VPN monitoring is something every network and security engineer should be familiar with. It is often used for checking in on users or making sure their business critical applications are working properly. But in recent years, security teams have taken a much more granular approach when looking at this information since a lot of data breaches have been traced back to improper VPN access controls. This blog will cover how to keep a close eye on this type of traffic and get alerted proactively when odd behaviors are seen.

VPN IPFIX Exports:

Many VPN vendors have implemented NetFlow, IPFIX, or another form of metadata exports we can integrate with. Some of the major vendors/solutions doing this are listed below (this is by no means a complete list – please reach out to the Plixer team with questions!).

  • Palo Alto
  • Cisco ASA
  • SonicWALL
  • Juniper
  • CounterACT
  • Microsoft Active Directory

By collecting from these vendors, we can get insight into which users have logged in, what resources they have touched, and what applications they have used. Take the image below, which shows my VPN traffic from when I was working remotely (obfuscated critical resources). I can very easily see when I logged into the network (x-axis on the graph) and exactly what resources I touched.

VPN monitoring with Scrutinizer

Notice the filter on the far left for my username. The best part about this reporting is that we never need to remember IP addresses; we just need the username that is used for access, which is much easier to find or remember.

Proactive VPN Monitoring:

Now that we have our VPN device configured for NetFlow/IPFIX, it’s time to create some thresholds or reports to make sure that our vendors are only accessing what they need. We can very easily define authorized/unauthorized zones through our IP Groups. See the example below that I have set up for the particular server IPs that the vendor should be accessing. Once I take a look at the report with the particular vendor, I’ll be able to see if there are any other groups they are accessing (this is made even easier through our various IPAM integrations).

IP Group rules

You can now see from the image below that the user in question (jakeb) has only accessed the Authorized Zones group we created!

Monitoring IP Groups a user has accessed

Future of VPN Monitoring:

Since networks are getting larger and VPN access is becoming more and more prevalent, even in smaller networks, the need to monitor this traffic is becoming a necessity. Take the quote below, which is from 2013:

“For example, 63 percent of the 450 data breaches studied in the 2013 Trustwave Global Security Report were “linked to a third-party component of IT system administrators,” meaning a third-party introduced security deficiencies easily exploited by hackers.” – Wired

Even though the quote is 4 years old, I think it is still extremely relevant given the latest data breaches. It shows that even back then, network/security engineers had to stay vigilant on who accessed their network. Using NetFlow/IPFIX and other forms of metadata will help shed light on suspicious traffic and problem users for you and your team. If you have questions or need help policing this traffic, feel free to reach out to our team here!



Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.