VPNSCAN: Extending the Audit and Compliance Perimeter
Rob VandenBrink
In my work as a security consultant, I have a large number of clients with remote access or remote computing security policies. All of these policies contain wording that covers some or all of the following:
- All VPN or dial-up connections to the corporate network will be made from corporately owned hardware.
- Any Internet connection made from a non-corporate location will use a properly configured (or corporately owned and configured) hardware firewall.
- All corporately owned laptops will have a corporate-approved, properly configured personal firewall installed.
However, what struck me was that none of these companies had a good method of auditing these policies to verify compliance. After some research, I found that there are few solutions that accomplish this without a large budget commitment. The VPNSCAN tool presented in this article addresses this gap and has been deployed at several customer sites to date.
Solution Overview
VPNSCAN uses several tools to accomplish this auditing goal:
- Swatch is used to monitor syslog from the VPN gateway. It waits for a successful VPN connection event, then feeds that entire syslog line to a shell script.
- The shell script parses the line out of its command-line arguments and then uses Nessus to scan the external (public Internet) IP address of the host that just connected over the VPN.
- The Nessus scan is saved to an HTML report file.
- If the Nessus scan indicates a violation of company policy (i.e., the remote firewall fails some or all of the tests the scan identifies), an alert email is sent to the IT team responsible for security.
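As an added illustration of the four steps above (this is example code written for this article, not the author's VPNSCAN script, which is not reproduced on this page), the following POSIX shell handler parses the syslog line, picks out the peer's public address, runs a scan, saves the report and alerts on a policy failure. It assumes swatch invokes it with the whole syslog line as arguments; the syslog line format, the scanner output format (a one-finding-per-line stub standing in for the Nessus HTML report), the report directory and the mail recipient are all constructed assumptions for the example.

```shell
#!/bin/sh
# VPNSCAN-style event handler (added example, not the author's own script).
# swatch is assumed to pass the entire syslog line as arguments, e.g. in
# ~/.swatchrc:
#   watchfor /VPN connection established/
#     exec "/usr/local/bin/vpnscan-handler.sh $0"
# The scanner and mailer are pluggable commands so the policy logic runs
# offline; in production SCAN_CMD would wrap the Nessus CLI and MAIL_CMD
# would be something like: mail -s "$subject" "$to" < "$report".

REPORT_DIR="${REPORT_DIR:-/var/log/vpnscan}"          # assumed location
ALERT_TO="${ALERT_TO:-security-team@example.com}"     # assumed recipient
ALLOWED_PORTS="${ALLOWED_PORTS:-}"   # e.g. "22/tcp"; empty = nothing may be open
SCAN_CMD="${SCAN_CMD:-scan_stub}"
MAIL_CMD="${MAIL_CMD:-mail_stub}"

# True for addresses that cannot be the public side of a VPN peer.
is_private_ip() {
    case "$1" in
        10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*|127.*|169.254.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the peer's public address: the first dotted quad in the syslog
# line that is not private. The tunnel-side address the gateway assigns is
# usually RFC 1918 and must not be scanned; gateways differ in the order
# they log the two addresses, so filter rather than rely on position.
extract_peer_ip() {
    for ip in $(printf '%s\n' "$*" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'); do
        if ! is_private_ip "$ip"; then
            printf '%s\n' "$ip"
            return 0
        fi
    done
    return 1
}

# Stand-in scanner: writes a constructed report with one finding per line
# ("<port>/<proto> open <service>"). A real wrapper would run Nessus against
# $1 and convert its report into this shape.
scan_stub() {
    printf '%s\n' "22/tcp open ssh" "445/tcp open microsoft-ds" > "$2"
}

# Stand-in mailer: $1 recipient, $2 subject, $3 report path.
mail_stub() {
    printf 'ALERT to %s: %s (report %s)\n' "$1" "$2" "$3"
}

# List "port/proto" for every open port recorded in a report file.
open_ports() {
    grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open' "$1" | awk '{print $1}'
}

# Return 0 (a policy violation) when the remote firewall exposes any port
# outside the allow list; a properly configured personal or hardware
# firewall should expose nothing inbound from the Internet.
policy_violation() {
    report="$1"; allowed="${2:-}"
    for p in $(open_ports "$report"); do
        case " $allowed " in
            *" $p "*) ;;        # tolerated by local policy
            *) return 0 ;;      # anything else fails the check
        esac
    done
    return 1
}

# Full pipeline for one syslog event: parse, scan, save, alert.
handle_event() {
    line="$*"
    peer=$(extract_peer_ip "$line") || {
        printf 'vpnscan: no public peer address in: %s\n' "$line" >&2
        return 2
    }
    mkdir -p "$REPORT_DIR"
    report="$REPORT_DIR/vpnscan-$peer-$(date +%Y%m%d-%H%M%S).txt"
    "$SCAN_CMD" "$peer" "$report"
    if policy_violation "$report" "$ALLOWED_PORTS"; then
        "$MAIL_CMD" "$ALERT_TO" "VPNSCAN: $peer failed remote firewall check" "$report"
        return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    handle_event "$@"
fi
```

Two caveats a practitioner will hit with this design: the address the gateway logs must be the outer (Internet-facing) address of the tunnel, and if the user sits behind a carrier-grade NAT or a shared office connection, the scan lands on infrastructure the user does not control, so the result says nothing about their own firewall. The handler also refuses to scan when the only addresses in the line are private, which is the symptom of a gateway logging tunnel-side addresses only.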