
Verification of boundary policies: how to control access and encryption with the help of GREYCORTEX Mendel

News | 11.06.2026

With segmentation and control of key network services in place, maintaining network visibility and demonstrating compliance means turning to two further areas: enforcing user behavior policies and controlling encryption protocols. Both are essential for mitigating insider risk and keeping the network infrastructure at a high security level.

GREYCORTEX Mendel automates part of infrastructure maintenance: it delivers a clear view of events, alerts on policy violations, and helps specialist teams verify that network policies are enforced in practice rather than only on paper.

User access policies and behavioral rule violations

Even trusted users and devices can pose a risk if policies are not applied properly. Monitoring permitted and prohibited traffic helps identify non-compliance with internal network policies that might otherwise go unnoticed.

Prohibited protocols and applications

To reduce risk and keep control over the IT environment, some organizations prohibit remote access or file-sharing applications. Where such a prohibition exists, any use of the unauthorized protocol is itself a risk: it introduces new attack vectors and opens opportunities for remote exploitation of vulnerabilities.

By analyzing network traffic, Mendel detects the use of unauthorized protocols and applications. Network analysts can examine individual sessions at the level of network protocols and other traffic characteristics to confirm whether communication over these protocols actually took place and whether it succeeded, including session duration, volume of transferred data, communication content, and so on. This helps verify whether a network policy violation occurred, whether Next-Generation Firewalls (NGFW) are filtering traffic effectively, and whether NGFW policies trigger as intended. An exception list can also be maintained so that network elements allowed to perform the respective communication do not raise further alerts.

In our case, Mendel detected and flagged several devices that downloaded and used TeamViewer. Analysts can verify whether these hosts were authorized and, if so, add their IP addresses to the exception list to prevent future alerts.

FIGURE 1: Detection of TeamViewer download and usage by devices in the Mendel interface


In another example, Mendel captured a potential RDP (Remote Desktop Protocol) session. By drilling down into the event, analysts can identify the user involved and review the session duration.

FIGURE 2: Breakdown of a potential RDP session in the Mendel interface


FIGURE 3: Reviewing the duration of a captured RDP session in Mendel


Communication with prohibited hosts or services

Communication with specific internet hosts is often restricted to mitigate risk: IP addresses in other countries, low-reputation or blacklisted addresses, or unauthorized services. Detecting such traffic uncovers overlooked flaws in policies or in the configuration of traffic-management systems, and identifies malicious tools attempting to bypass security controls.

Mendel detects and alerts on communication with blacklisted IP addresses. Using a flexible filtering mechanism for network traffic data, analysts can verify sessions by source or destination IP, transferred data volume, number of packets, and so on. The Network Analysis tab provides extensive filtering and search capabilities, allowing specialists to investigate network incidents in depth.

For example, Mendel recorded a DNS query for a TeamViewer domain originating from the host mx.local (192.168.2.42). On closer inspection, we can see that a connection was subsequently established successfully, which may indicate a policy violation or unauthorized remote access.

FIGURE 4: Connection graph of host mx.local to prohibited resources

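The checks described in the two sections above (prohibited remote-access applications such as TeamViewer and RDP, DNS lookups for a prohibited domain, and sessions to blacklisted addresses, with an exception list for authorized hosts) can be expressed as rules over flow records. The following is an added example written for this article, not code from GREYCORTEX or the Mendel product; the record layout, rule names, the blocklisted range (TEST-NET-3), the excepted host 192.168.2.10 and the sample traffic are all assumptions, and only the host mx.local (192.168.2.42) is taken from the text. The example distinguishes an attempt that the firewall blocked (no response bytes) from a session that actually succeeded, which is the distinction an analyst needs when verifying NGFW filtering.

```python
"""Policy checks over flow and DNS records: prohibited remote-access
applications, DNS lookups for prohibited domains, and sessions to blocklisted
IP ranges, with an exception list for authorized hosts.

Added example; the record layout, rule names and thresholds are assumptions
and do not describe Mendel's internal data model.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Flow:
    """One session summary, in the shape a flow exporter or NDR sensor emits."""
    src: str
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    bytes_out: int       # client -> server
    bytes_in: int        # server -> client; 0 means the peer never answered
    duration_s: float
    app: str = ""        # application label from DPI, if the sensor provides one
    dns_qname: str = ""  # queried name, for DNS flows only


# Policy (assumed for the example). Port 5938 is TeamViewer's native port and
# 3389 is RDP; a DPI label takes precedence over the port when present.
PROHIBITED_APPS = {"teamviewer", "rdp"}
PORT_TO_APP = {3389: "rdp", 5938: "teamviewer"}
PROHIBITED_DOMAIN_SUFFIXES = ("teamviewer.com",)
BLOCKLIST = [ip_network("203.0.113.0/24")]   # TEST-NET-3 stands in for a reputation feed
EXCEPTIONS = {ip_address("192.168.2.10")}    # assumed authorized admin host


def domain_matches(qname: str, suffixes) -> bool:
    """True if qname equals one of the suffixes or is a subdomain of one."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def check_flow(flow: Flow) -> list[str]:
    """Return the policy findings for a single flow (empty list = compliant)."""
    if ip_address(flow.src) in EXCEPTIONS:
        return []
    findings = []

    app = flow.app.lower() or PORT_TO_APP.get(flow.dport, "")
    if app in PROHIBITED_APPS:
        # A session the NGFW blocked has no response bytes; one that succeeded
        # does, and its duration and volume show how much was done over it.
        if flow.bytes_in > 0:
            findings.append(f"prohibited-app-session:{app}")
        else:
            findings.append(f"prohibited-app-attempt:{app}")

    if flow.dns_qname and domain_matches(flow.dns_qname, PROHIBITED_DOMAIN_SUFFIXES):
        findings.append(f"prohibited-dns:{flow.dns_qname}")

    dst = ip_address(flow.dst)
    if any(dst in net for net in BLOCKLIST):
        findings.append("blocklisted-destination")
    return findings


def audit(flows) -> list[tuple[Flow, list[str]]]:
    """Run check_flow over every flow and keep only those with findings."""
    out = []
    for f in flows:
        found = check_flow(f)
        if found:
            out.append((f, found))
    return out


# Constructed sample traffic (not a real capture); mx.local is 192.168.2.42 as in the article.
SAMPLE_FLOWS = [
    Flow("192.168.2.42", "192.168.2.1", 53, "udp", 60, 120, 0.01, dns_qname="router1.teamviewer.com"),
    Flow("192.168.2.42", "198.51.100.7", 5938, "tcp", 4200, 31000, 840.0),             # answered: real session
    Flow("192.168.2.17", "192.168.2.42", 3389, "tcp", 300, 0, 3.0),                     # RDP attempt, no reply
    Flow("192.168.2.10", "192.168.2.42", 3389, "tcp", 5000, 90000, 1200.0, app="rdp"),  # excepted admin host
    Flow("192.168.2.55", "203.0.113.9", 443, "tcp", 800, 15000, 2.5),                   # blocklisted range
    Flow("192.168.2.55", "192.168.2.80", 445, "tcp", 800, 15000, 2.5),                  # ordinary SMB, compliant
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {flow.duration_s:.0f}s "
              f"{flow.bytes_out + flow.bytes_in} B  {', '.join(findings)}")
```

Running the block prints four findings: the DNS lookup and the established TeamViewer session from mx.local, an RDP attempt that received no reply (which is what you would expect to see if the NGFW rule fired), and one session into the blocklisted range; the excepted admin host produces nothing even though it uses RDP.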

Mendel enables network analysts to determine which user stands behind the suspicious traffic. This helps verify whether access to prohibited hosts or applications was legitimate and whether a network policy violation occurred.

FIGURE 5: User identification card in the Mendel interface


Excessive number of sessions between nodes

Certain devices, such as industrial controllers or telephony (PBX), typically communicate only with a limited number of nodes. New or unusual connections can indicate configuration errors or unauthorized activity.

Mendel allows analysts to define connection limits for individual hosts or entire subnets, helping to keep communication volumes within what is expected and verifiable. For instance, if a PBX server starts communicating with more nodes than its known SIP trunks and internal phones, even though inbound internet traffic to it is restricted, Mendel reports the activity for further review.

FIGURE 6: Connection limits configuration for subnets and individual hosts in Mendel


Unauthorized communication with honeypot systems

Honeypot systems are intentionally exposed systems designed to detect suspicious activity inside the network. Normally, only specified systems, such as administrative tools or security scanners, should interact with them. Any other connection attempt can indicate lateral movement or internal scanning.

Mendel allows technical specialists to define which systems have the right to communicate with the honeypot and alerts on unauthorized attempts. In the example below, only the management PC has permission to communicate with the honeypot at 192.168.2.36. When another device (192.168.2.28) initiates a connection, Mendel generates an alert.

FIGURE 7: Unauthorized connection event to a Honeypot system in Mendel


The peer graph confirms and visualizes that both authorized and unauthorized devices were accessing the honeypot.

FIGURE 8: Peer graph visualization of device interactions with the honeypot

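Both of the preceding checks, the peer-count limit per host or subnet from the PBX example and the authorized-source list for the honeypot, are questions of who is allowed to talk to whom, so one added example covers them. This is illustrative code written for this article, not Mendel's configuration format or logic. The honeypot address 192.168.2.36 and the unauthorized workstation 192.168.2.28 are taken from the text; the management PC's address (192.168.2.20), the PBX address, the subnet limits and the sample flows are assumptions. A host-specific entry overrides its subnet's entry by longest-prefix match, which is how such limits are normally layered.

```python
"""Peer-count limits per host or subnet, and an authorized-source list for a
honeypot, evaluated over flow records. Added example; the configuration shape,
the limits, and every address except 192.168.2.36 and 192.168.2.28 are assumed.
"""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Iterable

# Expected-communication limits: maximum number of distinct peers a source may
# talk to. The most specific matching prefix wins, so a host entry overrides
# its subnet's entry. Values are assumed for the example.
PEER_LIMITS = [
    (ip_network("192.168.2.0/24"), 50),     # general office segment
    (ip_network("192.168.2.50/32"), 6),     # PBX: 4 internal phones + 2 SIP trunks
    (ip_network("192.168.10.0/24"), 3),     # OT segment: controllers talk to very few nodes
]

# Honeypot 192.168.2.36 (from the article); only the management PC may touch it.
# The management PC's address is an assumption.
HONEYPOT_AUTHORIZED = {
    ip_address("192.168.2.36"): {ip_address("192.168.2.20")},
}

Flow = tuple[str, str, int]  # (src, dst, dport): the minimum needed for these two checks


def limit_for(host: str) -> int | None:
    """Longest-prefix match of host against PEER_LIMITS; None if no limit applies."""
    addr = ip_address(host)
    best = None
    for net, limit in PEER_LIMITS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, limit)
    return None if best is None else best[1]


def check_peer_limits(flows: Iterable[Flow]) -> dict[str, tuple[int, int]]:
    """Map each over-limit source to (distinct_peer_count, configured_limit)."""
    peers: dict[str, set[str]] = defaultdict(set)
    for src, dst, _ in flows:
        peers[src].add(dst)
    alerts = {}
    for src, dsts in peers.items():
        limit = limit_for(src)
        if limit is not None and len(dsts) > limit:
            alerts[src] = (len(dsts), limit)
    return alerts


def check_honeypots(flows: Iterable[Flow]) -> list[tuple[str, str, int]]:
    """Return (src, honeypot, dport) for every connection from a non-authorized source."""
    alerts = []
    for src, dst, dport in flows:
        allowed = HONEYPOT_AUTHORIZED.get(ip_address(dst))
        if allowed is not None and ip_address(src) not in allowed:
            alerts.append((src, dst, dport))
    return alerts


# Constructed sample flows (not a real capture).
SAMPLE_FLOWS: list[Flow] = (
    # PBX talking to its 4 phones and 2 trunks: within its limit of 6
    [("192.168.2.50", f"192.168.2.{n}", 5060) for n in (101, 102, 103, 104)]
    + [("192.168.2.50", "198.51.100.10", 5060), ("192.168.2.50", "198.51.100.11", 5060)]
    # ...plus two unexpected peers, e.g. after a misconfiguration or compromise
    + [("192.168.2.50", "192.168.2.200", 5060), ("192.168.2.50", "192.168.2.201", 22)]
    # management PC probes the honeypot (authorized); another workstation does too (not authorized)
    + [("192.168.2.20", "192.168.2.36", 22), ("192.168.2.28", "192.168.2.36", 445)]
    # an office host with a handful of peers: no alert
    + [("192.168.2.77", f"192.168.2.{n}", 445) for n in (1, 2, 3)]
)

if __name__ == "__main__":
    for src, (count, limit) in check_peer_limits(SAMPLE_FLOWS).items():
        print(f"peer limit exceeded: {src} has {count} distinct peers, limit {limit}")
    for src, hp, port in check_honeypots(SAMPLE_FLOWS):
        print(f"unauthorized honeypot access: {src} -> {hp}:{port}")
```

On the sample data the PBX is reported with 8 distinct peers against a limit of 6, and the honeypot check reports only 192.168.2.28; the management PC's probe is silently accepted, which is the behaviour the article describes.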

Encryption standards and TLS usage

The use of encryption is critical to the security of the network infrastructure. Monitoring certificate validity and protocol versions helps identify deficiencies in traffic encryption before they turn into vulnerabilities.

Expired TLS certificates

TLS certificates are a vital component of trusted communication. When a certificate has expired, clients that validate it refuse to connect, and where users are allowed to click through the resulting warnings they become accustomed to doing so, which makes a spoofed service far harder to notice. The encryption of the session itself is unaffected; what is lost is the assurance that the peer is who it claims to be.

Mendel notifies you when expired certificates are detected or when a certificate is approaching its expiration date. For example, Mendel identified an internal server using a certificate that expired back in May 2021.

FIGURE 9: Notification regarding the use of an expired certificate


FIGURE 10: Detailed parameters analysis of an expired TLS certificate


In another case, Mendel flagged an approaching certificate expiration date several days in advance, giving administrators time to take action before any disruptions occurred.

FIGURE 11: Alert in Mendel regarding an upcoming certificate expiration date


FIGURE 12: Technical information concerning a certificate about to expire


Deprecated TLS versions and cipher suites

Outdated TLS versions leave encrypted traffic exposed to known attacks. TLS 1.0 and 1.1 are formally deprecated (RFC 8996), and regulations such as NIS2 require state-of-the-art cryptographic measures, so organizations need to phase out TLS versions below 1.2 to reduce the attack surface and ensure strong encryption.

Mendel allows you to configure alerts for the use of deprecated TLS versions. Only TLS 1.2 or 1.3 should be used. Remediation typically means updating the OS, browser, or client software, or raising the minimum protocol version on the server so that legacy clients fail closed instead of negotiating TLS 1.0. For instance, one of the logged events shows a device still communicating over TLSv1.0.

FIGURE 13: Traffic detection event of deprecated TLSv1.0 in the Mendel system


FIGURE 14: Reviewing session parameters with the outdated TLSv1.0 protocol

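The two TLS checks above, certificate expiry (already expired, or expiring within a warning window) and deprecated protocol versions or weak cipher suites, can be run over the session metadata a monitoring sensor or a client's `ssl.getpeercert()` call reports. The following added example is written for this article and is not Mendel's code; the session-record fields, host names, the 14-day warning window and the fixed reference date (the article's date) are assumptions. The expired certificate's May 2021 date mirrors the case in the text. It also shows the client-side remediation: a context that refuses anything below TLS 1.2 and keeps chain and hostname verification on, so an expired or spoofed certificate fails closed.

```python
"""TLS hygiene checks over observed session records: expired or soon-expiring
server certificates and deprecated protocol versions or weak cipher suites,
plus a client context with the corrected minimum version.

Added example; the session-record fields, host names and dates are assumptions.
"""
from __future__ import annotations

import ssl
from datetime import datetime, timezone

# Versions below TLS 1.2 are deprecated (RFC 8996 covers TLS 1.0 and 1.1).
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Cipher-suite name fragments that should not appear in modern traffic.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "anon")


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Days until the certificate's notAfter; negative when already expired.

    not_after uses the format ssl.getpeercert() reports, e.g. 'May 12 12:00:00 2021 GMT'.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).days


def audit_session(session: dict, now: datetime, warn_days: int = 14) -> list[str]:
    """Return findings for one TLS session record (empty list = clean)."""
    findings = []
    if session["version"] in DEPRECATED_VERSIONS:
        findings.append(f"deprecated-version:{session['version']}")
    cipher = session.get("cipher", "")
    if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak-cipher:{cipher}")
    remaining = days_until_expiry(session["not_after"], now)
    if remaining < 0:
        findings.append(f"cert-expired:{-remaining}d-ago")
    elif remaining <= warn_days:
        findings.append(f"cert-expiring:{remaining}d")
    return findings


def audit_all(sessions, now: datetime, warn_days: int = 14) -> dict[str, list[str]]:
    """Map server name -> findings, for sessions that have any."""
    report = {}
    for s in sessions:
        found = audit_session(s, now, warn_days)
        if found:
            report[s["server"]] = found
    return report


def hardened_client_context() -> ssl.SSLContext:
    """Client-side remediation: refuse anything below TLS 1.2 and keep the
    default chain and hostname verification, so expired or spoofed
    certificates are rejected instead of warned about."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample session records (not real captures). Field names follow
# what ssl.SSLSocket.version(), .cipher() and .getpeercert() would give a client.
SAMPLE_SESSIONS = [
    {"server": "intranet.example.local", "version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
     "not_after": "May 12 00:00:00 2021 GMT"},   # expired cert, as in the article
    {"server": "portal.example.local", "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
     "not_after": "Jun 16 00:00:00 2026 GMT"},   # expires in a few days
    {"server": "legacy-app.example.local", "version": "TLSv1", "cipher": "DES-CBC3-SHA",
     "not_after": "Jan 01 00:00:00 2030 GMT"},   # deprecated version and weak cipher
    {"server": "files.example.local", "version": "TLSv1.3", "cipher": "TLS_AES_128_GCM_SHA256",
     "not_after": "Jan 01 00:00:00 2030 GMT"},   # clean
]
NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)  # fixed reference date so the run is reproducible

if __name__ == "__main__":
    for server, findings in audit_all(SAMPLE_SESSIONS, NOW).items():
        print(f"{server}: {', '.join(findings)}")
```

With the fixed reference date the intranet server's certificate is reported as expired 1856 days ago, the portal's as expiring in 5 days, and the legacy application for both TLSv1 and a 3DES cipher; the clean server produces no output. Against live hosts, the same `audit_session` can be fed from a socket wrapped with `hardened_client_context()`, in which case a server that only offers TLS 1.0 never completes the handshake at all.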

Information security requires strict compliance

Information security policies do more than just reduce risk. They help demonstrate compliance with regulatory requirements and accountability to clients and business owners. As ISMS requirements grow more complex, for instance under NIS2, proving that internal rules are applied consistently becomes a cornerstone of modern cybersecurity management. It is no longer enough to configure policies on security systems and NGFWs; transparency and verifiable evidence are required.

Mendel helps organizations move from assumptions to reliable evidence. It continuously validates how security policies are applied to network traffic, from encryption and access control to segmentation and protocol usage, giving the technical team the visibility needed to take clear, well-founded action.

Softprom, the official distributor of GREYCORTEX, possesses deep technical expertise and provides qualified assistance in project implementation. Our experts accompany the client at every stage of integration, ensuring the correct configuration of monitoring systems to meet the individual requirements of the business and IT infrastructure.