How can I detect and stop 3rd party VPN tools used to bypass my network security

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How can I detect and stop 3rd party VPN tools used to bypass my network security

L3 Networker

We are a private high school with a growing laptop population but these kids work hard trying to circumvent our security.  They have found using 3rd party VPN tools, mostly single exe's they hide in their recucle bin when they fear exposure.  This tool comes with statements telling the user it is illegal and it will get them around the "best security systems your school has".

How can I detect and prevent this type of process from running on our network.

1 accepted solution

Accepted Solutions

L7 Applicator

The PAN does have AppID signatures for most common ones like ultrasurf/TOR etc.You can start off by blocking some of the more common ones as 'umphmharding' mentioned (Some of these are SSL based so to make sure the signature works you may also have to configure SSL decryption). If the PA does not have signatures for some new application, it will show up as 'unknown-tcp/udp'. You can block 'unknown-tcp/udp' in the interim and then contact PA to have a signature created/updated for traffic that shows as 'unknown-tcp/udp'

View solution in original post

3 REPLIES 3

L4 Transporter

I would check the traffic logs to see if any of these VPN or Proxy tools are already classified in the AppID database. If so, it's an easy block rule.

L7 Applicator

The PAN does have AppID signatures for most common ones like ultrasurf/TOR etc.You can start off by blocking some of the more common ones as 'umphmharding' mentioned (Some of these are SSL based so to make sure the signature works you may also have to configure SSL decryption). If the PA does not have signatures for some new application, it will show up as 'unknown-tcp/udp'. You can block 'unknown-tcp/udp' in the interim and then contact PA to have a signature created/updated for traffic that shows as 'unknown-tcp/udp'

Another thing is to perform whitelisting and make that hole as narrow as possible.

For example:

1) Enable ssl-termination (not allowing traffic that cannot be terminated).

2) Blacklist appid's and app-groups you dont want to allow.

3) Blacklist url-categories you dont want to allow.

4) Whitelist appid's and app-groups you wish to allow.

5) Whitelist url-categories you wish to allow.

6) Default deny and log on session end.

Using PANDB will most likely be more granular than the Brightcloud DB (that is not only domain but also part of the URI/URL aswell).

The blacklists should be as large/broad as possible while the whitelists should be as narrow as possible.

The point of placing whitelist AFTER blacklist is if you for example end up with a sitation such as: you wish to block www.example.com/badside but allow www.example.com in general.

Since PA uses top-down first-match the url with www.example.com/badside would be blocked with above.

If you had whitelist first then the badside would have been allowed.

  • 1 accepted solution
  • 7346 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!