KBI 311809 New Feature: Secure VPN With Argent Advanced Technology

Version

Argent Advanced Technology 5.1A-2004-A and above

Date

Thursday, 16 April 2020

Summary

During the COVID-19 lockdown, most stay-home workers use some sort of VPN to connect to their corporate network for daily work

This poses a very significant security challenge: the VPN gateway is now exposed to the whole Internet, and every home network behind it is a potential way into the corporate network

Argent for SNMP 5.1A-2004-A introduces two sophisticated Rules to catch potential security threats:

  • One VPN Connection for One Location

    The Argent AT Engine enumerates the active VPN tunnels and alerts if any single remote IP address has more than one active VPN connection

    The idea is that each home location should have only one company employee remotely accessing the corporate network

    Exceptions can be configured to allow a larger connection limit for specific remote IP addresses, for example a branch office or a household with several employees behind one NAT address (remote IPs behind carrier-grade NAT also need such an exception, or the Rule will fire on unrelated users sharing one address)

  • VPN Connection from Allowed Locations

    The Argent AT Engine enumerates the active VPN tunnels and alerts if any tunnel's remote location is not in the white list of allowed locations

    The idea is that company employees live in a few counties close to the company, so legitimate VPN sources fall within a small, known set of locations

    If an account suddenly connects from a foreign country, it is a strong indicator of a stolen credential and should be investigated; the white list should still allow for travelling staff and for employees whose home Internet exits through a consumer VPN or proxy abroad
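    The two Rules above, written out as plain Python over a snapshot of active tunnels. This is an added example, not Argent's own code: the tunnel record format, the IP-to-country lookup table (standing in for a GeoIP database), the allowed-country set and the per-address connection limits are all assumptions constructed for the example. An address whose country cannot be resolved is treated as not allowed, so the location Rule fails closed.

```python
"""Constructed example of the two VPN Rules: one connection per remote IP
(with per-address exceptions) and remote location on a white list.
Not Argent's code; records, lookup table and limits are assumptions."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed snapshot of active VPN tunnels, as an SNMP walk would return them
ACTIVE_TUNNELS = [
    {"user": "alice",   "remote_ip": "203.0.113.10"},
    {"user": "bob",     "remote_ip": "203.0.113.20"},
    {"user": "carol",   "remote_ip": "203.0.113.20"},   # second tunnel from bob's address
    {"user": "dave",    "remote_ip": "198.51.100.7"},   # branch office behind one NAT address
    {"user": "erin",    "remote_ip": "198.51.100.7"},
    {"user": "frank",   "remote_ip": "198.51.100.7"},
    {"user": "mallory", "remote_ip": "192.0.2.99"},     # unexpected foreign location
]

# Constructed lookup table standing in for a GeoIP database (assumption)
IP_TO_COUNTRY = {
    "203.0.113.10": "US",
    "203.0.113.20": "US",
    "198.51.100.7": "US",
    "192.0.2.99": "FR",
}

ALLOWED_COUNTRIES = {"US"}          # the white list of allowed locations (assumption)
CONNECTION_LIMITS = {"198.51.100.7": 5}   # per-address exceptions (assumption)
DEFAULT_LIMIT = 1                   # one connection per location


def rule_one_connection_per_location(tunnels, limits=CONNECTION_LIMITS,
                                     default_limit=DEFAULT_LIMIT):
    """Alert for every remote IP whose active tunnel count exceeds its limit."""
    per_ip = defaultdict(list)
    for t in tunnels:
        # ip_address() normalises the text form and rejects garbage in the record
        per_ip[str(ip_address(t["remote_ip"]))].append(t["user"])
    alerts = []
    for ip, users in sorted(per_ip.items()):
        limit = limits.get(ip, default_limit)
        if len(users) > limit:
            alerts.append({"rule": "one-connection-per-location", "remote_ip": ip,
                           "count": len(users), "limit": limit, "users": sorted(users)})
    return alerts


def rule_allowed_locations(tunnels, lookup=IP_TO_COUNTRY, allowed=ALLOWED_COUNTRIES):
    """Alert for every tunnel whose remote country is not on the white list.
    An address the lookup cannot resolve is reported as UNKNOWN and alerts too."""
    alerts = []
    for t in tunnels:
        country = lookup.get(str(ip_address(t["remote_ip"])), "UNKNOWN")
        if country not in allowed:
            alerts.append({"rule": "allowed-locations", "remote_ip": t["remote_ip"],
                           "user": t["user"], "country": country})
    return alerts


if __name__ == "__main__":
    for alert in rule_one_connection_per_location(ACTIVE_TUNNELS):
        print(alert)
    for alert in rule_allowed_locations(ACTIVE_TUNNELS):
        print(alert)
```

    With the constructed data the first Rule reports only 203.0.113.20 (two tunnels against a limit of one); 198.51.100.7 carries three tunnels but is covered by its exception. The second Rule reports mallory's tunnel from 192.0.2.99.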

The following Vendors (sorted by popularity) are supported out of the box:

  • Cisco
  • SonicWall
  • Check Point
  • Juniper
  • FortiGate
  • Barracuda
  • ZyXEL

Because Cisco devices expose richer information about VPN connections, Argent for SNMP also provides Rules (Cisco only) to catch spikes of certain failure counters

For example, a spike of authentication failures may indicate a brute-force or password-spraying attack against the gateway, while a spike of peer-lost failures more likely indicates deteriorating network connections on the client side

Argent for Compliance 5.1A-2004-A introduces SNMP trap and SYSLOG Rules that are valuable for security analysis as well

By archiving the SNMP traps and SYSLOG messages related to VPN activity, tunnel up and down events can be turned into reports of VPN session durations, lists of failed authentication attempts can pinpoint hacking activity, and so on
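The failure-spike Rules and the trap/SYSLOG archiving above, illustrated as plain Python over a few constructed syslog lines. This is an added example, not Argent's code and not any vendor's message format: the VPN-TUNNEL-UP / VPN-TUNNEL-DOWN / VPN-AUTH-FAIL events with key=value fields are an assumption made so the example runs offline, and a real parser has to match the exact trap or syslog text the device emits. It pairs tunnel up and down events into session durations, counts events per fixed time window to flag spikes (authentication failures or peer-lost disconnects), and summarises failed logins per remote peer, where many distinct user names from one address is the classic password-spraying signature.

```python
"""Constructed example: session durations, failure spikes and failed-auth
summary from archived VPN syslog events.  Not Argent's code; the log format
is an assumption, not a vendor's real message format."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (assumed format: timestamp host EVENT key=value ...)
SAMPLE_SYSLOG = """\
2020-04-16T08:00:05Z vpn-gw1 VPN-TUNNEL-UP user=alice peer=203.0.113.10
2020-04-16T08:01:10Z vpn-gw1 VPN-TUNNEL-UP user=bob peer=203.0.113.20
2020-04-16T08:30:05Z vpn-gw1 VPN-TUNNEL-DOWN user=alice peer=203.0.113.10 reason=user-requested
2020-04-16T08:31:00Z vpn-gw1 VPN-TUNNEL-DOWN user=bob peer=203.0.113.20 reason=peer-lost
2020-04-16T08:31:30Z vpn-gw1 VPN-TUNNEL-UP user=bob peer=203.0.113.20
2020-04-16T09:10:00Z vpn-gw1 VPN-AUTH-FAIL user=admin peer=192.0.2.99 reason=bad-password
2020-04-16T09:10:01Z vpn-gw1 VPN-AUTH-FAIL user=admin peer=192.0.2.99 reason=bad-password
2020-04-16T09:10:02Z vpn-gw1 VPN-AUTH-FAIL user=root peer=192.0.2.99 reason=bad-password
2020-04-16T09:10:03Z vpn-gw1 VPN-AUTH-FAIL user=alice peer=192.0.2.99 reason=bad-password
2020-04-16T09:10:04Z vpn-gw1 VPN-AUTH-FAIL user=bob peer=192.0.2.99 reason=bad-password
2020-04-16T09:10:05Z vpn-gw1 VPN-AUTH-FAIL user=dave peer=192.0.2.99 reason=bad-password
2020-04-16T11:00:00Z vpn-gw1 VPN-AUTH-FAIL user=carol peer=203.0.113.30 reason=bad-password
"""


def parse_log(text):
    """Turn the constructed syslog text into a time-ordered list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields["host"], fields["event"] = host, event
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def session_durations(events):
    """Pair each TUNNEL-UP with the next TUNNEL-DOWN for the same user and peer.
    Tunnels still up at the end of the archive are not reported."""
    open_sessions, sessions = {}, []
    for e in events:
        key = (e["user"], e["peer"])
        if e["event"] == "VPN-TUNNEL-UP":
            open_sessions[key] = e["ts"]
        elif e["event"] == "VPN-TUNNEL-DOWN" and key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({"user": e["user"], "peer": e["peer"], "start": start,
                             "end": e["ts"], "seconds": int((e["ts"] - start).total_seconds()),
                             "reason": e.get("reason", "unknown")})
    return sessions


def find_spikes(events, event_type, window_seconds, threshold, reason=None):
    """Count matching events per fixed window; return (window start, count)
    for every window whose count reaches the threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] != event_type or (reason is not None and e.get("reason") != reason):
            continue
        bucket = int(e["ts"].timestamp()) // window_seconds * window_seconds
        counts[bucket] += 1
    return [(datetime.fromtimestamp(b, tz=timezone.utc), n)
            for b, n in sorted(counts.items()) if n >= threshold]


def failed_auth_by_peer(events):
    """Failed logins per remote peer; many distinct users from one peer
    is the password-spraying pattern rather than one user mistyping."""
    per_peer = defaultdict(lambda: {"failures": 0, "users": set()})
    for e in events:
        if e["event"] == "VPN-AUTH-FAIL":
            per_peer[e["peer"]]["failures"] += 1
            per_peer[e["peer"]]["users"].add(e["user"])
    return {peer: {"failures": v["failures"], "distinct_users": len(v["users"])}
            for peer, v in per_peer.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_SYSLOG)
    for s in session_durations(evts):
        print(f"{s['user']}@{s['peer']} {s['seconds']}s ended by {s['reason']}")
    print("auth-fail spikes:", find_spikes(evts, "VPN-AUTH-FAIL", 60, 5))
    print("peer-lost spikes:", find_spikes(evts, "VPN-TUNNEL-DOWN", 60, 2, reason="peer-lost"))
    print("failed auth by peer:", failed_auth_by_peer(evts))
```

On the constructed archive this reports alice's 1800-second session and bob's 1790-second session that ended with peer-lost, one authentication-failure spike of six events in the 09:10 minute, no peer-lost spike, and 192.0.2.99 trying five different user names, which is what the "hacking activity" the text mentions looks like in the data.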

Technical Background

It is important to remember to configure the VPN router/switch so that the Argent AT Engine can process the messages:

  1. The Argent AT Engine should be registered as the device's SNMP manager (an SNMP community string or, preferably, an SNMPv3 user with authentication and privacy, restricted to the engine's IP address) so that the device answers SNMP Get/GetNext queries from the Argent AT Engine
  2. Point the device's SNMP trap and/or SYSLOG destination to the Argent AT Engine

Both settings are made on the VPN router/switch itself

They are outside the Argent AT configuration

Resolution

Upgrade to Argent Advanced Technology 5.1A-2004-A or above

For existing customers who do not want to upgrade immediately, contact Argent Tech Support to acquire the Argent AT VPN package to import VPN Rules and install required software