SlideShare a Scribd company logo

VPN Monitoring Security Use Case Guide version 1.1

P
Protect724manoj

This document provides instructions for installing and configuring an HPE ArcSight ESM VPN Monitoring use case. It describes importing and installing the necessary packages, assigning user permissions, and required configuration. The use case includes a dashboard, active channel, and reports for monitoring VPN login activity and investigating VPN events. It allows monitoring of statistical information about access to critical network assets to detect security threats related to VPN usage.

Software
1 of 19
Downloaded 18 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
HPE Security ArcSight ESM: VPN Monitoring Software Version: 1.1 Security Use Case Guide April 3, 2017
Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2016 Hewlett Packard Enterprise Development, LP Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026 Support Phone Alistof phone numbers is available on the HPE Security ArcSightTechnical Support Page: https://softwaresupport.hpe.com/documents/10180/14684/esp-support- contact-list Support Web Site https://softwaresupport.hpe.com Protect 724 Community https://www.protect724.hpe.com Contact Information Security Use Case Guide HPE ESM: VPN Monitoring 1.1 Page 2 of 19
Contents Chapter 1: Overview 4 Chapter 2: Installation 6 Importing and Installing a Package 7 Assigning User Permissions 8 Chapter 3: Configuration 9 Chapter 4: Using the VPN Monitoring Use Case 11 Monitoring VPN Login Activity in a Dashboard 12 Investigating VPN Events in an Active Channel 13 Running Reports 15 VPN Monitoring Rules 18 Send Documentation Feedback 19 HPE ESM: VPN Monitoring 1.1 Page 3 of 19
Chapter 1: Overview A Virtual Private Network (VPN) is the standard for extending your internal network to properly authorized users outside the normal network perimeter. There are potential security risks associated with any VPN implementation. The VPN Monitoring use case helps you monitor your VPN devices using statistical information about access to critical network assets. You can use this use case for sophisticated data analysis and correlation to detect and analyze security threats, such as network infiltration and data leakage. Use the resources in this use case for incident investigation as well as routine monitoring to detect suspicious, abnormal or malicious activity: l A dashboard is provided to show an overview of VPN login activity in real time. You can view the top ten users with the most login activity and the most failed logins, as well as all login results (attempted, successful, and failed) and the last ten failed and the last ten successful login events. l An active channel is provided so that you can investigate all VPN events received within the last ten minutes. l Several reports provide charts and tables showing historical information about the top VPN events, event sources, event destinations, and the top users by average session length. Other reports show the number of VPN connections for each user, and VPN connection attempts and failures. You can access the VPN Monitoring use case from the Use Cases tab of the ArcSight Console Navigator panel. The Monitor section of the use case lists the dashboard, active channel, and reports used to monitor traffic and investigate events. The Library section of the use case lists all supporting resources that help compile information in the dashboard, active channel, and reports. The use case also provides a configuration wizard that guides you through required configuration. HPE ESM: VPN Monitoring 1.1 Page 4 of 19
The VPN Monitoring use case is shown below. This document describes how to install, configure, and use the VPN Monitoring use case and is designed for security professionals who have a basic understanding of ArcSight ESM and are familiar with the ArcSight Console. For detailed information about using ArcSightESM, see the ArcSight ESM help system from the ArcSight Console Help menu. Find PDFs of all ArcSight documentation on Protect 724. Security Use Case Guide Chapter 1: Overview HPE ESM: VPN Monitoring 1.1 Page 5 of 19
Chapter 2: Installation To install the VPN Monitoring use case, perform the following tasks in the following sequence: 1. Download the VPN Monitoring use case zip file into the ArcSight Console system where you plan to install the use case, then extract the zip file. 2. Log into the ArcSight Console as administrator. Note: During the package installation process, do not use the same administrator account to start another Console or Command Center session simultaneously. This login is locked until the package installation is completed. 3. Verify if you have a previous version of the use case package you want to install. If so, uninstall and delete this previous version: a. On the Packages tab of the Navigator panel, right-click the package and select Uninstall Package. The package icon is gray when it is uninstalled. b. Right-click the package and select Delete Package. 4. On the Packages tab, verify if Downloads Groups is already installed. If you see packages in /All Packages/Downloads/Downloads Groups, then ignore this step. If the Downloads Groups package is not present, import and install the Downloads_Groups_1.0.arb package. See "Importing and Installing a Package" on the next page for details. 5. Import and install the VPN Monitoring use case package. See "Importing and Installing a Package" on the next page for details. 6. Assign user permissions to the VPN Monitoring resources. See "Assigning User Permissions" on page 8 for details. HPE ESM: VPN Monitoring 1.1 Page 6 of 19
Importing and Installing a Package Follow the steps below to import and install the package(s). This assumes you have downloaded the zip file and extracted the contents into the ArcSight Console system. l If the ArcSight Console does not have the Downloads Groups package in /All Packages/Downloads/Downloads Groups, import and install the package first. Then repeat the steps to import and install the VPN Monitoring use case package. Note: The Downloads Groups package contains the groups used by the resources in the security use case; you must import and install this package first. l If the Downloads Groups package is already installed, follow the steps to import and install the VPN Monitoring use case package only. To import and install a package: 1. Log into the ArcSight Console as administrator. In the Navigator panel, click the Packages tab. 2. Click Import. 3. In the Open dialog, browse and select the package file (*.arb) you want to import, then click Open. The Importing Packages dialog shows how the package import is being verified for any resource conflicts. 4. In the Packages for Installation dialog, make sure that the check box is selected next to the name of the package you want to install and click Next. The Progress tab shows how the installation is progressing. When the installation is complete, the Results tab displays the summary report. 5. In the Installing Packages dialog, click OK. In the Importing Packages dialog, click OK. 6. On the Packages tab of the Navigator panel, expand the package group in /All Packages/Downloads/ to verify that the package group is populated and that installation is successful. Security Use Case Guide Chapter 2: Installation HPE ESM: VPN Monitoring 1.1 Page 7 of 19
