How to combat VPNs that use spoofed SNI?

L2 Linker

Hi all,

 

My environment has a large fleet of iPads in an educational institution. We have restricted internet (no social media and so on), so the students spend time finding ways around it. We thought that bringing the PA unit in and enabling decryption had stopped issues with students using VPN services; however, we found recently that they are working again. (Disclaimer: this is probably not news to other people, but it is to me. I have searched for this issue but could find an appropriate post. I am also using 7.1.7.)

 

Long story short: the VPNs are using spoofed Server Name Indications (SNI) to avoid decryption. I assume that PA uses SNIs to identify the URL category of SSL traffic, and because the VPN service uses a fake address they can manipulate the rules to not be decrypted. I did a packet capture and found they were using a few URLs including paypal.com, cloudfront.net, mozilla.org, twitter.com, facebook.com, whatsapp.com and get.adobe.com. The main issue for us is paypal.com as it is in the Financial Services category and therefore not decrypted.

 

I have fixed this by removing the students from the category-based no-decrypt rule; however, I would like other people's opinions on what is a good way to combat this. Our staff have a little more leeway; however, they should not really be using VPNs, and if administration ask we can't say with certainty that they are not, as the URL reports will see it as something like "ssl traffic to paypal.com, not decrypted". Is there another way to combat this? It is only a matter of time before malware uses this loophole to avoid decryption as well!

 

1 REPLY 1

L5 Sessionator

Just a crazy idea, not sure it's possible but...

 

Custom IPS signature where SNI matches paypal.com and URL doesn't match paypal.com on block?
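
The mismatch idea in the reply above, as an added Python example that is not from the thread and is not a PAN-OS signature: it extracts the SNI from a TLS ClientHello and flags the session when that name is not among the DNS names of the certificate the server returned. Using the certificate's names as the comparison is an assumption, and the function names and the sample ClientHello are constructed for illustration.

```python
import struct

def extract_sni(record: bytes) -> "str | None":
    """Return the host name in the SNI extension of a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record carrying a ClientHello
    p = 5 + 4 + 2 + 32  # record header, handshake header, version, random
    try:
        p += 1 + record[p]                                    # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]       # cipher_suites
        p += 1 + record[p]                                    # compression_methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]  # end of extensions
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            p += 4
            if ext_type == 0:  # server_name: list_len(2) type(1) name_len(2) name
                n = struct.unpack_from("!H", record, p + 3)[0]
                return record[p + 5:p + 5 + n].decode("ascii").lower()
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated or malformed hello
    return None

def san_covers(sni: str, sans: list) -> bool:
    """True if a certificate dNSName matches sni (one-label wildcard allowed)."""
    for san in (s.lower() for s in sans):
        if san == sni:
            return True
        if san.startswith("*.") and sni.partition(".")[2] == san[2:]:
            return True
    return False

def sni_mismatch(record: bytes, cert_sans: list) -> bool:
    """Flag a session whose ClientHello SNI is not named in the server certificate."""
    # Assumption (not from the thread): the comparison basis is the cert's dNSNames.
    sni = extract_sni(record)
    return sni is not None and not san_covers(sni, cert_sans)

def sample_hello(host: str) -> bytes:
    """Constructed minimal ClientHello with only an SNI extension (sample input)."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

With TLS 1.3 the server certificate is sent encrypted, so the SAN list has to come from a separate probe of the destination or from decryption rather than from a passive capture.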

 

 
