Tell your IT provider, or internal IT team, that you want them to isolate or filter the VPN connections. At least discuss this security step with them.
If any users connect via VPN to your office, be sure your IT team isolates or filters the data that travels from the VPN connections to your primary network. Filter the data flowing back in the other direction too. If the VPN data comes directly, or unfiltered, into your network, an attacker who compromises a remote worker’s computer can use that connection as a path into your primary network.
(The rest of this message is a bit technical. You can forward this to your IT team if you wish. Please forward this message to fellow executives so they can consider this strong security protection.)
The existing router or firewall might already provide an option to filter the traffic. Default settings are usually weak, so ask your IT team to enable the feature. The filtering must happen, not on a computer, but in an infrastructure device such as a firewall, router, or switch.
You can share this example with your IT team: if the primary network uses the address 10.10.10.0, then it is dangerous for the VPN connections to land on that same subnet. Placing them on separate, filtered subnets helps cybersecurity. Here is an example of segmenting the VPN connections away from the primary network:
10.1.1.0 – Primary Network
10.1.2.0 – VPN Connections
The addresses might start with 172 or 192.168, and that isn’t important. Your IT team knows the significance of using different address ranges.
Your IT team must establish robust filtering rules in the firewall, router, or switch to limit the VPN connections and the internal network traffic. Rules are sometimes called ACLs (Access Control Lists).
When creating the rules, your IT team must only allow traffic essential for remote users. They can filter using parameters including source IP, destination IP, protocol, and ports. Sometimes, the only protocol remote users need is RDP (Remote Desktop Protocol).
If the rules permit, ask your IT team to block connections from countries other than where your remote users will connect.
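As an added illustration of the rules described above (not part of the original message), the following small evaluator models a first-match ACL between the 10.1.2.0 VPN subnet and the 10.1.1.0 primary network, comparing an unfiltered ruleset with one that permits only RDP. The /24 masks, port 3389, and the sample flows are assumptions, not values from the message.

```python
from ipaddress import ip_address, ip_network

RDP_PORT = 3389  # standard RDP port (assumption: the message names no port)

# Rule: (source_net, dest_net, protocol, dest_ports, action); dest_ports is a
# set of allowed destination ports, or None for "any".
WEAK_RULES = [
    # Unfiltered default: either subnet may reach anything on the other.
    ("10.1.2.0/24", "10.1.1.0/24", "any", None, "allow"),
    ("10.1.1.0/24", "10.1.2.0/24", "any", None, "allow"),
]
HARDENED_RULES = [
    # Remote users may only open RDP sessions into the primary network.
    ("10.1.2.0/24", "10.1.1.0/24", "tcp", {RDP_PORT}, "allow"),
    # Nothing else crosses in either direction; replies to an allowed RDP
    # session are handled by the firewall's connection tracking, not a rule.
    ("10.1.2.0/24", "10.1.1.0/24", "any", None, "deny"),
    ("10.1.1.0/24", "10.1.2.0/24", "any", None, "deny"),
]

def evaluate(rules, src, dst, proto, dport):
    """Return 'allow' or 'deny' for a new flow using first-match semantics;
    a flow matching no rule is denied (the implicit 'deny all' of a firewall)."""
    s, d = ip_address(src), ip_address(dst)
    for src_net, dst_net, r_proto, r_ports, action in rules:
        if s not in ip_network(src_net) or d not in ip_network(dst_net):
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        return action
    return "deny"

# Constructed sample flows: (src, dst, proto, dport, description)
SAMPLE_FLOWS = [
    ("10.1.2.15", "10.1.1.20", "tcp", 3389, "rdp from vpn client"),
    ("10.1.2.15", "10.1.1.20", "tcp", 445, "smb share from vpn client"),
    ("10.1.2.15", "10.1.1.5", "udp", 53, "dns query from vpn client"),
    ("10.1.1.20", "10.1.2.15", "tcp", 3389, "rdp started from inside to vpn client"),
]

def audit(rules):
    """Map each sample flow's description to the ACL decision."""
    return {desc: evaluate(rules, s, d, p, port) for s, d, p, port, desc in SAMPLE_FLOWS}

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        for desc, verdict in audit(rules).items():
            print(f"{name:9}{verdict:6}{desc}")
```

Running it shows that the weak ruleset allows every sample flow, while the hardened ruleset admits only the RDP session from the VPN subnet.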