Some of the security controls for Virtual Private Networks (VPNs) are:
- Multi-factor authentication: at least two of the following factors, something you know, something you have, and something you are
- Client authentication should use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which authenticates with certificates on both sides and never sends a password over the link; where a password must be used, it should be carried inside a TLS-protected EAP method such as EAP-TTLS or PEAP rather than in the clear
- Passwords should be compliant with the organization's Password Policy
- All communication and data flow should be strongly encrypted, for example Layer Two Tunneling Protocol (L2TP) over Internet Protocol Security (IPsec); note that L2TP itself provides no confidentiality, so the IPsec layer must be configured with current ciphers and integrity algorithms
- All connecting clients should first be routed to a Network Access Control (NAC) server (for example Microsoft NAP, which Microsoft has since deprecated) for a health check, and only if found compliant (no malware detected, operating system and applications patched, endpoint protection current) should they be allowed to proceed with the connection and data transfers
- All access connections and remote activities should be logged with timestamps, usernames, and the client's source address
- All connection-end and log-off activities should be logged with timestamps
- All logs should be monitored for anomalies, analyzed, and reports of usage generated
- All logs should be stored on a centralized server, typically a Security Information and Event Management (SIEM) system
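The monitoring controls above (log every connection and disconnection with timestamp, username and source, then watch the logs for anomalies) can be demonstrated with a small analyzer. The following is an added example, not code from the original page; the log line format, field names (`user=`, `src=`, `result=`), the sample log lines, the 07:00-20:00 UTC "working hours" window and the three-failures-in-five-minutes threshold are all assumptions chosen for illustration.

```python
"""Added example: anomaly checks over VPN connect/disconnect logs.

Not code from the original page. The log format, field names and
thresholds below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
#   <ISO8601 timestamp> <event> user=<name> src=<ip> [result=<ok|fail>]
SAMPLE_LOG = """\
2024-03-04T08:55:12Z CONNECT user=alice src=203.0.113.10 result=ok
2024-03-04T09:02:44Z CONNECT user=bob src=198.51.100.7 result=ok
2024-03-04T17:30:01Z DISCONNECT user=alice src=203.0.113.10
2024-03-04T18:10:09Z DISCONNECT user=bob src=198.51.100.7
2024-03-05T02:14:33Z CONNECT user=alice src=192.0.2.99 result=fail
2024-03-05T02:14:51Z CONNECT user=alice src=192.0.2.99 result=fail
2024-03-05T02:15:07Z CONNECT user=alice src=192.0.2.99 result=fail
2024-03-05T02:15:30Z CONNECT user=alice src=192.0.2.99 result=ok
2024-03-05T02:16:02Z CONNECT user=alice src=203.0.113.10 result=ok
"""

WORK_HOURS = (7, 20)              # assumed: 07:00-20:00 UTC is "normal"
FAIL_THRESHOLD = 3                # assumed: >=3 failures before a success
FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    rec = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            rec[key] = value
    if "user" not in rec or "src" not in rec:
        return None
    return rec


def analyze(log_text):
    """Return (sessions, alerts).

    sessions: list of (user, start, end) with end=None if never closed.
    alerts:   list of (kind, user, detail) tuples.
    """
    alerts = []
    sessions = []
    open_sessions = {}            # (user, src) -> start time
    fails = defaultdict(list)     # user -> timestamps of recent failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        if rec["event"] == "CONNECT":
            if rec.get("result") == "fail":
                fails[user].append(ts)
                continue
            # Password-guessing pattern: N failures inside the window, then success.
            recent = [t for t in fails[user] if ts - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("fail_then_success", user,
                               f"{len(recent)} failures before success from {src}"))
            fails[user] = []
            # Successful connection outside the assumed working hours.
            if not (WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]):
                alerts.append(("off_hours", user,
                               f"connect at {ts.isoformat()} from {src}"))
            # Same user already connected from a different source address.
            others = [s for (u, s) in open_sessions if u == user and s != src]
            if others:
                alerts.append(("concurrent_src", user,
                               f"{src} while {others} still connected"))
            open_sessions[(user, src)] = ts
        elif rec["event"] == "DISCONNECT":
            start = open_sessions.pop((user, src), None)
            if start is None:
                alerts.append(("orphan_disconnect", user,
                               f"disconnect without connect from {src}"))
            else:
                sessions.append((user, start, ts))
    # Sessions still open at end of log are reported with no end time.
    for (user, src), start in open_sessions.items():
        sessions.append((user, start, None))
    return sessions, alerts


if __name__ == "__main__":
    found_sessions, found_alerts = analyze(SAMPLE_LOG)
    for user, start, end in found_sessions:
        print(f"session {user}: {start} -> {end}")
    for kind, user, detail in found_alerts:
        print(f"ALERT {kind} {user}: {detail}")
```

The same checks scale to a real feed by replacing `SAMPLE_LOG` with lines read from the VPN concentrator's syslog export or the SIEM; the three alert types (repeated failures followed by success, off-hours logins, and one account connected from two addresses at once) are the kind of usage anomalies the log review control is meant to surface.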