Your VPN provides staff with a secure way to remotely access files and internal services. However, without the correct checks in place, a poorly-maintained VPN tunnel can easily become an unwanted backdoor into your company network. For this reason, regular security audits are an important best practice to ensure your VPN security is up to date and no external threats exist for your network via the VPN tunnel.
Want to get started? Our VPN security checklist takes you step-by-step through the 10 most important measures to include during a VPN security audit.
10 Essential Items for Your VPN Security Audit
1. Check VPN gateway settings
First things first, it's a good idea to check your VPN gateway is up to date, as this is where the VPN tunnel to your company network is configured.
Start by double-checking you have installed the latest firmware update for your gateway. You can find this information within the user interface of your device (usually in the system overview dashboard). Being up to date with firmware ensures any security patches or similar fixes have been installed, protecting your device from known threats.
In addition, now is also a good time to check that the firewall is enabled for your device and that any firewall rules have been configured correctly.
2. Review connection encryption
Choosing the highest possible encryption settings for your connection is a straightforward way of ensuring your network is tightly secured.
Depending on your gateway's settings, you can try out some of these encryption best practices:
- If enabled, disable DES and MD5 (these have well-documented issues)
- Enable perfect forward secrecy (PFS) if supported by your gateway
- Choose Diffie-Hellman (DH) Group 5 or higher for the key exchange setting
Higher encryption settings can affect the performance of your VPN gateway and your tunnel may take a bit longer to connect, so test out some options until you find the right balance for your setup.
VPN Tracker supports highly-secure AES-256 encryption and DH Group up to group 18.
Note that you will need to update these settings on both the VPN gateway and your VPN Tracker connection.
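To make the checks in this step repeatable between audits, here is an added example (not part of the original post or of VPN Tracker) that audits a gateway's IKE/ESP proposal against the three best practices above. It assumes a hypothetical key=value export format and a constructed sample; it also flags 3DES alongside DES, which goes beyond the list above.

```python
"""Audit an IPsec/IKE proposal against the encryption checklist in step 2."""
from __future__ import annotations

# Threshold taken from the checklist above ("DH Group 5 or higher").
# Current IETF guidance (RFC 8247) prefers group 14 or higher.
MIN_DH_GROUP = 5
WEAK_CIPHERS = {"des", "3des"}   # 3DES added here; the checklist names DES
WEAK_HASHES = {"md5"}

# Constructed sample export in key=value form (hypothetical format, not any
# real gateway's syntax); several weak settings so that each check fires.
SAMPLE_CONFIG = """\
ike_encryption = aes256
ike_hash = md5
dh_group = 2
pfs = off
esp_encryption = 3des
esp_hash = sha256
"""


def parse_config(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_proposal(settings: dict[str, str]) -> list[str]:
    """Return one finding per setting that violates the checklist."""
    findings = []
    for key in ("ike_encryption", "esp_encryption"):
        if settings.get(key) in WEAK_CIPHERS:
            findings.append(f"{key}: {settings[key]} is weak, use AES-256")
    for key in ("ike_hash", "esp_hash"):
        if settings.get(key) in WEAK_HASHES:
            findings.append(f"{key}: {settings[key]} is broken, use SHA-2")
    if settings.get("pfs", "off") not in ("on", "yes", "true", "1"):
        findings.append("pfs: perfect forward secrecy is disabled")
    group = settings.get("dh_group", "")
    if not group.isdigit() or int(group) < MIN_DH_GROUP:
        findings.append(f"dh_group: {group or 'unset'} is below group {MIN_DH_GROUP}")
    return findings


if __name__ == "__main__":
    for finding in audit_proposal(parse_config(SAMPLE_CONFIG)):
        print("FAIL", finding)
```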
3. Ensure VPN users are up to date
A VPN audit is also the perfect opportunity to monitor and review VPN users. Have any team members left since the last audit? Have departments shifted? Use this time to remove any user accounts from your gateway which no longer require VPN access.
Tip: VPN Tracker TeamCloud enables team managers to remotely revoke VPN access in one click and ensure only the right individuals have access at all times.
A note on named user accounts:
Given the sensitive nature of a VPN connection, it's important to know exactly who has access. For this reason, it's also best practice to avoid shared accounts (i.e. one login for multiple users) or generic connections and to instead ensure all VPN users have their own individual accounts.
4. Set up 2FA for connections
Two-factor authentication (2FA) is becoming increasingly important as a measure to rule out external threats caused by hacking, phishing, social engineering, etc. Previously, if a user's VPN password was leaked or compromised, this meant game over for your network's security. However, 2FA adds an extra layer of protection by requiring another form of verification (e.g. a code delivered by SMS or email) before access is granted.
If you have not done so already, use your audit to explore the 2FA methods provided by your VPN gateway (e.g. Google Authenticator, FortiToken, Duo, etc.) and get this configured for your connection.
5. Check XAUTH password requirements
Generally, best practice for passwords is to opt for a longer password with a mix of upper and lower case letters, as well as numbers and symbols.
Check your VPN gateway settings to see which password requirements are in place and optimize them as necessary. For an extra layer of security, consider requesting a periodic VPN password change from all staff members.
6. Update Pre-Shared Key
Another password which you could review during your audit is the pre-shared key (PSK) or shared secret for your connection. This also takes place on the VPN gateway and is a simple way to freshen up your VPN's overall security scorecard.
Worrying about the knock-on effect for the rest of your users? With VPN Tracker TeamCloud, you can update the PSK (as well as any other connection settings) and sync changes to your team in seconds, with no end-user action required.
7. Assess your VPN client
As well as using the security audit to check your VPN gateway is up to date, it's also a great opportunity to assess your VPN client. After all, the VPN client is the software your staff will be using to connect to the company network, so it's extremely important that it's up to date and well maintained.
Here are some key characteristics to look out for when assessing your VPN client:
- Regular updates - how well is the software being maintained?
- OS compatibility - is the software compatible with the latest macOS version / Windows version?
- Customer support - are support engineers readily available?
- Development location - where is the application being developed and which data protection laws are they abiding by?
- User interface - how easy is the application to use? A complicated UI can lead to critical user errors
If you're not satisfied your VPN client is meeting the mark on even one of those points, it may be time to consider a change.
8. Monitor mobile security
The increasing use of mobile devices in the workplace alongside a growing demand for quick-access remote work solutions means administrators now also have a new challenge on their hands in managing mobile device security.
In the absence of a secure remote access solution, many users turn to insecure, third-party alternatives such as Dropbox, Google Drive or WhatsApp to perform file sharing tasks and, in doing so, potentially expose sensitive company data to hackers or other outside threats. The solution? Use a mobile VPN client like VPN Tracker to provide iOS users the same remote access options on their iPhone & iPad as on their Mac.
Tip: With VPN Tracker for iOS, company connections can be securely synced across Mac, iPhone and iPad - with MDM rollout options also available for large scale deployment.
9. Apply zero trust policies
The zero trust security model has been growing in popularity in recent years - offering organisations an efficient way to prevent sensitive information from falling into the wrong hands.
Your VPN security audit also presents a practical opportunity to review your current VPN policies and see how and where zero trust measures could be applied. Some common zero trust best practices include:
- Role-based connection access (Which connections can be accessed by which team members?)
- Access to connection details (Who in the team needs to know the connection settings?)
VPN Tracker TeamCloud has the infrastructure in place to provide a fully zero trust compliant remote access solution for your organisation. Set up role-based user groups to completely control connection access and opt to hide connection settings, giving users access to only the minimum level of information required to perform their tasks.
10. Improve end-user education (bonus)
The more users are made aware of security best practices, the easier it will be for you to maintain the security of your network in the long term, i.e. by avoiding potentially harmful activities such as password recycling, falling for phishing emails, and installing unverified apps.
At the end of your audit, consider finding an effective way to share some VPN best practice tips with your team to make them aware of the potential risks involved. For example, you could schedule a team meeting or send a security tips newsletter.
Why choose VPN Tracker for your organization?
VPN Tracker is the best VPN client for Mac, iPhone, and iPad, offering support for major VPN protocols, including IPsec, SonicWall SSL, SonicWall IPsec, Cisco AnyConnect SSL, Fortinet SSL, SSTP, and WireGuard®.
Your benefits with VPN Tracker
- Save time and securely deploy company VPN connections
- Centralized team management with managed connections, groups and notifications, and team audit logs
- Compatibility with enterprise-level VPN gateways, including SonicWall, Cisco, Fortinet, and Sophos
- Zero-Trust compliant with role-based access controls
- Single Sign-on (SSO) support
- Unified billing for all users and dedicated "Billing" role for accounting purposes