kalafoto - Fotolia


Best practices for VPN traffic monitoring

VPNs are still a critical part of many enterprise remote access strategies. Networks teams that monitor VPN traffic should look at factors like application usage and overhead.

For many years, virtual private networks, or VPNs, have been the go-to technology for remote access to IT resources. VPN-optimized routers connect to the internet and establish a tunnel between the sending device and the destination, which also has a VPN-compatible device.

The COVID-19 pandemic boosted use of remote access to significant levels, as huge numbers of employees, contractors and others began working from home or alternate offices. Despite the current availability of three different vaccines for the coronavirus, most people will likely continue to work remotely for some time.

Demand for VPNs and other remote access technologies means that, among other things, bandwidth usage has increased dramatically from pre-pandemic levels. This increased demand means network professionals must carefully monitor and analyze bandwidth usage levels to ensure bandwidth is available for all users and that devices using excessive bandwidth can be identified and adjusted as needed.

This article examines best practices to monitor VPN traffic and discusses why it is an essential activity. It provides details on what teams should monitor, such as connection details, application usage, traffic time frames and types, overhead, bandwidth, capacity and more. It also examines how network teams can integrate VPN monitoring with network security strategies.

What network monitoring systems do

Network monitoring systems perform many functions, including the following:

  • examine and analyze network traffic according to preset and user-defined rules;
  • analyze bandwidth by application, protocol and IP address groups;
  • identify network traffic capacity, traffic patterns, overhead, latency and throughput;
  • identify and mitigate devices and applications that use excessive bandwidth;
  • get notified when network usage exceeds set thresholds;
  • identify high-bandwidth users and restrict their activities;
  • detect, diagnose and resolve network performance issues;
  • track response time, availability and uptime of routers, switches and other devices; and
  • display performance data in dashboards and other visual representations.

In the diagram below, both a remote office and a remote user are using VPNs to connect to a headquarters data center for access to the company's information resources. The network monitoring system can monitor devices and network traffic at both the data center and remote office. It can also monitor the remote user by examining data traffic over the internet. IP addresses identify each location and remote user and are used by the monitoring system to analyze traffic activity.

Network monitoring for VPNs
A generic network monitoring system configured for VPNs

Importance and benefits of network monitoring

Network traffic analysis and management ensure that organizations get the most from their bandwidth. With real-time network performance data, it is easier to respond proactively to issues that cause network slowdowns and outages. While it's good to obtain network performance data, it's even more important to manage devices connected to networks. With the right network monitoring and control systems, it's possible to reduce extraneous traffic, network latency, congestion and packet loss across the network.

VPN network monitoring equipment should not only monitor a variety of performance metrics, but also provide a tool to help optimize network traffic.

Network monitoring devices help identify who is using network bandwidth. Data on bandwidth usage is key to maintaining optimal network speeds. To avoid user complaints about slow response times and other performance issues, network teams should first identify users with high network bandwidth. Bandwidth bottlenecks can be more easily resolved by managing those users.

Monitoring devices need to analyze many different network protocols and characteristics data -- such as Simple Network Management Protocol (SNMP), NetFlow, J-Flow, sFlow, NetStream and IP Flow Information Export -- that are built into most routers. By examining data from these metrics, teams can identify users, applications and protocols using excessive bandwidth before they spend money on unnecessary resources.

Optimizing network resources with monitoring and control systems can keep network costs under control by minimizing the need for additional bandwidth, access channels, routers and switches. Another benefit of effective network monitoring is that mission-critical applications will have the bandwidth they need for optimal performance.

VPN monitoring device characteristics

As noted earlier, VPN network monitoring equipment should not only monitor a variety of performance metrics, but also provide a tool to help optimize network traffic. Typical devices gather traffic data, transform it into a usable format for analysis and display it in an appropriate interface, such as a dashboard.

Devices should measure network traffic across VPNs by analyzing bandwidth and packet routing metrics. They should be able to trace and display network traffic using pre-configured and customizable parameters. Alerts should be programmable to identify when abnormal conditions exist. If possible, the system should be able to map the entire network infrastructure, as displaying all routes and devices helps quickly identify issues to address.

How VPN monitoring works

VPN monitoring uses Internet Control Message Protocol echo requests, or pings, to determine if a VPN tunnel is available. In typical operation, pings are sent through the VPN tunnel to a peer gateway or a specific destination at the other end of the tunnel. Pings can be sent in preset 10-second intervals for a specific number of attempts. If there is no reply after the preset number of ping attempts, the VPN is assessed as down, and security protocols -- e.g., IPsec -- are cleared. The VPN monitoring device must be set to the VPN-monitor option so that endpoint IP addresses using the VPN tunnel can be monitored. Pings are sent only when there is outgoing traffic and no incoming traffic through the VPN tunnel. The tunnel is deemed active if it detects incoming traffic through the VPN tunnel.

SNMP is also used for VPN monitoring. Devices should be equipped with default and customizable sensors that use SNMP to monitor VPN traffic, users and connections of various network devices -- e.g., switches, routers and firewalls. A VPN failure alarm will activate alarms when system monitors detect different kinds of events, such as the following:

  • Authentication failure. This occurs when packet authentication failures reach a specified value.
  • Encryption and decryption failure. This occurs when encryption or decryption failures exceed a specified number.
  • Self-test failure. Self-tests verify whether security software is implemented correctly when a device powers up. The monitoring system can generate an alarm when a self-test failure occurs.
  • IDP flow policy attack. An intrusion detection and prevention (IDP) policy enforces attack detection and prevention actions on network traffic. Configure the system to generate an alarm when IDP flow policy violations occur.
  • Replay attack. A replay attack is a network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Set the monitor to generate an alarm when a replay attack occurs.

Alarms based on VPN issues are logged, but alarms are generated only when specific thresholds have been reached or exceeded. Once teams remediate the issues, they can clear the alarms.

Security value of VPN traffic monitoring

Integrating network monitoring with cybersecurity activities can be optimized by using VPN monitoring. VPNs typically use Secure Sockets Layer-encrypted remote access using the internet as a transmission path. A VPN gateway or VPN client is at the end of this path. When outside the VPN, a VPN user accesses systems and data just like a regular network client. Access to network performance data is essential for spotting potential cyber attacks, such as phishing, ransomware, viruses and denial-of-service attacks.

Next Steps

Hackers targeting VPN vulnerabilities in ongoing attacks

Dig Deeper on Network management and monitoring

Unified Communications
Mobile Computing
Data Center