In a bid to reduce the vulnerability and attack surface for secure remote access, the Norwegian National Cyber Security Centre (NCSC) invites all businesses to replace their SSLVPN/WebVPN solutions.
The recommendation is to switch to services offering Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) or, when this isn’t possible, using 5G broadband instead. The suggested date to complete the transition is by the end of 2025. The good news is that all the best business VPN services on the market right now already include this system by default (more on this below).
Norway joined the likes of the US and UK to recommend using a VPN with IPsec connections for better security. Let’s now see why this matters in more detail.
SSL VPNs are convenient, but flawed
First of all, let’s clarify the differences between VPN solutions using a Secure Socket Layer/Transport Layer Security (SSL/TLS) and those deploying Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).
The main difference between the two is where encryption and authentication are performed. IPsec with IKEv2 VPNs do that at the network layer: they encrypt the data packets sent between systems identified by IP address, while periodically refreshing the set of encryption keys.
SSL VPNs, also known as WebVPN or clientless VPN services, operate on data in transit one layer up, encrypting traffic sent between endpoints identified by port numbers on network-connected hosts. Unlike IPsec products, SSL VPNs don’t require the installation of additional hardware or software. Yet this convenience seems to come with a drawback.
“NCSC has for a long time observed and notified about critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS),” the NCSC wrote in its official announcement.
TLS, IPsec and SSH are three prominent security protocols used to secure communication over networks. Each serves different purposes and operates at different layers of the network. Let’s have a quick summary on their differences 😎👇 #infosec #CyberSecurity pic.twitter.com/UmsdLoPLCh (March 6, 2024)
The biggest issue with SSL VPN is that, unlike IPsec, it has no open industry standard, meaning that each manufacturer creates its own implementation on a case-by-case basis. Over the years, this approach has led to numerous security flaws.
For instance, two of Fortinet’s SSL VPN credential exposures were the most exploited security vulnerabilities of 2022. These were also exploited by the Chinese Volt Typhoon hacking group again in 2023, Fortinet revealed in February.
“The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing solutions for secure remote access that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).”
Specifically, Norway’s recommendations include:
- Reconfiguring the existing VPN solution to support IPsec IKEv2; where this isn’t possible, businesses should plan for and replace the solution with one that does, such as 5G broadband systems.
- Migrating users and systems from SSLVPN to IPsec IKEv2.
- Turning off SSLVPN functionality, while verifying that the endpoints no longer respond.
- Blocking all incoming TLS traffic to the VPN server.
- Adopting certificate-based authentication.
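The third and fourth steps above (turn off SSLVPN, verify the endpoints no longer respond, block inbound TLS) are easy to declare done and easy to get half-done. The script below is an added example, not part of the NCSC advisory or of this article: it probes each former SSL VPN endpoint on its TLS port and classifies the result, distinguishing "still listening" from "service off but host still reachable" (the firewall block is missing) from "filtered". The host names are constructed placeholders; a loopback listener stands in for an appliance that is still up so the check can be demonstrated offline.

```python
"""Verify that decommissioned SSL VPN endpoints no longer accept TCP connections.

Added example (not from the NCSC advisory or the article). Ports and hosts
below are constructed placeholders for an organisation's own inventory.
"""
import socket
from dataclasses import dataclass


@dataclass
class EndpointResult:
    host: str
    port: int
    responding: bool
    detail: str


def tcp_port_responds(host: str, port: int, timeout: float = 2.0) -> EndpointResult:
    """Return whether host:port completes a TCP handshake within timeout.

    A completed handshake on a decommissioned SSL VPN port means the service
    (or something in front of it) is still listening, so the shutdown step is
    not finished. A refused connection means the service is off but packets
    still reach the host, so the "block all incoming TLS" step is not done.
    A timeout is what a correctly filtered endpoint looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return EndpointResult(host, port, True, "TCP handshake completed: service still listening")
    except ConnectionRefusedError:
        return EndpointResult(host, port, False, "connection refused: service off, but port not blocked at the firewall")
    except socket.timeout:
        return EndpointResult(host, port, False, "no response: filtered or host down")
    except OSError as exc:  # DNS failure, unreachable network, etc.
        return EndpointResult(host, port, False, f"error: {exc}")


def audit_decommissioned(endpoints):
    """Probe every (host, port) pair and return the ones that still answer."""
    results = [tcp_port_responds(host, port) for host, port in endpoints]
    return [r for r in results if r.responding]


def start_dummy_listener():
    """Open a TCP listener on an ephemeral loopback port.

    Constructed stand-in for an SSL VPN appliance that has not been turned
    off yet; used only so the audit can be demonstrated without a network.
    Returns the listening socket and its port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Simulate an appliance that is still up, then one that has been shut down.
    srv, port = start_dummy_listener()
    before = tcp_port_responds("127.0.0.1", port)
    srv.close()
    after = tcp_port_responds("127.0.0.1", port)
    for r in (before, after):
        print(f"{r.host}:{r.port} responding={r.responding} ({r.detail})")
    # Placeholder inventory (constructed names); in practice read from your CMDB.
    still_up = audit_decommissioned([("vpn-old.example.invalid", 443)])
    print("endpoints still responding:", [(r.host, r.port) for r in still_up])
```

Run it from a network position that the old SSL VPN was reachable from (the internet side, not the management LAN), since a "connection refused" seen from inside says nothing about the perimeter block. Any entry reported as still responding is a step that has not actually been completed.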
At the same time, the NCSC also emphasizes that VPN products using IPsec with IKEv2 aren’t necessarily free of vulnerabilities, either.
Take for example the Ivanti VPN case. In 2023, Ivanti discovered multiple security vulnerabilities in its VPN products, which different threat actors exploited to drop infostealers, malware, and ransomware on vulnerable targets. After fixing these flaws, the provider found even more problems in February this year.
Nonetheless, the NCSC explained, “This choice of technology [IPsec] entails a smaller attack surface and a lower degree of fault tolerance in the configuration of the solution.”
The best VPN for your business
At TechRadar, our experts have spent over 3,000 hours testing over 100 VPN services, including a wide range of business VPN services. Beyond the most important features, from security levels and speeds to interface and ease of setup, we also consider other important variables such as the number of devices they support, their pricing plans, and overall performance.
Below are our top three favorite VPNs for business on the market right now:
We test and review VPN services in the context of legal recreational uses. For example:
1. Accessing a service from another country (subject to the terms and conditions of that service).
2. Protecting your online security and strengthening your online privacy when abroad.
We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.