About Logging and data collection

VPN companies like to say they don't log anything. My favorite is the one that displays the logging section of its configuration file with everything set to none, as if that settled the question.

Logging is something programs do for various reasons: logins, warnings, errors, and debugging. In general, each entry is a single line of text carrying various pieces of information depending on the event that generated it. Log files can grow to huge sizes and usually have to be rotated once they become larger than can reasonably be managed. Rotation means the daemon has to be told to close and reopen its log file (typically with a signal such as SIGHUP from the rotation tool, or the tool copies the file and truncates it in place); a full restart is rarely necessary, but on a VPN server carrying literally thousands of connections and users, any reload that disturbs the process risks dropped connections and angry customers. Most systems rotate once a day. That is the usual justification for shutting logging off and skipping log rotation altogether.

The problem then becomes how to monitor the server for attacks and other abuse that could degrade service for the customers. Most of the ways to do this rely on the login logs; without them, the administrator is left watching the network traffic with traffic-monitoring programs. These programs tap the network interface, watch for "failure" messages on the wire, and respond by blocking the offender(s).
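As an added example (not code from the original post or from any particular monitoring tool), here is the blocking logic such a tap-fed program needs, written in Python over a constructed feed of authentication outcomes that a capture tool is assumed to have already extracted from the wire. The window, the threshold, the event names and the addresses are all assumptions.

```python
"""Sliding-window blocker for authentication failures seen on a network tap.

Added example, not code from the original post or from any VPN provider.
Assumes a feed of (timestamp, source_ip, event) tuples; the events below
are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed policy: failures counted over a rolling minute
FAIL_THRESHOLD = 5    # assumed policy: block after this many failures in the window


class FailureTracker:
    """Count authentication failures per source address over a rolling window."""

    def __init__(self, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = set()

    def observe(self, ts, src_ip, event):
        """Feed one event; return True if src_ip is (now) blocked."""
        if src_ip in self.blocked:
            return True
        if event != "auth_fail":
            return False
        recent = self._failures[src_ip]
        recent.append(ts)
        # Forget failures that have aged out of the window, so a slow,
        # occasional failure never accumulates into a block.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            self.blocked.add(src_ip)
            return True
        return False


def blocked_after(events, window=WINDOW_SECONDS, threshold=FAIL_THRESHOLD):
    """Replay an event list and return the sorted list of blocked addresses."""
    tracker = FailureTracker(window, threshold)
    for ts, ip, event in events:
        tracker.observe(ts, ip, event)
    return sorted(tracker.blocked)


# Constructed sample feed: one brute-forcer, one slow failing client, one honest user.
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "auth_fail"),
    (2,   "198.51.100.7", "auth_fail"),
    (3,   "203.0.113.9",  "auth_fail"),
    (4,   "198.51.100.7", "auth_fail"),
    (6,   "198.51.100.7", "auth_fail"),
    (7,   "192.0.2.55",   "auth_ok"),
    (8,   "198.51.100.7", "auth_fail"),   # fifth failure inside 60 s -> blocked
    (70,  "203.0.113.9",  "auth_fail"),   # the failure at t=3 has aged out
    (140, "203.0.113.9",  "auth_fail"),
    (210, "203.0.113.9",  "auth_fail"),
    (280, "203.0.113.9",  "auth_fail"),   # never five inside any 60 s window
    (300, "198.51.100.7", "auth_ok"),     # still blocked; success does not unblock
]

if __name__ == "__main__":
    print("blocked:", blocked_after(SAMPLE_EVENTS))
```

Note what the tracker needs to make its decision: a timestamp, a source address and a pass/fail outcome per attempt, which is exactly the "tiny bit of information" a login log line would have carried. The tap only replaces where that information comes from, not what is kept.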

Up to this point, logging of traffic has hardly been mentioned. That is because a log entry supplies only a tiny bit of information: basically a time, an IP address, maybe a destination, and not things like the username and password you used to log in to a website. A provider might have a record of what URLs you visited but not the details you want to protect. The good news, from the operator's side, is that there are a couple of ways around this, and since we now have a TAP on the network connection we can record everything passing through.

Data logging.

There are a variety of ways to do this, and most of them are as old as the Internet itself. Without going into all the different programs that network and system administrators, cybersecurity threat hunters, and kids in school use, there is a complete distribution that showcases the programs we use to investigate network traffic. This distribution is called Security Onion, and it has nothing to do with the Tor network. Security Onion can be found here. The programs contained in this system record all traffic passing its sensor exactly as it happened, so that a person can later recreate and examine exactly what took place. These types of programs don't make logs; they make records in databases. A little fun with words, huh?

Data collection.

Now that we have a way to monitor the network, there are a couple of ways to add records to the database. Because this is every bit and byte that you sent, things like usernames and passwords can be scraped from the data, along with everything else you did online.

“But I use SSL”

TLS (what most people still call SSL) certainly makes this more difficult, but not impossible. Suffice it to say that if you installed a VPN package, there is a chance it also installed an additional root certificate into your trust store. With that in place, the operator can present a forged certificate for any site you visit, your browser will accept it, and every bit and byte of your data can be decrypted from that point on. Traffic captured before that point can only be decrypted if the server's private key was also obtained and the session did not use a forward-secret key exchange, which modern TLS does by default. Even without any of this, the sensor still sees the hostname you connected to, because it is sent in the clear at the start of every TLS connection. Installing such a certificate can be standard practice on a corporate network that inspects traffic for its users, or it can be done maliciously.
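The claims of the last three sections (what a full capture contains, what can be scraped from it, and what TLS changes) are easier to judge against working code. The following is an added example, not code from the original post or from any VPN provider: it scrapes credentials from a constructed plaintext HTTP login, then parses a constructed TLS ClientHello for the same site and shows that only the hostname (the SNI field) is recoverable without a forged certificate. The hostnames, credentials, helper names and field lists are all assumptions.

```python
"""What a full-packet sensor can extract from one captured client payload.

Added example, not code from the original post or from any VPN provider.
Both sample payloads are constructed: a plaintext HTTP login, and a TLS 1.2
ClientHello built by build_client_hello(); hosts and credentials are made up.
"""
import base64
import struct
from urllib.parse import parse_qs

SECRET_FIELDS = {"password", "passwd", "pass", "pwd"}      # assumed field names
IDENTITY_FIELDS = {"user", "username", "email", "login"}


def extract_http_credentials(payload: bytes) -> dict:
    """Scrape URL, Basic auth, cookies and form credentials from a plaintext HTTP request."""
    found = {}
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    method, path = (request_line.split(" ") + ["", ""])[:2]
    headers = {}
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    found["url"] = f"http://{headers.get('host', '?')}{path}"
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is base64(user:password), an encoding, not encryption
            user, _, pw = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
            found["basic_auth"] = (user, pw)
        except (ValueError, UnicodeDecodeError):
            pass
    if "cookie" in headers:
        found["cookie"] = headers["cookie"]  # a session token is as good as a password
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body.decode("utf-8", "replace")).items():
            if key.lower() in SECRET_FIELDS | IDENTITY_FIELDS:
                found.setdefault("form", {})[key] = values[0]
    return found


def extract_tls_sni(payload: bytes):
    """Return the Server Name Indication from a TLS ClientHello, or None.

    SNI travels in the clear before any key exchange, so a sensor learns the
    hostname even when it learns nothing else about the session."""
    if len(payload) < 5 or payload[0] != 0x16:            # not a handshake record
        return None
    hs = payload[5:5 + struct.unpack("!H", payload[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # not a ClientHello
        return None
    pos = 4 + 2 + 32                                      # type+length, version, random
    try:
        pos += 1 + hs[pos]                                           # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]           # cipher_suites
        pos += 1 + hs[pos]                                           # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # extensions
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000 and hs[pos + 2] == 0x00:   # server_name, host_name entry
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):                    # truncated or malformed hello
        pass
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni = struct.pack("!H", len(entry)) + entry                  # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, no session id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"         # two cipher suites
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def what_the_sensor_sees(payload: bytes) -> dict:
    """Classify one captured client payload and report what is recoverable from it."""
    if payload[:1] == b"\x16":
        return {"protocol": "tls", "hostname": extract_tls_sni(payload)}  # no credentials
    return {"protocol": "http", **extract_http_credentials(payload)}


# Constructed samples: the same login over plaintext HTTP and as a TLS ClientHello.
PLAINTEXT_LOGIN = b"".join([
    b"POST /login HTTP/1.1\r\n",
    b"Host: shop.example\r\n",
    b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\n",
    b"Cookie: session=abc123\r\n",
    b"Content-Length: 31\r\n\r\n",
    b"username=alice&password=hunter2",
])
TLS_LOGIN = build_client_hello("shop.example")

if __name__ == "__main__":
    print(what_the_sensor_sees(PLAINTEXT_LOGIN))
    print(what_the_sensor_sees(TLS_LOGIN))
```

The contrast is the point: on a plaintext protocol the sensor gets the URL, the Basic auth pair, the session cookie and the form fields; on TLS it gets the destination hostname and timing, and only a certificate planted in the client's trust store (or the server's private key together with a non-forward-secret cipher suite) moves a session from the second column into the first.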

What we do.

We monitor our networks and collect data as needed towards the goal of network and customer protection.  We do not maintain any form of records long term, nor do we sell any customer data.  In general, our monitoring is 24×7 with a retention time of 24 hours and only if you have that class of service.
