Norway tells businesses to replace their SSL VPN

Norway joined the likes of the US and UK to recommend using a VPN with IPsec connections for better security. Let's now see why this matters in more detail. 

SSL VPNs are convenient, but flawed

First of all, let's clarify the differences between VPN solutions using a Secure Socket Layer/Transport Layer Security (SSL/TLS) and those deploying Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).

The main difference between the two is where encryption and authentication are performed. IPsec with IKEv2 VPNs do that on the network level. This means that they encrypt data packets sent between systems that can be defined by an IP address, while periodically refreshing a set of encryption keys.

SSL VPNs, also known as WebVPN or clientless VPN services, operate on the data in transit by encrypting data sent between any devices identifiable by port numbers on network-connected hosts. Contrary to IPsec products,  SSL VPNs don't require the installation of additional hardware or software. Yet, this ease seems to come with a drawback.

"NCSC has for a long time observed and notified about critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS)," the NCS wrote in its official announcement.

TLS, IPsec and SSH are three prominent security protocols used to secure communication over networks. Each serves different purposes and operates at different layers of the network. Let’s have a quick summary on their differences 😎👇 #infosec #CyberSecurity pic.twitter.com/UmsdLoPLChMarch 6, 2024

The biggest issue with SSL VPN is that, contrary to IPsec, it does not have an open industry standard meaning that different manufacturers create their own implementation on a case-by-case basis. Throughout the years, this approach has led to numerous security flaws. 

For instance, two of Fortinet's SSL VPN credential exposures were the most exploited security vulnerabilities of 2022. These were also exploited by the Chinese Volt Typhoon hacking group again in 2023, Fortinet revealed in February. 

"The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing solutions for secure remote access that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2)."

Specifically, Norway's recommendations include:

• Reconfiguring existing VPN solution to support IPsec IKEv2: in case this isn't possible, businesses should plan for and replace the solution with one that does like 5G broadband systems.
• Migrating users and systems: using SSLVPN to IPsec IKEv2.
• Turning off SSLVPN functionality: while verifying that any endpoints are not responding.
• Blocking all incoming TLS traffic to the VPN server.
• Adopting certificate-based authentication.

At the same time, the NCSC also emphasizes that VPN products using IPsec with IKEv2 aren't certainly free of vulnerabilities, either.

Take for example the Ivanti VPN case. In 2023, Ivanti discovered multiple security vulnerabilities in its VPN products, which different threat actors exploited to drop infostealers, malware, and ransomware, on vulnerable targets. After fixing these flaws, the provider found even more problems in February this year.

Nonetheless, the NCSC explained, "This choice of technology [IPsec] entails a smaller attack surface and a lower degree of fault tolerance in the configuration of the solution."

The best VPN for your business

At TechRadar, our experts have spent over 3,000 hours testing over 100 VPN services—including a wide range of business VPN services. From the most important features spanning from security levels and speeds to their interface and ease of setup, we also consider other important variables including the number of devices they support, their pricing plans, and overall performance, among other things.

Below are our top three favorite VPNs for business on the market right now: