Betternet VPN Lemon VPN blocking


L3 Networker


Anyone know how to block these 2 apps?

 

Betternet VPN

https://www.betternet.co/

 

Lemon VPN

https://play.google.com/store/apps/details?id=org.lemonvpn.android&hl=en_US

 

We have a BYOD at our K-12 education schools, and students are bringing their own devices in with these installed.  I assume there are other VPNs out there coming in too.

 

We have an 'open' BYOD, so no authentication needed, other than agreeing with the AUP.

 

Palo shows no ap-id for either of these and the traffic just pokes right through.  We have proxy sites blocked via Palo URL license, and have SSL decryption enabled and make BYOD users install our ssl-forward-proxy cert if they want to use https websites.

 

Any thoughts?

Dannon

 

Cyber Elite

Hello,

Perhaps block the ports that they are using outbound? Typically VPN uses 500/udp. Maybe even use an application filter and use encrypted-tunnel; however, this could break legit traffic, so whatever you put in, I say make it an allow policy to see what else it's matching.

Regards,

L2 Linker

Looks like a rather evasive application.

 

"Lemon VPN allows you to unblock websites that are blocked to you by your ISP or government through tunnelling via different protocols like SSL, TCP, HTTP."

 

I would suggest the following:

- Either allow only specific, sanctioned apps from the network, or make sure to block SSH, IPsec, the common ports used for those apps, etc.

 

- A rather strict URL Filtering profile, their domain is "parked" btw.

 

- Create a report to find which IPs are used while connecting to the tunneling services, and block those IPs.

 

- Do not allow unknown-tcp or unknown-udp traffic on the network. If it is necessary to allow it, make sure to investigate the traffic that is required to work, create apps based on that, and then go ahead and deny unknown-tcp/udp.

Cyber Elite

Hello,

Looks like a URL filter policy might be able to help as well. But I agree the kids will try to find a way around stuff. Have daily reports and review the traffic to see what new stuff they are trying, and make sure it's getting blocked. I'm sure a lot of others would love to see how you are blocking these attempts.

 

Regards,

L0 Member

Greetings from a K-12 private school in Wisconsin,

I'm a school psychologist, and very often I ask students to watch videos and lectures on reliable educational web resources, but they go further than that: they start looking for other stuff; sometimes it concerns violent scenes and bullying. They are trying to bypass our security measures all the time. What is a surefire way to block proxy and VPN tools for good?

Should I perform whitelisting?

Thanks,

Dani

Dani Dapo (Omoiyadapo)


Cyber Elite

@Omoiyadapo,

There is no surefire way to block proxies and VPN solutions across the board, and while a robust whitelisting process can help limit the issue, it'll never completely get rid of the issue. New proxies and VPN solutions come online all the time, and smart students can spin up their own on any port that you leave open.

You can create an extremely limited rulebase which only allows access to "approved" resources, but in a school environment that would be extremely time consuming. Students will find a way to get around things unless you completely restrict access. 

Cyber Elite

Hello,

This may be a case of always being behind the ball. As stated before, configure your URL filtering as well as the other security policies and objects. Then have the firewall generate reports as to the websites that are getting hit. Review the logs daily and see if you can see a pattern. Also, SSL decryption can be a benefit here since the PAN can possibly determine the application and whether you have it blocked. Make sure you are sending PAN your telemetry so their algorithms can reprocess and dynamically update their feeds. This not only helps you but everyone attempting to do the same thing.

 

Let us know which way you go so the rest of the community can follow the leader and do something similar :).

 

Regards,
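The "create a report of the IPs the tunneling services connect to, then block them" step from the L2 Linker reply and the "review the logs daily and look for a pattern" advice above can be scripted. The block below is an added example, not code from this thread or from Palo Alto Networks. It assumes a simplified CSV export of the PAN-OS traffic log with only the columns listed in FIELDS (a real export has many more columns; map them accordingly), treats the App-IDs and ports it lists as tunnel indicators (an assumption to tune locally), and emits an External Dynamic List (EDL) style text file, one IP per line, that a deny rule can reference. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Daily review of PAN-OS traffic logs for probable VPN/proxy endpoints.

Added example (not from the thread or Palo Alto Networks). Assumes a
simplified CSV export with the columns in FIELDS; outputs an EDL-style
IP list plus a human-readable report for the daily review.
"""
import csv
import io
from collections import defaultdict

# Assumed simplified export column order (real traffic log exports have far more fields).
FIELDS = ["receive_time", "src", "dst", "app", "dport", "proto", "bytes", "action"]

# App-IDs treated as tunnel indicators: the thread's unknown-tcp/udp, SSH, IPsec,
# plus a few common VPN App-IDs. Assumption: tune to what your rulebase sanctions.
TUNNEL_APPS = {"unknown-tcp", "unknown-udp", "ssh", "ike", "ipsec-esp",
               "ipsec-esp-udp", "openvpn", "pptp", "l2tp"}
# Ports VPN clients commonly use regardless of what App-ID is assigned (assumption).
VPN_PORTS = {500, 4500, 1194, 1701, 1723}


def parse_logs(text):
    """Parse the simplified CSV export into dicts with numeric port/bytes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def is_tunnel_like(row):
    """True if the session looks like a VPN/proxy tunnel rather than normal browsing."""
    if row["app"] in TUNNEL_APPS or row["dport"] in VPN_PORTS:
        return True
    # "ssl" on a non-standard port is how several VPN clients hide; plain 443 is
    # far too noisy to flag on its own, so it is left to decryption + URL filtering.
    return row["app"] == "ssl" and row["dport"] != 443


def find_tunnel_candidates(rows, min_sources=2, allowlist=frozenset()):
    """Group allowed tunnel-like sessions by destination IP.

    A destination reached by several BYOD devices with unknown/tunnel traffic is a
    stronger signal than one device; min_sources=1 gives the full list for review.
    Destinations in allowlist (sanctioned servers) are never reported.
    """
    stats = defaultdict(lambda: {"sources": set(), "apps": set(), "ports": set(), "bytes": 0})
    for row in rows:
        if row["action"] != "allow" or row["dst"] in allowlist:
            continue  # already blocked, or a sanctioned destination
        if not is_tunnel_like(row):
            continue
        s = stats[row["dst"]]
        s["sources"].add(row["src"])
        s["apps"].add(row["app"])
        s["ports"].add(row["dport"])
        s["bytes"] += row["bytes"]
    return {dst: s for dst, s in stats.items() if len(s["sources"]) >= min_sources}


def to_edl(candidates):
    """EDL text: one IP per line, sorted, for a deny rule's destination object."""
    return "\n".join(sorted(candidates)) + "\n"


def report(candidates):
    """One line per destination, heaviest talkers first, for the daily review."""
    lines = []
    for dst, s in sorted(candidates.items(), key=lambda kv: -kv[1]["bytes"]):
        lines.append(f"{dst}: {len(s['sources'])} devices, apps={sorted(s['apps'])}, "
                     f"ports={sorted(s['ports'])}, bytes={s['bytes']}")
    return "\n".join(lines)


# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
2020/11/06 08:01:12,10.20.1.15,203.0.113.10,unknown-udp,4433,udp,915233,allow
2020/11/06 08:02:40,10.20.1.22,203.0.113.10,unknown-udp,4433,udp,77201,allow
2020/11/06 08:03:05,10.20.1.31,198.51.100.7,ssl,8443,tcp,534000,allow
2020/11/06 08:03:50,10.20.1.15,198.51.100.7,ssl,8443,tcp,120044,allow
2020/11/06 08:04:10,10.20.1.40,192.0.2.25,web-browsing,80,tcp,4096,allow
2020/11/06 08:05:22,10.20.1.40,192.0.2.30,ssl,443,tcp,88123,allow
2020/11/06 08:06:01,10.20.1.51,203.0.113.44,unknown-tcp,9001,tcp,30500,allow
2020/11/06 08:07:33,10.20.1.60,192.0.2.80,ike,500,udp,2048,deny
2020/11/06 08:08:00,10.20.1.60,192.0.2.80,ipsec-esp-udp,4500,udp,10000,allow
2020/11/06 08:09:15,10.20.1.15,192.0.2.99,ssh,22,tcp,5000,allow
2020/11/06 08:10:00,10.20.1.22,192.0.2.99,ssh,22,tcp,7000,allow
"""

if __name__ == "__main__":
    rows = parse_logs(SAMPLE_LOG)
    sanctioned = {"192.0.2.99"}  # assumed: the school's own SSH host
    block_now = find_tunnel_candidates(rows, min_sources=2, allowlist=sanctioned)
    print("== block candidates ==")
    print(report(block_now))
    print("== EDL ==")
    print(to_edl(block_now), end="")
    print("== single-device hits for manual review ==")
    print(report(find_tunnel_candidates(rows, min_sources=1, allowlist=sanctioned)))
```

Run it daily against the previous day's export and publish the EDL to an internal web server the firewall can fetch; the allowlist is what keeps the rule from swallowing sanctioned SSH or IPsec destinations, which is the "allow policy first to see what else it matches" caution from earlier in the thread.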
