It was 2:00 AM when the SOC analyst noticed 40,000 authentication attempts against the company's SSL VPN gateway—originating from three different continents simultaneously. The VPN had been deployed five years ago with default settings and never revisited. If this scenario sounds familiar, you're not alone. Enterprise VPN infrastructure is one of the most critical—and most neglected—attack surfaces in modern networks.
The Problem With "Set and Forget" VPN Deployments
Remote access VPNs were never designed to be permanent infrastructure. Yet post-2020, they've become the backbone of enterprise connectivity. The consequences of stale configurations are severe: CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto GlobalProtect), and CVE-2023-20269 (Cisco ASA) all targeted VPN appliances specifically because attackers know organizations rarely harden them after initial deployment.
The attack surface isn't just the appliance itself. It's the authentication model, the tunnel configuration, the network segments exposed post-authentication, and the monitoring (or lack thereof) of established sessions.
Hardening IPsec: Beyond the Defaults
If you're running IPsec site-to-site or remote access tunnels, start by auditing your IKE and ESP proposals. Many production environments still negotiate 3DES or SHA-1 because legacy proposals were never removed.
On a Cisco ASA, enforce strong Phase 1 and Phase 2 parameters:
crypto ikev2 policy 10
 ! AES-GCM is an AEAD cipher: the ASA requires integrity null with it and uses the PRF for keying
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal STRONG
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
The integrity null on ESP is correct here—AES-256-GCM provides authenticated encryption, making a separate integrity algorithm redundant.
Remove any legacy IKEv1 configurations entirely unless you have a documented, risk-accepted business requirement.
WireGuard for Modern Remote Access
For organizations exploring alternatives to traditional IPsec or SSL VPNs, WireGuard offers a dramatically smaller attack surface (~4,000 lines of code vs. hundreds of thousands in OpenVPN or IPsec stacks).
A minimal server configuration enforcing per-peer network isolation:
# /etc/wireguard/wg0.conf
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
# Drop packets forwarded from one wg0 peer to another (no peer-to-peer traffic through the server)
PostUp = iptables -A FORWARD -i wg0 -o wg0 -j DROP

[Peer]
# Engineering team member
PublicKey = <peer_public_key>
# Cryptokey routing: only this single address is accepted from (and routed to) this peer
AllowedIPs = 10.200.0.10/32
The critical line is the PostUp iptables rule: it prevents peer-to-peer communication across the VPN, ensuring compromised endpoints can't laterally traverse to other connected clients. Combine this with per-peer AllowedIPs restrictions to enforce micro-segmentation at the tunnel level.
Authentication: The Real Perimeter
A VPN is only as strong as its authentication. Enforce these as non-negotiable requirements:
- Certificate-based authentication with short-lived certificates (via HashiCorp Vault or step-ca) instead of static pre-shared keys
- MFA on every connection—not just initial enrollment
- SAML/OIDC integration to leverage your IdP's conditional access policies
- Session timeouts that force re-authentication every 8-12 hours
# Generate a short-lived client certificate with step-ca (expires 12 hours after issuance)
step ca certificate "user@corp.com" client.crt client.key \
  --not-after=12h \
  --provisioner="VPN-Access"
Short-lived certificates eliminate the problem of revocation lag entirely. If a certificate is valid for only 12 hours, a stolen credential has a dramatically reduced exploitation window.
Monitoring VPN as a Threat Vector
Forward VPN authentication logs to your SIEM and build detections for:
- Authentication from impossible travel locations
- Connections from residential proxy or VPN-over-VPN IP ranges (check against services like Spur.us)
- Session durations exceeding policy baselines
- Multiple simultaneous sessions for single user identities
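Two of these detections, impossible travel and multiple simultaneous sessions, worked over a handful of constructed VPN authentication events. This is an added example, not code from the post or any SIEM product; the (lat, lon) pairs stand in for the GeoIP lookup your SIEM would perform, and the 900 km/h speed threshold is an assumed value.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample VPN auth events: (user, src_ip, action, ISO time, (lat, lon)).
# Coordinates are assumed GeoIP results for the documentation-range IPs used here.
EVENTS = [
    ("alice", "203.0.113.5",  "login",  "2024-05-01T08:00:00", (51.5, -0.1)),   # London
    ("alice", "203.0.113.5",  "logout", "2024-05-01T09:00:00", (51.5, -0.1)),
    ("alice", "198.51.100.9", "login",  "2024-05-01T09:30:00", (35.7, 139.7)),  # Tokyo, 90 min later
    ("bob",   "192.0.2.10",   "login",  "2024-05-01T10:00:00", (40.7, -74.0)),  # New York
    ("bob",   "192.0.2.77",   "login",  "2024-05-01T10:05:00", (40.7, -74.0)),  # second open session
]

def _ts(s):
    return datetime.fromisoformat(s)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900):
    """Flag consecutive logins per user whose implied travel speed exceeds max_kmh."""
    hits, last = [], {}
    for user, ip, action, t, geo in events:
        if action != "login":
            continue
        if user in last:
            p_ip, p_t, p_geo = last[user]
            hours = (_ts(t) - _ts(p_t)).total_seconds() / 3600
            if hours > 0 and haversine_km(p_geo, geo) / hours > max_kmh:
                hits.append((user, p_ip, ip))
        last[user] = (ip, t, geo)
    return hits

def concurrent_sessions(events):
    """Flag users with more than one session open at the same moment (tracked by source IP)."""
    hits, open_sessions = set(), {}
    for user, ip, action, _t, _geo in events:
        s = open_sessions.setdefault(user, set())
        if action == "login":
            s.add(ip)
        else:
            s.discard(ip)
        if len(s) > 1:
            hits.add(user)
    return sorted(hits)
```

In production these rules run over the SIEM's normalized auth events rather than a tuple list, and the speed threshold should be tuned against your own travel baseline.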
Moving Toward Zero Trust
VPNs aren't disappearing tomorrow, but they should be evolving. Layer your VPN with device posture checks, endpoint compliance verification, and application-level access controls. The tunnel should grant network reachability to exactly what's needed—nothing more.
The most secure VPN connection is the one that trusts nothing by default, verifies everything continuously, and expires before an attacker can use it.
Have questions about enterprise VPN and secure remote access? I'm always happy to talk shop — reach out or connect with me on LinkedIn.