Betternet VPN Lemon VPN blocking


L3 Networker

Anyone know how to block these 2 apps?

 

Betternet VPN

https://www.betternet.co/

 

Lemon VPN

https://play.google.com/store/apps/details?id=org.lemonvpn.android&hl=en_US

 

We have a BYOD at our K-12 education schools, and students are bringing their own devices in with these installed.  I assume there are other VPNs out there coming in too.

 

We have an 'open' BYOD, so no authentication needed, other than agreeing with the AUP.

 

Palo shows no App-ID for either of these and the traffic just pokes right through.  We have proxy sites blocked via Palo URL license, and have SSL decryption enabled and make BYOD users install our ssl-forward-proxy cert if they want to use https websites.

 

Any thoughts?

Dannon

 

6 REPLIES

Cyber Elite

Hello,

Perhaps block the ports that they are using outbound? Typically VPN uses 500/udp. Maybe even use an application filter and use encrypted-tunnel, however this could break legit traffic so whatever you put in, I say make it an allow policy to see what else it's matching.

Regards,

Looks like a rather evasive application.

 

"Lemon VPN allows you to unblock websites that are blocked to you by your ISP or government through tunnelling via different protocols like SSL, TCP, HTTP."

 

I would suggest the following:

- Either allow only specific, sanctioned apps from the network, or make sure to block: SSH, IPSEC, the common ports used for those apps too, etc.

 

- A rather strict URL Filtering profile, their domain is "parked" btw.

 

- Create a report to find which IPs are used while connecting to the tunneling services, block those IPs

 

- Do not allow unknown-tcp, unknown-udp traffic on the network, if necessary to allow, make sure to investigate the traffic that is required to work, create apps based on that and then go ahead to deny the unknown-tcp,udp.

Hello,

Looks like a URL filter policy might be able to help as well. But I agree the kids will try to find a way around stuff. Have daily reports and review the traffic to see what new stuff they are trying and make sure it's getting blocked. I'm sure a lot of others would love to see how you are blocking these attempts.

 

Regards,

L0 Member

Greetings from a K-12 private school in Wisconsin,

I'm a school psychologist and very often I ask students to watch videos and lectures on the reliable educational web resources, but they go further than that - they start looking for other stuff, sometimes, it concerns violent scenes and bullying. They are trying to bypass our security measures all the time. What is a sure fire way to block Proxy and VPN tools for good?

Should I perform whitelisting?

Thanks,

Dani

 

 

 

 

Dani Dapo (Omoiyadapo)


@Omoiyadapo,

There is no sure fire way to block proxies and VPN solutions across the board, and while a robust whitelisting process can help limit the issue it'll never completely rid the issue. New Proxies and VPN solutions come online all the time, and smart students can spin up their own on any port that you leave open. 

You can create an extremely limited rulebase which only allows access to "approved" resources, but in a school environment that would be extremely time consuming. Students will find a way to get around things unless you completely restrict access. 

Hello,

This may be a case of always being behind the ball. As stated before, configure your URL filtering as well as the other security policies and objects. Then have the firewall generate reports as to the websites that are getting hit. Review the logs daily and see if you can see a pattern. Also SSL decryption can be a benefit here since the PAN can possibly determine the application and if you have it blocked. Make sure you are sending PAN your telemetry so their algorithms can reprocess and dynamically update their feeds. This not only helps you but everyone attempting to do the same thing.

 

Let us know which way you go so the rest of the community can follow the leader and do something similar :).

 

Regards,
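
Added example, not part of any post in this thread: one way to turn the "create a report to find which IPs are used" and "review the logs daily and see if you can see a pattern" suggestions into a repeatable check over an exported traffic log. The CSV column names, the sample rows and both thresholds are assumptions made for the example; map them to whatever your own export contains.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Column names are assumptions standing in for
# whatever your firewall's traffic-log CSV export actually uses.
SAMPLE_LOG = """src,dst,dport,proto,app,bytes
10.20.1.15,203.0.113.10,443,tcp,ssl,48211934
10.20.1.15,203.0.113.10,443,tcp,ssl,51200345
10.20.1.15,198.51.100.7,80,tcp,web-browsing,120400
10.20.1.22,198.51.100.7,80,tcp,web-browsing,2400000
10.20.1.22,198.51.100.8,443,tcp,ssl,2600000
10.20.1.22,192.0.2.55,443,tcp,ssl,2100000
10.20.1.31,203.0.113.77,500,udp,unknown-udp,900000
10.20.1.31,198.51.100.7,80,tcp,web-browsing,4000000
10.20.1.40,203.0.113.90,8443,tcp,unknown-tcp,15000000
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}  # sessions App-ID could not classify
MIN_BYTES = 10_000_000  # assumed threshold: skip low-volume clients
MIN_SHARE = 0.90        # assumed threshold: share of a client's bytes to one IP


def find_tunnel_candidates(log_text):
    """Return {dst_ip: set of reasons} for destinations to review or block."""
    per_client = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes
    reasons = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        per_client[row["src"]][row["dst"]] += int(row["bytes"])
        if row["app"] in UNKNOWN_APPS:
            reasons[row["dst"]].add(row["app"])
        if row["proto"] == "udp" and row["dport"] == "500":
            reasons[row["dst"]].add("500/udp")
    # A tunnelled client sends almost everything to a single endpoint, even
    # when the session itself is classified as ordinary ssl.
    for src, dsts in per_client.items():
        total = sum(dsts.values())
        top_dst, top_bytes = max(dsts.items(), key=lambda kv: kv[1])
        if total >= MIN_BYTES and top_bytes / total >= MIN_SHARE:
            reasons[top_dst].add(f"single-endpoint client {src}")
    return dict(reasons)


if __name__ == "__main__":
    for dst, why in sorted(find_tunnel_candidates(SAMPLE_LOG).items()):
        print(dst, sorted(why))
```

The single-endpoint heuristic will also flag clients that spend the whole period on one streaming or update server, so treat the output as a review list rather than an automatic block list.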
