NF – ISAKMP VPN Connection setup from host to outbound destination – Windows Server 2003

This alert is triggered when an outbound ISAKMP VPN connection attempt is made from an internal host. ISAKMP traffic on UDP port 500 is typically associated with VPN setups, and this alert specifically flags Windows Server 2003 hosts initiating such connections.

Categories:

ID Number

5027203

Signature

alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"NF - ISAKMP VPN Connection setup from host to outbound destination - Windows Server 2003"; content:"|00 00 00 04|"; reference:url,networkforensic.dk; metadata:29112018; classtype:policy-violation; sid:5027203; rev:1;)
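To make the rule's matching conditions concrete, the following added example (not part of the original page or of the networkforensic.dk ruleset) reimplements the header and content checks of sid 5027203 in Python and runs them over constructed sample packets; the HOME_NET ranges and the packet payloads are assumptions made for this example, and $EXTERNAL_NET is taken as the usual default of "not $HOME_NET".

```python
import ipaddress
from dataclasses import dataclass

# Assumed site definition of $HOME_NET (constructed for this example).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Byte pattern from the signature: content:"|00 00 00 04|"
CONTENT = bytes.fromhex("00000004")


@dataclass
class UdpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def matches_sid_5027203(pkt: UdpPacket) -> bool:
    """Mirror of: alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 ... content:"|00 00 00 04|"
    $EXTERNAL_NET is treated as !$HOME_NET. A bare content match (no offset/depth)
    fires if the bytes appear anywhere in the UDP payload."""
    if pkt.sport != 500 or pkt.dport != 500:
        return False
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    return CONTENT in pkt.payload


def alerts(packets):
    """Return (src, dst) pairs for packets that would raise the alert."""
    return [(p.src, p.dst) for p in packets if matches_sid_5027203(p)]


# Constructed sample traffic (not real captures); 203.0.113.0/24 is a documentation range.
SAMPLES = [
    UdpPacket("10.1.2.3", 500, "203.0.113.10", 500, b"\x00" * 16 + b"\x00\x00\x00\x04"),  # flagged
    UdpPacket("10.1.2.3", 500, "10.1.2.4", 500, b"\x00" * 16 + b"\x00\x00\x00\x04"),     # internal-only
    UdpPacket("203.0.113.10", 500, "10.1.2.3", 500, b"\x00\x00\x00\x04"),                # inbound
    UdpPacket("10.1.2.3", 500, "203.0.113.10", 500, b"\x00\x00\x00\x05"),                # pattern absent
    UdpPacket("10.1.2.3", 4500, "203.0.113.10", 4500, b"\x00\x00\x00\x04"),              # NAT-T port
]

if __name__ == "__main__":
    print(alerts(SAMPLES))  # [('10.1.2.3', '203.0.113.10')]
```

Because the content check is only four bytes, a hit should be treated as a lead to confirm against the source host rather than as proof of the OS version on its own.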

Severity

High

Recommendations/Investigative actions

Restrict or prevent VPN traffic if VPN use is not allowed by the network policy. Identify the device initiating the VPN connection and investigate it for unauthorized VPN software. Windows Server 2003 is outdated and presents security vulnerabilities; it is highly recommended to update to the latest version. If updating is not possible, consider isolating this server.