I'm hoping someone might have an answer for me. I'm trying to see if there is a way to block any traffic coming from a Student IPad or Laptop when they try and use a VPN Client or more so a VPN Add-On in Firefox or Chrome. I'm hoping there is a way on the firewall that it can detect that the client is using some type of VPN and it will block that traffic. Thanks for any help in this issue.
I imagine these are mostly web-based if they're a plugin. Beyond enforcing what plugins users could install outside the firewall, you could use URL filtering to specfically allow the sites necessary. Additionally alerting on all categories and then blocking what you'd like to accordingly is also an option.
There are various app-ID's for different VPN's like you've described if you know specifically what you're trying to enforce that you could also leverage.
First you will want to perform SSL decryption. This way you have visibility into these tunneling applications. We have a DENY all policy and allow by exception. Meaning if we dont allow the application at layer7 the app never makes it through. However THere is a list of applications that do vpn connections (currently at 65), just filter for 'encrypted-tunnel'. Just make sure you dont break something that is currently allowed.
Hope that helps.
Decryption is the ultimate solution, but there are other things you can do.
For Windows domain-joined, use the Google schema add-on, you can whitelist approved extensions in Chrome and IE which will knock down a good chunk of offenders. The rest will go to Firefox, or chromium, or Brave, or WebDiscovery Browser, or..., in which case you'll need a group policy and/or a way to block those executables. I see Firefox with Zenmate used mostly.
Students will rdp to their home networks, or even a hosted server, so see if you are allowing rdp externally.
For other devices, it depends if you manage them with a central tool designed for client management. If you do, there should be similar ways to do the above. For BYOD you can run a report on the firewall for vpn/anonymous proxy hits and using a script mass-block the devices in your wifi controller. This can get the word out that IT means business.
I'd also suggust adding to your 'anonymous' tips form (like schoolmessenger) the subject, 'network use violation' or similar. That, along with some face time in front of students to address their responsibility as digital citizens of your network can cut down on vpn activity. The fact is, kids don't think they're doing anything bad (wrong, yes), once they're confronted with the seriousness of violating this policy most will get it.
I could go on...
You might need to rethink is it essential to block VPN's as Netflix does the same thing to block IP addresses accessing through VPN's. But the internet community came with a solution to overcome it. As a result, you will find that people have found ways to bypass the VPN ban by using Australia based VPNs, smart DNS server, or Personal Cloud VPN. So at least be cautious to close all the possible ways from accessing through VPN's.
There are so many different VPN apps it is hardly to imagine a software that will be able to indicate all devices using VPN and even with installing such a soft type situation will hardly be solved.
My recommendation is that you do 4 things.
1) Block application 'quic' at the top of your policy set.
2) Find a way to force students to deploy your Trusted root CA certificate for decryption, and implement SSL Decryption
3) Create an Application Filter with CATEGORY: networking and SUBCATEGORY: encrypted-tunnel, and proxy. Then define the Application Filter as an application in a 'deny' Security Policy rule.
4) Add an URL Filtering profile to your 'allow' Security Policy rule that has the URL Category proxy-avoidance-and-anonymizers set to 'block'.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!