VPN - VPN Traffic
- Last Updated: April 5, 2026
- Flowmon Anomaly Detection System
Method description
This method detects VPN connections and tunnels using pairs of ports and protocols. The Advanced parameter activates advanced VPN tunnel detection, which is based on behavioral analysis of the client's network traffic. Basic detection is recommended mainly for detecting Microsoft PPTP, IKE (Internet Key Exchange), or OpenVPN traffic on standard ports. Advanced detection allows the detection of general VPN traffic to external servers. The LanFilter parameter specifies the local network. The remaining parameters (MinimalTime and MinimalData) define the minimal duration of a connection with an external VPN server and the minimal amount of transferred data. In the case of Microsoft PPTP, it is possible to set a minimum VPN connection length in seconds and a minimal amount of transferred data in MiB.
This method consists of the following submethods:
- OpenVPN: Reports the usage of the OpenVPN tunnel. This submethod is activated when the parameter Standard is set to the value active.
- BehavioralDetection: Reports the usage of a VPN tunnel using the advanced behavioral analysis of network traffic generated by devices in the monitored network. This submethod is activated when the parameter Advanced is set to the value active.
- MSPPTP: Reports the usage of the obsolete MS PPTP protocol that is used to implement virtual private networks. This submethod is activated when the parameter MSPPTP is set to the value active.
- IPSec: Reports devices that use the IPSec tunnel. This submethod is activated when the parameter Standard is set to the value active.
- InternetTunnel: Reports the usage of known implementations of Internet tunnels. The detection is based on the list of default ports that applications use. This submethod is activated when the parameter Standard is set to the value active.
- Hamachi: Reports the usage of the Hamachi VPN service. This submethod is activated when the parameter Standard is set to the value active.
Method configuration
It is recommended to apply this method for explicitly selected IP addresses of an organization whose traffic structure is known or expected. The right place for traffic monitoring is the Internet connection line.
Method parameters
- Advanced: Utilization of VPN traffic detection based on behavioral analysis.
- MinimalData: Threshold for the minimum amount of transferred data (in MiB).
- MinimalTime: Threshold for the minimum duration of the VPN connection.
- LanFilter: Name of the filter that defines the IP addresses in the local network. Communication between devices in the local network is ignored within the detection.
- Standard: Utilization of port-based detection.
- ConnectionLength: Threshold for the minimal duration of the MSPPTP VPN connection (in seconds).
- Transferred: Minimal amount of data transferred using the MSPPTP protocol (in bytes).
- MSPPTP: Detection of usage of the MSPPTP protocol.
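To make the basic (port-based) detection and its parameters concrete, here is an added example that is not Flowmon's code: a small flow-record detector that applies the LanFilter rule (local-to-local traffic ignored), the Standard and MSPPTP switches, and the ConnectionLength/Transferred thresholds for PPTP sessions. The port/protocol table and the sample flows are constructed assumptions, not the product's signature list.

```python
import ipaddress
from collections import namedtuple

# Port/protocol pairs the basic detection matches (assumed table; the page names
# PPTP, IKE and OpenVPN on standard ports but does not list the product's own).
SIGNATURES = {
    ("tcp", 1723): "MSPPTP",  # PPTP control channel
    ("udp", 500): "IPSec",    # IKE
    ("udp", 4500): "IPSec",   # IKE with NAT traversal
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
}

Flow = namedtuple("Flow", "src dst proto dport bytes duration_s")  # one flow record

# Keys mirror the method's parameters: ConnectionLength in seconds, Transferred in bytes.
DEFAULT_CONFIG = {
    "LanFilter": ["10.0.0.0/8"],
    "Standard": True,
    "MSPPTP": True,
    "ConnectionLength": 60,
    "Transferred": 1024 ** 2,
}

def detect(flows, cfg=DEFAULT_CONFIG):
    nets = [ipaddress.ip_network(c) for c in cfg["LanFilter"]]
    local = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    events = []
    for f in flows:
        if local(f.src) and local(f.dst):
            continue  # traffic between local devices is ignored (LanFilter)
        sub = SIGNATURES.get((f.proto, f.dport))
        enabled = cfg["MSPPTP"] if sub == "MSPPTP" else cfg["Standard"]
        if sub is None or not enabled:
            continue  # unknown pair, or the relevant submethod is switched off
        if sub == "MSPPTP" and (f.duration_s < cfg["ConnectionLength"]
                                or f.bytes < cfg["Transferred"]):
            continue  # a PPTP session is reported only once both thresholds are met
        events.append((sub, f.src, f.dst))
    return events

# Constructed sample flows, not captured traffic.
SAMPLE = [
    Flow("10.0.0.5", "10.0.0.9", "tcp", 1723, 5_000_000, 600),    # LAN-to-LAN: ignored
    Flow("10.0.0.5", "203.0.113.7", "tcp", 1723, 4_096, 5),        # short PPTP attempt: under thresholds
    Flow("10.0.0.5", "203.0.113.7", "tcp", 1723, 5_000_000, 600),  # long PPTP session: reported
    Flow("10.0.0.8", "198.51.100.2", "udp", 1194, 120_000, 30),    # OpenVPN: reported
    Flow("10.0.0.8", "198.51.100.2", "tcp", 443, 120_000, 30),     # plain HTTPS: no signature
]
```

Running `detect(SAMPLE)` reports only the long PPTP session and the OpenVPN flow; lowering ConnectionLength and Transferred towards zero is what turns short probes into the false positives the interpretation section warns about.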
Assigned filter
The filter is used for restricting source IP addresses.
Interpretation of results
This method allows you to determine which devices in your network are using VPNs or tunnels. Basic detection is focused solely on pairs of port and protocol; if the method is wrongly configured, it can produce a large number of false positives. Advanced detection successfully detects general VPN traffic by which any of the stations communicate with the external network. VPN technology is intentionally used to bypass existing network policy or to access content that is actively blocked. It can also create a communication channel that cannot be controlled using the organization's standard security measures and thus put the network environment at risk.