Harden Debian by Hardening VPN
A VPN is a common way to set up connections for remote access. However, VPNs are notorious for setup and licensing issues. This section guides you on how to harden Debian by hardening the VPN server.
Identified Threats
These are the identified threats related to Debian software.
(T-97) VPN Is Using PPTP Protocol
VPN servers may be configured to use the PPTP protocol.
(T-98) VPN is Using Pure IPSec/L2TP Alone
VPN servers can use IPSec or L2TP alone.
(T-99) VPN Server Can Alter Root System
The VPN server can alter the root system.
(T-100) VPN Server Uses Outdated Encryption Cipher
The VPN server can be configured to use an outdated cipher.
(T-101) VPN Server Not Using TLS
VPN server can be configured not to use TLS encryption.
Actions Required
Here is the list of actions to counter the issues.
Use TLS
The VPN server must use TLS at all costs.
Avoid PPTP
Avoid Point-to-Point Tunneling Protocol (PPTP) at all costs. Use Openswan or OpenVPN instead.
Implement IPSec and L2TP Simultaneously
These two protocols go hand in hand.
Jail VPN Server
Jail the VPN server so that it does not have access to the actual root system.
Use Proper AEAD Encryption Cipher
Do not roll your own crypto. Use a known strong cipher like ChaCha20-Poly1305 or AES-GCM.
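An added example, not part of the original page: a small Python audit that checks an OpenVPN server configuration against T-99, T-100 and T-101, using the OpenVPN directives secret, server/tls-server, cipher/data-ciphers, chroot, user and group. The sample configs, file names and jail path are constructed, and treating an unpinned cipher list as a finding is an assumed policy.

```python
# Added example: audit an OpenVPN server config against T-99, T-100, T-101.
import re

AEAD = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
CIPHER_KEYS = ("data-ciphers", "ncp-ciphers", "data-ciphers-fallback", "cipher")

def parse(text):
    """Map each directive to its arguments; '#' and ';' start a comment."""
    conf = {}
    for line in text.splitlines():
        tokens = re.split(r"\s[#;]", " " + line, maxsplit=1)[0].split()
        if tokens:
            conf[tokens[0]] = tokens[1:]
    return conf

def audit(text):
    """Return a list of (threat_id, finding) tuples; an empty list is a pass."""
    conf, findings = parse(text), []
    # T-101: static-key mode ("secret") performs no TLS handshake at all.
    if "secret" in conf or not {"tls-server", "server"} & conf.keys():
        findings.append(("T-101", "server is not running in TLS mode"))
    # T-100: every configured data-channel cipher must be an AEAD cipher.
    ciphers = set()
    for key in CIPHER_KEYS:
        for arg in conf.get(key, [])[:1]:
            ciphers.update(c.upper() for c in arg.split(":"))
    if ciphers - AEAD:
        findings.append(("T-100", "non-AEAD: " + ", ".join(sorted(ciphers - AEAD))))
    elif not ciphers:  # assumed policy: pin the list, defaults vary by version
        findings.append(("T-100", "no cipher list pinned"))
    # T-99: jail the daemon with chroot and drop root privileges after startup.
    if "chroot" not in conf:
        findings.append(("T-99", "no chroot directory set"))
    for key in ("user", "group"):
        if (conf.get(key) or ["root"])[0] == "root":
            findings.append(("T-99", key + " is unset or root"))
    return findings

# Constructed sample configs (file names and paths are placeholders).
WEAK = "dev tun\nsecret static.key  # static-key mode\ncipher BF-CBC\n"
HARDENED = """dev tun
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:CHACHA20-POLY1305
user nobody
group nogroup
chroot /var/lib/openvpn/jail"""

if __name__ == "__main__":
    print("weak:", audit(WEAK), "\nhardened:", audit(HARDENED) or "pass")
```

The audit only reads the configuration text; a chroot jail still needs the files the daemon opens after startup to exist inside the jail directory.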
That's all for hardening Debian by hardening VPN.