Identification of VPN based filter avoidance

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Identification of VPN based filter avoidance

ScottNoakes

20 posts

Geek
+1 received by user: 10

Linewize

#217836 14-Jul-2017 13:06

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

Dairyxox

1595 posts

Uber Geek
+1 received by user: 455

#1822480 14-Jul-2017 13:59

The Chinese government wants in on this..

Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives.

bloomberg.com

TLDR: All your VPN's: GTFO

timmmay

20858 posts

Uber Geek
+1 received by user: 5350

Trusted

Lifetime subscriber

#1822485 14-Jul-2017 14:08

Simple solution: only allow access to specific IPs / websites using a whitelist. This might only be to internal systems and supported educational resources.

Students will just use mobile data. There's no way to prevent access to information.

Rikkitic

Awrrr
19062 posts

Uber Geek
+1 received by user: 16302

Lifetime subscriber

#1822508 14-Jul-2017 14:46

timmmay:

There's no way to prevent access to information.

This.

Plesse igmore amd axxept applogies in adbance fir anu typos

richms

29098 posts

Uber Geek
+1 received by user: 10208

Trusted

Lifetime subscriber

#1822509 14-Jul-2017 14:47

Or they will cluster at the end of the school within range of a phonebox wifi.

Richard rich.ms

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#1824041 17-Jul-2017 20:23

ScottNoakes:

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

Yeah nah. Things we typically do:

- SSL decrypt so we can scan everything

- block access to proxy/bypass websites

- check for URL embedded

- block access to unrated websites

- block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)

- Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff is completely wrong.

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only ways this could do this is if your DNS was compromised indicating your product did not do DNS protection (such as rebinding protection). Or perhaps given it was SSL but you don't do SSL Decrypt I would assume you were deriving the website being hit by the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#1824043 17-Jul-2017 20:24

timmmay:

Students will just use mobile data. There's no way to prevent access to information.

Schools have a duty of care to fulfill. If the student uses mobile data then the responsibility for what they access falls to the parents.

Mighty Ape

Shop now at Mighty Ape (affiliate link).

ScottNoakes

20 posts

Geek
+1 received by user: 10

Linewize

#1825156 19-Jul-2017 13:22

Yeah nah. Things we typically do:

- SSL decrypt so we can scan everything

- block access to proxy/bypass websites

- check for URL embedded

- block access to unrated websites

- block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)

- Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff is completely wrong.

Thanks for your comments, apologies if our explanation was not clear. Here's a more detailed view of the SSL mechanics involved written by Iceni web proxy:

https://www.opendium.com/node/87

Also worth noting that Hotspot Shield are deliberately using domains that are normally excluded from SSL inspection such as update.microsoft.com, windowsupdate.microsoft.com, mozilla.org etc. (for example Sonicwall's built in SSL inspection exclusions)

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only ways this could do this is if your DNS was compromised indicating your product did not do DNS protection (such as rebinding protection). Or perhaps given it was SSL but you don't do SSL Decrypt I would assume you were deriving the website being hit by the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

Most VPN’s use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application aware firewalls see the traffic as going to paypal.com and not hotspot shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the great firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#1825279 19-Jul-2017 14:45

ScottNoakes:

Most VPN’s use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application aware firewalls see the traffic as going to paypal.com and not hotspot shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the great firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

When doing SSL Decryption we validate the server certificate (ie if it is a paypal certificate is this a paypal site), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc).

Hence my point your understanding of enterprise level SSL decryption seems to be wrong.

ScottNoakes

20 posts

Geek
+1 received by user: 10

Linewize

#1825344 19-Jul-2017 16:01

When doing SSL Decryption we validate the server certificate (ie if it is a paypal certificate is this a paypal site), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc).

All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSLs certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IP's is just not practical.

As previously said we don't portray ourselves as a traditional enterprise grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify student's that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.

vulcannz

436 posts

Ultimate Geek
+1 received by user: 136
Inactive user

#1825365 19-Jul-2017 16:32

ScottNoakes:

All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSLs certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IP's is just not practical.

As previously said we don't portray ourselves as a traditional enterprise grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify student's that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.

That is kind of old app info and doesn't take into account how the DPI-SSL engine works these days. Certificate validation is the Achilles heel of such apps - we added this in about 2 years ago.

I'm not really sure why you keep going back to the management of an SSL cert. There is little management, you issue a self generated resigning cert (easy if you have Active Directory).

Maybe SSL Decrypt would turn your hardware to glue, but a lot of firewall vendors have hardware acceleration for SSL handling, so it's not a huge issue.

It doesn't break video conferencing- most use UDP, and if they did use an SSL session its simply to exclude that based on CN or AN (not IP address).

I don't know why you think SSL decrypt breaks apps, I have a household with 3 boys - we do SSL decrypt just fine without breaking apps. They use all sorts of strange apps, as well as being avid gamers.

Can you tell me specifically which enterprise firewalls you found too limiting in an educational environment? And why?