Assigning User Permissions By default, users in the Administrators and Default User Groups/Analyzer Administrators user groups can view and edit the resources. Users in the Default User Groups (and any custom user group under this group) can only view VPN Monitoring resources. Depending on how you set up user access controls within your organization, you might need to adjust those controls to make sure the resources are accessible to the right users. Note: By default, the Default User Groups/Analyzer Administrators user group does not have edit permissions for archived reports in the Downloads group. The following procedure assumes that you have logged into the ArcSight Console as administrator, and that you have set up the required user groups with the right users. To assign user permissions: 1. In the Navigator panel, open the Resources tab. 2. For each of the resource types provided in the use case, navigate to Downloads/VPN Monitoring. 3. Right-click the VPN Monitoring group and select Edit Access Control to open the ACL editor in the Inspect/Edit panel. 4. Select the user groups for which you want to grant permissions and click OK. Security Use Case Guide Chapter 2: Installation HPE ESM: VPN Monitoring 1.1 Page 8 of 19
Chapter 3: Configuration Before configuring the use case, make sure that you have populated your ESM network model. A network model keeps track of the network nodes participating in the event traffic. For information about populating the network model, refer to the ArcSight Console User’s Guide. The VPN Monitoring use case requires the following configuration for your environment: l Install the appropriate ArcSight SmartConnectors to receive relevant events. For example, to receive relevant events from Cisco VPN devices, install the SmartConnector for Cisco VPN Syslog. l Manually categorize all internal assets (assets inside the company network), or the zones to which the assets belong, with the Protected asset category (located in /All Asset Categories/Site Asset Categories/Address Spaces/Protected). Assets that are not categorized as internal to the network are considered to be external. Make sure that you also categorize assets that have public addresses but are controlled by the organization (such as Web servers) as Protected. A configuration wizard is provided to guide you through some of the required configuration. Follow the procedure below. Note: You must categorize assets internal to the network manually; the procedure is not part of the configuration wizard. For information about categorizing assets, see the ArcSight Console User's Guide. To configure the VPN Monitoring use case: 1. In the Navigator panel, click the Use Cases tab. 2. Browse for the VPN Monitoring use case located in /All Use Cases/Downloads/VPN Monitoring. 3. Open the VPN Monitoring use case : either double-click the use case or right-click the use case and select Open Use Case. The VPN Monitoring use case lists all the resources used for monitoring VPN activity. HPE ESM: VPN Monitoring 1.1 Page 9 of 19
4. Click the Configure button to open the configuration wizard. 5. Click Next to follow the configuration steps. After you configure the VPN Monitoring use case, you are ready to monitor your VPN devices. See "Using the VPN Monitoring Use Case" on page 11. Security Use Case Guide Chapter 3: Configuration HPE ESM: VPN Monitoring 1.1 Page 10 of 19
Chapter 4: Using the VPN Monitoring Use Case The VPN Monitoring use case is located on the Use Cases tab in the Navigator panel under /All Use Cases/Downloads/VPN Monitoring. To open the VPN Monitoring use case in the Viewer panel, either double-click the use case or right-click the use case and select Open Use Case. The Monitor section of the VPN Monitoring use case provides resources to help you monitor and investigate VPN-related activity: l Use the dashboard to monitor all VPN login activity in real time. See "Monitoring VPN Login Activity in a Dashboard" on the next page. l Use the active channel to investigate all VPN events. See "Investigating VPN Events in an Active Channel" on page 13. l Run reports that show the top VPN events, event sources, event destinations, and users by average session length. The reports also show the number of VPN connections for each user, and VPN connection attempts and failures. See "Running Reports" on page 15. The Library section of the VPN Monitoring use case lists all supporting resources that help compile information in the dashboard, active channel, and reports and includes rules that generate correlated events when triggered. The rules are described in "VPN Monitoring Rules" on page 18. HPE ESM: VPN Monitoring 1.1 Page 11 of 19
Monitoring VPN Login Activity in a Dashboard The VPN Monitoring use case provides a dashboard to help you monitor VPN login activity in real time. Use the information in the dashboard to look for patterns of use or misuse, or any unusual activity that might indicate potential security concerns. To open the dashboard, click the link for the VPN Login Overview dashboard in the VPN Monitoring use case. The dashboard opens in the Viewer panel of the ArcSight Console and displays these data monitors: l Top Users by Login Activity displays a pie chart showing the top ten users with the most VPN login activity within the last 60 minutes. Investigate any unusual or excessive login activity by a user as this might indicate a potential security concern. For example, an excessive number of logins by a particular user might indicate that a brute force attack is in progress. l Login Results displays a pie chart showing the number of VPN login attempts, successes, and failures within the last 60 minutes. Examine this data monitor for unusual patterns that might indicate that an attack is being attempted. l Top 10 Users With Failed Logins shows the ten users with the highest number of failed VPN logins within the last 60 minutes. This information is very useful to determine if somebody is trying to compromise your network through your VPN device. Investigate repeated or abnormal failed connections as they might indicate potential attacks. l Last 10 Successful Login Events shows information about the last ten successful logins to a VPN device. You can see the VPN user name, source, destination, and zone information. Watch this activity for any unusual behavior. l Last 10 Failed Login Events shows details about the last ten VPN logins that failed. You can see the VPN user name, the source, destination, and zone information. Investigate multiple failed VPN logins from the same user as this might indicate malicious activity. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 12 of 19
