Viewing the Connection Status

Recall that after the VPN tunnel is established with the remote device, a closed lock icon appears at the bottom of the screen in the Windows systray. To view the connection status properties, you can either double-click on the icon or right-click on the icon and select the Status option. This brings up another window with two or three tabs (depending on whether firewall policies are activated). Furthermore, the bottom of these tabs includes buttons to view concentrator notifications, reset statistics (this does not reset actual sessions), and disconnect the connection. The next few sections look into these three tabs to explore what connection statistics they provide.


Similar to the connection property tabs, these three tabs are also particularly important to recognize and comprehend. Be sure to form a thorough understanding of these three status tabs for the exam.


The General Tab

The first tab that is displayed when you view a connection status is the General tab (Figure 10.10). This tab displays general statistics concerning the connection. Specifically, it displays the name of the connection and the assigned internal IP address. Additionally, it shows the IP address of the concentrator and the negotiated encryption settings for the session. Because this example is using concentrator and client software versions 3.6 or above, both tunnel endpoints support and are using AES symmetric encryption.

Figure 10.10. Connection Status General tab.


In instances where transparent tunneling is active, the General tab displays the status of this feature and the UDP or TCP port that is being utilized by the client. Notice in this example that the UDP port specified is UDP port 4500. This output indicates that the client is passing through a NAT or PAT device to communicate with the concentrator, as well as that NAT-T was negotiated as the NAT transparency method. Directly below these statistics, you can see whether you have Lempel-Ziv compression enabled for this session as per the configuration on the central concentrator.

The last few statistics cover the security features that might be enabled for this active connection. Namely, if local LAN access split tunneling is permitted on the concentrator and the client, the status shows as enabled. Finally, the last two items reflect the current firewall in use on the client's session and what firewall policy is in place for that firewall client. In this particular example, the Unity Client's internal CIC firewall is receiving parameters from the concentrator to utilize the network's CPP firewall policy.

The Statistics Tab

The Statistics tab shown in Figure 10.11 provides information on the types of networks that are connected to the client and the packets that are being transported to and from those networks. These packet statistics include a total number of packets, packets encrypted over the secure tunnels, packets bypassed (ARP and DHCP requests, which do not need to be encrypted), and packets dropped because they match none of the routes. Keep in mind that the Unity Client intercepts traffic to and from the networks listed in the table and encrypts or decrypts the packets accordingly. The networks listed in the table are not visible in the Windows operating system network properties, such as the station's routing table or the IP statistics output of the ipconfig or winipcfg command. To verify these properties, you must use the Statistics tab of the Unity Client discussed in this section.

Figure 10.11. Connection Status Statistics tab.


The Secured Routes section displays traffic that has a secure IPSec tunnel associated with it. The key icon to the left of these tunnels means that the SA for this tunnel is active and a session key has been generated for it. If the key is not present, it appears as soon as data is sent to that specific network listed.

The Local LAN Routes section is populated only if "Local LAN Access" is enabled and functioning. In these instances, the local networks show up in the table to illustrate the local networks that the client is allowed to access with clear text data. This is useful when you need to access resources on the local LAN, such as servers or printers.

The Firewall Tab

The Firewall tab is an optional tab that displays only if you have a personal firewall in place and an active firewall policy being pushed from the concentrator. The top of this tab informs you of the active firewall client and the type of policy that is implemented for this session. The remainder of the tab displays the active rules learned from the firewall and split tunneling policies, as demonstrated in Figure 10.12. This output illustrates the rules to which the client must adhere when forwarding packets to and from specific networks. These rules are applied depending on the direction of the packets, as well as the type of protocol and the source and destination of the packets.

Figure 10.12. Connection Status Firewall tab.


This particular example shows the receipt of a set of firewall rules that are formed from the split tunneling policy as well as a CPP firewall policy, which have been expanded into Table 10.1.

Table 10.1. Firewall Rules Output

Action   Direction  Source Address  Dest Address   Protocol  Source Port  Dest Port
Forward  Inbound    192.168.1.101   Local          Any       N/A          N/A
Forward  Outbound   Local           192.168.1.101  Any       N/A          N/A
Forward  Inbound    10.2.2.0        Local          Any       N/A          N/A
Forward  Outbound   Local           10.2.2.0       Any       N/A          N/A
Forward  Outbound   Local           Any            6         Any          80
Forward  Inbound    Any             Local          6         80           Any
Drop     Inbound    Any             Local          Any       N/A          N/A
Drop     Outbound   Local           Any            Any       N/A          N/A


The exam is likely to ask you about an output of firewall rules similar to the table above. You must be able to decipher the rules from the filter and determine what action is being taken for a specific rule set.


The first four rules are derived from the split tunneling policy that is in place. In these rules, all inbound and outbound traffic between the client and the concentrator's IP address, and between the client and the private network, is forwarded. The next two rules were pushed to the Unity Client via the CPP firewall policy. These rules enable Web traffic originating from the local client, and the replies returning from the Internet back to the client, to be forwarded. In this fashion, when split tunneling is enabled, you can access Web pages from the client by bypassing the tunnel and sending traffic to the Internet in clear text.

The final two rules are the default filter rules, applied only when there is no more specific match. In the example, the default action is to drop traffic when there is no match. By implementing this last rule, the only traffic that is allowed to reach the client is traffic permitted by the previous rules. Thus, if an attacker is trying to compromise the client, its packets are dropped because there is no rule granting them access.
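To make the first-match logic of Table 10.1 concrete, here is an added example (not code from the book or from the Cisco client) that walks packets through the eight rules in order. It assumes that "Local" means the client's own address (a constructed 192.168.1.50), that the 10.2.2.0 entry is a /24 network, and that protocol 6 is TCP.

```python
# Added example, not from the book: a first-match evaluator for the firewall rules in
# Table 10.1, showing how the client decides whether a packet is forwarded or dropped.
# Assumptions: "Local" is the client's own address, "10.2.2.0" is the /24 private
# network behind the concentrator, protocol 6 is TCP, and rules are matched top-down.
import ipaddress

CLIENT_IP = ipaddress.ip_address("192.168.1.50")   # constructed sample client address
PRIVATE_NET = ipaddress.ip_network("10.2.2.0/24")  # assumed mask for the 10.2.2.0 entry

# (action, direction, src, dst, proto, sport, dport), copied from Table 10.1
RULES = [
    ("Forward", "Inbound",  "192.168.1.101", "Local",         "Any", "N/A", "N/A"),
    ("Forward", "Outbound", "Local",         "192.168.1.101", "Any", "N/A", "N/A"),
    ("Forward", "Inbound",  "10.2.2.0",      "Local",         "Any", "N/A", "N/A"),
    ("Forward", "Outbound", "Local",         "10.2.2.0",      "Any", "N/A", "N/A"),
    ("Forward", "Outbound", "Local",         "Any",           "6",   "Any", "80"),
    ("Forward", "Inbound",  "Any",           "Local",         "6",   "80",  "Any"),
    ("Drop",    "Inbound",  "Any",           "Local",         "Any", "N/A", "N/A"),
    ("Drop",    "Outbound", "Local",         "Any",           "Any", "N/A", "N/A"),
]

def addr_matches(field, addr):
    """Match one address column: Any, Local (the client itself), a host, or the private net."""
    ip = ipaddress.ip_address(addr)
    if field == "Any":
        return True
    if field == "Local":
        return ip == CLIENT_IP
    if field == "10.2.2.0":
        return ip in PRIVATE_NET
    return ip == ipaddress.ip_address(field)

def port_matches(field, port):
    # "N/A" means the rule does not look at ports, so it behaves like Any
    return field in ("Any", "N/A") or int(field) == port

def evaluate(direction, src, dst, proto, sport=0, dport=0):
    """Return the action of the first rule that matches; the two Drop rows are the default."""
    for action, rdir, rsrc, rdst, rproto, rsport, rdport in RULES:
        if (rdir == direction and addr_matches(rsrc, src) and addr_matches(rdst, dst)
                and (rproto == "Any" or int(rproto) == proto)
                and port_matches(rsport, sport) and port_matches(rdport, dport)):
            return action
    return "Drop"  # not reachable with this table, kept as a safe fallback

if __name__ == "__main__":
    # A Web reply from the Internet (TCP source port 80) is forwarded; an unsolicited
    # connection attempt to the client (TCP dest port 22) falls through to the Drop row.
    print(evaluate("Inbound", "203.0.113.9", "192.168.1.50", 6, 80, 51000))   # Forward
    print(evaluate("Inbound", "203.0.113.9", "192.168.1.50", 6, 40000, 22))   # Drop
```

Note that outbound traffic to the Internet on any port other than 80 (HTTPS on 443, for instance) also hits the final Drop row, which is exactly the "no rule granting access" behaviour described above.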



CCSP CSVPN Exam Cram 2 (Exam Cram 642-511)
ISBN: 078973026X
Year: 2002
Pages: 185