Monitoring key performance indicators and deflecting attacks are critical to maintaining VPN availability and performance in today’s locked-down, telecommuting workplace.

Dark Reading Staff, Dark Reading

August 10, 2020


The current pandemic has spurred a revolutionary shift to remote work environments and triggered a huge increase in Internet traffic. According to OpenVault’s Q1 2020 Broadband Insights Report, average bandwidth consumption has jumped 47% since the same time last year, much of that traffic being outbound, signifying VPN usage.

Amazingly, though, the Internet hasn’t broken. “It’s running hot, but stable,” is the way one Internet backbone engineer put it. But the hidden truth in these statistics is that business in a pandemic world is depending on the Internet more than ever, in particular in business use of VPNs. VPNs are the best-practice technology for safe distance working and learning. And now they’re essential to most every job.

Keep in mind that Internet consumption statistics are spread across all use cases, with some applications spiking higher than others. In particular, multiple US ISPs reported an increase in VPN traffic of 60 to 90 percent, with weekend reductions that flag this as remote worker activity.

High usage leads to new risks: reduced network maintenance due to worker isolation, unplanned capacity exhaustion, and malicious attacks. The only way to effectively mitigate these risks is by close VPN monitoring, not just of up/down status, but detailed performance statistics.

Tracking Application Failures
Packet loss often presages a more serious outage, and is worth watching. The best place for monitoring performance degradation is not at the circuit level, as you might think, but at the application level, where gradual network congestion first shows up as loss-induced application errors.

Some applications are more sensitive to lost packets than others. For example, a streaming video application might experience a few “glitches” on the screen, while a remote control application, such as Citrix, might freeze up completely. Thus, it’s critical to monitor applications separately, first establishing a normal performance baseline, and then setting thresholds for each application to report excessive errors.

Unthinkable Exploitations
As if the pandemic’s worldwide depression of business isn’t bad enough, unethical third parties are exploiting this diversion of attention to force data breaches and other intrusions. The most common tool for this is the DDoS – Distributed Denial of Service – attack, where an intruder marshals an army of “bot” computers across the Internet to drive increasingly high transaction levels against a company or application in order to crash it, and hopefully gain illicit access to the target network.

NETSCOUT has reported nearly 4.6 million DDoS attacks in the first half of 2020, as compared to 8.4 million attacks over the entirety of 2019. Attackers can be expected to pay special attention to VPNs, because with one endpoint typically being a less-heavily secured residential broadband connection, the “attack surface” is much larger than the fortified enterprise firewall at corporate headquarters. Malicious “VPN help” websites abound, and can dupe many a home worker into infecting their computer with botware, or worse.

Often, DDoS attacks start out slowly, and step up over time before they become debilitating. By monitoring key performance indicators, you get an early warning that a DDoS attack may be in progress, giving you time to mitigate it using inline protection tools.
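An added example (not from the original article or from NETSCOUT’s products): a per-application baseline and threshold check of the kind described under “Tracking Application Failures”, extended with a check for the slow step-up described above. The error-rate samples, the median/MAD rule and the parameter values are assumptions chosen for illustration.

```python
from statistics import median

# Constructed sample data: application error rate (%) per 5-minute interval.
HISTORY = {  # a normal period, used to build each application's baseline
    "citrix": [0.10, 0.12, 0.08, 0.11, 0.09, 0.10, 0.13, 0.10],
    "video":  [1.0, 1.4, 0.8, 1.2, 1.1, 0.9, 1.3, 1.0],
}
LIVE = {     # the period being checked
    "citrix": [0.10, 0.14, 0.17, 0.19, 0.60],
    "video":  [1.1, 0.9, 1.3, 1.0, 1.2],
}

def baseline(samples):
    """Robust baseline: median and median absolute deviation (MAD)."""
    med = median(samples)
    return med, median(abs(x - med) for x in samples)

def threshold(samples, k=5.0, floor=0.1):
    """Alert level = median + k*MAD, with a minimum margin (assumed values)."""
    med, mad = baseline(samples)
    return med + max(k * mad, floor)

def evaluate(history, live, ramp_rises=3):
    """Return {app: [(index, kind, value)]}; kind is 'breach' or 'ramp'."""
    alerts = {}
    for app, samples in live.items():
        med, _ = baseline(history[app])
        limit = threshold(history[app])
        found, run = [], 0
        for i, value in enumerate(samples):
            # Count consecutive rises that sit above the app's normal median.
            rising = i > 0 and value > samples[i - 1] and value > med
            run = run + 1 if rising else 0
            if value > limit:
                found.append((i, "breach", value))   # over this app's threshold
            elif run >= ramp_rises:
                found.append((i, "ramp", value))     # slow step-up, not yet over
        alerts[app] = found
    return alerts

if __name__ == "__main__":
    for app, found in evaluate(HISTORY, LIVE).items():
        print(app, round(threshold(HISTORY[app]), 2), found)
```

With this data the Citrix series raises a “ramp” alert one interval before it crosses its own threshold, while the video series, although noisier in absolute terms, stays within its baseline and raises nothing.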

An important adjunct to monitoring is threat intelligence, a set of processes that includes situational awareness about which of a business’s assets hackers see as low-hanging fruit, as well as trend analysis and alerting to new and innovative techniques that have been observed ‘in the wild’. The best threat intelligence services are not just monthly or weekly reports, but real-time portals that give you immediate notification for any nefarious activity.

The Root of the Problem
Just finding a problem is only half the battle. Any monitoring or alerting software should also help you identify the cause of the problem, either by identifying choke points in an application’s data flow, or by revealing anomalies in the types of transactions. The former might signal an impending circuit failure, while the latter may foretell a DDoS attack.

Called root cause analysis, this process requires specific tools, such as transaction logs, traffic history charts, and the ability to compare trends across your network. Today’s best tools employ machine learning to rapidly recognize deviations from baselines that can’t be explained by normal application activity. By analyzing workflow context, these ML engines can isolate a problem to a specific application or server.

The NETSCOUT Pandemic VPN Protection Toolkit
You can assemble your own toolkit of applications that perform application monitoring, service level tracking, DDoS detection, threat intelligence, and root cause analysis. But they likely won’t be integrated, leaving you to manage an armful of web portals and reporting systems. NETSCOUT offers a complete VPN Protection Toolkit, in the form of its nGeniusONE service assurance platform and Arbor Edge Defense (AED). The comprehensive application monitoring console lets you view performance statistics across the enterprise, with the ability to drill down to any application or location. nGeniusONE also gives you at-a-glance status of your entire company in a single pane of glass. AED provides in-line DDoS protection in front of the firewall protecting not only the applications, but the security stack as well.

Because nGeniusONE extracts application data from multiple locations across your network, it’s able to correlate events and provide predictive data about impending network failures so that you can fix them before users feel them. When DDoS attacks are suspected, AED by NETSCOUT delivers DDoS mitigation to secure application performance and prevent future DDoS attacks.

Through its deep intelligence and analysis features, nGeniusONE can quickly – and precisely – identify a problem’s root cause, and AED can block DDoS attacks before they impact the business. Even better, the nGeniusONE dashboard lets you create proactive views to head off problem recurrence, letting you address a repeating failure before customers notice.

Comprehensive monitoring, single-pane-of-glass visibility, bulletproof DDoS protection, and solid root cause analysis make nGeniusONE a toolkit worth investing in. For more information, check out:

About the Author: Hardik Modi, AVP, Threat and Mitigation Products, NETSCOUT

Hardik Modi oversees the teams responsible for mitigation products as well as the creation of security content for NETSCOUT’s products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and Intrusion landscapes. Prior to joining NETSCOUT, Hardik was Vice President Threat Research at a network security vendor. He has nearly 20 years of experience in networks, product design and security research. He is a frequent author of blogs and speaker at security events. Hardik holds a Bachelor of Engineering degree from Gujarat University, India.

 