An example VPN Login Overview dashboard is shown below. Right-click on an item in a data monitor and select Investigate > Create Channel to open an active channel and investigate events further. For example, right-click on a user name in the Top Users by Login Activity data monitor and select Investigate > Create Channel to open an active channel and investigate the user to obtain details, such as the source IP address and the destination IP address. In the active channel, you can also: l Create an inline filter to focus on events of interest; for example, you can filter on a specific user name or source address. For detailed information about using inline filters, see the ArcSight Console User's Guide. l Double-click on an event in the active channel to open the event inspector and see details about the event. Investigating VPN Events in an Active Channel The VPN Monitoring active channel shows all VPN events received within the last ten minutes. Observing and understanding VPN events is essential to the security of your environment and can help you prevent malicious activity and mitigate significant security risks. To open the active channel, click the VPN Events link in the VPN Monitoring use case. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 13 of 19
The VPN Events active channel opens in the Viewer panel. An example VPN Events active channel is shown below. Examine these events to spot any unusual patterns involving VPN user logins, and start and terminate VPN sessions. Be sure to investigate events with an ESM priority higher than 7 as this might represent a potential risk to your network. The priority of an event is listed in the Priority column on the far right of the active channel display. You might have to scroll to see the Priority column. Right-click an item (such as IP address) and select Show Event Details to see detailed information about the event. You can also create an inline filter to display events from a specific item. See the ArcSight Console User's Guide's topic on using active channels for information about menu options and inline filters. Note: The events displayed in an active channel do not refresh automatically at ten-minute Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 14 of 19
intervals. To refresh the view, click the Stop and Replay channel controls in the toolbar. Depending on your environment, ESM load, and specific investigation needs, you can configure an active channel to use continuous, automatic channel refresh: Right-click the link for the active channel in the use case and select Edit Active Channel. From the Time Parameters drop-down on the Attributes tab of the Inspect/Edit panel, select Continuously evaluate. Note: In a high EPS environment, you might see performance issues if you scroll down to try and view all the events in the active channel. Running Reports The VPN Monitoring use case provides several reports that you can run to obtain a historical view of your VPN activity graphically in a table or a chart. You can provide these reports to the stakeholders in your company. The reports use VPN device activity information provided by the VPN Connections trend, which runs every day using the VPN Connections - Trend Base query. By default, the reports use data from the previous day. You can change the start and end time of the report for longer- or shorter-term analysis when you run the report. To run a report: 1. Click the link for the report in the VPN Monitoring use case. 2. In the Report Parameters dialog, set the parameters, then click OK. For example, you can change the report format from HTML (the default) to pdf, csv, xls, or rtf, change the page size, and update the report start and end time. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 15 of 19
3. For formats other than HTML, either open the report or save the report to your computer when prompted. The VPN Monitoring use case provides the following reports: l Users by Connection Count shows information about the number of VPN connections for each user. A summary of the users with the most connections is provided. Details of the connections for each user are also provided, including the number of connections and the systems accessed. l Top Users by Average Session Length shows duration information about VPN sessions for each user. A summary of the top VPN connection duration by user is provided. Details of the connection duration for each user are also provided, including minimum, average, maximum, and total connection minutes. Also provided are details about sessions that are currently active at the time the report is run. l Top VPN Event Destinations provides a table showing the IP address, hostname and zone for the top destinations in VPN events, sorted by the number of connections per destination. l VPN Connection Attempts provides a table showing event information where VPN access did not result in failure. l Top VPN Event Sources provides a table showing the IP address, hostname, and zone for the top sources in VPN events, sorted by the number of connections per source. l Top VPN Events provides a table showing the top VPN events (modification events are not included). The table provides the event name, and the source and destination IP address and zone. l VPN Connection Failures provides a table showing information about failed VPN connections. The information includes the VPN user name, source and destination IP address and zone, the VPN device IP address and zone, and the number of failed connections. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 16 of 19
An example chart from the Top Users by Average Session Length report is shown below. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 17 of 19
VPN Monitoring Rules The VPN Monitoring use case provides two rules, described below. The rules are deployed in the Real- time Rules group on the Resources tab of the Navigator panel (/All Rules/Real-time Rules/Downloads/Network Monitoring/VPN Monitoring) and enabled by default. The rules trigger when events match one or more set of conditions, at which point a correlation event is generated. A correlation event is displayed in an active channel with the flash icon . Correlation events are fed back into the event life cycle at the ArcSight Manager and are evaluated by both the ArcSight Manager and by the correlation processes. For more information about rule triggering and correlation events, see the ArcSight Console User's Guide. l User VPN Session Started This rule triggers when a VPN user session start event is detected. The rule then creates a new VPN session in the User VPN Sessions and VPN Session by Source IP session lists. This rule supports Cisco VPN products, the Nokia's Security Platform product, and Nortel's VPN product. l User VPN Session Stopped This rule triggers when a VPN user session terminate event is detected. The rule then terminates the VPN session in the User VPN Sessions and VPN Session by Source IP session lists.This rule supports Cisco VPN products, the Nokia's Security Platform product, and Nortel's VPN product. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 18 of 19
Send Documentation Feedback If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line: Feedback on Security Use Case Guide (ESM: VPN Monitoring 1.1) Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to arc-doc@hpe.com. We appreciate your feedback! HPE ESM: VPN Monitoring 1.1 Page 19 of 19

