The Ivanti Breach Changed How I Think About VPNs
In early 2024, CISA issued an emergency directive after threat actors exploited vulnerabilities in Ivanti Connect Secure VPN appliances to infiltrate multiple federal agencies. The attackers didn't brute-force passwords. They didn't trick users with phishing emails. They walked through holes in the VPN infrastructure itself. That incident forced a hard reset across government IT — and if you're still treating your VPN as a set-it-and-forget-it tool, you're operating on borrowed time.
This post covers VPN best practices that actually matter right now — not the generic advice you've already seen recycled a hundred times. I'm talking about configuration decisions, authentication layers, and architectural shifts that separate organizations getting breached from those that aren't. Whether you manage a corporate VPN or just use one to protect yourself on public Wi-Fi, this is the guide that addresses what's changed.
Why Your VPN Alone Isn't Enough Anymore
A VPN encrypts your traffic between two points. That's it. It doesn't scan for malware. It doesn't stop credential theft. It doesn't prevent a compromised endpoint from tunneling straight into your corporate network. I've seen organizations treat their VPN like a force field — and then act surprised when ransomware spreads laterally across every connected device.
The Verizon 2024 Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade. A VPN authenticates users, but if those credentials are already compromised, the VPN becomes the front door for the attacker. That's why VPN best practices in 2026 require layered controls — not just encrypted tunnels.
If your security strategy starts and ends with "turn on the VPN," you're missing the full picture. Pair your VPN knowledge with broader cybersecurity awareness training to understand the complete threat landscape your organization faces.
The 9 VPN Best Practices That Actually Matter
1. Enforce Multi-Factor Authentication — No Exceptions
This isn't optional. Every VPN connection should require multi-factor authentication (MFA). SMS-based codes are better than nothing, but hardware tokens or authenticator apps are the standard. The Ivanti breach I mentioned earlier? CISA's post-incident guidance specifically emphasized MFA as a critical mitigation. If a threat actor steals a password, MFA is what stands between them and your entire network.
I've worked with companies that exempted executives from MFA because it was "inconvenient." Those are exactly the accounts attackers target first through social engineering and spear phishing. No exceptions means no exceptions.
2. Patch Your VPN Appliances Immediately — Not Next Quarter
VPN appliances are internet-facing by definition. When a vulnerability drops, attackers scan for unpatched instances within hours. CISA's Known Exploited Vulnerabilities Catalog (available at cisa.gov) tracks these actively. In my experience, the organizations that get hit aren't the ones who never heard about the patch — they're the ones who scheduled it for the next maintenance window three weeks out.
Automate patch notifications for your VPN vendor. Test patches in a staging environment and deploy within 48 hours for critical vulnerabilities. Treat VPN patches like you'd treat a fire alarm — not something you respond to at your convenience.
3. Use Split Tunneling Carefully — Or Not at All
Split tunneling routes some traffic through the VPN and some directly to the internet. It improves performance, but it also means a compromised endpoint can communicate with a command-and-control server outside the tunnel while simultaneously connected to your internal network.
For high-security environments, I recommend full tunneling. For organizations where split tunneling is operationally necessary, whitelist only specific, verified destinations for direct internet access. Never give users the ability to toggle this themselves.
4. Implement Always-On VPN for Corporate Devices
If your employees use company-managed laptops, configure always-on VPN connections. This eliminates the gap between when a device connects to a network and when the user remembers to launch the VPN client. That gap is where credential theft, DNS hijacking, and man-in-the-middle attacks live.
Always-on VPN also enables your security stack — endpoint detection, DNS filtering, web proxies — to function as intended regardless of where the employee works.
5. Segment VPN Access by Role
When every VPN user lands on the same flat network, one compromised account gives an attacker access to everything. This is the opposite of zero trust. Instead, configure your VPN to assign users to specific network segments based on their role. A marketing coordinator doesn't need access to your database servers. A contractor doesn't need access to your HR system.
Modern VPN solutions support granular access policies. Use them. Map VPN groups to least-privilege network segments and review those mappings quarterly.
6. Monitor VPN Logs Like They're Your Security Camera Footage
Your VPN logs tell a story — if anyone's reading them. Look for connections from unusual geographic locations, multiple simultaneous sessions from the same account, connections at odd hours, and repeated failed authentication attempts.
I've investigated incidents where the attacker's VPN sessions were visible in logs for weeks before anyone noticed. Feed your VPN logs into a SIEM or at minimum review them weekly. Anomalous VPN activity is often the first indicator of a data breach in progress.
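The four patterns named above (unusual geography, concurrent sessions on one account, off-hours logins, repeated failed authentication) can be checked with a few dozen lines before a SIEM is in place. The script below is an added example, not code from the post's author; it runs over constructed log lines in a hypothetical "timestamp event user src_ip country" format, and the expected-country set, business hours and failure threshold are assumed values a real deployment would tune per user or per group.

```python
"""Flag anomalous VPN sessions in log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp event user src_ip country"
# format; real appliances log richer fields, but the detection logic is the same.
SAMPLE_LOGS = """\
2024-03-04T03:15:00Z LOGIN_OK dave 203.0.113.55 US
2024-03-04T08:02:11Z LOGIN_OK alice 203.0.113.10 US
2024-03-04T08:05:40Z LOGIN_FAIL bob 198.51.100.7 US
2024-03-04T08:05:52Z LOGIN_FAIL bob 198.51.100.7 US
2024-03-04T08:06:03Z LOGIN_FAIL bob 198.51.100.7 US
2024-03-04T08:06:15Z LOGIN_FAIL bob 198.51.100.7 US
2024-03-04T08:06:30Z LOGIN_FAIL bob 198.51.100.7 US
2024-03-04T09:10:00Z LOGIN_OK carol 192.0.2.44 US
2024-03-04T09:12:30Z LOGIN_OK carol 198.51.100.99 RU
2024-03-04T17:00:00Z LOGOUT alice 203.0.113.10 US
"""

# Assumed baseline: where this organisation's users normally connect from,
# and the UTC hours during which interactive logins are expected.
EXPECTED_COUNTRIES = {"US"}
BUSINESS_HOURS_UTC = (6, 22)      # 06:00 inclusive to 22:00 exclusive
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src_ip, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "src_ip": src_ip, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text, expected_countries=EXPECTED_COUNTRIES,
            business_hours=BUSINESS_HOURS_UTC, fail_threshold=FAIL_THRESHOLD,
            fail_window=FAIL_WINDOW):
    """Return one finding per detected anomaly, in timestamp order."""
    findings = []
    active = defaultdict(set)      # user -> source IPs with an open session
    failures = defaultdict(list)   # user -> timestamps of recent failed logins

    def flag(rule, e, detail):
        findings.append({"rule": rule, "user": e["user"],
                         "ts": e["ts"].isoformat(), "detail": detail})

    for e in parse(log_text):
        user, ts = e["user"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[user] if ts - t <= fail_window] + [ts]
            failures[user] = recent
            if len(recent) == fail_threshold:   # fire once when the threshold is hit
                flag("repeated_failed_auth", e,
                     f"{fail_threshold} failures within {fail_window}")
        elif e["event"] == "LOGIN_OK":
            if e["country"] not in expected_countries:
                flag("unusual_geo", e, f"login from {e['country']}")
            if not (business_hours[0] <= ts.hour < business_hours[1]):
                flag("off_hours_login", e, f"login at {ts.strftime('%H:%M')} UTC")
            if active[user]:
                flag("concurrent_session", e,
                     f"already active from {sorted(active[user])}")
            active[user].add(e["src_ip"])
        elif e["event"] == "LOGOUT":
            active[user].discard(e["src_ip"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f['ts']} {f['rule']:22} {f['user']:6} {f['detail']}")
```

On the constructed input this raises four findings: an off-hours login, a lockout-worthy run of failures, and two findings on the same account within three minutes (a login from an unexpected country while a session from the expected one is still open), which is the combination that most often marks a stolen credential in use. The same rules belong in the SIEM as correlation searches once the logs are forwarded; the script is for the "at minimum review them weekly" case.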
7. Kill Obsolete VPN Accounts Immediately
When an employee leaves, their VPN credentials should be revoked within the hour — not the next business day, not when HR processes the paperwork. Former employee accounts are a favorite entry point for threat actors, especially when those former employees had privileged access.
Automate this with your identity provider. When an account is disabled in Active Directory or your IdP, VPN access should terminate instantly. Audit your active VPN accounts monthly against your current employee roster.
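The monthly reconciliation of VPN accounts against the roster can itself be scripted. The following is an added example, not the author's or any vendor's tooling; it assumes two constructed exports, one from the identity provider (status and access end date per user) and one from the VPN appliance (last login per account), and recommends an action per account that should no longer have access.

```python
"""Reconcile VPN accounts against the identity roster (added example, constructed data)."""
from datetime import date, timedelta

# Constructed roster as exported from the IdP/HR system:
# username -> (status, access end date or None).
ROSTER = {
    "alice": ("active", None),
    "bob": ("terminated", date(2024, 2, 28)),
    "carol": ("active", None),
    "erin": ("contractor", date(2024, 3, 1)),
}

# Constructed account export from the VPN appliance.
VPN_ACCOUNTS = [
    {"user": "alice", "last_login": date(2024, 3, 3)},
    {"user": "bob", "last_login": date(2024, 3, 2)},         # login after termination date
    {"user": "carol", "last_login": date(2023, 10, 1)},      # dormant for months
    {"user": "erin", "last_login": date(2024, 2, 20)},       # contract has ended
    {"user": "svc-backup", "last_login": date(2024, 3, 1)},  # no identity behind it
]


def audit(vpn_accounts, roster, today, dormant_after=timedelta(days=90)):
    """Return the recommended action for every account that fails the audit."""
    actions = []
    for acct in vpn_accounts:
        user = acct["user"]
        entry = roster.get(user)
        if entry is None:
            # An account with no identity behind it cannot be offboarded by the IdP.
            actions.append({"user": user, "action": "revoke",
                            "reason": "no matching identity in roster"})
            continue
        status, end_date = entry
        if status == "terminated":
            reason = f"terminated {end_date}"
            if acct["last_login"] > end_date:
                # Access that should have ended was used: an incident, not just cleanup.
                reason += "; VPN login after termination, investigate"
            actions.append({"user": user, "action": "revoke", "reason": reason})
        elif end_date is not None and end_date < today:
            actions.append({"user": user, "action": "revoke",
                            "reason": f"access end date {end_date} has passed"})
        elif today - acct["last_login"] > dormant_after:
            actions.append({"user": user, "action": "disable",
                            "reason": f"no login since {acct['last_login']}"})
    return actions


if __name__ == "__main__":
    for a in audit(VPN_ACCOUNTS, ROSTER, date(2024, 3, 4)):
        print(f"{a['action']:8} {a['user']:12} {a['reason']}")
```

The "login after termination" branch is the one worth wiring to an alert rather than a ticket: it means the IdP-to-VPN deprovisioning the section describes did not fire, and the gap was used.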
8. Encrypt DNS Traffic Within the Tunnel
DNS leaks are a well-known VPN weakness. Even with an active VPN connection, DNS queries can sometimes escape the tunnel and resolve through the local ISP — exposing which sites and services your users access. Configure your VPN client to force all DNS queries through encrypted resolvers inside the tunnel.
Test for DNS leaks regularly. Tools exist to verify this, and your IT team should run these checks after any VPN client update or configuration change.
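One check an IT team can script into the post-update routine is a static look at the resolver configuration: every configured nameserver should be an address the VPN pushed inside the tunnel. This is an added example, not the post's or any vendor's tool; it assumes a tunnel network of 10.8.0.0/24 (constructed) and reads resolv.conf-style text, and it complements rather than replaces an active leak test that queries a resolver and observes which server actually answers.

```python
"""Static DNS leak check against the resolver configuration (added example)."""
import ipaddress

# Assumed tunnel addressing: the VPN pushes a resolver inside this network.
TUNNEL_NETWORK = ipaddress.ip_network("10.8.0.0/24")

# Constructed resolver configurations in resolv.conf syntax.
LEAKY_RESOLV_CONF = """\
# Generated by a network manager
nameserver 10.8.0.1
nameserver 192.168.1.1
search corp.example
"""
CLEAN_RESOLV_CONF = """\
nameserver 10.8.0.1
search corp.example
"""


def nameservers(resolv_conf):
    """Extract nameserver addresses, ignoring comments and other directives."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def dns_leak_check(resolv_conf, tunnel_network=TUNNEL_NETWORK):
    """Classify each configured resolver as inside or outside the tunnel."""
    inside, outside = [], []
    for ns in nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            outside.append(ns)     # unparsable entries are treated as leaks
            continue
        # An address of the other IP family is never "in" the network, so an
        # IPv6 resolver on an IPv4-only tunnel is correctly reported as a leak.
        (inside if addr in tunnel_network else outside).append(ns)
    # Pass only if every resolver is in the tunnel and at least one exists.
    return {"ok": bool(inside) and not outside,
            "inside_tunnel": inside, "outside_tunnel": outside}


if __name__ == "__main__":
    for name, conf in (("leaky", LEAKY_RESOLV_CONF), ("clean", CLEAN_RESOLV_CONF)):
        print(name, dns_leak_check(conf))
```

The second resolver in the leaky configuration is a typical home-router address; with it present, any name the tunnel resolver does not answer first will be sent to the local network in the clear, which is exactly the exposure the section describes.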
9. Evaluate Whether You Still Need a Traditional VPN
Here's the uncomfortable truth: traditional VPNs were designed for a world where everyone worked in an office and remote access was the exception. In 2026, with distributed workforces as the norm, zero trust network access (ZTNA) solutions are replacing traditional VPNs in many organizations. ZTNA verifies every request — user, device, context — before granting access to a specific resource. No broad network access. No implicit trust.
NIST's zero trust architecture guidelines (NIST SP 800-207) lay out the framework for this shift. If your organization is scaling remote work, evaluate ZTNA alongside your VPN strategy. They're not mutually exclusive — many companies run both during transition.
What Are VPN Best Practices? A Quick-Reference Answer
VPN best practices are the configuration, authentication, and monitoring standards that ensure a VPN provides real security — not just encrypted traffic. At minimum, they include: enforcing multi-factor authentication on all connections, patching VPN appliances within 48 hours of critical vulnerability disclosure, segmenting network access by user role, monitoring VPN logs for anomalous activity, revoking access immediately when employees depart, and evaluating zero trust alternatives for long-term architecture. A VPN without these controls is a liability, not a safeguard.
The Human Layer Your VPN Can't Patch
Here's what a decade of incident response has taught me: the most common VPN compromise doesn't start with a software exploit. It starts with a phishing email. An employee clicks a link, enters their credentials on a spoofed login page, and the attacker now has valid VPN credentials. Your beautifully configured VPN can't distinguish between the real employee and the threat actor using their stolen password — unless you've layered in MFA, anomaly detection, and security awareness.
That's why I always pair technical controls with training. Your employees need to recognize phishing attacks, pretexting calls, and social engineering tactics before they hand over the keys. Enroll your team in phishing awareness training for organizations that uses realistic phishing simulations to build those instincts. The best VPN configuration in the world fails when a user willingly gives their credentials away.
Remote Workers: Your Specific VPN Risks
Public Wi-Fi Is Still Dangerous
Coffee shops, airports, hotel lobbies — these networks are hunting grounds. Even with HTTPS everywhere, a VPN adds a critical layer by encrypting all traffic, including metadata that HTTPS doesn't protect. If your remote employees ever connect to networks they don't control, VPN use should be mandatory — enforced by always-on configuration, not by policy alone.
Personal Devices Are a Blind Spot
BYOD policies complicate VPN best practices significantly. A personal device connecting to your corporate VPN might be running outdated software, missing endpoint protection, or already compromised. If you allow personal devices, implement posture checks — verify OS patch level, antivirus status, and disk encryption before granting VPN access. If the device fails the check, deny the connection.
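The posture gate described here reduces to a policy evaluated against a device report before the tunnel is granted. The code below is an added example, not the post's or any VPN product's implementation; the policy thresholds, the OS version floors and the two device reports are all constructed, and it assumes the report comes from a management agent the organization controls rather than from anything the user can type in.

```python
"""Device posture gate before granting VPN access (added example, constructed data)."""
from datetime import date, timedelta

# Assumed policy: what a device must show before the tunnel is allowed.
POSTURE_POLICY = {
    "max_patch_age_days": 30,
    "min_os_version": {"windows": (10, 0, 19045), "macos": (13, 0)},
    "require_av_running": True,
    "require_disk_encryption": True,
}

# Constructed posture reports as a management agent might submit them.
MANAGED_LAPTOP = {
    "os": "windows", "os_version": (10, 0, 19045), "last_patch": date(2024, 2, 20),
    "av_running": True, "disk_encrypted": True,
}
PERSONAL_DEVICE = {
    "os": "macos", "os_version": (12, 6), "last_patch": date(2023, 11, 1),
    "av_running": False, "disk_encrypted": False,
}


def evaluate_posture(report, today, policy=POSTURE_POLICY):
    """Return an allow/deny decision with every failed check listed."""
    failures = []
    min_version = policy["min_os_version"].get(report.get("os"))
    if min_version is None:
        failures.append(f"unsupported OS {report.get('os')!r}")
    elif tuple(report["os_version"]) < min_version:
        failures.append(f"OS {report['os_version']} below minimum {min_version}")
    if today - report["last_patch"] > timedelta(days=policy["max_patch_age_days"]):
        failures.append(f"last patch {report['last_patch']} older than "
                        f"{policy['max_patch_age_days']} days")
    # Missing fields count as failures: an agent that cannot attest a control
    # is treated the same as one reporting the control absent.
    if policy["require_av_running"] and not report.get("av_running", False):
        failures.append("endpoint protection not running")
    if policy["require_disk_encryption"] and not report.get("disk_encrypted", False):
        failures.append("disk not encrypted")
    return {"decision": "deny" if failures else "allow", "failures": failures}


if __name__ == "__main__":
    for name, report in (("managed", MANAGED_LAPTOP), ("personal", PERSONAL_DEVICE)):
        print(name, evaluate_posture(report, date(2024, 3, 4)))
```

Returning the full failure list rather than a bare deny matters operationally: the help desk can tell the user which control to fix, and the denials themselves become a useful data point on how many personal devices are trying to reach the corporate network unpatched.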
Home Routers Are the Weakest Link You're Ignoring
Most home routers run firmware that hasn't been updated in years. Default credentials are common. The FBI's IC3 has repeatedly warned about compromised home routers being used as launchpads for attacks (ic3.gov). Your VPN protects traffic in transit, but if the endpoint's local network is already compromised, attackers can capture data before it enters the tunnel. Include home network hygiene in your security awareness program.
VPN Best Practices Are a Starting Point, Not a Finish Line
I've audited environments where the VPN was the single most neglected piece of infrastructure — running outdated firmware, using pre-shared keys from 2019, with no logging enabled. I've also seen organizations where the VPN was hardened, monitored, and integrated into a zero trust architecture that actually worked. The difference wasn't budget. It was discipline.
Every practice I've outlined here is actionable this week. You don't need a six-month project plan to enable MFA, revoke stale accounts, or start reviewing logs. Pick the three gaps that are most obvious in your environment and close them now.
Then build toward the bigger shifts: zero trust segmentation, ZTNA evaluation, automated posture checks. Combine those technical controls with consistent cybersecurity awareness training so your people recognize threats before they reach your VPN. Technology and training together — that's what actually protects you in 2026.