topic Puffin Browser: Bypassing Filtering policies (big loop hole may be ??) in General Topics

Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

kalyanram.piratla — Wed, 06 Feb 2013 17:13:33 GMT

Greetings,

I was pleasantly surprised when I got to know that I can download Puffin Browser as an app on mobile and tablet devices and browse my way through to otherwise blocked websites / denied applications. Just to confirm what I did:

1. Created a Security policy (IP address based and not User based) "Puffin Browser Test" for my iPad and allowed any application / any URL category. Result: All good, I can browse well. Fair enough

2. I then blocked "flickr" as application. Result: As expected, could not browse through to www.flickr.com using Safari; blocked as an application.

3. Looked at logs and was hitting "Puffin Browser Test". Good.

3. I then downloaded "Puffin Browser" via the apple store. Result: I now have Puffin Browser.

4. Browsed through to www.flickr.com using Safari and as expected was blocked as an application, but when I open up / use Puffin and go to www.flickr.com; I am sweetly allowed to go through.

5. Looked at the logs, and instead of being picked up by "Puffin Browser Test", I am hitting a rule beneath which has open access and application starts of as SSL and ends up web-browsing.

Is there any way this can be stopped as I can bypass the security policies? If it is using Regular Expressions, any heads up on how to do it as I am not very comfortable with RegEx stuff.

I have even raised it with applipedia and submitted it as a request, but I haven't had any acknowledgement from PAN regarding Puffin Browser.

Any suggestions, thoughts will be very helpful.

Many Thanks

Kalyan

Re: Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

gwesson — Wed, 06 Feb 2013 18:00:32 GMT

Puffin looks like it proxies the traffic to their servers. It might even use a VPN. You may be able to use an SSL decrypt policy, but it would be a challenge to set up without a static destination address. If you have an active support contract, I would recommend opening a case so a full investigation can be done. Submitting it via the app request form is a great first step and may even be enough to get a signature created as well.

Re: Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

fredallee — Wed, 06 Feb 2013 19:04:03 GMT

Puffin is a cloud browser meaning that they proxy all traffic for the client to the Puffin servers via SSL. You should be able to create a custom App-ID using the hostname of the server cert cloudmosa.com.

Re: Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

kalyanram.piratla — Tue, 12 Feb 2013 10:14:03 GMT

Hey Guys.. Got a work around for this. Created a custom URL category and blocked *.cloudmosa.* (the servers in the cloud that puffin uses in the background). and then blocked *.puffinbrowser.*. Add the URL category to a rule and deny the traffic. Simple work around. Nevertheless, this app has been submitted to PAN. Hopefully we get to see it at some point of time.

Thank you guys for sharing some insight.

Cheers...

Kalyan