The Norwegian National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with IPsec because of recurring vulnerabilities in edge network devices. NCSC recommends completing this transition by 2025, and advises critical infrastructure organizations to adopt safer alternatives by the end of 2024. SSLVPN and WebVPN, which secure remote access using SSL/TLS protocols, are deemed vulnerable, and NCSC endorses IPsec with IKEv2 as the more secure option.
NCSC’s recommendation cites the severity of SSLVPN vulnerabilities and their repeated exploitation by threat actors as the reason to shift to more secure alternatives. IPsec with IKEv2 is not free of flaws, but NCSC believes it significantly reduces the attack surface compared to SSLVPN. The proposed implementation measures include reconfiguring existing VPN solutions, migrating users and systems to the new protocol, and employing certificate-based authentication.
SSLVPN has been widely adopted without a standardized protocol, which has led to numerous vulnerabilities that threat actors have exploited to breach networks. Recent incidents, such as the exploitation of FortiOS SSL VPN flaws by the Chinese Volt Typhoon hacking group, highlight the risks associated with SSLVPN. NCSC’s recommendations follow alerts about advanced threat actors exploiting zero-day vulnerabilities in Cisco ASA VPNs, underscoring the urgency for organizations to prioritize security measures and transition to more secure protocols like IPsec.