More Related Content

PDF
Suspicious Outbound Traffic Monitoring Security Use Case Guide
Protect724manoj
 
PDF
Anomalous Traffic Detection Security Use Case Guide
Protect724manoj
 
PDF
IDS - IPS Monitoring Security Use Case Guide
Protect724manoj
 
PDF
Reconnaissance Security Use Case
Protect724manoj
 
PDF
Antivirus Monitoring Security Use Case Guide
Protect724manoj
 
PDF
Brute Force Attack Security Use Case Guide
Protect724manoj
 
PPTX
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
Dsunte Wilson
 
PPTX
SYMANTEC ENDPOINT PROTECTION Configuring Replication and Failover and Load Ba...
Dsunte Wilson
 
Suspicious Outbound Traffic Monitoring Security Use Case Guide
Protect724manoj
 
Anomalous Traffic Detection Security Use Case Guide
Protect724manoj
 
IDS - IPS Monitoring Security Use Case Guide
Protect724manoj
 
Reconnaissance Security Use Case
Protect724manoj
 
Antivirus Monitoring Security Use Case Guide
Protect724manoj
 
Brute Force Attack Security Use Case Guide
Protect724manoj
 
SYMANTEC ENDPOINT PROTECTION Performing Server and Database Management
Dsunte Wilson
 
SYMANTEC ENDPOINT PROTECTION Configuring Replication and Failover and Load Ba...
Dsunte Wilson
 

What's hot (20)

PDF
HPE ArcSight RepSM Plus 1.6 Solution Guide
protect724rkeer
 
PPTX
Mcafee Epolicy Orchestrator
MindRiver Group
 
PPTX
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
Dsunte Wilson
 
PPT
Symantec Endpoint Protection 12.1 RU6 MP6
Sarah Isaacs
 
PPTX
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
Dsunte Wilson
 
PDF
How to monitor ESX/ESXi servers
Egnyte
 
DOCX
Deployment websese
thanglx
 
PDF
ArcSight Logger Forwarding Connector for HP Operations Manager
Protect724manoj
 
PPTX
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
AlienVault
 
PDF
Deployment Guide for Risk_Insight 1.1
Protect724gopi
 
PDF
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
protect724rkeer
 
PDF
Vulnerability Assessment Report
Harshit Singh Bhatia
 
PDF
How to monitor .Net Framework
Egnyte
 
RTF
qwe
Ako Red
 
PDF
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara
 
DOCX
Five ways to Securing and Hardening your Windows 10 system
Femi Baiyekusi
 
ODP
Pen test methodology
Cahyo Darujati
 
PPTX
Whats New in OSSIM v2.3?
AlienVault
 
PPTX
OSSIM User Training: Get Improved Security Visibility with OSSIM
AlienVault
 
RTF
License
vandu24
 
HPE ArcSight RepSM Plus 1.6 Solution Guide
protect724rkeer
 
Mcafee Epolicy Orchestrator
MindRiver Group
 
SYMANTEC ENDPOINT PROTECTION Advanced Monitoring and Reporting
Dsunte Wilson
 
Symantec Endpoint Protection 12.1 RU6 MP6
Sarah Isaacs
 
SYMANTEC ENDPOINT PROTECTION Interfacing the SEPM with Protection Center
Dsunte Wilson
 
How to monitor ESX/ESXi servers
Egnyte
 
Deployment websese
thanglx
 
ArcSight Logger Forwarding Connector for HP Operations Manager
Protect724manoj
 
OSSIM User Training: Detect and Respond to Threats More Quickly with OSSIM v4.5
AlienVault
 
Deployment Guide for Risk_Insight 1.1
Protect724gopi
 
ArcSight Model Import Connector for RepSM 7.1.7.7607.0 Configuration guide
protect724rkeer
 
Vulnerability Assessment Report
Harshit Singh Bhatia
 
How to monitor .Net Framework
Egnyte
 
qwe
Ako Red
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara
 
Five ways to Securing and Hardening your Windows 10 system
Femi Baiyekusi
 
Pen test methodology
Cahyo Darujati
 
Whats New in OSSIM v2.3?
AlienVault
 
OSSIM User Training: Get Improved Security Visibility with OSSIM
AlienVault
 
License
vandu24
 
Ad

Similar to VPN Monitoring Security Use Case Guide version 1.1 (20)

PDF
Firewall Monitoring 1.1 Security Use Case Guide
Protect724manoj
 
PDF
Intrusion Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
Netflow Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
Aruba cppm 6_1_user_guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
Avanan Platform.pdf
praveen830370
 
PDF
Risk Insight v1.0 Deployment Guide
Protect724gopi
 
PDF
ArcSight Express 4.0 Virtual Appliance Guide
Protect724v2
 
PDF
IPv6 Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
Workflow Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
Hpe man dp10.00_getting_started_pdf
KimHuu
 
PDF
Network Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
ESM5.6_SCG_NetFlow.pdf
Protect724v3
 
PDF
Upgrading ArcSight Express 3.0 to ArcSight Express 4.0
Protect724v2
 
PDF
Nipper-Users-Guide-2-13-0 pdf configuration step by step
truonggiang8101992
 
PDF
ArcSight Core, ArcSight Administration, and ArcSight System Standard Content ...
Protect724migration
 
PDF
Configuration Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
PDF
CIP for PCI 4.0 Release Notes for ArcSight Logger
protect724rkeer
 
PPTX
Monitoring of computers
carlosrudy_45
 
PDF
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Release Notes
Protect724manoj
 
