in the context of legal recreational use. For example:
1. Accessing a service from another country (subject to the terms and conditions of that service).
2. Protecting your online security and strengthening your online privacy abroad.
We do not support or tolerate the illegal or malicious use of VPN services. Consuming pirated, paid for content is not endorsed or condoned by Future Publishing.