Find location of VPN connection

Anonymous
2024-04-27T19:42:17+00:00

We have a web application firewall in place with GEO IP protect enabled. The GEO IP protection allows only traffic within Canada to our site. In Google analytics, it shows a connection from Asia. We tracked down that these connections are related to a client in Canada based on login name. We believe that the connection in Asia is bypassing the GEO IP protection using a VPN to this client’s network. Is there a method of proving this? Finding the VPN origin? Is there another way other than VPN? Any suggestions welcome. Thanks

Windows for business Windows Server Networking Network connectivity and file sharing

Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2024-04-29T00:27:09+00:00

    To determine whether a VPN or another method is being used to bypass GEO IP restrictions, here’s a structured approach, involving both analysis and specific action steps:

    Step 1: Audit Network Logs

    • Access Web Application Firewall and Server Logs: Review all logs, especially entries from Asian IP addresses.
    • Identify Anomalies or Inconsistencies: Look for sudden spikes in traffic, IP addresses from outside of Canada, or IP addresses known to belong to VPN providers.

    Step 2: Perform IP Trace Analysis

    • Use Tracing Tools: Tools like tracert or ping can show the route packets take to reach your server.
    • IP Address Lookup: Use online services such as ipinfo.io or IPLocation to gather information about the suspicious IPs.


    Step 3: Check for DNS Leaks

    • Use Online DNS Leak Test Tools: Tools like dnsleaktest.com can help determine if DNS requests are revealing the actual physical location despite the use of a VPN.

    Step 4: Communicate with the Client

    • Inquire About Network Configurations: Understand whether the client is aware of any VPN or other proxy services being used within their network.
    • Discuss Legitimate Reasons: Such as the need for remote access by international branches or employees.

    Step 5: Deploy VPN Detection Tools

    • Implement VPN Detection Services: Services like MaxMind or IP2Proxy can help identify the use of VPNs, proxies, and TOR exit nodes.

    Step 6: Behavioral Analysis

    • Analyze Access Patterns: Check if the timing, frequency, and behaviors of sessions align with typical user activity patterns for Canada.
    • Analyze Device and Browser Fingerprints: To identify if access is coming from unconventional devices or configurations.

    Step 7: Consider Other Bypass Methods

    • Understand Common Bypass Techniques: Such as SSH tunneling, proxy servers, and the TOR network.
    • Look for Signatures of These Technologies: In network traffic for specific signs or identifiers.

    Step 8: Enhance GEO IP Protection

    • Evaluate and Optimize Current GEO IP Protection Measures: Consider adopting more advanced geolocation detection technologies.
    • Implement Behavioral Analysis and Machine Learning: To help identify and block sophisticated attempts to bypass restrictions.

    By following these steps, you will gain a comprehensive understanding of the traffic origins and validate whether a VPN or other techniques are being used to circumvent GEO IP protection. This will aid in making more informed network security decisions.

    Best Regards,

    Rosy

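The audit steps in the answer above (Step 1 log review, Step 5 anonymizer lookup, Step 6 behavioural analysis of access patterns per login) can be run together over the WAF's own access log. The script below is an added example and is not part of the original thread or any vendor's tooling. It assumes a combined-log-style line that carries the authenticated login name in the second field, and it stands in for a commercial GeoIP/anonymizer feed (MaxMind, IP2Proxy) with a small constructed lookup table on RFC 5737 documentation prefixes; the log lines are constructed as well. It flags three things per login: any country outside the allow-list, any source address classified as VPN/proxy/Tor/hosting (a VPN whose exit sits in a Canadian datacenter passes a country-only GEO IP rule but still shows up as a hosting range), and "impossible travel", the same login appearing from two countries within a short window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a commercial GeoIP/anonymizer feed (MaxMind, IP2Proxy).
# The prefixes are RFC 5737 documentation ranges, not real providers.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CA", "residential"),
    (ipaddress.ip_network("198.51.100.0/24"), "CA", "hosting"),  # datacenter / VPN exit inside Canada
    (ipaddress.ip_network("192.0.2.0/24"), "SG", "vpn"),  # known VPN provider range
]
ANONYMIZER_KINDS = {"vpn", "proxy", "tor", "hosting"}

# Assumed log shape: combined-log style with the login name in the user field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed WAF access-log sample (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - alice [27/Apr/2024:14:02:11 +0000] "POST /login HTTP/1.1" 200
203.0.113.45 - alice [27/Apr/2024:14:05:40 +0000] "GET /dashboard HTTP/1.1" 200
198.51.100.9 - alice [27/Apr/2024:14:31:05 +0000] "POST /login HTTP/1.1" 200
203.0.113.80 - carol [27/Apr/2024:15:00:00 +0000] "POST /login HTTP/1.1" 200
192.0.2.77 - carol [27/Apr/2024:15:20:00 +0000] "POST /login HTTP/1.1" 403
203.0.113.12 - bob [27/Apr/2024:16:00:00 +0000] "POST /login HTTP/1.1" 200
"""


def geo_lookup(ip):
    """Return (country, kind) from the constructed table; unknown addresses map to ('??', 'unknown')."""
    addr = ipaddress.ip_address(ip)
    for net, country, kind in GEO_TABLE:
        if addr in net:
            return country, kind
    return "??", "unknown"


def parse_log(text):
    """Parse log lines into records, enriching each with its GeoIP classification."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        country, kind = geo_lookup(m["ip"])
        records.append({
            "ip": m["ip"], "user": m["user"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "country": country, "kind": kind,
        })
    return records


def analyze(records, allowed_countries=("CA",), travel_window=timedelta(hours=2)):
    """Per-login findings: countries seen, anonymizer-type sources, and impossible travel
    (same login from two different countries within travel_window, blocked requests included)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        countries = {r["country"] for r in recs}
        anonymizers = sorted({(r["ip"], r["kind"]) for r in recs if r["kind"] in ANONYMIZER_KINDS})
        travel = []
        for a, b in zip(recs, recs[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= travel_window:
                minutes = int((b["ts"] - a["ts"]).total_seconds() // 60)
                travel.append((a["ip"], b["ip"], minutes))
        findings[user] = {
            "countries": countries,
            "outside_allowed": bool(countries - set(allowed_countries)),
            "anonymizers": anonymizers,
            "impossible_travel": travel,
        }
    return findings


def suspicious_users(findings):
    """Logins with at least one finding, sorted for stable reporting."""
    return sorted(u for u, f in findings.items()
                  if f["outside_allowed"] or f["anonymizers"] or f["impossible_travel"])


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for user in suspicious_users(result):
        print(user, result[user])
```

In the constructed sample, alice never leaves Canada, so a country-only rule passes her, yet her second login comes from a hosting range, which is the trace a Canadian VPN exit leaves; carol is flagged for both a non-allowed country and a 20-minute hop between countries. Replace the table with a real feed lookup (the MaxMind or IP2Proxy client of your choice) and the regex with your WAF's log format to run this against production logs.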
  2. Anonymous
    2024-04-29T19:44:12+00:00

    Hi Rosy, this list is excellent and has provided me with a better knowledge of my scenario.

    1. Checking network logs and nothing was found for IP addresses in Asia.
    2. Unable to perform this since no IP address was found.
    3. DNS leaks show nothing unusual.
    4. Communicated with client and they tell me that they are not aware of any unusual activity.
    5. VPN detection tools show no VPN activity other than my own. I need to connect remotely with a VPN. This was confirmed with my Server vendor and firewall monitoring service.
    6. There is an event analyzer we monitor for several weeks since the incident. Nothing found.
    7. Server vendor and firewall monitoring service do not suspect any other bypass methods. Only several ports are opened at the firewall.
    8. We have a third-party WAF service in place that manages GEO IP protect. Have reached out to them to see if there are any enhancements.

    Appreciate your assistance.

  3. Anonymous
    2024-04-29T23:51:05+00:00

    Hello Friends,

    Hope you have a lovely day!

    Thank you for providing such a detailed reply! It appears you have already taken thorough steps to investigate and secure your network. Based on what you've described, here are a few additional suggestions you might consider to further ensure security and address your concerns:

    1. Review and Audit Firewall Rules: Since only a few ports are open, ensure that these ports are essential for your operations and that they are secured with proper rules. Regular audits can help avoid any misconfigurations or outdated rules that could be exploited.

    2. Enhance Monitoring and Alerting: While your event analyzer hasn't found anything over several weeks, enhancing the sensitivity of monitoring tools or incorporating additional metrics might help detect subtle anomalies. Consider tools that utilize machine learning to detect unusual patterns that typical rule-based systems might miss.

    3. Regularly Update and Patch Systems: Ensure that all your systems, especially those exposed to the internet, are regularly updated with the latest security patches. This reduces the risk of vulnerabilities being exploited.

    4. VPN Security Practices: Since you need to use a VPN to connect remotely, ensure that you're using strong encryption, secure VPN protocols, and multi-factor authentication to access the network.

    5. Conduct Regular Security Training: Regular training for all employees on the importance of security and how to recognize potential threats like phishing can help safeguard against human errors that might lead to security breaches.

    Reaching out to your WAF service for potential enhancements is a good move. It’s crucial to stay proactive in updating and enhancing security measures to adapt to evolving threats.

    If you have any further questions or need additional details on implementing these suggestions, feel free to ask. Your proactive approach is commendable, and staying vigilant is key to maintaining security.

    Best regards

    Rosy
