Cybersecurity · 10 min read · Beginner

Are Your Remote Workers Secure? — Why VPN Is Essential

How do remote workers connect to your company network? Exposed access points without VPN, RDP attack statistics, and a 4-step VPN transition plan for SMBs.

#vpn #remote-work #smb-security #ikev2 #wireguard #rdp #cybersecurity

  • 50%: Ransomware via RDP (Sophos 2024)
  • 3.4B: Monthly RDP attacks (Kaspersky 2024)

Remote work isn’t going away. But for many SMBs, “remote access” means RDP exposed to the internet or files shared via email. Both are open invitations for attackers.

According to the Sophos 2024 Active Adversary Report, RDP is the initial access vector in 50% of ransomware attacks. Kaspersky reports 3.4 billion brute-force attacks on RDP per month globally. If your port 3389 is open to the internet right now, you’re in the queue.


The Problem: What Happens Without VPN

Scenario 1: Open RDP

Your accountant connects from home via Remote Desktop. Port 3389 is forwarded directly through your router. Automated scanners find it within hours. Brute-force begins. If the password is weak or default — game over.

Scenario 2: Public WiFi

Your sales rep checks email from a café. No VPN. An attacker on the same network runs a packet sniffer. Credentials, emails, attachments — all visible.

Scenario 3: File Sharing via Email

Sensitive documents sent as email attachments. No encryption, no access control, no audit trail. One compromised email account = full data breach.


The Solution: 4-Step VPN Transition Plan

Step 1: Choose Your Protocol

| Protocol | Setup | Performance | Mobile | Best For |
| --- | --- | --- | --- | --- |
| WireGuard | Simple | Fastest | Good | Small teams, Linux servers |
| IKEv2/IPSec | Moderate | Fast | Excellent (MOBIKE) | Apple devices, corporate |
| OpenVPN | Complex | Good | Good | Cross-platform, legacy |
| L2TP/IPSec | Simple | Slow | Built-in | Not recommended (outdated) |

Our recommendation: WireGuard for teams under 50. IKEv2 for Apple-heavy environments. Both can run on MikroTik RouterOS.

Step 2: Deploy VPN Server

Options:

  • MikroTik router — WireGuard and IKEv2 built into RouterOS 7
  • Linux server — WireGuard kernel module (fastest option)
  • Cloud VPS — if no on-premise server available

```bash
# WireGuard on Ubuntu (example; run as root)
apt install wireguard
# Create the key files readable by root only
umask 077
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key
```

Step 3: Configure Per-User Access

  • One certificate/key per user — never share credentials
  • Separate access profiles — accountant only reaches accounting server, not all internal resources
  • Logging enabled — who connected, when, from where
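
One way to turn the three rules above into configuration, as an added example that is not part of the original article: a script that prints server-side WireGuard peer stanzas and iptables rules from a single user table. The user names, placeholder keys, addresses and the `wg0` interface name are constructed assumptions.

```sh
# Added example: per-user WireGuard peers and firewall profiles from one table.
# Users, keys, addresses and the wg0 interface name are constructed samples.

# user|public key (placeholder)|tunnel IP|allowed destinations (ip:port,...)
USERS='accountant|PUBKEY_PLACEHOLDER_ACCOUNTANT|10.8.0.2|192.168.10.20:3389
salesrep|PUBKEY_PLACEHOLDER_SALESREP|10.8.0.3|192.168.10.30:443,192.168.10.40:445'

# One credential per user: fail if a key (field 2) or tunnel IP (field 3) repeats.
check_unique() {
  dup=$(printf '%s\n' "$1" | cut -d'|' -f"$2" | sort | uniq -d)
  [ -z "$dup" ] || { echo "shared value in field $2: $dup" >&2; return 1; }
}

# Server-side [Peer] stanzas. AllowedIPs with a /32 pins each key to one source
# address, so the firewall can treat that address as the identity of the user.
gen_peers() {
  printf '%s\n' "$1" | while IFS='|' read -r user key ip dests; do
    printf '[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n\n' "$user" "$key" "$ip"
  done
}

# Access profile: log and allow new connections to the listed destinations only,
# then drop everything else coming from that user.
gen_rules() {
  printf '%s\n' "$1" | while IFS='|' read -r user key ip dests; do
    for d in $(printf '%s' "$dests" | tr ',' ' '); do
      match="-i wg0 -s $ip -d ${d%:*} -p tcp --dport ${d#*:}"
      echo "iptables -A FORWARD $match -m conntrack --ctstate NEW -j LOG --log-prefix \"vpn-$user: \""
      echo "iptables -A FORWARD $match -j ACCEPT"
    done
    echo "iptables -A FORWARD -i wg0 -s $ip -j DROP"
  done
}

build() {
  check_unique "$1" 2 && check_unique "$1" 3 || return 1
  gen_peers "$1"
  gen_rules "$1"
}

build "$USERS"   # prints the config; nothing is applied to the system
```

The LOG rules record who opened a connection to which server and when; the tunnel endpoint each user connected from is shown by `wg show`.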

Step 4: Close Direct Access

Once VPN is operational:

☐ Close RDP port (3389) on firewall — access only via VPN
☐ Close SMB port (445) — file sharing only through VPN
☐ Close SSH (22) to internet — management only through VPN
☐ Close admin panels to internet — router, NAS, cameras

Test before blocking: Verify all remote workers can connect via VPN before closing direct ports.


RDP: The Most Dangerous Default

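```powershell
# Check if RDP is listening (Windows PowerShell)
netstat -an | findstr :3389
# 0.0.0.0:3389 in LISTENING state means RDP accepts connections on every interface;
# if the router forwards port 3389, it is open to the internet
```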
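
The same check extended to all three ports the transition plan closes (3389, 445, 22), as an added example that is not part of the original article: it reads saved `netstat -an` output from Windows or Linux and reports whether each listener is bound to every interface or to a specific address. The sample output and its addresses are constructed; a wildcard binding shows what the host offers, and whether it is reachable from the internet still depends on the router and firewall.

```sh
# Added example: flag listeners on RDP/SMB/SSH ports that are bound to every
# interface. Input is saved `netstat -an` output (Windows or Linux format).

# Constructed sample: a Windows host with RDP and SMB on all interfaces,
# and SSH bound to the VPN address 10.8.0.1 only.
SAMPLE='  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.8.0.1:22            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49702     203.0.113.7:443        ESTABLISHED'

audit_listeners() {
  printf '%s\n' "$1" | awk '
    BEGIN { name[3389] = "RDP"; name[445] = "SMB"; name[22] = "SSH" }
    /LISTEN/ {
      # The local address is the first field ending in :port
      # (column 2 on Windows, column 4 on Linux).
      addr = ""
      for (i = 1; i <= NF; i++) if ($i ~ /:[0-9]+$/) { addr = $i; break }
      if (addr == "") next
      port = addr; sub(/.*:/, "", port)
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (!(port in name)) next
      # Wildcard bindings accept connections arriving on any interface.
      wild = (host == "0.0.0.0" || host == "[::]" || host == "::" || host == "*")
      printf "%s %s %s\n", (wild ? "ALL-INTERFACES" : "RESTRICTED"), name[port], addr
    }'
}

audit_listeners "$SAMPLE"
```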

If RDP must be used:

  1. Only through VPN tunnel
  2. Network Level Authentication (NLA) enabled
  3. Account lockout after 5 failed attempts
  4. MFA on top of VPN

Cost Comparison

| Approach | Monthly Cost | Security Level |
| --- | --- | --- |
| RDP open to internet | $0 | ❌ None |
| Cloud VPN service | $5-15/user | ✅ Good |
| Self-hosted WireGuard | $0 (existing hardware) | ✅ Excellent |
| MikroTik IKEv2 | $0 (existing hardware) | ✅ Excellent |
| Enterprise VPN (Cisco, Fortinet) | $20-50/user | ✅ Enterprise |

Self-hosted VPN on existing MikroTik or Linux infrastructure costs nothing beyond the initial configuration. Compare this to the average ransomware recovery cost of $1.82 million (Sophos 2024).


Checklist

☐ VPN protocol selected (WireGuard/IKEv2)
☐ VPN server deployed and tested
☐ Per-user certificates/keys generated
☐ All remote workers connected via VPN
☐ RDP (3389) closed to internet
☐ SMB (445) closed to internet
☐ SSH/admin panels closed to internet
☐ Connection logging enabled
☐ MFA enabled on VPN
☐ Monthly access review scheduled

Don’t wait for a breach to justify VPN. The cost of prevention is a fraction of the cost of recovery.

Sources

  1. RDP is the initial access vector in 50% of ransomware attacks — Sophos Active Adversary Report (2024)
  2. 3.4 billion brute-force attacks on RDP per month globally — Kaspersky Security Bulletin (2024)

Frequently Asked Questions

Why is remote work without VPN dangerous?

Without VPN, data travels unencrypted over public networks. An attacker on the same WiFi can intercept credentials, files, and emails. RDP exposed directly to the internet is the #1 target for brute-force attacks.

WireGuard or IKEv2 — which should I choose?

WireGuard: simpler configuration, lower CPU usage, higher performance. IKEv2: native iOS/macOS support, better for mobile networks (MOBIKE maintains connection during WiFi→4G switch). Corporate environments with Apple devices: IKEv2. Small teams: WireGuard.

Is free VPN software safe for business use?

No. Free VPN services often log and sell user data, have limited encryption, and provide no SLA or support. For business, use self-hosted VPN (WireGuard/OpenVPN on your own server) or enterprise VPN solutions.

How much does VPN setup cost for an SMB?

Self-hosted on existing MikroTik/Linux server: $0 additional hardware cost. Configuration service: one-time $200-500. Enterprise VPN-as-a-Service: $5-15/user/month.
