How can I detect and stop 3rd party VPN tools used to bypass my network security

L3 Networker

We are a private high school with a growing laptop population, but these kids work hard trying to circumvent our security. They have found 3rd party VPN tools, mostly single exes they hide in their recycle bin when they fear exposure. This tool comes with statements telling the user it is illegal and it will get them around the "best security systems your school has".

How can I detect and prevent this type of process from running on our network?

3 REPLIES

L4 Transporter

I would check the traffic logs to see if any of these VPN or Proxy tools are already classified in the AppID database. If so, it's an easy block rule.

L7 Applicator

The PAN does have AppID signatures for most common ones like ultrasurf/TOR etc. You can start off by blocking some of the more common ones as 'umphmharding' mentioned (some of these are SSL based, so to make sure the signature works you may also have to configure SSL decryption). If the PA does not have signatures for some new application, it will show up as 'unknown-tcp/udp'. You can block 'unknown-tcp/udp' in the interim and then contact PA to have a signature created/updated for traffic that shows as 'unknown-tcp/udp'.

Another thing is to perform whitelisting and make that hole as narrow as possible.

For example:

1) Enable ssl-termination (not allowing traffic that cannot be terminated).

2) Blacklist AppIDs and app-groups you don't want to allow.

3) Blacklist url-categories you don't want to allow.

4) Whitelist AppIDs and app-groups you wish to allow.

5) Whitelist url-categories you wish to allow.

6) Default deny and log on session end.

Using PANDB will most likely be more granular than the Brightcloud DB (that is not only domain but also part of the URI/URL as well).

The blacklists should be as large/broad as possible while the whitelists should be as narrow as possible.

The point of placing whitelist AFTER blacklist is if you, for example, end up with a situation such as: you wish to block www.example.com/badside but allow www.example.com in general.

Since PA uses top-down first-match the url with www.example.com/badside would be blocked with above.

If you had whitelist first then the badside would have been allowed.
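As an added illustration (not code from this thread or from Palo Alto Networks), the following Python model of top-down, first-match policy evaluation shows why the blacklist rules go before the whitelist rules and how an 'unknown-tcp' block catches unsignatured tools. Rule fields, application names and URLs are constructed for the example and are not PAN-OS syntax.

```python
# Toy first-match rulebase evaluator (added example; constructed, not PAN-OS).
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    apps: Optional[set] = None        # None = any application
    url_prefix: Optional[str] = None  # None = any URL, else prefix match


@dataclass
class Session:
    app: str        # App-ID result, e.g. "web-browsing" or "unknown-tcp"
    url: str = ""   # decrypted URL if SSL decryption applies, else empty


def matches(rule: Rule, s: Session) -> bool:
    """A rule matches when every specified field matches the session."""
    if rule.apps is not None and s.app not in rule.apps:
        return False
    if rule.url_prefix is not None and not s.url.startswith(rule.url_prefix):
        return False
    return True


def evaluate(rules: list, s: Session) -> Tuple[str, str]:
    """Top-down, first-match: the first matching rule decides; otherwise default deny."""
    for rule in rules:
        if matches(rule, s):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed rulebase in the order the reply recommends: blacklists, then whitelists.
BLACKLIST = [
    Rule("block-evasive-apps", "deny", apps={"ultrasurf", "tor"}),
    Rule("block-unknown", "deny", apps={"unknown-tcp", "unknown-udp"}),
    Rule("block-badside", "deny", url_prefix="www.example.com/badside"),
]
WHITELIST = [
    Rule("allow-example", "allow", apps={"web-browsing"}, url_prefix="www.example.com"),
]
CORRECT_ORDER = BLACKLIST + WHITELIST   # badside is blocked, rest of the site allowed
WRONG_ORDER = WHITELIST + BLACKLIST     # whitelist first: badside slips through

if __name__ == "__main__":
    bad = Session("web-browsing", "www.example.com/badside/page")
    print(evaluate(CORRECT_ORDER, bad))                     # ('deny', 'block-badside')
    print(evaluate(WRONG_ORDER, bad))                       # ('allow', 'allow-example')
    print(evaluate(CORRECT_ORDER, Session("unknown-tcp")))  # ('deny', 'block-unknown')
```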
