To address a specific concern in how the IP Layer Enforcement feature works, and to improve reporting so you can be aware of specific security incidents, OpenDNS is introducing a new security category: Unauthorized IP Tunnel access. Entries in this category appear in your Activity Search or Security Activity reports whenever traffic to unauthorized IPs is blocked.
Unauthorized IPs are unexpected destination addresses that reach the Roaming Client's IP Layer Enforcement tunnel even though IP Layer Enforcement never flagged them, so the client itself did not route them there. Such traffic can originate from routes set on the client side by a user or a process, and may indicate malicious activity interfering with the device's routing table, or a user trying to bypass the organization's security infrastructure to gain access to the Internet.
This category differs from other security categories, such as Malware or Command and Control Callback, in these ways:
- This security category only appears in your reporting; it does not show a block page and is not configurable in policy.
- By default, all traffic matching this category is blocked, and it cannot be allowed in your policy. This is by design: nothing other than the traffic the Roaming Client's own list of IP addresses directs into the tunnel should be using it.
- Only identities with the Roaming Client installed and the IP Layer Enforcement feature enabled will ever see this category blocked in their reports.
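Because the category is driven by routes that push traffic into the Roaming Client's tunnel, the matching check on the endpoint is to list every route that uses the tunnel interface and subtract the ones IP Layer Enforcement placed itself. The script below is an added example, not OpenDNS code: the tunnel interface name `TUNNEL_IFACE`, the `ENFORCED_ROUTES` set and the `netstat -rn`-style routing table it parses are all constructed assumptions, since the real route list lives inside the Roaming Client.

```python
"""Check an endpoint's routing table for routes that send traffic into the
Roaming Client's IP Layer Enforcement tunnel without being part of the
client's own route list.

Added example, not OpenDNS code. Assumptions (not from the original page):
TUNNEL_IFACE and ENFORCED_ROUTES are hypothetical values an administrator
would fill in, and SAMPLE_ROUTING_TABLE is constructed text in the
`netstat -rn` layout used on macOS/BSD."""

import ipaddress

# Hypothetical name of the Roaming Client's tunnel interface.
TUNNEL_IFACE = "utun3"

# Hypothetical set of destinations that IP Layer Enforcement itself routes
# into the tunnel; anything else seen via the tunnel is unauthorized.
ENFORCED_ROUTES = {"203.0.113.5/32", "198.51.100.0/24"}

# Constructed sample routing table (not real output). The last two utun3
# entries were not placed by the Roaming Client: 0/1 overrides half of the
# default route, and 192.0.2.77 is an arbitrary host.
SAMPLE_ROUTING_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGScg          en0
127                127.0.0.1          UCS            lo0
192.168.1          link#6             UCS            en0      !
203.0.113.5        link#15            UHS          utun3
198.51.100/24      link#15            UCS          utun3
0/1                link#15            UCS          utun3
192.0.2.77         link#15            UHS          utun3
"""


def normalize_destination(dest: str) -> ipaddress.IPv4Network:
    """Expand BSD-style abbreviated destinations into full networks.

    "default" -> 0.0.0.0/0, "127" -> 127.0.0.0/8, "198.51.100/24" -> 198.51.100.0/24,
    "0/1" -> 0.0.0.0/1, and a full dotted quad -> /32.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    # Without an explicit prefix, BSD abbreviates on octet boundaries.
    prefix = int(plen) if plen else 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}", strict=False)


def routes_via_interface(table_text: str, iface: str) -> list:
    """Return the IPv4 destinations whose Netif column is `iface`."""
    routes = []
    in_table = False
    for line in table_text.splitlines():
        fields = line.split()
        if not fields:
            in_table = False          # blank line ends a section
            continue
        if fields[0] == "Destination":
            in_table = True           # column header starts the data rows
            continue
        if not in_table or len(fields) < 4 or ":" in fields[0]:
            continue                  # skip preamble and IPv6 rows
        dest, netif = fields[0], fields[3]
        if netif == iface:
            routes.append(normalize_destination(dest))
    return routes


def unauthorized_tunnel_routes(table_text: str,
                               iface: str = TUNNEL_IFACE,
                               enforced=ENFORCED_ROUTES) -> list:
    """Routes via the tunnel interface that IP Layer Enforcement did not place."""
    allowed = {ipaddress.ip_network(n) for n in enforced}
    return [r for r in routes_via_interface(table_text, iface) if r not in allowed]


if __name__ == "__main__":
    for route in unauthorized_tunnel_routes(SAMPLE_ROUTING_TABLE):
        print(f"unexpected route via {TUNNEL_IFACE}: {route}")
```

On the sample table the script reports `0.0.0.0/1` and `192.0.2.77/32`. The `0/1` entry is worth recognising on sight: paired with a `128/1` route, two half-default routes are the standard way to steer all traffic somewhere without touching the real default route, which is exactly the "user or process setting routes on the client side" case the category is meant to surface.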
To filter for this traffic, pick the Unauthorized IP Tunnel access category when running a report:
Viewing the Unauthorized IP Tunnel Access in Reports
With the filter applied, the report lists the blocked entries for this category.
If an endpoint shows this kind of behavior in your report, scan it with an anti-virus scanner, check for unknown running processes and, if possible, determine whether the end user is actively trying to circumvent protection at your gateway (or at another gateway, if the device is off-network). Since the category reflects routes that sent traffic into the tunnel, it is also worth reviewing the endpoint's routing table for routes via the Roaming Client's tunnel interface that you did not expect.
Also check whether the activity coincides with a VPN client connecting or disconnecting. There are cases where IP Layer Enforcement 'backing off' while a VPN is being established results in certain IPs being blocked and reported under this category; those entries are a side effect of the VPN transition rather than evidence of tampering.
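The two checks above (investigate the endpoint, but first rule out VPN connect/disconnect timing) can be applied to an exported report in bulk. The script below is an added example, not OpenDNS code or the real export schema: the report columns `identity`, `timestamp`, `destination` and `category`, the `VPN_EVENTS` log, the 90-second `VPN_GRACE` window and all sample rows are constructed assumptions.

```python
"""Triage "Unauthorized IP Tunnel access" report rows against VPN client
connect/disconnect events: hits inside a VPN transition window are set aside
as the 'backing off' side effect described above, everything else goes to an
investigation list grouped by identity.

Added example, not OpenDNS code. The report columns (identity, timestamp,
destination, category), the VPN event format and all sample rows are
constructed assumptions, not the real export schema."""

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

CATEGORY = "Unauthorized IP Tunnel access"
# Assumed tolerance around a VPN connect/disconnect during which hits are
# attributed to IP Layer Enforcement backing off rather than to the endpoint.
VPN_GRACE = timedelta(seconds=90)

# Constructed sample report export (hypothetical column names).
REPORT_CSV = """\
identity,timestamp,destination,category
laptop-017,2024-03-04T09:01:12Z,192.0.2.77,Unauthorized IP Tunnel access
laptop-017,2024-03-04T09:01:30Z,192.0.2.77,Unauthorized IP Tunnel access
laptop-042,2024-03-04T11:15:03Z,198.51.100.9,Malware
laptop-042,2024-03-04T11:15:05Z,203.0.113.200,Unauthorized IP Tunnel access
laptop-042,2024-03-04T14:40:00Z,203.0.113.200,Unauthorized IP Tunnel access
"""

# Constructed VPN client events per identity: (timestamp, event).
VPN_EVENTS = {
    "laptop-042": [("2024-03-04T11:14:50Z", "connect")],
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def near_vpn_transition(identity, ts, events=VPN_EVENTS, grace=VPN_GRACE) -> bool:
    """True if `ts` falls within `grace` of any VPN connect/disconnect for this identity."""
    return any(abs(ts - parse_ts(when)) <= grace for when, _ in events.get(identity, []))


def triage(report_csv: str, events=VPN_EVENTS, grace=VPN_GRACE) -> dict:
    """Split category hits into 'investigate' and 'vpn_transition' buckets.

    Each bucket maps identity -> list of blocked destinations, in report order.
    Rows of other categories (e.g. Malware) are ignored here.
    """
    buckets = {"investigate": defaultdict(list), "vpn_transition": defaultdict(list)}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["category"] != CATEGORY:
            continue
        ts = parse_ts(row["timestamp"])
        near = near_vpn_transition(row["identity"], ts, events, grace)
        bucket = "vpn_transition" if near else "investigate"
        buckets[bucket][row["identity"]].append(row["destination"])
    return {name: dict(by_identity) for name, by_identity in buckets.items()}


if __name__ == "__main__":
    result = triage(REPORT_CSV)
    for identity, dests in result["investigate"].items():
        print(f"{identity}: {len(dests)} hit(s) to {sorted(set(dests))} "
              f"-> scan host, review processes and routes")
    for identity, dests in result["vpn_transition"].items():
        print(f"{identity}: {len(dests)} hit(s) during VPN transition "
              f"-> likely backing-off side effect")
```

On the sample data, laptop-017 (no VPN activity, repeated hits to one host) and the afternoon hit from laptop-042 land in the investigation list, while the laptop-042 hit 15 seconds after its VPN connect is filed as a transition side effect. Repeated hits to the same destination from one identity, outside any VPN window, are the pattern that most deserves the endpoint checks above.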
The reason a process or a user might try to use the Roaming Client's IP Layer Enforcement VPN is to create a tunnel to a remote server and, from there, exfiltrate data from your endpoints, so this category is definitely something to keep an eye out for.