Monitoring Azure VPN access with Azure OMS

A routine part of my job is receiving inquiries about solving business problems. Not all problems can be solved via Office 365 or Azure, but as a rule of practice I always challenge myself to answer that question. Whether or not the solution is one the customer ends up selecting, it’s worthwhile experience in the never-ending journey of learning the platform(s). Recently, a customer noted that the ability to report on VPN network access was a particularly important part of their compliance. Specifically, they needed to know who logged in, when, and from which IP address the request originated. Naturally, I wanted to see if I could solve for this request using Azure components, and as it turns out, the answer was yes!

 

Discovery

The first steps involved some research to determine if the goal is even feasible using Azure-based tools. I’ve covered Azure Point-to-Site VPNs using RADIUS authentication via a Windows Network Policy Server (NPS) in the past, so these items were already a known quantity. There is no native logging associated with the Azure VPN Gateway itself, at least in terms of users connecting and from where. You can see connections and which IP (on the Azure VPN Subnet) is assigned during a connection, but that doesn’t come close to giving me the data I am looking for. Next, I turned to the NPS server itself and noted that it does log RADIUS requests, including the user attempting to log in and the time the event occurred; the Azure VPN Gateway also passes along the originating IP of the connection. Additionally, there are events for both logon successes and failures (6272 and 6273, respectively). Awesome! This is the data I needed.

 

Knowing the information I need can be sourced from a log within the NPS, I look to Operations Management Suite (OMS) to power the final solution. Now, most of the logs in a Windows VM can be ingested and monitored using Log Analytics by itself, but doing so with the Windows Security log requires the use of the OMS Security & Audit solution. This does come with a monthly fee, so if you look to utilize the solution, ensure you understand the pricing implications. I deployed the Security & Audit solution and connected the NPS server to the OMS Workspace.

 

Building the Solution

OMS Solutions are formed in two parts. The first part is a tile used for the Overview or Dashboard screen which gives some quick glance information. Clicking through that tile will reveal the full solution dashboard with all of the other tiles associated with the solution. For the overview tile I selected a dual query donut chart that simply shows allowed vs denied VPN logons.

 

The request called for a list of VPN access attempts showing username, timestamp and originating IP; I wanted to provide that information but also go a little bit further. On the full solution dashboard, the first 2 tiles display logons over time (both allowed and denied) and also logon counts per user. This information is important in routine security reviews to ensure there are no accounts showing strange activity, such as excessive failed logon attempts. For failed attempts, I added thresholds that display a warning dot in yellow if failed logons for that user equal 5 or more in the selected time frame. Failed logons equaling 10 or more will show as a red critical dot. These tiles provide important security details at a glance. As requested, the next two tiles provide a direct list of logon attempts (sorted by most recent) with corresponding IP and timestamp.
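The logic behind these tiles can be reproduced offline over exported NPS events. The following is an added example, not the queries from the original post or the OMS solution. It assumes events in the standard Windows event XML layout, with the username in SubjectUserName and the originating IP in CallingStationID; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
OUTCOME = {6272: "allowed", 6273: "denied"}  # NPS event IDs named in the post
WARN, CRIT = 5, 10  # failed-logon thresholds from the dashboard tiles

def make_event(event_id, when, user, ip):
    """Build a constructed sample event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="CallingStationID">{ip}</Data></EventData></Event>')

def parse_event(xml_text):
    """Return a record for a 6272/6273 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    if event_id not in OUTCOME:
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "user": data.get("SubjectUserName", "").lower(),  # account names are case-insensitive
        "ip": data.get("CallingStationID", ""),  # assumption: originating IP field
        "result": OUTCOME[event_id],
    }

def build_report(xml_events):
    """Return (logons sorted most recent first, failures per user, severity per user)."""
    rows = [r for r in map(parse_event, xml_events) if r]
    rows.sort(key=lambda r: r["time"], reverse=True)  # same-format UTC stamps sort as text
    failures = Counter(r["user"] for r in rows if r["result"] == "denied")
    severity = {u: "critical" if n >= CRIT else "warning" if n >= WARN else "ok"
                for u, n in failures.items()}
    return rows, failures, severity

# Constructed sample: 2 allowed logons, 1 unrelated event, 5 denials for bob, 10 for svc-vpn.
SAMPLE = [make_event(6272, "2018-03-01T08:00:00Z", "alice", "203.0.113.10"),
          make_event(6272, "2018-03-01T09:30:00Z", "Bob", "198.51.100.7"),
          make_event(4624, "2018-03-01T09:31:00Z", "alice", "203.0.113.10")]
SAMPLE += [make_event(6273, f"2018-03-01T10:0{i}:00Z", "bob", "198.51.100.7") for i in range(5)]
SAMPLE += [make_event(6273, f"2018-03-01T11:0{i}:00Z", "svc-vpn", "192.0.2.44") for i in range(10)]

if __name__ == "__main__":
    rows, failures, severity = build_report(SAMPLE)
    for r in rows:
        print(r["time"], r["user"], r["ip"], r["result"])
    print(dict(failures), severity)
```

Confirm which event field actually carries the client IP in your own NPS logs before relying on the output for an audit.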

 

 

The two tiles to the right also serve to fill out the remainder of the solution request. The customer can drill down into the query by clicking the See All… button.

 

 

In the new window, they can either export the list of logons to an Excel CSV for delivery to their auditor, or they can configure alert rules should they want to be notified when logon failures occur.

 

 

 

 

Conclusion

Compliance is a never-ending bear for businesses to deal with. Utilizing the cloud to solve for compliance and security needs can be an affordable and effective strategy. Today, I demonstrated a solution that provides the following:

  • Log VPN access, including the following factors:
    • Username
    • IP of origin
    • Timestamp
    • Logon Allowed or Denied
  • Generate reports on the results of the logs
  • Bonus: visualized security information at a glance