Remote access with accountability

We have users doing remote access daily to support our system, apart from the other service vendor support, and we also have standards-based IPSec VPN connectivity. We do not know how to get accountability, to see which user logged in and what type of activity he has done in the network. This solution can be a combination of hardware firewall and remote access software.
cur, Asked:
 
btan, Exec Consultant, Commented:
For Windows - To view these IKE events, enable success and failure auditing for the Audit logon events audit policy for your domain or local computer. The IKE event category is also used for auditing user logon events in services other than IPsec. Keep in mind that enabling this type of auditing can cause the security log to fill with IKE events. Check out the event ID, which will be handy in reviewing the event log:
http://www.isaserver.org/blogs/pouseele/isa-corner/basic-troubleshooting-for-ipsec-based-vpns-53.html

A logon type of 10 is also a good indicator of a remote login type; see more info below:
https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

Otherwise, for the FW, besides enabling, I will say packet capture and logging with pcap (or some have a debug log that can be enabled for IPsec, e.g. SonicWall uses ipsec_debug=10, DumpIpsecSadb, PrintIpsecSas) can help to surface such connectivity, especially if the remote apps are using specific ports on top of IPsec, and some VPN clients have a trace that can be enabled too.

Using Wireshark for analysis: https://wiki.wireshark.org/ESP_Preferences
Decrypting: https://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
0
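To illustrate the logon-auditing approach in the comment above, here is an added example (not part of the original thread) that pairs remote logons with their logoffs to show who connected, from where, and for how long. It assumes event IDs 4624 (logon) and 4634 (logoff) with their `TargetUserName`, `TargetLogonId`, `LogonType` and `IpAddress` fields, as logged by Windows Vista/Server 2008 and later; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

URI = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + URI + "}"

def _event(eid, ts, **data):
    """Build one constructed event in the Security-log XML layout."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{URI}'><System><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{ts}.000000000Z'/></System>"
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample: two remote (type 10) logons and one console logon (type 2).
SAMPLE = "<Events>" + "".join([
    _event(4624, "2024-03-04T08:15:02", TargetUserName="vendor1",
           TargetLogonId="0x3e7a1", LogonType="10", IpAddress="10.8.0.21"),
    _event(4624, "2024-03-04T08:20:40", TargetUserName="opsadmin",
           TargetLogonId="0x3f001", LogonType="2", IpAddress="-"),
    _event(4634, "2024-03-04T09:05:12", TargetUserName="vendor1",
           TargetLogonId="0x3e7a1", LogonType="10"),
    _event(4624, "2024-03-04T10:00:00", TargetUserName="alice",
           TargetLogonId="0x41b22", LogonType="10", IpAddress="10.8.0.34"),
]) + "</Events>"

def remote_sessions(xml_text):
    """Pair type-10 logons (4624) with logoffs (4634) by TargetLogonId."""
    sessions, open_by_id = [], {}
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        eid = int(ev.find(f"{NS}System/{NS}EventID").text)
        ts = ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
        when = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")
        d = {n.get("Name"): n.text for n in ev.iter(NS + "Data")}
        if d.get("LogonType") != "10":
            continue  # keep only remote (type 10) logons
        if eid == 4624:
            s = {"user": d["TargetUserName"], "source": d.get("IpAddress", "-"),
                 "start": when, "end": None}
            open_by_id[d["TargetLogonId"]] = s
            sessions.append(s)
        elif eid == 4634 and d["TargetLogonId"] in open_by_id:
            open_by_id.pop(d["TargetLogonId"])["end"] = when
    return sessions

if __name__ == "__main__":
    for s in remote_sessions(SAMPLE):
        dur = (s["end"] - s["start"]) if s["end"] else "no logoff logged"
        print(f'{s["user"]:<10} from {s["source"]:<12} {s["start"]}  duration: {dur}')
```

A session with no matching logoff is kept with an empty end time, so it stands out for follow-up.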
 
Sekar Chinnakannu, Staff Engineer, Commented:
If it's Windows Server, then you can check the event logs for all the system-related changes.
0
 
cur, Author, Commented:
This is referring to remote access from outside to the internal network.
0
 
Sekar Chinnakannu, Staff Engineer, Commented:
Then there should be some log created for all the activity on whichever tool you use, because most of the network tools have logs.
0
 
cur, Author, Commented:
I am asking for the tool or the firewall-based solution to address my requirement.
0
Question has a verified solution.
