topic How can I detect and stop 3rd party VPN tools used to bypass my network security in General Topics

How can I detect and stop 3rd party VPN tools used to bypass my network security

MemphisBrothers — Mon, 29 Apr 2013 17:11:24 GMT

We are a private high school with a growing laptop population but these kids work hard trying to circumvent our security. They have found using 3rd party VPN tools, mostly single exe's they hide in their recucle bin when they fear exposure. This tool comes with statements telling the user it is illegal and it will get them around the "best security systems your school has".

How can I detect and prevent this type of process from running on our network.

Re: How can I detect and stop 3rd party VPN tools used to bypass my network security

mharding — Mon, 29 Apr 2013 17:52:19 GMT

I would check the traffic logs to see if any of these VPN or Proxy tools are already classified in the AppID database. If so, it's an easy block rule.

Re: How can I detect and stop 3rd party VPN tools used to bypass my network security

goku123 — Mon, 29 Apr 2013 18:03:15 GMT

The PAN does have AppID signatures for most common ones like ultrasurf/TOR etc.You can start off by blocking some of the more common ones as 'umphmharding' mentioned (Some of these are SSL based so to make sure the signature works you may also have to configure SSL decryption). If the PA does not have signatures for some new application, it will show up as 'unknown-tcp/udp'. You can block 'unknown-tcp/udp' in the interim and then contact PA to have a signature created/updated for traffic that shows as 'unknown-tcp/udp'

Re: How can I detect and stop 3rd party VPN tools used to bypass my network security

mikand — Tue, 30 Apr 2013 12:42:10 GMT

Another thing is to perform whitelisting and make that hole as narrow as possible.

For example:

1) Enable ssl-termination (not allowing traffic that cannot be terminated).

2) Blacklist appid's and app-groups you dont want to allow.

3) Blacklist url-categories you dont want to allow.

4) Whitelist appid's and app-groups you wish to allow.

5) Whitelist url-categories you wish to allow.

6) Default deny and log on session end.

Using PANDB will most likely be more granular than the Brightcloud DB (that is not only domain but also part of the URI/URL aswell).

The blacklists should be as large/broad as possible while the whitelists should be as narrow as possible.

The point of placing whitelist AFTER blacklist is if you for example end up with a sitation such as: you wish to block www.example.com/badside but allow www.example.com in general.

Since PA uses top-down first-match the url with www.example.com/badside would be blocked with above.

If you had whitelist first then the badside would have been allowed.