Remote Access and VPN Tunnel Monitoring

Preventative controls cannot prevent every security threat or mitigate every security vulnerability. To ensure that preventative measures are not bypassed, monitoring needs to be put in place. Remote access monitoring should include the following:

  • Prioritize monitoring toward critical assets and services.

  • Monitor failed authentication attempts.

  • Monitor successful authentication attempts and alert when the same user logs in from different sources.

  • Monitor failed access attempts; all devices or processes that manage access control to communications, data, or services should log and/or alert when access is requested that is not allowed.

  • Monitor successful access attempts; all devices or processes that manage access control to communications, data, or services should log when access is requested and allowed.

  • Log VPN connections to track what users are on the network at what time and for what duration.

  • Log any remote logon attempt on end user devices.
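As an added example (not from the original text), the sketch below applies three items from the checklist above to VPN logs: repeated failed authentications, the same user connected from different sources, and session duration per user. The log format, the sample lines, and the failure threshold of 3 are all constructed assumptions; a real VPN concentrator will have its own log layout.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical format): ISO time, user, source IP, event.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice 198.51.100.10 CONNECT
2024-05-01T08:05:00 bob 203.0.113.7 AUTH_FAIL
2024-05-01T08:05:20 bob 203.0.113.7 AUTH_FAIL
2024-05-01T08:05:40 bob 203.0.113.7 AUTH_FAIL
2024-05-01T08:30:00 alice 192.0.2.44 CONNECT
2024-05-01T09:00:00 carol 198.51.100.23 CONNECT
2024-05-01T09:15:00 alice 198.51.100.10 DISCONNECT
2024-05-01T10:30:00 carol 198.51.100.23 DISCONNECT
"""


def analyze(log_text, fail_threshold=3):  # threshold is an assumed value
    """Return (sessions, alerts, still_open) for the given log text."""
    open_sessions = {}            # (user, src) -> connect time
    failures = defaultdict(int)   # user -> cumulative failed authentications
    sessions, alerts = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines rather than crash
        ts, user, src, event = parts
        when = datetime.fromisoformat(ts)
        if event == "AUTH_FAIL":
            failures[user] += 1
            if failures[user] == fail_threshold:
                alerts.append(("repeated_auth_failure", user, src))
        elif event == "CONNECT":
            # Same user already connected from a different source address.
            others = sorted(s for (u, s) in open_sessions if u == user and s != src)
            if others:
                alerts.append(("concurrent_sources", user, src, others))
            open_sessions[(user, src)] = when
        elif event == "DISCONNECT":
            start = open_sessions.pop((user, src), None)
            if start is not None:  # ignore a disconnect with no logged connect
                minutes = (when - start).total_seconds() / 60
                sessions.append((user, src, start.isoformat(), minutes))
    return sessions, alerts, sorted(open_sessions)


if __name__ == "__main__":
    for item in analyze(SAMPLE_LOG):
        print(item)
```

The third return value lists sessions that connected but never logged a disconnect, which answers the "who is on the network right now" question from the checklist.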

Anytime you allow remote access to your internal protected local area network (LAN) by remote users, you increase the risk of security violations. It is important that you know who is using the remote access features you’ve enabled to access your resources. There’s a lot you can monitor with respect to remote access, but the best place to start is by identifying and validating just who is using remote access.

The overall idea is to keep track of who is using your VPNs and what they are doing. For example, suppose your primary VPN is optimized for large volumes of small messages. Your expectation when you enabled the VPN was that users would use it to access your online order management system. VPN and remote access monitoring has shown you that most VPN users are running very large custom reports from your database to analyze data. The VPN is actually transporting large volumes of data for a relatively small number of users. You find that you can change some VPN settings that make it run faster for the way your users are using the VPN. Reports run faster, and your data are more available. Table 13-2 lists a few programs that help monitor remote access and VPN usage.

TABLE 13-2 Remote access and VPN monitoring tools.

| Product | Source |
|---|---|
| CodePlex Remote Access Monitor (open source) | http://remoteaccessmonitor.codeplex.com/ |
| SoftSea Remote Access Monitor (free) | http://www.softsea.com/review/Remote-Access-Monitor.html |
| Cisco VPN Monitor | http://www.cisco.com/en/US/products/sw/cscowork/ps2326/products_user_guide_chapter09186a00800e680d.html#63236 |
| Simple Network Management Protocol (SNMP) | Not a vendor-specific product |

The last entry in Table 13-2 is the Simple Network Management Protocol (SNMP). SNMP is a network protocol used to monitor network devices. Most network devices include SNMP support and can run SNMP agents to report conditions that require attention to another computer or device running network management system software. SNMP uses UDP messages to retrieve information from network devices and to let the devices send updates when conditions you define are met. Although there are many ways to use SNMP, you can configure devices to send an alert to the network manager when remote users connect to your network.
