
Flowmon ADS User Guide

VPN - VPN Traffic

  • Last Updated: April 5, 2026

Method description

This method detects VPN connections and tunnels using either behavior analysis or well-known ports and protocols. Basic detection, based on pairs of ports and protocols, is used for detecting Microsoft PPTP, IKE Key Exchange, or OpenVPN traffic on standard ports. The behavior analysis detects general VPN traffic to external servers. The LanFilter parameter specifies the local network. The other parameters (MinimalTime and MinimalData) define the minimum duration of a connection with the external VPN server and the minimum amount of transferred data. In the case of Microsoft PPTP, it is possible to set a minimum length of the VPN connection in seconds and a minimum amount of transferred data in MiB.

This method consists of the following submethods:

  • OpenVPN: Reports the usage of the OpenVPN tunnel.

  • BehavioralDetection: Reports the usage of a VPN tunnel using the advanced behavioral analysis of network traffic generated by devices in the monitored network.

  • MSPPTP: Reports the usage of obsolete MS PPTP protocol that is used to implement virtual private networks.

  • IPSec: Reports devices that use the IPSec tunnel.

  • InternetTunnel: Reports the usage of known implementations of Internet tunnels. The detection is based on the list of default ports that applications use.

  • Hamachi: Reports the usage of the Hamachi VPN service.

Method configuration

It is recommended to apply this method for explicitly selected IP addresses of an organization whose traffic structure is known or expected. The right place for traffic monitoring is the Internet connection line.

Method parameters

BehavioralDetection

  • MinimalData: Threshold for the minimum amount of transferred data (in MiB).

  • MinimalTime: Threshold for the minimum duration of the VPN connection.

  • LanFilter: Name of the filter that defines the IP addresses in the local network. The communication between the devices in the local network is ignored within the detection.

MSPPTP

  • ConnectionLength: Threshold for the minimal duration of the MSPPTP VPN connection (in seconds).

  • Transferred: Minimal amount of transferred data using the MSPPTP protocol (in bytes).
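The sketch below is an added illustration of how these parameters shape the results; it is not Flowmon's implementation. It assumes a hypothetical flow-record layout, made-up threshold defaults, MinimalTime in seconds, and a behavioral rule reduced to "long-lived, high-volume session from a local host to one external server port".

```python
import ipaddress
from collections import defaultdict

# IANA default (IP protocol, destination port) pairs; 6 = TCP, 17 = UDP.
KNOWN = {
    (6, 1723): "MSPPTP",   # PPTP control channel
    (17, 500): "IKE",      # IKE key exchange
    (17, 1194): "OpenVPN",
    (6, 1194): "OpenVPN",
}

def in_lan(ip, lan_filter):
    return any(ipaddress.ip_address(ip) in net for net in lan_filter)

def detect(flows, lan_filter, minimal_time=600, minimal_data_mib=10,
           connection_length=60, transferred=1_000_000):
    """Return sorted (src, dst, submethod) tuples. Threshold defaults are made up."""
    events = set()
    sessions = defaultdict(lambda: [float("inf"), 0, 0])  # first start, last end, bytes
    for f in flows:
        # LanFilter: keep only local -> external traffic.
        if not in_lan(f["src"], lan_filter) or in_lan(f["dst"], lan_filter):
            continue
        label = KNOWN.get((f["proto"], f["dport"]))
        if label == "MSPPTP":
            # ConnectionLength (seconds) and Transferred (bytes, per the parameter list).
            if f["end"] - f["start"] >= connection_length and f["bytes"] >= transferred:
                events.add((f["src"], f["dst"], label))
        elif label:
            events.add((f["src"], f["dst"], label))
        else:
            # Exporters split long connections into several records; re-join them.
            s = sessions[(f["src"], f["dst"], f["proto"], f["dport"])]
            s[0], s[1], s[2] = min(s[0], f["start"]), max(s[1], f["end"]), s[2] + f["bytes"]
    for (src, dst, _, _), (first, last, nbytes) in sessions.items():
        # MinimalTime (assumed seconds) and MinimalData (MiB) must both be met.
        if last - first >= minimal_time and nbytes >= minimal_data_mib * 2**20:
            events.add((src, dst, "BehavioralDetection"))
    return sorted(events)

LAN = [ipaddress.ip_network("10.0.0.0/8")]  # stands in for the LanFilter
MIB = 2**20
# Constructed flow records (documentation address ranges); times in seconds.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "proto": 17, "dport": 1194, "start": 0, "end": 30, "bytes": 5000},
    {"src": "10.0.0.6", "dst": "10.0.0.7", "proto": 17, "dport": 500, "start": 0, "end": 10, "bytes": 900},
    {"src": "10.0.0.8", "dst": "198.51.100.20", "proto": 6, "dport": 443, "start": 0, "end": 300, "bytes": 8 * MIB},
    {"src": "10.0.0.8", "dst": "198.51.100.20", "proto": 6, "dport": 443, "start": 300, "end": 900, "bytes": 8 * MIB},
    {"src": "10.0.0.9", "dst": "198.51.100.30", "proto": 6, "dport": 1723, "start": 0, "end": 20, "bytes": 500},
    {"src": "10.0.0.9", "dst": "192.0.2.40", "proto": 6, "dport": 443, "start": 0, "end": 5, "bytes": 2000},
]
```

In this simplified rule a long bulk download to a single server also meets both behavioral thresholds, which is one reason the thresholds and the monitored address range need tuning.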

Assigned filter

The filter is used for restricting source IP addresses.

Interpretation of results

This method allows you to determine which devices are using VPNs or tunnels in your network. Basic detection is focused solely on pairs of port and protocol. If the method is incorrectly configured, it can produce a large number of false positives. Behavioral detection successfully detects general VPN traffic, by which all stations communicate with the external network. VPN technology is used intentionally to bypass existing network policy or to access content that is actively blocked. It can also create a communication channel that cannot be controlled using standard security measures within the organization and thus puts the network environment at risk.
