In a previous article, we briefly explained what a VPN is and how we used our network traffic monitor for Cisco ASA VPN reporting. In this post, I’ll explain how you can get VPN traffic monitoring for the individual users on your VPN.

If you have remote users, you most likely have those users connect to your network through a Virtual Private Network (VPN). A VPN is an extension of a private network that uses different types of encryption so remote users can log into a private network safely and securely over the internet and still have access to all of the resources that they would have if they were connected locally. How, though, do you know what your users are doing once they are connected? Are they using too much bandwidth? Are they connecting to non-work-related sites?

To show you how you can get these details, I have set up a lab environment where users connect to a Cisco ASA for the VPN and all traffic on the network goes through the SonicWALL firewall. If I look at the Cisco ASA reports in our monitoring solution, I can see that there is a Cisco ASA Users report. By selecting this report, I can see the users connected through the VPN.

asa-users

After selecting a user, select the Cisco ASA report “NAT >> Destination Details”. Doing so will let us see what internal address the user received when they connected to the VPN. In the case of justinj (that’s me), the internal IP is 10.2.1.75.

nat_address_cisco_vpn

Now if we go to the SonicWALL firewall, we can search for the traffic coming from this IP address and see the external (Internet) traffic that the individual user had.

user_traffic

In the above image, I selected just the SonicWALL WAN interface (so I am purposefully excluding the LAN traffic). I then specified the IP address that we identified as justinj’s IP. Having done this, I can now see the traffic that justinj is generating. Additionally, since I know the IP address of the VPN user, I can now run additional reports to discover more details. For example, the SonicWALL can provide URL details, which will let me see the specific web addresses the user went to.
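The same correlation can be scripted. The following is an added example, not code from the monitoring product: it attributes WAN flows to VPN users by assigned address and bounds each match by the session's time window, because addresses from a VPN pool are handed to different users over time. The record layout, the users other than justinj, and all sample values are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Field layout is an assumption for this example,
# not a Cisco ASA or SonicWALL export format.
# VPN sessions: (user, assigned internal IP, start, end)
VPN_SESSIONS = [
    ("justinj", "10.2.1.75", "2024-01-10T09:00:00", "2024-01-10T12:00:00"),
    ("asmith", "10.2.1.76", "2024-01-10T09:30:00", "2024-01-10T17:00:00"),
    ("mlee", "10.2.1.75", "2024-01-10T13:00:00", "2024-01-10T15:00:00"),  # address reused
]
# Firewall flows: (timestamp, interface, source IP, destination IP, bytes)
FLOWS = [
    ("2024-01-10T09:15:00", "WAN", "10.2.1.75", "203.0.113.10", 120_000),
    ("2024-01-10T10:40:00", "WAN", "10.2.1.75", "198.51.100.7", 880_000),
    ("2024-01-10T10:45:00", "LAN", "10.2.1.75", "10.2.0.5", 50_000),  # not WAN
    ("2024-01-10T11:00:00", "WAN", "10.2.1.76", "198.51.100.7", 40_000),
    ("2024-01-10T12:30:00", "WAN", "10.2.1.75", "192.0.2.44", 9_000),  # no session
    ("2024-01-10T13:20:00", "WAN", "10.2.1.75", "203.0.113.10", 300_000),
]

def user_for(ip, when, sessions):
    """Return the user whose VPN session held `ip` at time `when`, else None."""
    for user, addr, start, end in sessions:
        if addr == ip and datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return user
    return None

def wan_bytes_by_user(flows, sessions, interface="WAN"):
    """Sum bytes per user and destination for flows seen on `interface`.

    Flows whose source IP had no active VPN session are counted separately
    instead of being charged to whoever last held the address.
    """
    totals = defaultdict(lambda: defaultdict(int))
    unattributed = 0
    for ts, iface, src, dst, nbytes in flows:
        if iface != interface:
            continue
        user = user_for(src, datetime.fromisoformat(ts), sessions)
        if user is None:
            unattributed += nbytes
        else:
            totals[user][dst] += nbytes
    return {u: dict(d) for u, d in totals.items()}, unattributed

if __name__ == "__main__":
    per_user, unattributed = wan_bytes_by_user(FLOWS, VPN_SESSIONS)
    for user, dests in sorted(per_user.items()):
        print(user, dests)
    print("unattributed bytes:", unattributed)
```

A non-zero unattributed total means traffic came from a pool address while no session was recorded for it, which is worth checking against the session data before drawing conclusions about any user.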

Being able to see the traffic of your remote users gives you better visibility into whether they’re doing work-related activity while connected to the VPN. In turn, this helps you reduce bandwidth use on your network and prevent unnecessary traffic.

Now, since all networks are different, if you need any help getting these details on your network, call our tech support team and they will help you get the visibility you want with VPN traffic monitoring.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.
