Monday, March 03, 2008

SSL VPN Event Reporting

A customer asked me the other day, "I've no access to the firewall, and Person X claims they are working at home today. Can I check with MARS if they've actually used the VPN?"

Not exactly a major security event, I know, but that data is in MARS. A quick look at the known WEBVPN events for the Cisco ASA shows over 66 that MARS understands.

So I basically set up a RAW event query on the ASA device, with a keyword of Webvpn, to see what events I could build a query from.

The event I chose to build the query on was "Webvpn User Authentication Successful".

The query was set to display event data for the last 7 days, and I selected the "Reported User Ranking" results format to display the data. Once happy with the results being shown, I saved the query as a report.

We can schedule how often we require reports to be run; I selected every hour.

And one cool thing is that we can customise which reports we want to display under Summary/My Reports.

Now I didn't just leave it there with this particular customer. Seeing who has been using the VPN is good, but it's also important to see who has been failing to authenticate with the VPN...

And maybe some resource usage...
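Where MARS is not available, the same two reports (successful WebVPN logins ranked by user over the last 7 days, and failed logins) can be approximated from raw ASA syslog. This is an added example, not part of the original post or of MARS; the syslog IDs 716038/716039 and their message layout, the timestamp and host prefix, and every log line are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sample: "<ISO timestamp> <host> <ASA message>". The message text
# for IDs 716038/716039 is an assumed layout; check it against your own logs.
SAMPLE_LOG = """\
2008-02-20T09:00:00 asa1 %ASA-6-716038: Group <SSLVPN> User <alice> IP <198.51.100.7> Authentication: successful, Session Type: WebVPN.
2008-02-27T08:55:10 asa1 %ASA-6-716038: Group <SSLVPN> User <alice> IP <198.51.100.7> Authentication: successful, Session Type: WebVPN.
2008-02-28T09:01:44 asa1 %ASA-6-716039: Group <SSLVPN> User <bob> IP <203.0.113.20> Authentication: rejected, Session Type: WebVPN.
2008-02-28T09:02:03 asa1 %ASA-6-716039: Group <SSLVPN> User <bob> IP <203.0.113.20> Authentication: rejected, Session Type: WebVPN.
2008-02-28T09:02:30 asa1 %ASA-6-716038: Group <SSLVPN> User <bob> IP <203.0.113.20> Authentication: successful, Session Type: WebVPN.
2008-03-03T08:47:19 asa1 %ASA-6-716038: Group <SSLVPN> User <Alice> IP <198.51.100.7> Authentication: successful, Session Type: WebVPN.
2008-03-03T09:15:00 asa1 %ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/51000 to inside:10.0.0.5/443
2008-03-03T10:00:00 asa1 %ASA-6-716039: Group <SSLVPN> User <mallory> IP <192.0.2.99> Authentication: rejected, Session Type: WebVPN.
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-71603[89]: Group <[^>]*> User <(?P<user>[^>]*)> "
    r"IP <[^>]*> Authentication: (?P<result>successful|rejected), Session Type: WebVPN")

def webvpn_auth_events(log_text):
    """Yield (timestamp, user, succeeded) for each WebVPN authentication line."""
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:  # every other ASA message is ignored
            yield (datetime.fromisoformat(m["ts"]), m["user"].lower(),
                   m["result"] == "successful")

def rank_users(log_text, now, days=7):
    """Per-user counts of successful and failed logins in the last `days` days."""
    cutoff = now - timedelta(days=days)
    ok, failed = Counter(), Counter()
    for ts, user, succeeded in webvpn_auth_events(log_text):
        if cutoff <= ts <= now:
            (ok if succeeded else failed)[user] += 1
    return ok.most_common(), failed.most_common()

def logins_on(log_text, user, day):
    """Times at which `user` authenticated successfully on the date `day`."""
    return [ts for ts, u, succeeded in webvpn_auth_events(log_text)
            if succeeded and u == user.lower() and ts.date() == day]

if __name__ == "__main__":
    now = datetime(2008, 3, 3, 12, 0, 0)
    print(rank_users(SAMPLE_LOG, now))
    print(logins_on(SAMPLE_LOG, "alice", date(2008, 3, 3)))
```

`logins_on` answers the customer's original question directly, while `rank_users` mirrors the ranked success and failure reports; user names are lower-cased so that `Alice` and `alice` count as one account.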

That completes this article, but look out tomorrow for a new demo I've created on using Custom IPS Signatures with MARS. This is from a Cisco Security Seminar that Satisnet have been giving in London over the last week.

