Your VPN access logs show only valid authentications. How would you know that one of the open connections is being used as a conduit between a development team in China and your employee—who has subcontracted his software development work at a fifth of his salary?


In the actual case, the employee at a US firm FedExed his RSA token to the team in China. The Chinese team logged in with the employee's credentials and security token, depositing completed work into directories on the employee's workstation. The arrangement continued for as long as two years before an IT audit found anomalies in the VPN logs and enlisted the help of the long-haul carrier to determine the details of the data pipeline to China.


Performing a Rolling Audit of Aberrant VPN Connections

Many companies that set up VPNs do so to support work schedule flexibility among employees in multiple geographical regions. An employee can more easily participate in late-night collaboration with team members in other time zones if he can access company network resources from a home office.


Expecting a particular pattern of regional access through a VPN allows an IT team to set up monitoring that flags anomalies. An effective monitoring system would notice when access to the VPN occurs from a region outside expectations and send an appropriate alert.


The monitoring system needs flexible logic for defining what access violates expectations. SolarWinds Network Performance Monitor, for example, besides monitoring the VPN node and polling via SNMP for status, includes a separate Alert Manager application that accepts syslog data as input and supports regular expression statements that would allow you to define alerts that trigger if a VPN connection is opened from IP blocks different from the ones corresponding to the regions where your company has offices. Based on the alerts, you could use a WHOIS lookup at a registry such as ARIN to investigate the source of suspect IP addresses. In some cases, the errant IPs might belong to diligent employees on vacation, in which case the connection activity would be short-lived. The point is to get the earliest possible warning of activity that turns out to pose a real threat to your network.
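The rule the paragraph describes can be expressed without a commercial product: match VPN login syslog lines with a regular expression, test the source address against the blocks where the company has offices, and separate a one-off vacation login from sustained out-of-region access. The following is an added example, not code from the original page or from SolarWinds; the log format, the `vpnd` program name, the user names and the address blocks are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN login records (hypothetical syslog format, not from a real device).
SAMPLE_LOG = """\
Mar 01 08:02:11 vpn1 vpnd: user=jdoe src=198.51.100.23 event=login
Mar 01 09:15:40 vpn1 vpnd: user=asmith src=203.0.113.77 event=login
Mar 02 08:05:02 vpn1 vpnd: user=asmith src=203.0.113.77 event=login
Mar 03 08:01:55 vpn1 vpnd: user=asmith src=203.0.113.78 event=login
Mar 04 22:30:00 vpn1 vpnd: user=bwong src=192.0.2.9 event=login
"""

# Hypothetical address blocks covering the regions where the company has offices.
EXPECTED_BLOCKS = [ipaddress.ip_network(b) for b in ("198.51.100.0/24", "192.0.2.0/24")]

# Regex for the constructed log format; a real concentrator's format will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ vpnd: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) event=login$"
)


def is_expected(ip_str):
    """True if the source address falls inside one of the expected office blocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in EXPECTED_BLOCKS)


def find_anomalies(log_text):
    """Map each user to the (timestamp, source) pairs of logins from outside expected blocks."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and not is_expected(m["src"]):
            hits[m["user"]].append((m["ts"], m["src"]))
    return dict(hits)


def sustained_anomalies(anomalies, min_distinct_days=2):
    """Users whose out-of-region logins recur on at least min_distinct_days distinct days.

    A vacationing employee produces a short burst; a standing arrangement like the
    one in the case above keeps recurring day after day, which is what this isolates.
    """
    result = {}
    for user, events in anomalies.items():
        days = {ts[:6] for ts, _ in events}  # "Mar 01" style day key from the timestamp
        if len(days) >= min_distinct_days:
            result[user] = sorted(days)
    return result
```

Every flagged address still needs a WHOIS lookup before anyone draws a conclusion; the code only narrows the list worth investigating.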