Norway tells businesses to replace their SSL VPN

Virtual private network app, smartphone screen, global data protection,Element of the image provided by NASA
(Image credit: Getty Images)

In a bid to reduce the vulnerability and attack surface for secure remote access, the Norwegian National Cyber Security Centre (NCSC) invites all businesses to replace their SSLVPN/WebVPN solutions.

The recommendation is to switch to services offering Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2) or, when this isn't possible, using 5G broadband instead. The suggested date to complete the transition is by the end of 2025. The good news is that all the best business VPN services on the market right now already include this system by default (more on this below). 

Norway joined the likes of the US and UK to recommend using a VPN with IPsec connections for better security. Let's now see why this matters in more detail. 

SSL VPNs are convenient, but flawed

First of all, let's clarify the differences between VPN solutions using a Secure Socket Layer/Transport Layer Security (SSL/TLS) and those deploying Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2).

The main difference between the two is where encryption and authentication are performed. IPsec with IKEv2 VPNs do that on the network level. This means that they encrypt data packets sent between systems that can be defined by an IP address, while periodically refreshing a set of encryption keys.

SSL VPNs, also known as WebVPN or clientless VPN services, operate on the data in transit by encrypting data sent between any devices identifiable by port numbers on network-connected hosts. Contrary to IPsec products,  SSL VPNs don't require the installation of additional hardware or software. Yet, this ease seems to come with a drawback.

"NCSC has for a long time observed and notified about critical vulnerabilities in VPN solutions that use Secure Socket Layer/Transport Layer Security (SSL/TLS)," the NCS wrote in its official announcement.

The biggest issue with SSL VPN is that, contrary to IPsec, it does not have an open industry standard meaning that different manufacturers create their own implementation on a case-by-case basis. Throughout the years, this approach has led to numerous security flaws. 

For instance, two of Fortinet's SSL VPN credential exposures were the most exploited security vulnerabilities of 2022. These were also exploited by the Chinese Volt Typhoon hacking group again in 2023, Fortinet revealed in February. 

"The severity of the vulnerabilities and the repeated exploitation of this type of vulnerability by actors means that the NCSC recommends replacing solutions for secure remote access that use SSL/TLS with more secure alternatives. NCSC recommends Internet Protocol Security (IPsec) with Internet Key Exchange (IKEv2)."

Specifically, Norway's recommendations include:

  • Reconfiguring existing VPN solution to support IPsec IKEv2: in case this isn't possible, businesses should plan for and replace the solution with one that does like 5G broadband systems.
  • Migrating users and systems: using SSLVPN to IPsec IKEv2.
  • Turning off SSLVPN functionality: while verifying that any endpoints are not responding.
  • Blocking all incoming TLS traffic to the VPN server.
  • Adopting certificate-based authentication.

At the same time, the NCSC also emphasizes that VPN products using IPsec with IKEv2 aren't certainly free of vulnerabilities, either.

Take for example the Ivanti VPN case. In 2023, Ivanti discovered multiple security vulnerabilities in its VPN products, which different threat actors exploited to drop infostealers, malware, and ransomware, on vulnerable targets. After fixing these flaws, the provider found even more problems in February this year.

Nonetheless, the NCSC explained, "This choice of technology [IPsec] entails a smaller attack surface and a lower degree of fault tolerance in the configuration of the solution."

The best VPN for your business

At TechRadar, our experts have spent over 3,000 hours testing over 100 VPN services—including a wide range of business VPN services. From the most important features spanning from security levels and speeds to their interface and ease of setup, we also consider other important variables including the number of devices they support, their pricing plans, and overall performance, among other things.

Below are our top three favorite VPNs for business on the market right now: 

1. Perimeter 81: the best business VPN

1. Perimeter 81: the best business VPN
A highly customizable service, Perimeter 81 offers a huge list of valuable tools and features such as leading-edge WireGuard and OpenVPN protocols. Even better, all come at a very fair price. It's also so easy to set up and use, too. Check our detailed Perimeter 81 review to see why it's the best VPN for businesses in 2024.

Image

2. NordLayer: a close second from a huge name
Formerly known as NordVPN Teams, this is the enterprise version of the biggest name in the VPN market. The good news is that it's equally as impressive, boasting tons of servers, double data encryption, fully functioning kill switches, and much more. Head to our NordLayer review to find out more.

3. Twingate: mixing security with usability
Another easy-to-use service,

3. Twingate: mixing security with usability
Another easy-to-use service, Twingate isn't the classic business VPN. However, its zero-trust security network can efficiently secure your organization while running in the background—you'll barely know it's there! Check all the details in our dedicated Twingate review

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example:

1. Accessing a service from another country (subject to the terms and conditions of that service).

2. Protecting your online security and strengthening your online privacy when abroad.

We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com