In May 2024, Check Point disclosed that threat actors were actively exploiting a zero-day vulnerability in its VPN products — CVE-2024-24919 — to harvest Active Directory credentials and move laterally through enterprise networks. Attackers didn't need a sophisticated exploit chain. They needed one VPN gateway running a default configuration with local accounts and no multi-factor authentication. That's it. If your organization runs a VPN and you haven't revisited your VPN best practices since the initial rollout, you're likely sitting on a similar exposure right now.
This post gives you the nine specific rules I follow — and recommend to every client — to turn a VPN from a liability into an actual security control. These aren't generic tips. They're drawn from real incidents, real misconfigurations, and the patterns I keep seeing in breach after breach.
Why Most VPN Deployments Are a Breach Waiting to Happen
VPNs were designed to extend a trusted network perimeter to remote users. The problem? That model assumes the endpoint is clean, the credential is valid, and nobody's lurking inside the tunnel. In 2025, none of those assumptions hold.
The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade, and VPN portals are one of the top targets for credential theft campaigns tracked by CISA. Threat actors use phishing, brute force, credential stuffing, and infostealers to compromise VPN accounts — and once they're in, lateral movement is trivial if you haven't segmented anything behind the tunnel.
I've seen organizations with 500-seat VPN deployments running the same shared secret they configured five years ago, split tunneling enabled by default, and zero logging. That's not a VPN. That's an open door with a welcome mat.
The 9 VPN Best Practices Security Pros Actually Follow
1. Enforce Multi-Factor Authentication on Every VPN Connection
This is non-negotiable. If your VPN allows password-only authentication in 2025, you've already lost. MFA blocks the overwhelming majority of credential stuffing and phishing-based attacks because a stolen password alone isn't enough.
Use TOTP, hardware tokens, or push-based authentication tied to a verified device. SMS-based MFA is better than nothing, but it's vulnerable to SIM-swapping. I recommend FIDO2 security keys for any high-privilege users connecting via VPN.
2. Kill Split Tunneling for Corporate Connections
Split tunneling lets a user access the internet directly while simultaneously tunneled into your corporate network. It's convenient. It's also a direct path for malware on a compromised endpoint to reach your internal systems while bypassing your security stack.
For corporate-managed devices accessing sensitive resources, force full tunnel. If bandwidth is a concern, use a split-include model where only specific corporate routes go through the tunnel — but never let the endpoint talk to both the internet and your internal network simultaneously without inspection.
3. Segment What's Behind the VPN
Here's the mistake I see constantly: organizations treat VPN access as equivalent to being on the LAN. A remote user connects, and suddenly they can reach file servers, domain controllers, HR databases, and the CEO's desktop.
Apply the principle of least privilege to VPN-connected sessions. Use firewall rules, VLANs, or a zero trust network access (ZTNA) overlay to restrict VPN users to only the specific resources they need. A sales rep doesn't need access to your backup infrastructure.
4. Patch VPN Appliances Like They're Internet-Facing — Because They Are
Your VPN concentrator is literally the front door to your network. Ivanti, Fortinet, Cisco, Palo Alto, and Check Point all disclosed critical VPN vulnerabilities in 2023 and 2024 that were actively exploited in the wild. CISA's Known Exploited Vulnerabilities catalog is full of VPN-related entries.
Set a 48-hour patching SLA for critical VPN appliance vulnerabilities. Subscribe to your vendor's security advisory feed. If you can't patch fast enough, have a documented process to take the appliance offline and shift to an alternate access method.
5. Rotate and Strengthen Pre-Shared Keys and Certificates
IPsec VPNs often rely on pre-shared keys. If that key was set during initial deployment and hasn't been rotated, every former employee, every former MSP technician, and potentially every attacker who's compromised a single endpoint has it.
Rotate PSKs at least quarterly. Better yet, move to certificate-based authentication tied to your PKI. For SSL/TLS VPNs, ensure certificates are current, use strong cipher suites (TLS 1.3 where supported), and disable legacy protocols like SSLv3 and TLS 1.0.
6. Log Everything and Actually Review It
VPN logs are some of the most valuable telemetry you have. They tell you who connected, from where, when, and for how long. They're also the first thing I ask for during an incident response — and the most common thing that's either not enabled or already rotated off the disk.
Log all authentication attempts (successful and failed), session durations, source IPs, and assigned internal IPs. Forward these logs to your SIEM. Create alerts for impossible travel (a user connecting from New York and Lagos within an hour), brute force patterns, and connections from known-bad IP ranges.
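As an added example (not code from the original post), here is the impossible-travel check from rule 6 run over a handful of constructed VPN auth log lines. The log format, the gateway name, the IP addresses and the IP-to-coordinate table are all assumptions standing in for a real syslog feed and a GeoIP lookup.

```python
import math
import re
from datetime import datetime

# Constructed stand-in for a GeoIP lookup (src IP -> lat, lon); not real data.
GEO = {"198.51.100.10": (40.71, -74.01), "198.51.100.44": (40.71, -74.01),  # New York
       "203.0.113.77": (6.52, 3.38),                                         # Lagos
       "192.0.2.5": (41.88, -87.63), "192.0.2.9": (41.88, -87.63)}           # Chicago

# Constructed sample VPN auth events in a hypothetical syslog-style format.
SAMPLE_LOG = """\
2025-03-04T08:02:11Z vpn-gw1 auth user=alice result=SUCCESS src=198.51.100.10
2025-03-04T08:40:53Z vpn-gw1 auth user=alice result=SUCCESS src=203.0.113.77
2025-03-04T09:00:00Z vpn-gw1 auth user=bob result=FAIL src=192.0.2.5
2025-03-04T09:30:00Z vpn-gw1 auth user=dave result=SUCCESS src=203.0.113.200
2025-03-04T10:15:00Z vpn-gw1 auth user=carol result=SUCCESS src=192.0.2.9
2025-03-04T14:30:00Z vpn-gw1 auth user=carol result=SUCCESS src=198.51.100.44
"""
LINE = re.compile(r"^(\S+) \S+ auth user=(\S+) result=(\S+) src=(\S+)$")

def parse(log):
    """Return (timestamp, user, result, src) tuples; lines that do not match are skipped."""
    out = []
    for m in filter(None, map(LINE.match, log.splitlines())):
        out.append((datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]))
    return out

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Flag users whose consecutive successful logins imply travel faster than an airliner.
    Failed logins and sources with no geolocation are ignored; same-second logins from
    two different places still alert (distance over a near-zero interval)."""
    last, alerts = {}, []
    for ts, user, result, src in sorted(events):
        if result != "SUCCESS" or src not in GEO:
            continue
        if user in last:
            prev_ts, prev_src = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            dist = km_between(GEO[prev_src], GEO[src])
            if dist / max(hours, 1e-9) > max_kmh:
                alerts.append((user, prev_src, src, round(dist)))
        last[user] = (ts, src)
    return alerts
```

In a SIEM the same logic runs as a correlation rule keyed on the user field; the 900 km/h threshold is the usual "faster than a commercial flight" cutoff and should be tuned to your own VPN and proxy egress behaviour.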
7. Implement Device Posture Checks
A valid credential on a compromised device is worse than no connection at all. Modern VPN solutions support posture assessment — checking that the connecting device has an active endpoint protection agent, current OS patches, disk encryption enabled, and isn't jailbroken or rooted.
If the device fails the posture check, drop it into a quarantine VLAN with access to only remediation resources. This single control would have prevented a significant number of the VPN-based breaches I've investigated.
8. Set Session Timeouts and Re-Authentication Intervals
I've seen VPN sessions stay active for days because nobody configured an idle timeout. That means a stolen laptop with a cached VPN session gives an attacker persistent network access without needing any credentials at all.
Set idle timeouts to 15-30 minutes. Force re-authentication (including MFA) every 8-12 hours for active sessions. This limits the blast radius of a compromised session and aligns with zero trust principles of continuous verification.
9. Train Your Users to Recognize VPN-Targeted Phishing
Threat actors increasingly target VPN login portals with pixel-perfect phishing pages. The Scattered Spider group, responsible for the 2023 MGM Resorts breach, used social engineering and phishing to compromise VPN and identity provider credentials. Your VPN's security is only as strong as your users' ability to spot a fake login page.
Run regular phishing awareness training that includes VPN-specific scenarios. Teach users to verify the URL of their VPN portal, never enter credentials after clicking an emailed link, and report suspicious login prompts immediately.
What Are VPN Best Practices? A Quick-Reference Answer
VPN best practices are the security configurations, policies, and operational habits that prevent a VPN from becoming an attack vector. At minimum, they include enforcing multi-factor authentication, disabling split tunneling for corporate access, patching VPN appliances within 48 hours of critical advisories, segmenting internal resources behind the tunnel, logging all session activity, and training users to resist social engineering attacks that target VPN credentials.
Zero Trust Doesn't Replace Your VPN — It Strengthens It
There's been a lot of buzz about zero trust network access replacing traditional VPNs entirely. In practice, most organizations in 2025 are running hybrid architectures. You still have a VPN. You just need to apply zero trust principles to how it operates.
That means never trusting a connection based solely on network location. It means verifying identity, device health, and context on every access request. It means assuming the tunnel itself could be compromised and limiting what's reachable through it.
NIST Special Publication 800-207 lays out the zero trust architecture framework that maps directly to VPN hardening. If you haven't read it, block out an afternoon. It's the best foundation document for modernizing your remote access strategy.
The Human Layer Is Your Biggest VPN Risk
Every technical control in this post can be defeated if an employee hands their credentials to a threat actor through a phishing email, a vishing call, or a fake IT support message. Security awareness isn't a nice-to-have supplement to your VPN configuration — it's a core control.
I recommend starting with a comprehensive cybersecurity awareness training program that covers credential hygiene, social engineering red flags, and the specific risks of remote access. Your VPN policy document is meaningless if the people using the VPN don't understand why these rules exist.
The Verizon DBIR has consistently shown that the human element is involved in the majority of breaches. When it comes to VPNs, that human element is the user who reuses their VPN password on a compromised third-party site, or the admin who leaves the default management interface exposed to the internet.
A Practical VPN Hardening Checklist for 2025
Here's the checklist I hand to every client after a VPN assessment. Print it. Tape it to your monitor. Work through it this week.
- MFA enforced on all VPN authentication — no exceptions for executives or contractors.
- Split tunneling disabled or restricted to a split-include configuration with explicit routes.
- Network segmentation applied behind the VPN — users reach only what their role requires.
- VPN appliance firmware current within 48 hours of any critical security advisory.
- Pre-shared keys rotated quarterly at minimum; certificate-based auth preferred.
- Logging enabled for all auth events, session data, and source IPs — forwarded to SIEM.
- Device posture checks active — endpoint protection, patch level, disk encryption verified before tunnel establishment.
- Session timeouts set to 15-30 minutes idle, 8-12 hours max active before re-auth.
- Phishing simulations running quarterly that include VPN login portal scenarios.
- Default admin credentials changed on the VPN management interface — and that interface is not internet-accessible.
- Legacy protocols disabled — no SSLv3, TLS 1.0, or TLS 1.1.
Stop Treating Your VPN Like Set-and-Forget Infrastructure
The organizations that get breached through their VPN almost always share one trait: they deployed it, configured it once, and never touched it again. The threat landscape shifted. New vulnerabilities were published. Employees came and went. And the VPN sat there, running the same config from 2019, with the same PSK, the same open access policy, and the same password-only authentication.
Following these VPN best practices isn't a one-time project. It's an ongoing operational discipline. Review your VPN configuration quarterly. Audit connected accounts against your current employee roster. Test your alerting by simulating impossible-travel logins. Run phishing simulations that mimic your VPN portal.
Your VPN is either a hardened, monitored, well-managed security control — or it's the easiest path into your network. There's no middle ground. The threat actors exploiting VPN vulnerabilities and stealing VPN credentials right now aren't sophisticated nation-state operators. They're opportunists running automated scanners and buying credentials from infostealer logs for a few dollars. The bar to defend against them isn't high. You just have to actually do the work.