This is a question that you may hear during a typical compliance audit. This question applies to many types of IT audits: PCI DSS, HIPAA, SOX, ISO, FERC, NERC, and more.
Why the auditor is asking this question:
Properly monitoring your network perimeter is a fundamental approach to network monitoring and security. If only one network connection is to be monitored, it should be the perimeter, as this is where your ingress and egress traffic points are, along with exposed services such as business applications like e-commerce, email and extranets. Without monitoring these external connections or remote working VPNs, you cannot properly manage the security of the network and the risk the organisation is exposed to.
How to answer this question:
Monitoring remote connections such as Internet connections, remote site network connections and remote working helps fulfill network security management and compliance requirements. But how can this be achieved? With a single external connection you may be able to perform some fundamental monitoring using the tools that came with your firewall or gateway. However, in practice these tools rarely have the capability to report and trend information over any reasonable period of time, say the last month. The sometimes very limited reporting they provide is unlikely to be sufficient for audit requirements. Further, they do not tend to have any real-time alerting or anomaly detection that could detect events such as VPN logins from different countries within a few hours.
A better solution is to use the long-term reporting found in log management products, and the real-time alerting and log management found in Security Information and Event Management (SIEM) solutions. This gives you timely access to your audit information so that it can be presented in a way that lets the auditor extract value from it. The example below is from a custom dashboard within AccelOps that shows VPN logons and firewall traffic; presenting similar dashboards and reports to an auditor will provide evidence of in-depth monitoring.
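Separate from the AccelOps dashboard, the following is an added example, not from the original post or from AccelOps, of the real-time rule mentioned earlier: successful VPN logins by one user from different countries within a few hours. The log format, the pre-resolved country field and the four-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample VPN log lines (not real data). The format and the
# pre-resolved country field are assumptions; a real gateway log would need
# its own parser and a GeoIP lookup on the source address.
SAMPLE_LOG = """\
2024-03-04T08:02:11Z vpn-login user=alice src=198.51.100.10 country=GB result=success
2024-03-04T08:15:40Z vpn-login user=bob src=203.0.113.7 country=US result=success
2024-03-04T09:47:03Z vpn-login user=alice src=192.0.2.44 country=BR result=success
2024-03-04T10:05:19Z vpn-login user=carol src=198.51.100.23 country=DE result=failure
2024-03-04T10:30:00Z vpn-login user=carol src=203.0.113.99 country=FR result=success
2024-03-04T19:20:00Z vpn-login user=bob src=192.0.2.80 country=CA result=success
2024-03-05T08:01:00Z vpn-login user=alice src=198.51.100.10 country=GB result=success
"""

def parse_line(line):
    """Return (timestamp, fields) for a vpn-login line, or None if malformed."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "vpn-login":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if not {"user", "country", "result"} <= fields.keys():
        return None
    return ts, fields

def find_country_changes(log_text, window=timedelta(hours=4)):
    """Flag successful logins by one user from two countries within `window`."""
    last_seen = {}   # user -> (timestamp, country) of previous successful login
    alerts = []
    events = sorted(filter(None, map(parse_line, log_text.splitlines())),
                    key=lambda e: e[0])
    for ts, f in events:
        if f["result"] != "success":
            continue          # failed attempts belong to a separate rule
        prev = last_seen.get(f["user"])
        if prev and prev[1] != f["country"] and ts - prev[0] <= window:
            alerts.append((f["user"], prev[1], f["country"], ts - prev[0]))
        last_seen[f["user"]] = (ts, f["country"])
    return alerts

if __name__ == "__main__":
    for user, old, new, gap in find_country_changes(SAMPLE_LOG):
        print(f"ALERT {user}: {old} -> {new} within {gap}")
```

Keeping the alerts alongside the raw log lines gives the auditor both the detection and the evidence behind it.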