Are You Monitoring Your VPN Logs?

VPN in Time of Pandemic: Best Practices

During the COVID-19 crisis, many employees are working from home. The general best practice is to let them connect to the corporate network through a VPN. That is important for the security of the organization – if you just expose your internal services to the internet, they will be attacked immediately, with brute-force attempts, vulnerability scanning (looking for unpatched software), etc. That’s why introducing a secure single point of entry is a must.

VPN Configuration for Organizations

A VPN can be configured in many ways depending on the organization and the available software and network equipment. There are several VPN protocols available with varying levels of security (e.g. OpenVPN, SSTP, PPTP). Small businesses with a low-grade office router may only have the option to enable PPTP connections, while larger organizations would normally have enterprise network equipment or dedicated servers to support a proper VPN setup.

Installing and configuring a VPN is no easy task, and each organization should follow the steps of their chosen technology. For example, here’s how to set up OpenVPN. There’s also the option to use a cloud VPN service, but the setup is not much simpler, for large organizations at least.

VPN: Information Security Aspects

One thing that all VPN setups have in common is the availability of logs. Having logs that record all connection and authentication attempts is crucial for the security of a VPN setup: the VPN endpoint is exposed to the internet, and if credentials are compromised, or a brute-force attack succeeds, malicious actors may gain access to your corporate network.

That’s why VPN logs should be monitored in real time for anomalies. Excessive authentication attempts, or multiple failed attempts by a particular user, may indicate that an attack is going on. This report by NCP-E shows the importance of a VPN audit log:

Auditing

VPN logs are useful not only for troubleshooting, but also for detecting and responding to incidents. A list like the following can be used to configure the specific events to be collected, reviewed and archived:

1. User

2. Date, time and command

3. System location

4. Authentication success/failure

5. Authorization success/failure

6. Configuration change, especially to protection (anti-virus and intrusion detection)

7. Privileged access

8. Network addresses and protocols.

An investigation of a VPN attack will depend on audit trails, since the details for each of these areas are essential to establish who did what, where and when.

VPN Log Collectors

The usual protocol for shipping logs from a VPN endpoint to a log collector is syslog. It has its downsides, but it is fairly standard and is supported by many tools. Our secure audit trail solution, SentinelTrails, also supports syslog (with all of its variations – over TCP and UDP, and in its two RFC standard forms). You can read more about syslog integration here. Keep in mind that it’s not a good idea to send unencrypted logs to a cloud provider – while we can assure you your data is protected once it reaches our servers, we can’t protect it in transit. So if your VPN endpoint doesn’t support syslog over TLS, you’d either need an on-premise setup or have to configure a tunnel to our environment.

Detecting Anomalies Using VPN Logs

Once the logs are collected, you should define rules that alert you on anomalous behavior. If the log collection system you use ships with default rules, review them to check that they match your requirements. SentinelTrails supports a wide variety of such rules, as well as machine-learning based anomaly detection, and we’re happy to assist our customers with setting up the right combination of alerts for their use case.
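As an added example (not the post’s own code, nor SentinelTrails’), here is a small Python detector for the rule described above: it parses constructed, simplified syslog-style authentication lines and raises an alert when one user accumulates a threshold of failed logins inside a sliding time window. The line format, usernames and addresses are all assumed; a real endpoint’s messages will differ.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in a simplified syslog-style format (not any real endpoint's
# format); adjust LINE_RE to the messages your VPN actually emits.
SAMPLE_LOG = """\
Apr  6 09:00:01 vpn1 vpnd[812]: AUTH-OK   user=alice src=198.51.100.20
Apr  6 09:01:10 vpn1 vpnd[812]: AUTH-FAIL user=bob   src=203.0.113.7
Apr  6 09:01:12 vpn1 vpnd[812]: AUTH-FAIL user=bob   src=203.0.113.7
Apr  6 09:01:15 vpn1 vpnd[812]: AUTH-FAIL user=bob   src=203.0.113.7
Apr  6 09:01:19 vpn1 vpnd[812]: AUTH-FAIL user=bob   src=203.0.113.7
Apr  6 09:01:25 vpn1 vpnd[812]: AUTH-FAIL user=bob   src=203.0.113.7
Apr  6 09:30:00 vpn1 vpnd[812]: AUTH-FAIL user=carol src=192.0.2.9
Apr  6 10:40:00 vpn1 vpnd[812]: AUTH-FAIL user=carol src=192.0.2.9
Apr  6 10:41:00 vpn1 vpnd[812]: AUTH-OK   user=carol src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"AUTH-(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

def parse(line, year=2020):
    """Return (timestamp, result, user, src), or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None  # in production, count unparsable lines too: silent drops hide gaps
    # BSD syslog timestamps carry no year and pad the day with a space; normalise it.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def failed_auth_alerts(log_text, threshold=5, window_seconds=60):
    """Alert whenever one user accumulates `threshold` failed authentications
    within a sliding window of `window_seconds`; returns (user, src, time)."""
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "FAIL":
            continue
        ts, _, user, src = rec
        q = recent[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, src, ts))
            q.clear()  # one alert per burst, not one per extra failure
    return alerts
```

With the sample above, bob’s five failures within 15 seconds trigger one alert, while carol’s two failures 70 minutes apart do not.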

Organizations have rushed to allow their employees to work remotely; now that most of that is set up, possible attack vectors should be assessed and audit logs should be enabled, so that you have a good overview of what’s happening with your VPN.

Interested in improving your VPN log protection? Book a demo to learn how: