KBI 311838 New Feature: Monitor CISCO VPN

Version

Argent Advanced Technology 5.1A-2007-A and above

Date

Tuesday, 16 June 2020

Summary

Argent AT implements a set of CISCO VPN Rules that provide comprehensive CISCO VPN monitoring out of the box

CISCO Remote Access VPN Activity Rule

Customers can see the full picture of VPN activity, including:

  • Who – logon user
  • Where – remote IP and geolocation of city, region, and country
  • When – start time, end time, and duration of the VPN session
  • What – protocol, in/out total bytes, and calculated bandwidth usage

VPN activities are archived in the SQL table ARGSOFT_SN_CRAS_VPN_SESSION, which can be used for VPN compliance reports

This Rule provides a unique security feature: real-time alerts for potential hacking, such as:

  • A VPN connection coming from a location where no employees should be working
  • Multiple connections coming from the same remote IP, which is unusual unless both residents work for the same company

The Rule also monitors performance metrics for individual sessions, such as extreme bandwidth usage, very long duration (forgot to sign off?), and unreliable network connections
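The checks described above (unexpected location, shared remote IP, very long session, extreme bandwidth) can be illustrated with a small evaluator run over session records. The code below is an added example and is not Argent's Rule or the contents of ARGSOFT_SN_CRAS_VPN_SESSION; the record fields, the allowed-country list and the thresholds are assumptions mirroring the Who / Where / When / What attributes the Rule reports. The same checks generalize to Site-to-Site tunnels, where the "user" is the peer identity.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


# Constructed session record. Field names are assumptions that mirror the
# Who / Where / When / What attributes the Rule reports; they are NOT the
# columns of ARGSOFT_SN_CRAS_VPN_SESSION or of any Cisco MIB object.
@dataclass(frozen=True)
class VpnSession:
    user: str          # Who
    remote_ip: str     # Where (remote IP)
    country: str       # Where (geolocated country)
    start: datetime    # When
    end: datetime      # When
    protocol: str      # What
    in_bytes: int      # What
    out_bytes: int     # What

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

    def bandwidth_kbps(self) -> float:
        """Average throughput over the session in kilobits per second."""
        secs = self.duration.total_seconds()
        if secs <= 0:
            return 0.0
        return (self.in_bytes + self.out_bytes) * 8 / 1000 / secs


# Assumed policy values; a real deployment would set its own.
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_DURATION = timedelta(hours=12)
MAX_BANDWIDTH_KBPS = 50_000.0


def check_sessions(sessions):
    """Return a list of (user, reason) alerts for the given session records."""
    # Index users by remote IP so shared addresses can be spotted in one pass.
    users_by_ip = defaultdict(set)
    for s in sessions:
        users_by_ip[s.remote_ip].add(s.user)

    alerts = []
    for s in sessions:
        if s.country not in ALLOWED_COUNTRIES:
            alerts.append((s.user, f"connection from unexpected country {s.country}"))
        if len(users_by_ip[s.remote_ip]) > 1:
            others = ", ".join(sorted(users_by_ip[s.remote_ip] - {s.user}))
            alerts.append((s.user, f"remote IP {s.remote_ip} shared with {others}"))
        if s.duration > MAX_DURATION:
            alerts.append((s.user, f"session open for {s.duration} (forgot to sign off?)"))
        if s.bandwidth_kbps() > MAX_BANDWIDTH_KBPS:
            alerts.append((s.user, f"bandwidth {s.bandwidth_kbps():.0f} kbps above threshold"))
    return alerts


# Constructed sample data (documentation-range addresses, fictitious users).
D = datetime(2020, 6, 16)
SAMPLE_SESSIONS = [
    VpnSession("alice", "203.0.113.10", "US", D.replace(hour=9), D.replace(hour=10),
               "IPsec", 30_000_000, 20_000_000),
    VpnSession("bob", "198.51.100.7", "BR", D.replace(hour=9), D.replace(hour=10),
               "SSL", 5_000_000, 1_000_000),
    VpnSession("carol", "203.0.113.10", "US", D.replace(hour=8), D.replace(hour=22),
               "IPsec", 100_000_000, 40_000_000),
    VpnSession("dave", "192.0.2.5", "US", D.replace(hour=13), D.replace(hour=14),
               "SSL", 20_000_000_000, 10_000_000_000),
]

if __name__ == "__main__":
    for user, reason in check_sessions(SAMPLE_SESSIONS):
        print(f"ALERT {user}: {reason}")
```

With the sample data, alice and carol are each flagged for sharing 203.0.113.10, bob for connecting from a country outside the allowed set, carol additionally for a 14-hour session, and dave for roughly 66,667 kbps of average throughput.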

CISCO Remote Access VPN Global Statistics Rule

This Rule monitors global remote access VPN statistics such as total sessions, in/out bandwidth usage, and packet-dropping rate

It is also useful for capacity planning

CISCO Remote Access VPN Logon Failure Rule

This Rule detects spikes in VPN logon failures, which could indicate ongoing hacking activity

CISCO VPN Tunnel Global Statistics Rule

This Rule monitors global Site-to-Site VPN Tunnel statistics such as total tunnels, in/out bandwidth usage, and packet-dropping rate

It is also useful for capacity planning

CISCO VPN Tunnel Activity Rule

This Rule monitors total count, creation, and termination of VPN tunnels

It also provides security alerts for VPN tunnels from unknown locations, multiple tunnels from the same IP, etc

CISCO VPN Tunnel Peer Lost Rule

This Rule monitors the connectivity health of Site-to-Site VPN Tunnels

A spike in peer-lost errors indicates deteriorating network connections

This feature has been implemented in Argent AT 5.1A-2007-A

Technical Background

CISCO Remote Access VPN information is exposed through CISCO-REMOTE-ACCESS-MONITOR-MIB

CISCO Site-To-Site VPN tunnel information is exposed through CISCO-IPSEC-FLOW-MONITOR-MIB

Resolution

Upgrade to Argent Advanced Technology 5.1A-2007-A and above