Chapter 4
Although this file is markedly different from the Cisco switch and router configuration I listed
earlier, it is nonetheless a straightforward text file that a third-party configuration management
solution can easily handle. VPN concentrators also produce prodigious log files, primarily to
account for user activity. The example log file in Listing 4.4 illustrates how straightforward this
information is in its presentation and formatting: each record begins with a header line carrying a
sequence number, timestamp, severity (SEV), event class and ID, a repeat count (RPT), and the peer
IP address, followed by one or more lines of message text.
50235 10/23/2002 17:44:00.930 SEV=4 IKE/52 RPT=1217 201.214.18.178
Group [VPNUser] User [DOMAINX\userx]
User (DOMAINX\userx) authenticated.
50236 10/23/2002 17:44:01.760 SEV=5 IKE/184 RPT=1215 201.214.18.178
Group [VPNUser] User [DOMAINX\userx]
Client OS: N/A
Client Application Version: 3.5 (Rel)
50238 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=397 201.214.18.178
Group [VPNUser] User [DOMAINX\userx]
IKE TM V6 FSM error history (struct &0x4c5db3c)
<state>, <event>:
TM_DONE, EV_ERROR
TM_WAIT_QM_MSG, EV_TIMEOUT
TM_WAIT_QM_MSG, NullEvent
TM_SND_REPLY, EV_SND_MSG
Listing 4.4: An example log file.
These logs can, of course, include information about when administrators log on and off of the
concentrator. An administrator logging off is a clue that a configuration change might have
occurred; a network configuration management solution that scans these log files can use the logoff
event as a trigger to pull the device's configuration and compare it with the last known copy for
any changes the administrator might have made. Because an administrative session can also end by
timeout rather than an explicit logoff, the trigger should complement, not replace, a scheduled
comparison.
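One way to put the Listing 4.4 record layout and the logoff trigger to work, as an added example that is not from the book or from any vendor's management tool: a small Python parser that groups each header line with its continuation lines, a filter for administrator logoff events, and a diff of the freshly pulled configuration against the last known copy. The header regular expression is derived from the listing; the wording of the logoff message ("Administrator [name] logged out"), the HTTP/47 event, the second IP address and the INI-style configuration snapshots are assumptions made for this example, and pull_config stands in for whatever fetch (TFTP, HTTP, SSH) the management solution actually uses.

```python
"""Added example (not from the book): parse concentrator log records laid out
as in Listing 4.4 and use administrator logoff events as the trigger to pull
and diff the device configuration. Header layout assumed from the listing:
    SEQ MM/DD/YYYY HH:MM:SS.mmm SEV=n CLASS/ID RPT=n [PEER-IP]
followed by continuation lines. Logoff wording and config snapshots are constructed."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+SEV=(?P<sev>\d+)\s+"
    r"(?P<cls>[A-Z]+)/(?P<eid>\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)
# Assumed wording of the administrator-logoff event; adjust to the real device.
LOGOFF_RE = re.compile(r"Administrator \[(?P<admin>[^\]]+)\] logged out")

@dataclass
class Record:
    seq: int
    date: str
    time: str
    sev: int
    cls: str          # event class, e.g. IKE or IKEDBG
    event_id: int
    rpt: int          # repeat count
    peer: str | None
    lines: list[str] = field(default_factory=list)  # continuation lines

def parse_records(log: str) -> list[Record]:
    """Group each header line with its continuation lines into a Record."""
    records = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(int(m["seq"]), m["date"], m["time"], int(m["sev"]),
                                  m["cls"], int(m["eid"]), int(m["rpt"]), m["peer"]))
        elif records:
            records[-1].lines.append(line)
        else:
            raise ValueError(f"continuation line before any header: {line!r}")
    return records

def admin_logoff_events(records: list[Record]) -> list[tuple[Record, str]]:
    """Return (record, administrator name) for each logoff event found."""
    found = []
    for rec in records:
        m = LOGOFF_RE.search(" ".join(rec.lines))
        if m:
            found.append((rec, m["admin"]))
    return found

def config_diff(before: str, after: str) -> list[str]:
    """Changed lines only ('-' old, '+' new); file headers and hunk markers dropped."""
    diff = difflib.unified_diff(before.splitlines(), after.splitlines(),
                                fromfile="before", tofile="after", lineterm="", n=0)
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

def audit_after_logoff(log, pull_config, baseline) -> list[tuple[int, str, list[str]]]:
    """For every administrator logoff in the log, pull the running configuration
    (pull_config stands in for the fetch from the device) and report what changed
    against the last known-good snapshot."""
    findings = []
    for rec, admin in admin_logoff_events(parse_records(log)):
        changes = config_diff(baseline, pull_config())
        if changes:
            findings.append((rec.seq, admin, changes))
    return findings

# Constructed sample data: two records from Listing 4.4, an assumed administrator
# logoff record (HTTP/47 is not from the book) and INI-style config snapshots.
SAMPLE_LOG = r"""
50235 10/23/2002 17:44:00.930 SEV=4 IKE/52 RPT=1217 201.214.18.178
Group [VPNUser] User [DOMAINX\userx]
User (DOMAINX\userx) authenticated.
50238 10/23/2002 17:44:37.610 SEV=4 IKEDBG/65 RPT=397 201.214.18.178
Group [VPNUser] User [DOMAINX\userx]
IKE TM V6 FSM error history (struct &0x4c5db3c)
<state>, <event>:
TM_DONE, EV_ERROR
TM_WAIT_QM_MSG, EV_TIMEOUT
TM_WAIT_QM_MSG, NullEvent
TM_SND_REPLY, EV_SND_MSG
50241 10/23/2002 17:52:10.120 SEV=4 HTTP/47 RPT=12 10.0.0.5
Administrator [admin] logged out
"""
CONFIG_BEFORE = "[general]\nhostname=vpn-hq\n[group VPNUser]\nsplit_tunnel=disabled\n"
CONFIG_AFTER = CONFIG_BEFORE.replace("split_tunnel=disabled", "split_tunnel=enabled")

if __name__ == "__main__":
    for seq, admin, changes in audit_after_logoff(SAMPLE_LOG, lambda: CONFIG_AFTER, CONFIG_BEFORE):
        print(f"after logoff of {admin} (event {seq}):", *changes, sep="\n  ")
```

The parser assembles whole records before any matching so that multi-line messages such as the FSM error history in Listing 4.4 are kept together and a pattern can be searched across the full message text; the constructed configuration change (split tunnelling switched on for the VPNUser group) is the kind of quiet, security-relevant edit this trigger is meant to surface.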
However, not all concentrators are hardware-based. Microsoft Windows, for example, includes
Routing and Remote Access software that can serve as a VPN concentrator but is much harder to
manage by using external utilities. Also, some hardware-based concentrators aren't manageable at all
and are simply "dumb" terminals that accept incoming VPN connections and place them onto your
network. These lower-end concentrators are typically found in smaller environments and might only
support a handful of user connections. Be aware of the manageability of these devices when
considering them for your network.
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are among the newest
types of devices found on today's networks. Rather than acting as active components of the network,
such as a firewall, which creates a more secure environment by actively limiting traffic, an IDS
plays a more passive role, sitting on the sidelines and scanning traffic, log files, and other data
for evidence of an attack; an IPS goes a step further and can respond to what it detects. For
example, the popular Nokia IP330 or the Econet Sentinel both monitor network traffic. In the case of
an IDS such as the Nokia, you receive warnings and notifications when suspicious activity is
detected; in the case of an IPS such as the Sentinel, the device can actually block the attacking
computers from accessing your network once an attack is detected.