This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to combat VPN’s that use spoofed SNI?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to combat VPN’s that use spoofed SNI?

stuart.l
L2 Linker

‎05-17-2017 01:09 AM - edited ‎05-17-2017 01:17 AM

Hi all,

 

My environment has a large fleet of iPads in an educational institution. We have restricted internet (no social media and so on) so the students spend time finding ways around it. We thought that bringing the PA unit in and enabling decryption had stopped issues with students using VPN services however we found recently that they are working again. (Disclaimer; this is probably not news to other people, but it is to me. I have searched for this issue but could find an appropriate post. I am also using 7.1.7).

 

Long story short; the VPN's are using spoofed Server Name Indication's (SNI) to avoid decryption. I assume that PA use SNI's to identify the URL category of SSL traffic and because the VPN service uses a fake address they can manipulate the rules to not be decrypted. I did a packetcapture and found they were using a few URL's including paypal.com, cloudfront.net, mozilla.org, twitter.com, facebook.com, whatsapp.com and get.adobe.com. The main issue for us is paypal.com as it is in the Financial Services category and therefore not decrypted.

 

I have fixed this by removing the students from the category based no-decrypt rule however, I would like other people's opinions on what is a good way to combat this. Our staff have a little more leeway however they should not really be using VPN's and if administration ask we can't say with certainty that they are not as the URL reports will see it as something like "ssl traffic to paypal.com, not decrypted". Is there another way to combat this? It is only a matter of time before malware use this loophole to avoid decryption as well!

 

0 Likes Likes
1 REPLY 1

santonic
L6 Presenter

‎05-18-2017 12:53 AM

Just a crazy idea, not sure it's possible but...

 

Custom IPS signature where SNI matches paypal.com and URL doesn't match paypal.com on block?

 

 

0 Likes Likes
  • 3014 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks