Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Puffin Browser: Bypassing Filtering policies (big loop hole may be ??)

L4 Transporter

Greetings,

I was pleasantly surprised when I got to know that I can download Puffin Browser as an app on mobile and tablet devices and browse my way through to otherwise blocked websites / denied applications. Just to confirm what I did:

1.  Created a Security policy (IP address based and not User based) "Puffin Browser Test" for my iPad and allowed any application / any URL category.  Result:  All good, I can browse well.  Fair enough 

2.  I then blocked "flickr" as application.  Result:  As expected, could not browse through to www.flickr.com using Safari; blocked as an application.

3.  Looked at logs and was hitting "Puffin Browser Test".  Good.

3.  I then downloaded "Puffin Browser" via the apple store.  Result:  I now have Puffin Browser.

4.  Browsed through to www.flickr.com using Safari and as expected was blocked as an application, but when I open up / use Puffin and go to www.flickr.com; I am sweetly allowed to go through.

5.  Looked at the logs, and instead of being picked up by "Puffin Browser Test", I am hitting a rule beneath which has open access and application starts of as SSL and ends up web-browsing.

Is there any way this can be stopped as I can bypass the security policies?  If it is using Regular Expressions, any heads up on how to do it as I am not very comfortable with RegEx stuff.

I have even raised it with applipedia and submitted it as a request, but I haven't had any acknowledgement from PAN regarding Puffin Browser.

Any suggestions, thoughts will be very helpful.

Many Thanks

Kalyan

1 accepted solution

Accepted Solutions

L4 Transporter

Puffin is a cloud browser meaning that they proxy all traffic for the client to the Puffin servers via SSL. You should be able to create a custom App-ID using the hostname of the server cert cloudmosa.com.

View solution in original post

3 REPLIES 3

L7 Applicator

Puffin looks like it proxies the traffic to their servers. It might even use a VPN. You may be able to use an SSL decrypt policy, but it would be a challenge to set up without a static destination address. If you have an active support contract, I would recommend opening a case so a full investigation can be done. Submitting it via the app request form is a great first step and may even be enough to get a signature created as well.

L4 Transporter

Puffin is a cloud browser meaning that they proxy all traffic for the client to the Puffin servers via SSL. You should be able to create a custom App-ID using the hostname of the server cert cloudmosa.com.

L4 Transporter

Hey Guys.. Got a work around for this.  Created a custom URL category and blocked *.cloudmosa.* (the servers in the cloud that puffin uses in the background).  and then blocked *.puffinbrowser.*.  Add the URL category to a rule and deny the traffic.  Simple work around.  Nevertheless, this app has been submitted to PAN.  Hopefully we get to see it at some point of time.

Thank you guys for sharing some insight.

Cheers...

Kalyan

  • 1 accepted solution
  • 7438 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!