Security Orchestration Use Case: How to Automate VPN Checks?

An organization can see innumerable VPN access attempts from inside and outside its facilities, and with globalization and cloud computing many of them originate outside the country. Checking each attempt manually is a daunting task for enterprises: it consumes a lot of time and ties up security professionals. The basic VPN checks cover DNS leaks, IP address leaks (both IPv4 and IPv6) and WebRTC leaks, that is, whether DNS queries, egress traffic or browser ICE candidates are exposing the client's real resolver or address instead of the tunnel's. Manual VPN checks come in two forms: a Basic Test, performed online through a VPN test website, and an Advanced Test that uses dedicated tools. Security orchestration plays a pivotal role in automating these tests.
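The three leak categories above can be checked automatically once the VPN provider's expected egress prefixes and resolver are known. The following is an added example, not code from the article or from any SOAR product: it classifies probe results offline, and the egress ranges, resolver and probe values are constructed for the example (documentation prefixes from RFC 5737 and RFC 3849 stand in for real addresses).

```python
import ipaddress
from typing import Dict, List

# Constructed expected values (not from the article): the VPN provider's egress
# prefixes and the resolver its client pushes. Documentation ranges stand in
# for real addresses.
VPN_EGRESS = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]
VPN_DNS = {ipaddress.ip_address("203.0.113.53")}

# Addresses a browser may legitimately list as WebRTC host candidates without
# revealing anything about the egress path (RFC 1918, link-local, ULA).
LOCAL_ONLY = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7")]


def _in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)  # mismatched IP versions compare False


def leak_report(egress_v4: List[str], egress_v6: List[str],
                dns_resolvers: List[str],
                webrtc_candidates: List[str]) -> Dict[str, List[str]]:
    """Classify observed addresses; returns only the categories that leaked.

    egress_v4/egress_v6: public addresses reported by an external "what is my IP" probe
    dns_resolvers:       resolvers that answered a DNS-leak probe
    webrtc_candidates:   ICE candidate addresses gathered by the browser
    """
    leaks = {
        # Any egress address outside the provider's prefixes bypassed the tunnel.
        "ipv4": [a for a in egress_v4 if not _in_any(a, VPN_EGRESS)],
        "ipv6": [a for a in egress_v6 if not _in_any(a, VPN_EGRESS)],
        # Any resolver other than the one pushed by the VPN client is a DNS leak.
        "dns": [r for r in dns_resolvers if ipaddress.ip_address(r) not in VPN_DNS],
        # A WebRTC leak is a server-reflexive candidate carrying the real public
        # address; purely local host candidates expose the LAN, not the egress,
        # so they are skipped here by design.
        "webrtc": [c for c in webrtc_candidates
                   if not _in_any(c, LOCAL_ONLY) and not _in_any(c, VPN_EGRESS)],
    }
    return {k: v for k, v in leaks.items() if v}


if __name__ == "__main__":
    # Constructed probe results: IPv4 and the first resolver look right, but IPv6
    # bypasses the tunnel, a second resolver leaked, and WebRTC exposed a public
    # address.
    print(leak_report(["203.0.113.7"], ["2001:db8:ffff::1"],
                      ["203.0.113.53", "198.51.100.1"],
                      ["192.168.1.20", "198.51.100.77"]))
```

The IPv6 case is the one most often missed in manual testing: a client that only routes IPv4 through the tunnel passes the IPv4 check and still leaks the real address over IPv6.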

How to Automate VPN Checks Using Security Orchestration?

Security orchestration runs a VPN check playbook to look for VPN anomalies. The playbook combines a reactive and a proactive approach. In the reactive approach, the playbook responds as soon as a suspicious VPN access attempt is observed. In the proactive approach, it periodically scans the network for known classes of VPN anomalies. When a suspicious VPN attempt is identified, the security team is notified for further examination; the attempt can then be stopped and the offending IP address blocked for future attempts.

VPN checks are performed in two ways: by flagging source IPs located outside the country, or by testing them against the organization's own geolocation. Both rely on GeoIP (IP-based geolocation), which maps the IP address of an internet-connected mobile or computing device to a real-world geographic location. A GeoIP lookup returns the country and country code, city, region, ZIP/postal code, ISP and time zone associated with the address. GeoIP data is an approximation: a commercial VPN exit, a mobile carrier or a corporate proxy can place a legitimate user in the wrong country, which is why a GeoIP mismatch should trigger a confirmation step rather than an immediate block.

The VPN playbook first collects the non-US source IPs from the VPN logs and resolves their GeoIP. It then queries Active Directory (AD) for the affected users' e-mail addresses and looks those addresses up in the CASB to retrieve the IPs from which the same users are accessing cloud services. Finally, it cross-references the two sets of IPs, those collected from the VPN service and those collected from the CASB. If the same user shows a US-based CASB IP and a non-US VPN IP at the same time, the playbook sends an automated e-mail asking the affected person to confirm his or her location. The user then replies either confirming the attack or denying it. If the attack is confirmed, the playbook blocks the VPN source IP address and the playbook is closed. Two points a practitioner should keep in mind: the confirmation e-mail goes to a mailbox the attacker may also control, so a denial from a user whose credentials were phished should not be taken at face value, and blocking one source IP does not stop an attacker who simply switches VPN exits, so resetting the credential or re-authenticating the account is the stronger containment step.
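The GeoIP step and the cross-reference step above can be expressed as one small playbook. The following is an added example, not the article's or any vendor's playbook code: the GeoIP table, the AD mail mapping, the VPN and CASB log records, the one-hour correlation window and the handling of the user's reply are all constructed assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# --- Constructed inputs (assumptions, not from the article) ----------------
# Toy GeoIP table using RFC 5737 documentation prefixes in place of a real
# GeoIP database; the country codes are assigned for the example.
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "RO",
}
HOME_COUNTRY = "US"          # the organization's expected country, as in the article
WINDOW = timedelta(hours=1)  # assumed: VPN and CASB activity this close counts as simultaneous

# Assumed AD lookup result: sAMAccountName -> mail attribute.
AD_MAIL = {"jdoe": "jdoe@example.com", "asmith": "asmith@example.com"}

# Constructed VPN and CASB log records (user, source IP, timestamp).
VPN_LOG = [
    {"user": "jdoe",   "ip": "198.51.100.23", "ts": "2024-05-01T09:12:00"},
    {"user": "asmith", "ip": "203.0.113.40",  "ts": "2024-05-01T09:20:00"},
]
CASB_LOG = [
    {"mail": "jdoe@example.com",   "ip": "203.0.113.77", "ts": "2024-05-01T09:05:00"},
    {"mail": "asmith@example.com", "ip": "203.0.113.40", "ts": "2024-05-01T09:21:00"},
]


def geoip_country(ip: str) -> Optional[str]:
    """Step 1: GeoIP lookup. Returns the country code or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return None


def find_suspicious(vpn_log: List[Dict], casb_log: List[Dict],
                    ad_mail: Dict[str, str]) -> List[Dict]:
    """Steps 1-3: non-home VPN source + same user's home-country CASB activity."""
    findings = []
    for ev in vpn_log:
        vpn_cc = geoip_country(ev["ip"])
        if vpn_cc == HOME_COUNTRY:
            continue                      # only non-home (incl. unknown) VPN sources are examined
        mail = ad_mail.get(ev["user"])    # Step 2: AD gives the mail address the CASB keys on
        if mail is None:
            continue                      # user not in AD: outside this playbook's scope
        t_vpn = datetime.fromisoformat(ev["ts"])
        for c in casb_log:                # Step 3: cross-reference against CASB source IPs
            if c["mail"] != mail or geoip_country(c["ip"]) != HOME_COUNTRY:
                continue
            if abs(datetime.fromisoformat(c["ts"]) - t_vpn) <= WINDOW:
                findings.append({"user": ev["user"], "mail": mail,
                                 "vpn_ip": ev["ip"], "vpn_country": vpn_cc,
                                 "casb_ip": c["ip"]})
                break
    return findings


def confirmation_email(f: Dict) -> str:
    """Step 4: body of the automated message asking the user to confirm their location."""
    return (f"To: {f['mail']}\n"
            f"A VPN login for your account came from {f['vpn_ip']} ({f['vpn_country']}) "
            f"while your cloud activity came from {f['casb_ip']} ({HOME_COUNTRY}). "
            "Reply CONFIRM if this was you, or REPORT if it was not.")


def decide(f: Dict, user_reports_attack: bool, blocklist: Set[str]) -> str:
    """Step 5: act on the user's reply. Blocks the VPN source IP when the attack is confirmed.

    The reply comes from a mailbox the attacker may control, so a CONFIRM from
    a phished user is not proof of benign activity; an analyst review queue
    would sit here in a production playbook.
    """
    if user_reports_attack:
        blocklist.add(f["vpn_ip"])
        return "blocked"
    return "closed_benign"


if __name__ == "__main__":
    blocked: Set[str] = set()
    for finding in find_suspicious(VPN_LOG, CASB_LOG, AD_MAIL):
        print(confirmation_email(finding))
        print(decide(finding, user_reports_attack=True, blocklist=blocked), blocked)
```

Run as-is, the constructed logs produce exactly one finding: jdoe's VPN session from an RO address seven minutes after US-based cloud activity, while asmith's US VPN session is skipped in step 1.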

Automating VPN checks helps detect and contain misuse of VPN access early, limiting what a stolen or leaked VPN credential can be used for in attacks such as Session Hijacking, Man-in-the-Middle, Denial of Service (DoS), Spoofing and Virus or Malware delivery, and each confirmed incident feeds the organization's Threat Intelligence.
