VPN (Virtual Private Network) applications can provide encrypted tunnels for network traffic, but when installed without authorization, they pose security and compliance risks. Unauthorized VPNs can:
- Bypass corporate firewalls and monitoring solutions.
- Enable unmonitored data transfers.
- Provide attackers a potential entry or exit channel.
The Saner CVEM platform helps administrators detect, analyze, and block VPN software across enterprise devices.
1. Detecting VPN Software
Saner CVEM continuously monitors endpoints and raises Posture Anomalies when VPN applications are found.
Steps to Detect:
- Navigate to the Posture Anomaly (PA) Dashboard.
- Locate the anomaly PA-2022-1058 – VPN Software is installed.
  - This rule triggers whenever known VPN packages are detected on endpoints.
- Review the Summary Section:
  - OS family with the most anomalies (e.g., Unix).
  - Group with the most anomalies (e.g., Ubuntu).
  - Operating System version with the highest anomalies (e.g., Ubuntu 24.04).
- Check Posture Anomaly by Device:
  - Lists affected hostnames, OS family, and anomaly counts.
  - Example: support (Unix) – 3 anomalies, node6-standard-pc-i440fx… (Unix) – 3 anomalies.
- Check Posture Anomaly by Incidence:
  - Lists specific VPN applications detected.
  - Example:
    - network-manager-openvpn – 2 devices
    - network-manager-openvpn-gnome – 2 devices
    - openvpn – 2 devices
- Use the Group, Family, and OS dashboards to visualize the spread across environments.
2. Investigating the Risk
After detection:
- Validate if the VPN is corporate-approved or unauthorized.
- Check if VPN usage is violating compliance policies.
- Investigate which teams or users installed the VPN.
- Assess if the VPN poses a risk of data leakage or policy evasion.
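For the "corporate-approved or unauthorized" check on a Debian/Ubuntu endpoint, the following is an added example (not part of the original article and not Saner CVEM code) that classifies the three package names from the incidence list above against an approved list. The approved list, the function names, and the sample inventory are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: label installed VPN packages as approved or unauthorized.

# Package names taken from the article's "Posture Anomaly by Incidence" example.
WATCHLIST="network-manager-openvpn network-manager-openvpn-gnome openvpn"
# Assumption: the organization's approved list (hypothetical value).
APPROVED="openvpn"

# Reads "<package><TAB><dpkg status>" lines on stdin, the format produced by
#   dpkg-query -W -f='${Package}\t${Status}\n'
# Prints "<package><TAB><approved|unauthorized>" for installed watchlist hits.
classify_vpn_packages() {
  awk -F'\t' -v watch="$WATCHLIST" -v ok="$APPROVED" '
    BEGIN {
      n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1
      m = split(ok, a, " ");    for (i = 1; i <= m; i++) approved[a[i]] = 1
    }
    {
      # Skip packages outside the watchlist.
      if (!($1 in watched)) next
      # Count only fully installed packages ("install ok installed",
      # "hold ok installed"); "deinstall ok config-files" means the package
      # was removed and only configuration files remain.
      if ($2 !~ / installed$/) next
      print $1 "\t" (($1 in approved) ? "approved" : "unauthorized")
    }'
}

# Constructed sample inventory (not from a real host).
sample_inventory() {
  printf '%s\t%s\n' \
    "bash" "install ok installed" \
    "openvpn" "install ok installed" \
    "network-manager-openvpn" "install ok installed" \
    "network-manager-openvpn-gnome" "deinstall ok config-files"
}

sample_inventory | classify_vpn_packages
```

On a live endpoint, pipe the `dpkg-query` command shown in the comment into `classify_vpn_packages` instead of the sample.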