PDF
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Protect724manoj
 
Firewall Monitoring 1.1 Security Use Case Guide
Protect724manoj
 
Intrusion Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
Netflow Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
Aruba cppm 6_1_user_guide
Aruba, a Hewlett Packard Enterprise company
 
Avanan Platform.pdf
praveen830370
 
Risk Insight v1.0 Deployment Guide
Protect724gopi
 
ArcSight Express 4.0 Virtual Appliance Guide
Protect724v2
 
IPv6 Standard Content Guide for ESM 6.8c
Protect724migration
 
Workflow Standard Content Guide for ESM 6.8c
Protect724migration
 
Hpe man dp10.00_getting_started_pdf
KimHuu
 
Network Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
ESM5.6_SCG_NetFlow.pdf
Protect724v3
 
Upgrading ArcSight Express 3.0 to ArcSight Express 4.0
Protect724v2
 
Nipper-Users-Guide-2-13-0 pdf configuration step by step
truonggiang8101992
 
ArcSight Core, ArcSight Administration, and ArcSight System Standard Content ...
Protect724migration
 
Configuration Monitoring Standard Content Guide for ESM 6.8c
Protect724migration
 
CIP for PCI 4.0 Release Notes for ArcSight Logger
protect724rkeer
 
Monitoring of computers
carlosrudy_45
 
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Release Notes
Protect724manoj
 
Logger Forwarding Connector for NNMi 7.3.0.7837.0 Configuration Guide
Protect724manoj
 
Ad

More from Protect724manoj (20)

PDF
ArcSight Forwarding Connector Configuration Guide
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP Operations Manager i
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP Network Node Manager i
Protect724manoj
 
PDF
Forwarding Connector Configuration Guide 5.1.7.6085
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP NNMi Configuration Guide 5.1.7.6081
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP OM Configuration Guide 5.1.7.6079
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP OMi Configuration Guide 5.1.7.6080
Protect724manoj
 
PDF
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
Protect724manoj
 
PDF
ArcSight Logger Forwarding Connector for HP NNMi 5.2.3.6287.0 Configuration G...
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE NNMi Release Notes 7.1.7.7609.0
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE NNMi Configuration Guide 7.1.7.7609.0
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE OM Release Notes 7.1.7.7611.0
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE OM Configuration Guide 7.1.7.7611.0
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE OMi Release Notes 7.1.7.7610
Protect724manoj
 
PDF
Logger Forwarding Connector for HPE OMi Configuration Guide 7.1.7.7610.0
Protect724manoj
 
PDF
Logger Forwarding Connector for OM 7.3.0.7838.0 Release Notes
Protect724manoj
 
PDF
Logger Forwarding Connector for OM 7.3.0.7838.0 Configuration Guide
Protect724manoj
 
PDF
Logger Forwarding Connector for OMi 7.3.0.7839.0 Release Notes
Protect724manoj
 
PDF
Logger Forwarding Connector for OMi 7.3.0.7839.0 Configuration Guide
Protect724manoj
 
PDF
HPE ArcSight ESM Support Matrix
Protect724manoj
 
ArcSight Forwarding Connector Configuration Guide
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP Operations Manager i
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP Network Node Manager i
Protect724manoj
 
Forwarding Connector Configuration Guide 5.1.7.6085
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP NNMi Configuration Guide 5.1.7.6081
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP OM Configuration Guide 5.1.7.6079
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP OMi Configuration Guide 5.1.7.6080
Protect724manoj
 
HP ArcSight Logger Forwarding Connector for HP NNMI Configuration Guide 5.2.1...
Protect724manoj
 
ArcSight Logger Forwarding Connector for HP NNMi 5.2.3.6287.0 Configuration G...
Protect724manoj
 
Logger Forwarding Connector for HPE NNMi Release Notes 7.1.7.7609.0
Protect724manoj
 
Logger Forwarding Connector for HPE NNMi Configuration Guide 7.1.7.7609.0
Protect724manoj
 
Logger Forwarding Connector for HPE OM Release Notes 7.1.7.7611.0
Protect724manoj
 
Logger Forwarding Connector for HPE OM Configuration Guide 7.1.7.7611.0
Protect724manoj
 
Logger Forwarding Connector for HPE OMi Release Notes 7.1.7.7610
Protect724manoj
 
Logger Forwarding Connector for HPE OMi Configuration Guide 7.1.7.7610.0
Protect724manoj
 
Logger Forwarding Connector for OM 7.3.0.7838.0 Release Notes
Protect724manoj
 
Logger Forwarding Connector for OM 7.3.0.7838.0 Configuration Guide
Protect724manoj
 
Logger Forwarding Connector for OMi 7.3.0.7839.0 Release Notes
Protect724manoj
 
Logger Forwarding Connector for OMi 7.3.0.7839.0 Configuration Guide
Protect724manoj
 
HPE ArcSight ESM Support Matrix
Protect724manoj
 

Recently uploaded (20)

PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
System and Network Administraation Chapter 3
jaramharo
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 

