A Virtual Private Network (VPN) is a group of network hosts that can transfer encrypted data between themselves on a Virtual Private Network. The technology creates a safe encrypted connection, usually over public networks such as the internet, that allows remote users and locations such as branch offices, to securely access and share resources. The main benefit is providing an adequate level of security and encryption to safely transmit private data across unprotected networks. Even though modern Virtual Private Networks use advanced encryption to protect data, additional controls should be utilized to protect them from vulnerabilities that might be introduced through other system componoents and configuration weaknesses.
PRTG offers several sensors for VPN monitoring. PRTG uses the Simple Network Management Protocol for its VPN monitoring. SNMP is the easiest way to monitor a network, as network and CPU loads are kept to a minimum. PRTG comes with a number of default sensors that use SNMP to monitor the VPN traffic, users, and connections of your Cisco ASA. Virtual private network providers have all the necessary networking tools to monitor VPN traffic. Part of the logged info is harmless, such as the number of users, anonymous crash reports, and speed tests used to improve the product.
The following is a list of recommended Virtual Private Network monitoring and security controls:
- Use firewalls and Intrusion Detection/Prevention Systems (IDS/IDPS) in order to monitor VPN connections.
- Use anti-malware and personal firewalls on remote clients and servers.
- All VPN connections require authentication.
- Logging enabled and auditing performed on a regular basis in order to detect possible attacks.
- Establish user and administrator security training requirements.
- VPN’s placed within a Demilitarized Zone (DMZ) to isolate them from internal protected networks.
- Split tunneling to allow local internet access on remote hosts should be prohibited.
- Use strong authentication mechanisms to include certificates, smart cards, or tokens.
- Access privileges granted on as-needed basis.
- Use strong alternative authentication mechanisms such as Terminal Access Controller Access Control System (TACACS), and Remote Authentication Dial-In User Service (RADIUS).
- Remote access computers physically secure.
- Use strong industry proven encryption with sufficient key strength to protect confidentiality.
It is important to note that even though Virtual Private Networks provide secure communications over insecure networks, client-side security must also be addressed in order to ensure end-to-end security.
References
HKSAR-The Government of the Hong Kong Special Administrative Region. (2008, February). VPN Security. Retrieved September 20, 2017, from https://www.infosec.gov.hk/english/technical/files/vpn.pdf.
Vpn Monitoring Protocols
Oracle Docs. Defining a VPN. https://docs.oracle.com/cd/E19047-01/sunscreen32/806-6347/6jfa0g87q/index.html.
Vpn Monitor Fortigate
Tech Target. Virtual Private Network. http://searchnetworking.techtarget.com/definition/virtual-private-network.