CISA, NSA: Here's how to bolster VPN security

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint guidance document to help businesses select and harden virtual private network (VPN) solutions.

“VPN servers are entry points into protected networks, making them attractive targets. Multiple nation-state advanced persistent threat (APT) actors have weaponized common vulnerabilities and exposures (CVEs) to gain access to vulnerable VPN devices,” observed the two agencies in the document. 

The agencies add that threat actors often exploit these unpatched CVEs as a gateway to all sorts of campaigns against corporate networks, for everything from stealing credentials to exfiltrating sensitive data.

The document gives businesses directions for selecting a VPN solution that adheres to industry standards and follows best practices to ensure the integrity of its infrastructure.

Gateway to larger attacks

The document suggests using tested and validated VPN products that are listed on the National Information Assurance Partnership (NIAP) Product Compliant List. It also suggests looking for solutions that employ strong authentication methods like multi-factor authentication (MFA).

At the same time, the service shouldn’t be lax in applying patches and updates, and should reduce the attack surface of VPN servers by disabling non-VPN-related features.

“Exploiting remote access VPNs can become a gateway to large-scale compromise,” said Rob Joyce, Director of Cybersecurity at NSA, in an email to BleepingComputer.

Parsing through the document, BleepingComputer notes that the agencies suggest VPN service providers employ strong cryptography and authentication mechanisms on their servers and run the bare minimum number of features, while protecting and monitoring access to and from the VPN.

Via BleepingComputer

Mayank Sharma