VPN Monitoring Security Use Case Guide version 1.1

  • 1. HPE Security ArcSight ESM: VPN Monitoring Software Version: 1.1 Security Use Case Guide April 3, 2017
  • 2. Legal Notices Warranty The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. The network information used in the examples in this document (including IP addresses and hostnames) is for illustration purposes only. HPE Security ArcSight products are highly flexible and function as you configure them. The accessibility, integrity, and confidentiality of your data is your responsibility. Implement a comprehensive security strategy and follow good security practices. This document is confidential. Restricted Rights Legend Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Copyright Notice © Copyright 2016 Hewlett Packard Enterprise Development, LP Follow this link to see a complete statement of copyrights and acknowledgements: https://www.protect724.hpe.com/docs/DOC-13026 Support Phone Alistof phone numbers is available on the HPE Security ArcSightTechnical Support Page: https://softwaresupport.hpe.com/documents/10180/14684/esp-support- contact-list Support Web Site https://softwaresupport.hpe.com Protect 724 Community https://www.protect724.hpe.com Contact Information Security Use Case Guide HPE ESM: VPN Monitoring 1.1 Page 2 of 19
  • 3. Contents Chapter 1: Overview 4 Chapter 2: Installation 6 Importing and Installing a Package 7 Assigning User Permissions 8 Chapter 3: Configuration 9 Chapter 4: Using the VPN Monitoring Use Case 11 Monitoring VPN Login Activity in a Dashboard 12 Investigating VPN Events in an Active Channel 13 Running Reports 15 VPN Monitoring Rules 18 Send Documentation Feedback 19 HPE ESM: VPN Monitoring 1.1 Page 3 of 19
  • 4. Chapter 1: Overview A Virtual Private Network (VPN) is the standard for extending your internal network to properly authorized users outside the normal network perimeter. There are potential security risks associated with any VPN implementation. The VPN Monitoring use case helps you monitor your VPN devices using statistical information about access to critical network assets. You can use this use case for sophisticated data analysis and correlation to detect and analyze security threats, such as network infiltration and data leakage. Use the resources in this use case for incident investigation as well as routine monitoring to detect suspicious, abnormal or malicious activity: l A dashboard is provided to show an overview of VPN login activity in real time. You can view the top ten users with the most login activity and the most failed logins, as well as all login results (attempted, successful, and failed) and the last ten failed and the last ten successful login events. l An active channel is provided so that you can investigate all VPN events received within the last ten minutes. l Several reports provide charts and tables showing historical information about the top VPN events, event sources, event destinations, and the top users by average session length. Other reports show the number of VPN connections for each user, and VPN connection attempts and failures. You can access the VPN Monitoring use case from the Use Cases tab of the ArcSight Console Navigator panel. The Monitor section of the use case lists the dashboard, active channel, and reports used to monitor traffic and investigate events. The Library section of the use case lists all supporting resources that help compile information in the dashboard, active channel, and reports. The use case also provides a configuration wizard that guides you through required configuration. HPE ESM: VPN Monitoring 1.1 Page 4 of 19
  • 5. The VPN Monitoring use case is shown below. This document describes how to install, configure, and use the VPN Monitoring use case and is designed for security professionals who have a basic understanding of ArcSight ESM and are familiar with the ArcSight Console. For detailed information about using ArcSightESM, see the ArcSight ESM help system from the ArcSight Console Help menu. Find PDFs of all ArcSight documentation on Protect 724. Security Use Case Guide Chapter 1: Overview HPE ESM: VPN Monitoring 1.1 Page 5 of 19
  • 6. Chapter 2: Installation To install the VPN Monitoring use case, perform the following tasks in the following sequence: 1. Download the VPN Monitoring use case zip file into the ArcSight Console system where you plan to install the use case, then extract the zip file. 2. Log into the ArcSight Console as administrator. Note: During the package installation process, do not use the same administrator account to start another Console or Command Center session simultaneously. This login is locked until the package installation is completed. 3. Verify if you have a previous version of the use case package you want to install. If so, uninstall and delete this previous version: a. On the Packages tab of the Navigator panel, right-click the package and select Uninstall Package. The package icon is gray when it is uninstalled. b. Right-click the package and select Delete Package. 4. On the Packages tab, verify if Downloads Groups is already installed. If you see packages in /All Packages/Downloads/Downloads Groups, then ignore this step. If the Downloads Groups package is not present, import and install the Downloads_Groups_1.0.arb package. See "Importing and Installing a Package" on the next page for details. 5. Import and install the VPN Monitoring use case package. See "Importing and Installing a Package" on the next page for details. 6. Assign user permissions to the VPN Monitoring resources. See "Assigning User Permissions" on page 8 for details. HPE ESM: VPN Monitoring 1.1 Page 6 of 19
  • 7. Importing and Installing a Package Follow the steps below to import and install the package(s). This assumes you have downloaded the zip file and extracted the contents into the ArcSight Console system. l If the ArcSight Console does not have the Downloads Groups package in /All Packages/Downloads/Downloads Groups, import and install the package first. Then repeat the steps to import and install the VPN Monitoring use case package. Note: The Downloads Groups package contains the groups used by the resources in the security use case; you must import and install this package first. l If the Downloads Groups package is already installed, follow the steps to import and install the VPN Monitoring use case package only. To import and install a package: 1. Log into the ArcSight Console as administrator. In the Navigator panel, click the Packages tab. 2. Click Import. 3. In the Open dialog, browse and select the package file (*.arb) you want to import, then click Open. The Importing Packages dialog shows how the package import is being verified for any resource conflicts. 4. In the Packages for Installation dialog, make sure that the check box is selected next to the name of the package you want to install and click Next. The Progress tab shows how the installation is progressing. When the installation is complete, the Results tab displays the summary report. 5. In the Installing Packages dialog, click OK. In the Importing Packages dialog, click OK. 6. On the Packages tab of the Navigator panel, expand the package group in /All Packages/Downloads/ to verify that the package group is populated and that installation is successful. Security Use Case Guide Chapter 2: Installation HPE ESM: VPN Monitoring 1.1 Page 7 of 19
