1. Field
The invention disclosed and claimed herein is generally directed to a method and system for detecting malicious or other unwanted circumvention of a virtual private network (VPN).
2. Description of the Related Art
In the current work environment, employees of an enterprise or other organization often need to connect to vital enterprise resources while they are not in a traditional office environment. Instead, they may have to connect from home, from a hotel room, from a customer location, or from a mobile device while traveling, by way of example. As these resources are typically protected by a firewall, access is often realized through a virtual private network (VPN) that allows the employee to securely reach the resources from a client device (e.g., laptop, tablet, phone, and the like). A VPN, as is known by those of skill in the art, is a private network that is extended across a public network, such as the Internet. Thus, a client device can send and receive data across the public network as though the client device were directly connected to the enterprise network.
Various authentication and encryption methods are used to control who can establish a VPN connection, and also to protect the data that is exchanged over the VPN connection. The VPN plays a role in protecting resources from external attacks by adding an additional layer of defense that must be circumvented before the resources can be accessed. The VPN has a further role of protecting against eavesdropping on data while it is in transit to and from a client.
After establishing the VPN connection, the employee can often access all enterprise resources with connectivity similar to that available while at an enterprise location. This access is typically achieved by installing various “IP routes” on the client device that direct traffic intended for an enterprise server through the VPN tunnel interface. Traffic to third-party servers that are not enterprise-controlled (e.g., traffic to a publicly accessible information website) may either flow directly from the client device to the third-party server (a split-tunnel configuration), or may in certain configurations also be routed through the enterprise VPN servers (a full-tunnel configuration).
A problem with existing technology is that it does not protect against maliciously created routes that may disrupt or intercept the intended traffic flow patterns. Because the client applies the routing table's longest-prefix match, a route that is more specific than the VPN's route wins regardless of which route was installed first. By using various techniques (e.g., additional routes or specially crafted IP address assignments handed out by a malicious Wi-Fi hotspot through DHCP), an attacker can therefore intercept and manipulate traffic that was intended to be sent to the enterprise through the VPN. If the attacker additionally holds VPN credentials for some enterprise account (e.g., obtained through a malicious or careless insider), that access can be used to keep the diverted traffic flowing to the enterprise, so that communication from a privileged user (e.g., a system administrator or high-level employee) is intercepted without being noticed, even though the credentials came from an unprivileged enterprise account.
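The following is an added example, not code from the patent or from any product it describes, of the check the preceding paragraphs motivate: simulate the client's longest-prefix-match route lookup over a route table and flag any route that steers part of an enterprise prefix away from the VPN interface. The route-table format, the interface names (tun0, wlan0), the enterprise prefix 10.0.0.0/8 and the extra 10.20.30.0/24 route "pushed by the hotspot" are all constructed for illustration.

```python
"""Detect routes that divert enterprise-bound traffic away from a VPN tunnel.

Added example (not part of the patent text). Models the behaviour described
above: a more specific route installed by a hostile network wins the
longest-prefix match and pulls traffic off the VPN interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample route table, in a simplified
# "destination interface gateway metric" format.  The last entry is the
# kind of route a malicious Wi-Fi hotspot could push via DHCP.
SAMPLE_ROUTE_TABLE = """
# dest            iface  gateway        metric
0.0.0.0/0         wlan0  192.168.1.1    600
192.168.1.0/24    wlan0  -              600
10.0.0.0/8        tun0   -              50
10.20.30.0/24     wlan0  192.168.1.1    100
"""

# Assumed enterprise address space and VPN tunnel interface name.
ENTERPRISE_PREFIXES = ["10.0.0.0/8"]
VPN_IFACE = "tun0"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse the simplified route-table format used in SAMPLE_ROUTE_TABLE."""
    routes = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dest, iface, gw, metric = line.split()
        routes.append(Route(ipaddress.ip_network(dest, strict=False),
                            iface, None if gw == "-" else gw, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower metric wins,
    mirroring how the client's kernel selects a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def find_bypass_routes(routes: List[Route], enterprise_prefixes: List[str],
                       vpn_iface: str) -> List[Route]:
    """Return every non-VPN route that lies inside an enterprise prefix and
    would actually be chosen for an address it covers (i.e. it is more
    specific than the VPN route, or equally specific with a better metric)."""
    flagged = []
    for ent in enterprise_prefixes:
        ent_net = ipaddress.ip_network(ent)
        for r in routes:
            if r.interface == vpn_iface or not r.prefix.subnet_of(ent_net):
                continue
            chosen = lookup(routes, str(r.prefix.network_address))
            if chosen is not None and chosen.interface != vpn_iface:
                flagged.append(r)
    return flagged


def audit(route_text: str = SAMPLE_ROUTE_TABLE) -> List[str]:
    """Convenience wrapper: human-readable findings for the given table."""
    routes = parse_routes(route_text)
    return [f"{r.prefix} via {r.interface} (metric {r.metric}) bypasses {VPN_IFACE}"
            for r in find_bypass_routes(routes, ENTERPRISE_PREFIXES, VPN_IFACE)]


if __name__ == "__main__":
    for finding in audit():
        print("ALERT:", finding)
```

In the sample table, 10.1.1.1 still resolves to tun0, but 10.20.30.7 resolves to wlan0 because the /24 pushed by the hotspot is more specific than the VPN's /8; the audit flags exactly that route. On a real host the same logic would be fed the output of `ip route` or the platform's routing API, and the enterprise prefixes would come from the VPN profile rather than a constant.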