Remote access with the accountability

we have users doing remote access daily to support our system apart from the other service  vendor support . and also we have standards-based IPSec VPN  connectivity . we do not know the way to get the accountability to see the user that login and what type of activity he has done in the network . this solution can be combination of hardware firewall and remote access software .
curAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sekar ChinnakannuStaff EngineerCommented:
If its windows server then you can check the event logs for all the system related changes.
0
curAuthor Commented:
this is referring to remote  access from out side to the internal network .
0
Sekar ChinnakannuStaff EngineerCommented:
then there should be some log created for all the activity on the tool which ever you use, because most of the network tools have logs.
0
curAuthor Commented:
I am asking the tool or the firewall based solution address my requirement
0
btanExec ConsultantCommented:
For Windows - To view these IKE events, enable success and failure auditing for the Audit logon events audit policy for your domain or local computer. The IKE event category is also used for auditing user logon events in services other than IPsec. Keep in mind that enabling this type of auditing can cause the security log to fill with IKE events. Check out the event id which will be handy in reviewing the event log
http://www.isaserver.org/blogs/pouseele/isa-corner/basic-troubleshooting-for-ipsec-based-vpns-53.html

It is also a good indicator that logon type of 10 is of remote login type, see more info below
https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

Otherwise for FW, besides enabling I will say the packet capture and logging with pcap (or some has debug log to enabled for ipsec e.g. in sonciwall is using ipsec_debug=10, DumpIpsecSadb, PrintIpsecSas) can help to surface such connectivity esp if the remote app are using specific ports on top of the IPSec and some VPN client has trace that can be enabled too.

Using wireshark for analysis - https://wiki.wireshark.org/ESP_Preferences
decrypting https://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.