  • 8. Assigning User Permissions By default, users in the Administrators and Default User Groups/Analyzer Administrators user groups can view and edit the resources. Users in the Default User Groups (and any custom user group under this group) can only view VPN Monitoring resources. Depending on how you set up user access controls within your organization, you might need to adjust those controls to make sure the resources are accessible to the right users. Note: By default, the Default User Groups/Analyzer Administrators user group does not have edit permissions for archived reports in the Downloads group. The following procedure assumes that you have logged into the ArcSight Console as administrator, and that you have set up the required user groups with the right users. To assign user permissions: 1. In the Navigator panel, open the Resources tab. 2. For each of the resource types provided in the use case, navigate to Downloads/VPN Monitoring. 3. Right-click the VPN Monitoring group and select Edit Access Control to open the ACL editor in the Inspect/Edit panel. 4. Select the user groups for which you want to grant permissions and click OK. Security Use Case Guide Chapter 2: Installation HPE ESM: VPN Monitoring 1.1 Page 8 of 19
  • 9. Chapter 3: Configuration Before configuring the use case, make sure that you have populated your ESM network model. A network model keeps track of the network nodes participating in the event traffic. For information about populating the network model, refer to the ArcSight Console User’s Guide. The VPN Monitoring use case requires the following configuration for your environment: l Install the appropriate ArcSight SmartConnectors to receive relevant events. For example, to receive relevant events from Cisco VPN devices, install the SmartConnector for Cisco VPN Syslog. l Manually categorize all internal assets (assets inside the company network), or the zones to which the assets belong, with the Protected asset category (located in /All Asset Categories/Site Asset Categories/Address Spaces/Protected). Assets that are not categorized as internal to the network are considered to be external. Make sure that you also categorize assets that have public addresses but are controlled by the organization (such as Web servers) as Protected. A configuration wizard is provided to guide you through some of the required configuration. Follow the procedure below. Note: You must categorize assets internal to the network manually; the procedure is not part of the configuration wizard. For information about categorizing assets, see the ArcSight Console User's Guide. To configure the VPN Monitoring use case: 1. In the Navigator panel, click the Use Cases tab. 2. Browse for the VPN Monitoring use case located in /All Use Cases/Downloads/VPN Monitoring. 3. Open the VPN Monitoring use case : either double-click the use case or right-click the use case and select Open Use Case. The VPN Monitoring use case lists all the resources used for monitoring VPN activity. HPE ESM: VPN Monitoring 1.1 Page 9 of 19
  • 10. 4. Click the Configure button to open the configuration wizard. 5. Click Next to follow the configuration steps. After you configure the VPN Monitoring use case, you are ready to monitor your VPN devices. See "Using the VPN Monitoring Use Case" on page 11. Security Use Case Guide Chapter 3: Configuration HPE ESM: VPN Monitoring 1.1 Page 10 of 19
  • 11. Chapter 4: Using the VPN Monitoring Use Case The VPN Monitoring use case is located on the Use Cases tab in the Navigator panel under /All Use Cases/Downloads/VPN Monitoring. To open the VPN Monitoring use case in the Viewer panel, either double-click the use case or right-click the use case and select Open Use Case. The Monitor section of the VPN Monitoring use case provides resources to help you monitor and investigate VPN-related activity: l Use the dashboard to monitor all VPN login activity in real time. See "Monitoring VPN Login Activity in a Dashboard" on the next page. l Use the active channel to investigate all VPN events. See "Investigating VPN Events in an Active Channel" on page 13. l Run reports that show the top VPN events, event sources, event destinations, and users by average session length. The reports also show the number of VPN connections for each user, and VPN connection attempts and failures. See "Running Reports" on page 15. The Library section of the VPN Monitoring use case lists all supporting resources that help compile information in the dashboard, active channel, and reports and includes rules that generate correlated events when triggered. The rules are described in "VPN Monitoring Rules" on page 18. HPE ESM: VPN Monitoring 1.1 Page 11 of 19
  • 12. Monitoring VPN Login Activity in a Dashboard The VPN Monitoring use case provides a dashboard to help you monitor VPN login activity in real time. Use the information in the dashboard to look for patterns of use or misuse, or any unusual activity that might indicate potential security concerns. To open the dashboard, click the link for the VPN Login Overview dashboard in the VPN Monitoring use case. The dashboard opens in the Viewer panel of the ArcSight Console and displays these data monitors: l Top Users by Login Activity displays a pie chart showing the top ten users with the most VPN login activity within the last 60 minutes. Investigate any unusual or excessive login activity by a user as this might indicate a potential security concern. For example, an excessive number of logins by a particular user might indicate that a brute force attack is in progress. l Login Results displays a pie chart showing the number of VPN login attempts, successes, and failures within the last 60 minutes. Examine this data monitor for unusual patterns that might indicate that an attack is being attempted. l Top 10 Users With Failed Logins shows the ten users with the highest number of failed VPN logins within the last 60 minutes. This information is very useful to determine if somebody is trying to compromise your network through your VPN device. Investigate repeated or abnormal failed connections as they might indicate potential attacks. l Last 10 Successful Login Events shows information about the last ten successful logins to a VPN device. You can see the VPN user name, source, destination, and zone information. Watch this activity for any unusual behavior. l Last 10 Failed Login Events shows details about the last ten VPN logins that failed. You can see the VPN user name, the source, destination, and zone information. Investigate multiple failed VPN logins from the same user as this might indicate malicious activity. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 12 of 19
