<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to combat VPNs that use spoofed SNI? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-combat-vpn-s-that-use-spoofed-sni/m-p/157127#M51563</link>
    <description>&lt;P&gt;Just a crazy idea, not sure it's possible but...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Custom IPS signature where SNI matches paypal.com and URL doesn't match paypal.com on block?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Thu, 18 May 2017 07:53:25 GMT</pubDate>
    <dc:creator>santonic</dc:creator>
    <dc:date>2017-05-18T07:53:25Z</dc:date>
    <item>
      <title>How to combat VPNs that use spoofed SNI?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-combat-vpn-s-that-use-spoofed-sni/m-p/157008#M51539</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My environment has a large fleet of iPads in an educational institution. We have restricted internet (no social media and so on), so the students spend time finding ways around it. We thought that bringing the PA unit in and enabling decryption had stopped issues with students using VPN services; however, we found recently that they are working again. (Disclaimer: this is probably not news to other people, but it is to me. I have searched for this issue but could find an appropriate post. I am also using 7.1.7.)&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Long story short: the VPNs are using spoofed Server Name Indications (SNI) to avoid decryption. I assume that PA uses SNIs to identify the URL category of SSL traffic, and because the VPN service uses a fake address they can manipulate the rules to not be decrypted. I did a packet capture and found they were using a few URLs including&amp;nbsp;paypal.com, cloudfront.net, mozilla.org, twitter.com, facebook.com, whatsapp.com and get.adobe.com. The main issue for us is paypal.com, as it is in the Financial Services category and therefore not decrypted.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have fixed this by removing the students from the category-based no-decrypt rule; however, I would like other people's opinions on what is a good way to combat this. Our staff have a little more leeway; however, they should not really be using VPNs, and if administration asks we can't say with certainty that they are not, as the URL reports will see it as something like "ssl traffic to paypal.com, not decrypted". Is there another way to combat this? It is only a matter of time before malware uses this loophole to avoid decryption as well!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 17 May 2017 08:17:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-combat-vpn-s-that-use-spoofed-sni/m-p/157008#M51539</guid>
      <dc:creator>stuart.l</dc:creator>
      <dc:date>2017-05-17T08:17:32Z</dc:date>
    </item>
    <item>
      <title>Re: How to combat VPNs that use spoofed SNI?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/how-to-combat-vpn-s-that-use-spoofed-sni/m-p/157127#M51563</link>
      <description>&lt;P&gt;Just a crazy idea, not sure it's possible but...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Custom IPS signature where SNI matches paypal.com and URL doesn't match paypal.com on block?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 18 May 2017 07:53:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/how-to-combat-vpn-s-that-use-spoofed-sni/m-p/157127#M51563</guid>
      <dc:creator>santonic</dc:creator>
      <dc:date>2017-05-18T07:53:25Z</dc:date>
    </item>
  </channel>
</rss>