The Pulse Secure Breach Should Have Been Your Wake-Up Call

In April 2021, CISA issued an emergency directive after threat actors exploited vulnerabilities in Pulse Connect Secure VPN appliances to compromise federal agencies and defense contractors. Attackers maintained persistent access for months before anyone noticed. The tool that was supposed to protect these networks became the front door for espionage.

That incident wasn't an anomaly. It was the predictable result of organizations treating VPNs as set-and-forget security tools. If you're relying on a VPN without following real VPN best practices, you're not securing your network — you're giving yourself a dangerous false sense of security.

This post covers what actually matters: the configuration choices, the policies, and the architectural decisions that determine whether your VPN is a shield or a liability. Whether you're securing a remote workforce or locking down a small business, every recommendation here comes from what I've seen work — and what I've seen fail spectacularly.

VPN Best Practices Start With What You're Actually Protecting

Before touching a single configuration, answer one question: what are you trying to protect, and from whom? A journalist in a hostile country has different needs than a 50-person accounting firm with remote employees. Your threat model drives every decision that follows.

For most organizations, the VPN exists to do two things: encrypt data in transit and control access to internal resources. That's it. It doesn't make you anonymous. It doesn't stop phishing. It doesn't prevent credential theft. When you understand the boundaries of what a VPN does, you can build real security around it instead of expecting magic.

Remote Access VPN vs. Site-to-Site: Different Animals, Different Rules

Remote access VPNs connect individual users to a corporate network. Site-to-site VPNs connect entire networks. The best practices overlap, but the attack surfaces are different. Remote access VPNs expose you to every compromised endpoint your employees own. Site-to-site VPNs expose you to the security posture of your partner organizations.

I've seen companies obsess over their site-to-site encryption while ignoring that half their remote workforce connects from unpatched personal laptops. Start with the weakest link.

The Configuration Choices That Actually Matter

Kill Outdated Protocols — No Exceptions

If your VPN still supports PPTP, you have a critical vulnerability, not a VPN. PPTP was broken years ago. L2TP/IPSec without proper certificate validation isn't much better. Here's what you should be running in 2022:

  • WireGuard — fast, modern, minimal attack surface. Increasingly the protocol of choice for organizations that prioritize both performance and security.
  • OpenVPN (with TLS 1.2 or 1.3) — battle-tested, highly configurable, widely supported.
  • IKEv2/IPSec — excellent for mobile devices due to its handling of network changes (MOBIKE).

Disable every protocol you're not actively using. Every legacy protocol you leave enabled is an attack surface a threat actor will eventually find.

Enforce Strong Encryption Standards

Use AES-256-GCM for data encryption. Use SHA-384 or SHA-512 for hashing. For key exchange, use Diffie-Hellman Group 14 at minimum — Group 20 (ECP-384) or higher is better. If your VPN appliance can't support these, it's time for a hardware refresh.

NIST's SP 800-77 Rev. 1 — Guide to IPsec VPNs is the definitive reference here. Read it. Bookmark it. Make your team read it.

Enable the Kill Switch — And Test It Monthly

A kill switch blocks all internet traffic if the VPN connection drops. Without it, your users' traffic silently falls back to their unprotected connection. I've investigated incidents where sensitive data leaked for hours because a VPN disconnected during a conference call and nobody noticed.

Enable the kill switch on every client. Then test it. Simulate a VPN failure and verify that traffic actually stops. Do this monthly — configurations drift, updates reset settings, and people disable things they don't understand.

Multi-Factor Authentication: The Non-Negotiable VPN Best Practice

The Colonial Pipeline ransomware attack in May 2021 was traced to a single compromised VPN credential — an account that didn't use multi-factor authentication. That one missing control contributed to fuel shortages across the U.S. East Coast and a $4.4 million ransom payment.

Every VPN connection must require MFA. No exceptions for executives. No exceptions for IT admins. Especially no exceptions for IT admins — those are the accounts threat actors want most.

Use hardware tokens (FIDO2/U2F) or authenticator apps. SMS-based MFA is better than nothing, but SIM-swapping attacks have made it the weakest option. The FBI's IC3 2021 advisory on business email compromise specifically called out MFA bypass techniques, including SIM swapping and real-time phishing proxies.

Pair MFA With Certificate-Based Authentication

For high-security environments, require client certificates in addition to MFA. This creates a layered authentication model: something you have (the certificate on a managed device), something you know (the password), and something you prove (the MFA token). A stolen password alone becomes useless.

Network Segmentation: Your VPN Shouldn't Be a Master Key

Here's what I see constantly: a user connects to the VPN and suddenly has full network access. Every server, every subnet, every internal application — wide open. That's not security. That's a lateral movement playground for attackers.

Implement Least-Privilege Access Controls

Your accounting team doesn't need access to development servers. Your marketing contractors don't need access to your HR database. Segment your network and configure your VPN to grant access only to the specific resources each role requires.

This is where zero trust architecture becomes practical, not theoretical. Zero trust assumes no user or device is inherently trustworthy — even after VPN authentication. Every access request gets verified against policy. CISA's Zero Trust Maturity Model provides a solid framework for moving your organization in this direction.

Split Tunneling: The Risk You Need to Manage

Split tunneling routes only corporate-bound traffic through the VPN while letting everything else go directly to the internet. It improves performance but introduces risk — a compromised website could attack the user's machine while it's connected to your internal network.

My recommendation: disable split tunneling for any user with access to sensitive systems. For users who only need access to a specific internal application, split tunneling with strict DNS controls and endpoint protection can be acceptable. Know the tradeoff you're making.
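One way to turn the protocol, encryption and split-tunneling points above into a repeatable check, as an added Python example (not code from the original post or from the OpenVPN project): it parses an OpenVPN server config using OpenVPN's real directive names and reports one finding per hardening point the config misses. The two sample configs are constructed for the example, and the assumption that a `dh` file's name carries its bit size (e.g. `dh2048.pem`) is mine; a production audit would read the PEM.

```python
"""Audit an OpenVPN server config for the weak settings called out above.

Added example, not from the original post or the OpenVPN project. The
directive names (tls-version-min, data-ciphers, cipher, auth, tls-crypt,
tls-auth, dh, ecdh-curve, push) are real OpenVPN directives; the sample
configs at the bottom are constructed.
"""
import re
import shlex

STRONG_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}  # AEAD data ciphers only
STRONG_AUTH = {"SHA384", "SHA512"}                     # HMAC for control channel
STRONG_CURVES = {"secp384r1", "secp521r1"}             # ECP-384 or better


def parse_config(text):
    """Return [(directive, [args]), ...] with '#' and ';' comments removed."""
    entries = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            parts = shlex.split(line)   # keeps push "redirect-gateway def1" as one arg
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of (check, message) findings; an empty list means hardened."""
    cfg = parse_config(text)
    findings = []

    def first(name):
        return next((args for d, args in cfg if d == name), None)

    # 1. Protocol floor: TLS 1.2; OpenVPN's default still permits TLS 1.0.
    tls_min = first("tls-version-min")
    if tls_min is None or float(tls_min[0]) < 1.2:
        findings.append(("tls-version-min", "set 'tls-version-min 1.2'"))

    # 2. Data cipher: 'data-ciphers' (2.5+) or legacy 'cipher'. Anything outside
    #    the AEAD set is a finding (BF-CBC was the historical default).
    ciphers = set()
    if first("data-ciphers"):
        ciphers.update(c.upper() for c in first("data-ciphers")[0].split(":"))
    if first("cipher"):
        ciphers.add(first("cipher")[0].upper())
    weak = sorted(ciphers - STRONG_CIPHERS)
    if not ciphers or weak:
        findings.append(("cipher", f"use AES-256-GCM, not {', '.join(weak) or 'the default'}"))

    # 3. HMAC: the default is SHA1; require SHA-384 or SHA-512.
    auth = first("auth")
    if auth is None or auth[0].upper() not in STRONG_AUTH:
        findings.append(("auth", "set 'auth SHA384' or 'auth SHA512'"))

    # 4. Control channel: tls-crypt (preferred) or tls-auth keeps unauthenticated
    #    packets away from the TLS stack entirely.
    if first("tls-crypt") is None and first("tls-auth") is None:
        findings.append(("control-channel", "add 'tls-crypt <key>'"))

    # 5. Key exchange: DH group 14 (2048-bit) at minimum, ECP-384 preferred.
    #    Assumption: the DH file name carries its bit size, e.g. dh2048.pem.
    dh, curve = first("dh"), first("ecdh-curve")
    if dh is None or dh[0].lower() == "none":
        if curve is None or curve[0].lower() not in STRONG_CURVES:
            findings.append(("key-exchange", "set 'ecdh-curve secp384r1'"))
    else:
        m = re.search(r"(\d{4})", dh[0])
        if m and int(m.group(1)) < 2048:
            findings.append(("key-exchange", f"{dh[0]} is below 2048 bits"))

    # 6. Split tunneling: without a pushed default route only the pushed subnets
    #    traverse the tunnel and everything else leaves the client directly.
    pushed = [a[0] for d, a in cfg if d == "push" and a]
    if not any(p.startswith("redirect-gateway") for p in pushed):
        findings.append(("split-tunnel", "no push \"redirect-gateway def1\"; split tunneling is in effect"))

    return findings


# Constructed sample: a legacy-style server config with every weakness above.
WEAK_CONFIG = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
auth SHA1
server 10.8.0.0 255.255.255.0
push "route 10.1.0.0 255.255.0.0"   # only the corporate subnet goes through the tunnel
"""

# Constructed sample: the same server hardened per the post's recommendations.
HARDENED_CONFIG = """
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
tls-version-min 1.2
tls-crypt tc.key
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA384
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for check, msg in audit(cfg):
            print(f"  {check}: {msg}")
```

The split-tunnel check is deliberately reported as a finding rather than an error: per the section above it is a tradeoff to decide per user population, so an auditor should surface it every time and let the policy owner sign off on it.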

What Are the Most Important VPN Best Practices for Remote Workers?

For organizations with remote or hybrid workforces, these are the highest-impact VPN best practices to implement immediately:

  • Require MFA on every VPN connection — credential theft is the number-one attack vector.
  • Mandate endpoint security — the VPN client should check for updated antivirus, OS patches, and disk encryption before allowing connection.
  • Use a kill switch — prevent data leaks during connection drops.
  • Apply least-privilege network access — no full network access through VPN.
  • Keep VPN software and appliances patched — threat actors actively scan for known VPN vulnerabilities.
  • Log and monitor all VPN connections — detect anomalies like impossible travel or connections from unexpected geolocations.

The Verizon 2021 Data Breach Investigations Report found that 61% of breaches involved credentials. Your VPN is only as strong as the authentication protecting it and the awareness of the people using it.

Patching Your VPN: The Practice Everyone Agrees With and Nobody Does Fast Enough

In 2021, CISA and the FBI jointly published alerts about state-sponsored actors exploiting VPN vulnerabilities in Fortinet, Pulse Secure, and other appliances. These weren't zero-days — they were known vulnerabilities with available patches that organizations hadn't applied.

Your VPN appliance is internet-facing infrastructure. It is the highest priority for patching in your entire environment. When a CVE drops for your VPN platform, you patch within days, not quarters. Build a process that makes this possible:

  • Subscribe to your vendor's security advisory feed.
  • Maintain a test environment to validate patches quickly.
  • Have a rollback plan so fear of downtime doesn't delay patching.
  • Document your patching timeline and hold your team accountable.

Logging, Monitoring, and Catching the Anomalies

A VPN without logging is a tunnel with no security cameras. You need to capture and analyze connection timestamps, source IPs, session durations, bandwidth usage, and authentication failures.

What to Watch For

  • Impossible travel: A user authenticates from New York at 2:00 PM and from Moscow at 2:15 PM.
  • Off-hours access: Connections at 3:00 AM from accounts that normally work 9-to-5.
  • Repeated authentication failures: Could indicate a brute-force or credential-stuffing attack.
  • Unusual data volumes: Large data exfiltration often hides in VPN traffic because it's encrypted.

Feed VPN logs into your SIEM. If you don't have a SIEM, at minimum set up automated alerts for the patterns above. Detection speed is the difference between a contained incident and a front-page data breach.
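The three alertable patterns above (impossible travel, off-hours access, bursts of authentication failures), run over sample VPN log lines, as an added Python example that is not part of the original post. The log format, the IP-to-location table and the fixed 09:00-17:59 UTC working window are constructed assumptions standing in for the appliance's own syslog format, a GeoIP database and per-account baselines.

```python
"""Detect impossible travel, off-hours logins and auth-failure bursts in VPN logs.

Added example, not from the original post. The log format, the GEO table and
the working-hours window are constructed for the example; a real deployment
would parse the appliance's syslog format, resolve locations from a GeoIP
database and learn normal hours per account.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

# Constructed lookup standing in for a GeoIP database: ip -> (city, lat, lon).
GEO = {
    "203.0.113.10": ("New York", 40.71, -74.01),
    "198.51.100.7": ("Moscow", 55.76, 37.62),
    "192.0.2.44": ("Chicago", 41.88, -87.63),
}

MAX_SPEED_KMH = 900            # faster than a commercial flight = impossible
FAIL_THRESHOLD = 5             # failures per user ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window
WORK_HOURS = range(9, 18)      # assumed normal window, 09:00-17:59 UTC


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(lines):
    """Return [(kind, user, detail), ...] alerts in timestamp order."""
    events = [r for r in map(parse_line, lines) if r]
    events.sort(key=lambda r: r["ts"])
    alerts = []
    last_ok = {}               # user -> (timestamp, geo tuple) of last successful login
    fails = defaultdict(list)  # user -> timestamps of recent failures

    for e in events:
        user, ts = e["user"], e["ts"]

        if e["event"] == "auth_fail":
            window = [t for t in fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            fails[user] = window
            if len(window) == FAIL_THRESHOLD:   # alert once, on the threshold hit
                alerts.append(("auth-failures", user, f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
            continue
        if e["event"] != "auth_ok":
            continue

        if ts.hour not in WORK_HOURS:
            alerts.append(("off-hours", user, ts.strftime("%H:%M UTC")))

        here = GEO.get(e["src"])
        prev = last_ok.get(user)
        if here and prev:
            prev_ts, prev_loc = prev
            km = haversine_km(prev_loc[1], prev_loc[2], here[1], here[2])
            # clamp elapsed time to one minute so back-to-back logins cannot divide by zero
            hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 60)
            if km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible-travel", user,
                               f"{prev_loc[0]} -> {here[0]}: {km:.0f} km in {hours * 60:.0f} min"))
        if here:
            last_ok[user] = (ts, here)
    return alerts


# Constructed sample log: the New York / Moscow pair from the text, one 3 AM login
# and a five-failure burst against one account.
SAMPLE_LOG = """\
2021-11-03T14:00:12Z user=alice src=203.0.113.10 event=auth_ok
2021-11-03T14:15:40Z user=alice src=198.51.100.7 event=auth_ok
2021-11-03T03:02:09Z user=bob src=192.0.2.44 event=auth_ok
2021-11-03T09:30:00Z user=carol src=192.0.2.44 event=auth_ok
2021-11-03T11:00:01Z user=dave src=198.51.100.7 event=auth_fail
2021-11-03T11:00:05Z user=dave src=198.51.100.7 event=auth_fail
2021-11-03T11:00:09Z user=dave src=198.51.100.7 event=auth_fail
2021-11-03T11:00:14Z user=dave src=198.51.100.7 event=auth_fail
2021-11-03T11:00:20Z user=dave src=198.51.100.7 event=auth_fail
2021-11-03T16:45:00Z user=carol src=192.0.2.44 event=auth_ok
""".splitlines()

if __name__ == "__main__":
    for kind, user, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:<18} {user:<6} {detail}")
```

Carol's two logins from the same Chicago address produce no alert, which is the point of keying impossible travel on distance over time rather than on "different IP": a user moving between the office and home at a plausible speed should stay quiet, while the unreachable-in-fifteen-minutes hop fires.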

Training Is the Layer Most Organizations Skip

You can configure the most hardened VPN on the planet, and a single employee clicking a phishing link can hand their credentials — and their VPN access — directly to an attacker. Social engineering bypasses technical controls by targeting people.

I've reviewed incidents where attackers sent convincing phishing emails that mimicked VPN login portals. The employee entered their credentials and MFA token into a fake site that proxied the authentication in real time. The attacker was on the corporate network within seconds.

The countermeasure isn't just better technology — it's security awareness training that teaches employees to recognize these attacks before they click. Enroll your team in cybersecurity awareness training at computersecurity.us to build this baseline knowledge across your organization.

For targeted defense against the most common attack vector, phishing awareness training for organizations runs realistic phishing simulations that teach your people to spot credential-harvesting attacks — including the VPN login fakes that lead to full network compromise.

The Bigger Picture: VPN as One Layer, Not the Whole Strategy

A VPN is one control in a layered security architecture. It encrypts your traffic and controls remote access. It does not replace endpoint detection. It does not replace network segmentation. It does not replace patch management, security awareness training, or incident response planning.

The organizations that get breached through their VPNs almost always made the same mistake: they treated the VPN as the security strategy rather than one component of it. VPN best practices matter enormously — but only when they're part of a broader defense that includes zero trust principles, robust authentication, continuous monitoring, and people who know how to recognize a social engineering attack when they see one.

Audit your VPN configuration this week. Check your protocols, verify your MFA enforcement, review your access controls, and confirm your patches are current. Then train your people. Because the best VPN configuration in the world can't protect you from the employee who doesn't know they're being targeted.