  • 13. An example VPN Login Overview dashboard is shown below. Right-click on an item in a data monitor and select Investigate > Create Channel to open an active channel and investigate events further. For example, right-click on a user name in the Top Users by Login Activity data monitor and select Investigate > Create Channel to open an active channel and investigate the user to obtain details, such as the source IP address and the destination IP address. In the active channel, you can also: l Create an inline filter to focus on events of interest; for example, you can filter on a specific user name or source address. For detailed information about using inline filters, see the ArcSight Console User's Guide. l Double-click on an event in the active channel to open the event inspector and see details about the event. Investigating VPN Events in an Active Channel The VPN Monitoring active channel shows all VPN events received within the last ten minutes. Observing and understanding VPN events is essential to the security of your environment and can help you prevent malicious activity and mitigate significant security risks. To open the active channel, click the VPN Events link in the VPN Monitoring use case. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 13 of 19
  • 14. The VPN Events active channel opens in the Viewer panel. An example VPN Events active channel is shown below. Examine these events to spot any unusual patterns involving VPN user logins, and start and terminate VPN sessions. Be sure to investigate events with an ESM priority higher than 7 as this might represent a potential risk to your network. The priority of an event is listed in the Priority column on the far right of the active channel display. You might have to scroll to see the Priority column. Right-click an item (such as IP address) and select Show Event Details to see detailed information about the event. You can also create an inline filter to display events from a specific item. See the ArcSight Console User's Guide's topic on using active channels for information about menu options and inline filters. Note: The events displayed in an active channel do not refresh automatically at ten-minute Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 14 of 19
  • 15. intervals. To refresh the view, click the Stop and Replay channel controls in the toolbar. Depending on your environment, ESM load, and specific investigation needs, you can configure an active channel to use continuous, automatic channel refresh: Right-click the link for the active channel in the use case and select Edit Active Channel. From the Time Parameters drop-down on the Attributes tab of the Inspect/Edit panel, select Continuously evaluate. Note: In a high EPS environment, you might see performance issues if you scroll down to try and view all the events in the active channel. Running Reports The VPN Monitoring use case provides several reports that you can run to obtain a historical view of your VPN activity graphically in a table or a chart. You can provide these reports to the stakeholders in your company. The reports use VPN device activity information provided by the VPN Connections trend, which runs every day using the VPN Connections - Trend Base query. By default, the reports use data from the previous day. You can change the start and end time of the report for longer- or shorter-term analysis when you run the report. To run a report: 1. Click the link for the report in the VPN Monitoring use case. 2. In the Report Parameters dialog, set the parameters, then click OK. For example, you can change the report format from HTML (the default) to pdf, csv, xls, or rtf, change the page size, and update the report start and end time. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 15 of 19
  • 16. 3. For formats other than HTML, either open the report or save the report to your computer when prompted. The VPN Monitoring use case provides the following reports: l Users by Connection Count shows information about the number of VPN connections for each user. A summary of the users with the most connections is provided. Details of the connections for each user are also provided, including the number of connections and the systems accessed. l Top Users by Average Session Length shows duration information about VPN sessions for each user. A summary of the top VPN connection duration by user is provided. Details of the connection duration for each user are also provided, including minimum, average, maximum, and total connection minutes. Also provided are details about sessions that are currently active at the time the report is run. l Top VPN Event Destinations provides a table showing the IP address, hostname and zone for the top destinations in VPN events, sorted by the number of connections per destination. l VPN Connection Attempts provides a table showing event information where VPN access did not result in failure. l Top VPN Event Sources provides a table showing the IP address, hostname, and zone for the top sources in VPN events, sorted by the number of connections per source. l Top VPN Events provides a table showing the top VPN events (modification events are not included). The table provides the event name, and the source and destination IP address and zone. l VPN Connection Failures provides a table showing information about failed VPN connections. The information includes the VPN user name, source and destination IP address and zone, the VPN device IP address and zone, and the number of failed connections. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 16 of 19
  • 17. An example chart from the Top Users by Average Session Length report is shown below. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 17 of 19
  • 18. VPN Monitoring Rules The VPN Monitoring use case provides two rules, described below. The rules are deployed in the Real- time Rules group on the Resources tab of the Navigator panel (/All Rules/Real-time Rules/Downloads/Network Monitoring/VPN Monitoring) and enabled by default. The rules trigger when events match one or more set of conditions, at which point a correlation event is generated. A correlation event is displayed in an active channel with the flash icon . Correlation events are fed back into the event life cycle at the ArcSight Manager and are evaluated by both the ArcSight Manager and by the correlation processes. For more information about rule triggering and correlation events, see the ArcSight Console User's Guide. l User VPN Session Started This rule triggers when a VPN user session start event is detected. The rule then creates a new VPN session in the User VPN Sessions and VPN Session by Source IP session lists. This rule supports Cisco VPN products, the Nokia's Security Platform product, and Nortel's VPN product. l User VPN Session Stopped This rule triggers when a VPN user session terminate event is detected. The rule then terminates the VPN session in the User VPN Sessions and VPN Session by Source IP session lists.This rule supports Cisco VPN products, the Nokia's Security Platform product, and Nortel's VPN product. Security Use Case Guide Chapter 4: Using the VPN Monitoring Use Case HPE ESM: VPN Monitoring 1.1 Page 18 of 19
  • 19. Send Documentation Feedback If you have comments about this document, you can contact the documentation team by email. If an email client is configured on this system, click the link above and an email window opens with the following information in the subject line: Feedback on Security Use Case Guide (ESM: VPN Monitoring 1.1) Just add your feedback to the email and click send. If no email client is available, copy the information above to a new message in a web mail client, and send your feedback to arc-doc@hpe.com. We appreciate your feedback! HPE ESM: VPN Monitoring 1.1 Page 19 of 19