Manage client SSL VPN use

Reply
Highlighted
L1 Bithead

Manage client SSL VPN use

Hi PAN Community,

 

I work for a school and we have issues with student VPN use - specifically x-vpn, hotspot shield etc. We have rules in place that take care of the proxies and standard VPN applications and have SSL decryption and URL blocks in place for stuff we don't want students to access ie, pornography.

 

I found the following reddit post which details similar issues:

https://www.reddit.com/r/paloaltonetworks/comments/6ydcw7/how_are_you_all_blocking_personal_vpns_lik...

 

Which seems to suggest blocking ip ranges. Before I go that far, I thought I'd ask the community to see if anyone else has encountered something similar.

 

Cheers!

Highlighted
Cyber Elite

Hello,

Sounds like you have a good approach to blocking the traffic. Are you noticing they are somehow bypassing what you already have in place?

 

Regards,

Highlighted
Cyber Elite

@mgillette,

Thing is, you'll likely never be able to block everything. X-VPN (no experiance with hotspot shield) you pretty much need to block IP Ranges to get it to stop functioning; but students will always fine some up-and-coming way that you don't know about to bypass filtering. 

The best you can do is keep an eye/ear out and identify any access violations as quickly as you can, and from there turn down access as best you can. It sounds like you are doing everything right; the only thing that I might recommend if you haven't done so already is blocking by application filters. 

 

This is one of those things though that they'll always find a way around if they are dedicated enough. Newly spun up proxy sites can take a bit to be identified, VPN applications are coming out constantly, and you'll always have that one student that simply sets up their own solution that can bypass whatever blocks you have in place that is extremely hard to identify unless more students start using it. 

Highlighted
L1 Bithead

Appreciate the feedback, we do actually have application filters in place in addition to URL categorisation. This takes care of most casual bypass attempts via the usual proxies/L2tp/ipsec etc. I fully understand that this is largely a futile exercise that needs to be dealt with outside of IT.

 

My personal view is that this should be a catalyst of sorts for management to make it clear to students what the policy is and to take disciplinary action - just like what would happen in a business. Additioanlly, this is a great opportunity for the school to educate the student/s better on how to be good digital citizens - kinda ironic really.

 

 

 

 

Tags (1)
Highlighted
Cyber Elite

Hello,

So potentailly another thing to consider is secure DNS servers, meaning a service like OpenDNS and have their systems also helping block these types of connections. Its a paid service for getting very specific with your DNS resolution. But for their basic, I think its available to everyone.

 

I also would like to hear what others are doing because its not only good for stopping students, but also bad guys who use those services.

 

Regards,

Highlighted
Cyber Elite

@mgillette,

In some of the schools I've managed the policy was setup to lock students out if they attempted to utilize a proxy or a VPN to bypass filtering. First attempt would get your account blocked for 48 hours, next attempt would be 72 hours, next attempt would be 7 days, next attempt you would lose access all together. 

What this meant is that they would have no wireless access, the computer labs wouldn't allow the student access to any external resources outside of a few select sites (like wikipedia). They could still technically do all of the school work they needed to, it just simply made it harder and they generally never made it past needing to utilize the 72 hour option. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!