Log Analysis – VPN & Radius Logs

VPN & Radius Logs
May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 physical addresses: remote 212.72.147.6 local 100.100.100.2
May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 assigned IP address 66.71.16.253, mask 255.255.0.0
********************************************************************************
May 15 22:41:23 test400-1  15639 05/15/2005 22:02:22 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176811 authentication failed using RADIUS
May 15 22:41:42 test400-1  15639 05/15/2005 22:02:49 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176815 authentication failed using RADIUS
May 15 22:42:35 test400-1  15639 05/15/2005 22:03:39 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176823 authentication failed using RADIUS
May 15 22:42:37 test400-1  15639 05/15/2005 22:03:47 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176829 authentication failed using RADIUS
May 15 22:43:12 test400-1  15639 05/15/2005 22:04:12 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176833 authentication failed using RADIUS
May 15 22:43:29 test400-1  15639 05/15/2005 22:04:28 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176836 authentication failed using RADIUS
May 15 22:43:47 test400-1  15639 05/15/2005 22:04:57 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176838 authentication failed using RADIUS

***********************************
What does this tell you?
How can this be helpful to an investigation?


VPN & Radius Logs – Identification of External IP

May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 physical addresses: remote 212.72.147.6 local 100.100.100.2
May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 assigned IP address 66.71.16.253, mask 255.255.0.0
**************************************************************************

Example #1 – Identification of External IP

Now that you have determined which internal IP address was used to compromise the server, how would you determine where on the external internet this person was connecting from?


VPN & Radius Logs – Brute Force Attacks

May 15 22:41:23 test400-1  15639 05/15/2005 22:02:22 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176811 authentication failed using RADIUS
May 15 22:41:42 test400-1  15639 05/15/2005 22:02:49 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176815 authentication failed using RADIUS
May 15 22:42:35 test400-1  15639 05/15/2005 22:03:39 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176823 authentication failed using RADIUS
May 15 22:42:37 test400-1  15639 05/15/2005 22:03:47 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176829 authentication failed using RADIUS
May 15 22:43:12 test400-1  15639 05/15/2005 22:04:12 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176833 authentication failed using RADIUS
May 15 22:43:29 test400-1  15639 05/15/2005 22:04:28 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176836 authentication failed using RADIUS
May 15 22:43:47 test400-1  15639 05/15/2005 22:04:57 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176838 authentication failed using RADIUS
**************************************************************************

Example #2 – Detection of Brute Force Attack

In the course of the investigation, you have determined that the VPN was the point of entry. How would the VPN logs help you determine HOW the intruder was able to access the system?


VPN & Radius Logs – Patterns of Behavior

May  9 09:14:47 test400-1 15639 05/09/2005 08:35:36 tEvtLgMgr 0 : Security [12] Session: IPSEC[sbclark]:1160001 assigned IP address 66.51.1.60, mask 255.255.0.0
May  9 09:14:47 test400-1  15639 05/09/2005 08:35:36 tEvtLgMgr 0 : Security [12] Session: IPSEC[sbclark]:1160001 physical addresses: remote 12.65.67.244 local 66.196.147.3

**************************************************************************

Example #3 – Detection of abnormal patterns of behavior

How would you use the VPN & Radius logs to determine abnormal patterns of behavior for a suspect employee?

For example, if the employee is at work but his account is being used for VPN access from outside the company during his normal work hours, it might be suspected that somebody had compromised his account and was using it without authorization.
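All three exercises start from the same parsing step, so here is one added example in Python (not part of the original training material) that works through them together: it resolves the external address behind an assigned internal IP (Example #1), flags RADIUS authentication failures that cluster in a short window (Example #2), and cross-checks VPN session starts against on-site badge records (Example #3). The log lines are the page's own; the function names, the thresholds, and the BADGE_RECORDS badge-reader data are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not part of the original training material; function names,
# thresholds and the badge records are assumptions made for illustration.

# The page's own IPSEC session records (syslog header, then the device's timestamp).
SAMPLE_LOG = """\
May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 physical addresses: remote 212.72.147.6 local 100.100.100.2
May  9 03:02:32 66.71.0.3  312 05/09/2005 03:34:52 tEvtLgMgr 0 : Security [12] Session: IPSEC[jhatefield]:19656 assigned IP address 66.71.16.253, mask 255.255.0.0
May 15 22:41:23 test400-1  15639 05/15/2005 22:02:22 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176811 authentication failed using RADIUS
May 15 22:41:42 test400-1  15639 05/15/2005 22:02:49 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176815 authentication failed using RADIUS
May 15 22:42:35 test400-1  15639 05/15/2005 22:03:39 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176823 authentication failed using RADIUS
May 15 22:42:37 test400-1  15639 05/15/2005 22:03:47 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176829 authentication failed using RADIUS
May 15 22:43:12 test400-1  15639 05/15/2005 22:04:12 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176833 authentication failed using RADIUS
May 15 22:43:29 test400-1  15639 05/15/2005 22:04:28 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176836 authentication failed using RADIUS
May 15 22:43:47 test400-1  15639 05/15/2005 22:04:57 tEvtLgMgr 0 : Security [13] Session: IPSEC[mbushe]:1176838 authentication failed using RADIUS
May  9 09:14:47 test400-1 15639 05/09/2005 08:35:36 tEvtLgMgr 0 : Security [12] Session: IPSEC[sbclark]:1160001 assigned IP address 66.51.1.60, mask 255.255.0.0
May  9 09:14:47 test400-1  15639 05/09/2005 08:35:36 tEvtLgMgr 0 : Security [12] Session: IPSEC[sbclark]:1160001 physical addresses: remote 12.65.67.244 local 66.196.147.3
"""

LINE_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+)\s+(?P<pid>\d+) "
    r"(?P<dev_ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) tEvtLgMgr \d+ : Security \[\d+\] "
    r"Session: IPSEC\[(?P<user>[^\]]+)\]:(?P<sid>\d+) (?P<msg>.*)$"
)
PHYS_RE = re.compile(r"physical addresses: remote (?P<remote>\S+) local (?P<local>\S+)")
ASSIGN_RE = re.compile(r"assigned IP address (?P<ip>\S+), mask (?P<mask>\S+)")


def parse_line(line):
    """Return one event dict per IPSEC session record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Analyse on the device's own clock: the syslog receive time on the page's lines
    # is off by roughly half an hour, which would wreck any cross-log correlation.
    ev["time"] = datetime.strptime(ev["dev_ts"], "%m/%d/%Y %H:%M:%S")
    ev["kind"] = "auth_failed" if "authentication failed using RADIUS" in ev["msg"] else "other"
    for kind, rx in (("session_start", PHYS_RE), ("ip_assigned", ASSIGN_RE)):
        hit = rx.search(ev["msg"])
        if hit:
            ev["kind"] = kind
            ev.update(hit.groupdict())
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def external_ip_for(events, internal_ip):
    """Example #1: the remote (external) address behind an assigned internal VPN
    address, joined on (user, session id) so the two records of one session line up."""
    remote = {(e["user"], e["sid"]): e["remote"] for e in events if e["kind"] == "session_start"}
    return [(e["user"], e["sid"], remote.get((e["user"], e["sid"])))
            for e in events if e["kind"] == "ip_assigned" and e["ip"] == internal_ip]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Example #2: users with `threshold` or more RADIUS failures inside a sliding
    `window`; the widest burst seen for each user is reported."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_failed":
            failures[e["user"]].append(e["time"])
    alerts = []
    for user, times in failures.items():
        times.sort()
        best, start = None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "count": count, "first": times[start], "last": t}
        if best:
            alerts.append(best)
    return alerts


# Constructed badge-reader data (assumption): intervals when each employee was on site.
BADGE_RECORDS = {"sbclark": [(datetime(2005, 5, 9, 8, 0), datetime(2005, 5, 9, 17, 0))]}


def flag_onsite_vpn(events, badge_records, work_hours=(8, 18)):
    """Example #3: VPN sessions opened during work hours while the account's owner
    was badged in, i.e. the account is used from outside while its owner is inside."""
    flagged = []
    for e in events:
        if e["kind"] != "session_start" or not work_hours[0] <= e["time"].hour < work_hours[1]:
            continue
        if any(b_in <= e["time"] <= b_out for b_in, b_out in badge_records.get(e["user"], [])):
            flagged.append((e["user"], e["remote"], e["time"]))
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("external IP:", external_ip_for(evs, "66.71.16.253"))
    print("brute force:", detect_brute_force(evs))
    print("on site but on VPN:", flag_onsite_vpn(evs, BADGE_RECORDS))
```

Two design points matter for the investigation. The "assigned IP address" and "physical addresses" records are separate lines, so the join has to be on the session id (19656 for jhatefield), not on time alone; and the analysis keys on the device's own timestamp, because the syslog receive time in these lines differs from it by about half an hour and would mislead any correlation with server or badge logs. The five-failures-in-five-minutes threshold is a starting point to tune against the site's normal failure rate.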