05-13-2019 02:14 PM
Anyone know how to block these 2 apps?
Betternet VPN
Lemon VPN
https://play.google.com/store/apps/details?id=org.lemonvpn.android&hl=en_US
We have a BYOD at our K-12 education schools, and students are bringing their own devices in with these installed. I assume there are other VPNs out there coming in too.
We have an 'open' BYOD, so no authentication needed, other than agreeing with the AUP.
Palo shows no App-ID for either of these and the traffic just pokes right through. We have proxy sites blocked via Palo URL license, and have SSL decryption enabled and make BYOD users install our ssl-forward-proxy cert if they want to use https websites.
Any thoughts?
Dannon
05-13-2019 02:57 PM
Hello,
Perhaps block the ports that they are using outbound? Typically VPN uses 500/udp. Maybe even use an application filter and use encrypted-tunnel, however this could break legit traffic so whatever you put in, I say make it an allow policy to see what else it's matching.
Regards,
06-10-2019 04:19 AM
Looks like a rather evasive application.
"Lemon VPN allows you to unblock websites that are blocked to you by your ISP or government through tunnelling via different protocols like SSL, TCP, HTTP."
I would suggest the following:
- Either allow only specific, sanctioned apps from the network, or make sure to block: SSH, IPSEC, the common ports used for those apps too, etc.
- A rather strict URL Filtering profile, their domain is "parked" btw.
- Create a report to find which IPs are used while connecting to the tunneling services, block those IPs
- Do not allow unknown-tcp, unknown-udp traffic on the network, if necessary to allow, make sure to investigate the traffic that is required to work, create apps based on that and then go ahead to deny the unknown-tcp,udp.
06-10-2019 06:10 AM
Hello,
Looks like a URL filter policy might be able to help as well. But I agree the kids will try to find a way around stuff. Have daily reports and review the traffic to see what new stuff they are trying and make sure it's getting blocked. I'm sure a lot of others would love to see how you are blocking these attempts.
Regards,
08-13-2020 09:42 PM - edited 08-13-2020 09:46 PM
Greetings from a K-12 private school in Wisconsin,
I'm a school psychologist and very often I ask students to watch videos and lectures on the reliable educational web resources, but they go further than that - they start looking for other stuff, sometimes, it concerns violent scenes and bullying. They are trying to bypass our security measures all the time. What is a sure fire way to block Proxy and VPN tools for good?
Should I perform whitelisting?
Thanks,
Dani
Dani Dapo (Omoiyadapo)
Access support: https://live.paloaltonetworks.com/t5/general-topics/how-can-i-stop-vpn-tools-used-to-bypass essaytyper.pro paper generator
08-14-2020 08:30 PM
There is no sure fire way to block proxies and VPN solutions across the board, and while a robust whitelisting process can help limit the issue it'll never completely rid the issue. New Proxies and VPN solutions come online all the time, and smart students can spin up their own on any port that you leave open.
You can create an extremely limited rulebase which only allows access to "approved" resources, but in a school environment that would be extremely time consuming. Students will find a way to get around things unless you completely restrict access.
08-17-2020 02:27 PM
Hello,
This may be a case of always being behind the ball. As stated before, configure your URL filtering as well as the other security policies and objects. Then have the firewall generate reports as to the websites that are getting hit. Review the logs daily and see if you can see a pattern. Also SSL decryption can be a benefit here since the PAN can possibly determine the application and if you have it blocked. Make sure you are sending PAN your telemetry so their algorithms can reprocess and dynamically update their feeds. This not only helps you but everyone attempting to do the same thing.
Let us know which way you go so the rest of the community can follow the leader and do something similar :).
Regards,
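The daily report suggested in the replies above, sketched as an added example that is not part of any post in this thread: it groups sessions classified as unknown-tcp, unknown-udp, ssh or ike by destination and lists those reached by several BYOD clients or carrying heavy volume. The CSV column layout, sample rows, function name and thresholds are constructed assumptions, not PAN-OS's native log export.

```python
import csv
import io
from collections import defaultdict

# Apps the thread suggests denying or investigating on the BYOD zone.
SUSPECT_APPS = {"unknown-tcp", "unknown-udp", "ssh", "ike"}

# Constructed sample export (assumed columns, not PAN-OS's native log layout).
SAMPLE_LOG = """src,dst,dport,app,bytes
10.20.1.15,203.0.113.40,443,unknown-tcp,48211003
10.20.1.22,203.0.113.40,443,unknown-tcp,9120455
10.20.1.15,198.51.100.7,500,ike,88210
10.20.1.31,192.0.2.80,443,ssl,120344
10.20.1.31,203.0.113.40,443,unknown-tcp,30500121
10.20.1.44,198.51.100.99,8080,unknown-udp,1200
10.20.1.22,192.0.2.80,80,web-browsing,50231
"""

def tunnel_candidates(log_text, min_clients=2, min_bytes=1_000_000):
    """Return (dst, dport, client_count, total_bytes) rows worth reviewing.

    A destination is reported when suspect-app sessions to it come from at
    least min_clients distinct sources or carry at least min_bytes in total.
    """
    clients = defaultdict(set)
    volume = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["app"] not in SUSPECT_APPS:
            continue
        key = (row["dst"], int(row["dport"]))
        clients[key].add(row["src"])
        volume[key] += int(row["bytes"])
    report = [
        (dst, dport, len(clients[(dst, dport)]), volume[(dst, dport)])
        for (dst, dport) in clients
        if len(clients[(dst, dport)]) >= min_clients
        or volume[(dst, dport)] >= min_bytes
    ]
    # Busiest destinations first, so the daily review starts with them.
    return sorted(report, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for dst, dport, n, total in tunnel_candidates(SAMPLE_LOG):
        print(f"{dst}:{dport}  clients={n}  bytes={total}")
```

Destinations it lists are candidates for review, since a required service that has no App-ID yet will show up the same way.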