VPN Detection
VPN Detection Intelligence
The following page provides information on the VPN Detection indicator drivers included in Netify's Intelligence engine.
Overview
While VPN technology is a staple for secure remote access, its ability to encapsulate and encrypt traffic makes it a primary vector for stealthy data exfiltration. By tunneling sensitive information through an encrypted VPN session, an insider or malicious actor can move data off-site without triggering traditional firewall alerts.
| Score | Description |
|---|---|
| 0 | Informational |
| 1-25 | Low Risk |
| 26-50 | Medium Risk |
| 51-75 | High Risk |
| 76-100 | Critical Risk |
VPN and Compliance
This lack of visibility directly conflicts with NIST 800-53 and SOC 2 requirements for continuous monitoring and the principle of least privilege, making it essential to identify and restrict unauthorized VPN tunnels.
Indicator Drivers
Business VPN Application Driver
Much like consumer VPN services, business VPNs like Zscaler and ZeroTier play an essential role in protecting enterprise networks. However, these VPNs can still pose compliance and control issues if this type of traffic is unwanted.
The Business VPN indicator driver is triggered when a business VPN application is detected on the network.
| Tag | Default Score |
|---|---|
| vpn_application_business | 45 - Medium Risk |
Consumer VPN Application Driver
Consumer VPNs like ExpressVPN and Mullvad VPN play an essential role in protecting users' privacy. On the other hand, businesses need to protect their networks to maintain security, compliance, and control over their environments.
The Consumer VPN indicator driver is triggered when a consumer VPN application is detected on the network. You can find a list of supported VPNs on our VPN Resources page.
| Tag | Default Score |
|---|---|
| vpn_application_consumer | 70 - High Risk |
VPN Protocol Driver
The VPN Protocol indicator driver is triggered when any of the following VPN protocols is detected by the Netify DPI engine:
- IPsec
- OpenVPN
- PPTP
- Tailscale
- WireGuard
WiFi Calling is a popular feature that allows mobile phones to use local WiFi for mobile connectivity. This application uses the IPsec VPN protocol, so you may want to make an exception in the configuration for this type of traffic.
| Tag | Default Score |
|---|---|
| vpn_protocol | 60 - High Risk |
```json
"vpn_protocol": {
    "enabled": true,
    "indicator_driver": "vpn_protocol",
    "criteria": {
        "flow_expr": "application_id != 'netify.3gpp-network';"
    }
}
```
Consumer VPN Server Driver
The Consumer VPN Server indicator driver activates when a connection is made to any of thousands of known VPN servers across the Internet. It complements the Consumer VPN Application indicator driver by broadening detection to include more obfuscated and less easily identifiable VPN services.
| Tag | Default Score |
|---|---|
| vpn_server_consumer | 70 - High Risk |