Remote access into your network exposes a secure mechanism, allowing remote users to access internal resources. If this is not handled properly, you could be exposing your internal network to attackers. Adhere to the following principles and guidelines to avoid this:

• Do not allow unapproved VPN access methods:
  • Establish a policy stating that there is only a single mechanism for remote access and stating who administers that method
  • Establish a secured VPN capability and do not allow users to utilize an alternative mechanism
  • Assign users access to the VPN capability based on business need and not personal desire
• Block split tunneling:
  • All network traffic should be required to go through the VPN
  • This means that web requests would go through the VPN and out the corporate network rather than the local Wi-Fi access point.
• Multifactor authentication:
  • Utilize multifactor authentication to protect the user's authentication credentials
  • Second factors that can be utilized include:
    • Smart cards
    • Certificates
    • Physical tokens
    • SMS/text messages