KBI 311838 New Feature: Monitor CISCO VPN
Version
Argent Advanced Technology 5.1A-2007-A and above
Date
Tuesday, 16 June 2020
Summary
Argent AT implements a set of CISCO VPN Rules that provides comprehensive CISCO VPN Monitoring out of the box
CISCO Remote Access VPN Activity Rule
Customers can see the full picture of VPN activity, including:
- Who – logon user
- Where – remote IP and geolocation of city, region, and country
- When – start time, end time, and duration of the VPN session
- What – protocol, in/out total bytes, and calculated bandwidth usage
VPN activities are archived in the SQL table ARGSOFT_SN_CRAS_VPN_SESSION, which can be used for VPN compliance reports
This Rule also provides unique security features in the form of real-time alerts for potential hacking activity:
- VPN connection coming from location that should have no employees working
- Multiple connections coming from the same remote IP, which is unusual unless the users share a household and work for the same company
The Rule also monitors performance metrics for individual sessions, such as extreme bandwidth usage, very long duration (forgot to sign off?), unreliable network connection, etc.
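As an added illustration, not Argent's own Rule logic, the alert conditions above expressed in Python over constructed session records carrying the fields the Rule collects; the allowed-country set and the duration and bandwidth thresholds are assumptions a deployment would tune:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample sessions (not real data) with the fields the Rule records.
SESSIONS = [
    {"user": "alice", "ip": "203.0.113.10", "country": "US", "start": "2020-06-16T08:00:00",
     "end": "2020-06-16T09:30:00", "bytes_in": 50_000_000, "bytes_out": 5_000_000},
    {"user": "carol", "ip": "203.0.113.10", "country": "US", "start": "2020-06-16T08:15:00",
     "end": "2020-06-16T08:45:00", "bytes_in": 2_000_000, "bytes_out": 500_000},
    {"user": "bob", "ip": "198.51.100.7", "country": "CA", "start": "2020-06-15T07:00:00",
     "end": "2020-06-16T08:00:00", "bytes_in": 800_000_000, "bytes_out": 40_000_000},
    {"user": "dave", "ip": "192.0.2.44", "country": "ZZ", "start": "2020-06-16T03:00:00",
     "end": "2020-06-16T03:20:00", "bytes_in": 1_000_000, "bytes_out": 200_000},
    {"user": "erin", "ip": "198.51.100.9", "country": "US", "start": "2020-06-16T10:00:00",
     "end": "2020-06-16T10:10:00", "bytes_in": 9_000_000_000, "bytes_out": 1_000_000_000},
]
# Assumed thresholds; a real deployment tunes these to its own workforce.
ALLOWED_COUNTRIES = {"US", "CA"}   # where employees are expected to connect from
MAX_DURATION_HOURS = 12            # longer suggests nobody signed off
MAX_MBPS = 100                     # extreme bandwidth for one remote user

def duration_seconds(s):
    return (datetime.fromisoformat(s["end"]) - datetime.fromisoformat(s["start"])).total_seconds()

def bandwidth_mbps(s):
    # Average throughput over the session: total bits / seconds / 1e6.
    return (s["bytes_in"] + s["bytes_out"]) * 8 / duration_seconds(s) / 1e6

def unexpected_locations(sessions, allowed=ALLOWED_COUNTRIES):
    """Users connecting from a country where no employees should be working."""
    return sorted(s["user"] for s in sessions if s["country"] not in allowed)

def shared_remote_ips(sessions):
    """Remote IPs used by more than one distinct user (unusual unless they share a household)."""
    users_by_ip = defaultdict(set)
    for s in sessions:
        users_by_ip[s["ip"]].add(s["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

def performance_outliers(sessions, max_hours=MAX_DURATION_HOURS, max_mbps=MAX_MBPS):
    """Sessions that are unusually long or move an extreme amount of data."""
    alerts = {}
    for s in sessions:
        reasons = []
        if duration_seconds(s) > max_hours * 3600:
            reasons.append("long_duration")
        if bandwidth_mbps(s) > max_mbps:
            reasons.append("extreme_bandwidth")
        if reasons:
            alerts[s["user"]] = reasons
    return alerts
```

On the constructed records this flags dave (unexpected country), the shared address 203.0.113.10 (alice and carol), bob (25-hour session) and erin (about 133 Mbps average).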
CISCO Remote Access VPN Global Statistics Rule
This Rule monitors global VPN statistics for remote access, such as total sessions, in/out bandwidth usage, packet-dropping rate, etc.
These statistics are also important for capacity planning
CISCO Remote Access VPN Logon Failure Rule
This Rule detects spikes of VPN logon failures, which could indicate ongoing hacking activity
CISCO VPN Tunnel Global Statistics Rule
This Rule monitors global Site-to-Site VPN Tunnel statistics, such as total tunnels, in/out bandwidth usage, packet-dropping rate, etc.
These statistics are also important for capacity planning
CISCO VPN Tunnel Activity Rule
This Rule monitors total count, creation, and termination of VPN tunnels
It also provides security alerts for VPN tunnels from unknown locations, multiple tunnels from the same IP, etc.
CISCO VPN Tunnel Peer Lost Rule
This Rule monitors the connectivity health of Site-to-Site VPN Tunnels
A spike in peer-lost errors indicates deteriorating network connectivity
This feature has been implemented in Argent AT 5.1A-2007-A
Technical Background
CISCO Remote Access VPN information is exposed via SNMP through CISCO-REMOTE-ACCESS-MONITOR-MIB
CISCO Site-To-Site VPN tunnel information is exposed via SNMP through CISCO-IPSEC-FLOW-MONITOR-MIB
Resolution
Upgrade to Argent Advanced Technology 5.1A-2007-A and above