The question (in various different forms) was asked several times, and the answer is always the same, it is security or convenience, select one*.
If you need just the notification then set a “mirror” site with no actual data in a place outside of the VPN, and check it from time to time (how to keep it in sync? you do have your production code on git, right? 😉 ), or install one of those plugins that send an email.
An even better solution is to write a script that will use the wordpress.org API to get the current versions of plugin and notify you when they change. This requires more work than the previous option, but OTOH you do not need to maintain and secure an additional wordpress install just for this.
*OK, you can argue with the IT security guys to let you poke a hole in the security, and explain how important it is for you, but I assume their first instinct will be to refuse as it is not essential to the working of wordpress