20 posts

Geek

Linewize

#217836 14-Jul-2017 13:06

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

1515 posts

Uber Geek


  #1822480 14-Jul-2017 13:59

The Chinese government wants in on this...

bloomberg.com:
Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives.

TLDR: All your VPNs: GTFO

16108 posts

Uber Geek

Trusted
Subscriber

  #1822485 14-Jul-2017 14:08

Simple solution: only allow access to specific IPs / websites using a whitelist. This might only be to internal systems and supported educational resources.

Students will just use mobile data. There's no way to prevent access to information.

Devastation by stupidity
12293 posts

Uber Geek

Lifetime subscriber

  #1822508 14-Jul-2017 14:46

timmmay:
There's no way to prevent access to information.

This.

I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney

23397 posts

Uber Geek

Trusted
Subscriber

  #1822509 14-Jul-2017 14:47

Or they will cluster at the end of the school within range of a phonebox wifi.

Richard rich.ms

436 posts

Ultimate Geek
Inactive user


  #1824041 17-Jul-2017 20:23

ScottNoakes:
For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

Yeah nah. Things we typically do:

 - SSL decrypt so we can scan everything
 - block access to proxy/bypass websites
 - check for URL embedded
 - block access to unrated websites
 - block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)
 - Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff are completely wrong.

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only way this could do this is if your DNS was compromised, indicating your product did not do DNS protection (such as rebinding protection). Or perhaps, given it was SSL but you don't do SSL Decrypt, I would assume you were deriving the website being hit by the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

436 posts

Ultimate Geek
Inactive user


  #1824043 17-Jul-2017 20:24

timmmay:
Students will just use mobile data. There's no way to prevent access to information.

Schools have a duty of care to fulfill. If the student uses mobile data then the responsibility for what they access falls to the parents.

20 posts

Geek

Linewize

  #1825156 19-Jul-2017 13:22

 

Yeah nah. Things we typically do:

 - SSL decrypt so we can scan everything
 - block access to proxy/bypass websites
 - check for URL embedded
 - block access to unrated websites
 - block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)
 - Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff are completely wrong.

Thanks for your comments, apologies if our explanation was not clear. Here's a more detailed view of the SSL mechanics involved, written by Iceni web proxy: https://www.opendium.com/node/87

Also worth noting that Hotspot Shield is deliberately using domains that are normally excluded from SSL inspection, such as update.microsoft.com, windowsupdate.microsoft.com, mozilla.org etc. (for example, Sonicwall's built-in SSL inspection exclusions).

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only way this could do this is if your DNS was compromised, indicating your product did not do DNS protection (such as rebinding protection). Or perhaps, given it was SSL but you don't do SSL Decrypt, I would assume you were deriving the website being hit by the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

Most VPNs use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application-aware firewalls see the traffic as going to paypal.com and not Hotspot Shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the Great Firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

436 posts

Ultimate Geek
Inactive user


  #1825279 19-Jul-2017 14:45

ScottNoakes:
Most VPNs use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application-aware firewalls see the traffic as going to paypal.com and not Hotspot Shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the Great Firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

When doing SSL Decryption we validate the server certificate (i.e. if it is a PayPal certificate, is this a PayPal site?), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc.).

Hence my point your understanding of enterprise level SSL decryption seems to be wrong.
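As an added example of the check described in the two posts above (written for this thread; not Linewize's, Sonicwall's or any other vendor's code), the following flags a flow whose ClientHello SNI is not covered by the certificate the server actually presents. It assumes the certificate's SAN names have already been extracted; the ClientHello bytes and the vpn-endpoint.example name are constructed.

```python
import struct

def build_client_hello(sni):
    # Minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed input).
    name = sni.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(rec):
    # Walk a ClientHello record to its server_name extension; None if absent or malformed.
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        pos = 44 + rec[43]                                   # past headers, version, random, session id
        pos += 2 + struct.unpack("!H", rec[pos:pos + 2])[0]  # cipher suites
        pos += 1 + rec[pos]                                  # compression methods
        end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, esize = struct.unpack("!HH", rec[pos:pos + 4])
            pos += 4
            if etype == 0:                                   # list_len(2), type(1), name_len(2), name
                nlen = struct.unpack("!H", rec[pos + 3:pos + 5])[0]
                return rec[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += esize
    except (IndexError, struct.error):
        pass
    return None

def hostname_matches(host, names):
    # RFC 6125-style: exact match, or a wildcard that covers exactly one leftmost label.
    host = host.lower().rstrip(".")
    return any(host == n or (n.startswith("*.") and host.count(".") == n.count(".")
                             and host.endswith(n[1:]))
               for n in (x.lower().rstrip(".") for x in names))

def sni_mismatch(client_hello, cert_names):
    # Returns (sni, flagged): flagged when the certificate the server sent does not cover the SNI.
    sni = extract_sni(client_hello)
    return sni, sni is not None and not hostname_matches(sni, cert_names)

FLOWS = [  # constructed: (label, ClientHello, SAN names from the certificate the server presented)
    ("legit", build_client_hello("www.paypal.com"), ["www.paypal.com", "paypal.com"]),
    ("masquerade", build_client_hello("www.paypal.com"), ["*.vpn-endpoint.example"]),
]
```

A flow without any SNI yields (None, False) here and has to be handled by whatever policy the firewall applies to unnamed TLS connections.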

20 posts

Geek

Linewize

  #1825344 19-Jul-2017 16:01

 

When doing SSL Decryption we validate the server certificate (i.e. if it is a PayPal certificate, is this a PayPal site?), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc.).

All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSL certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IPs is just not practical.

As previously said we don't portray ourselves as a traditional enterprise-grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify students that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.


436 posts

Ultimate Geek
Inactive user


  #1825365 19-Jul-2017 16:32

ScottNoakes:
All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSL certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IPs is just not practical.

As previously said we don't portray ourselves as a traditional enterprise-grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify students that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.

That is kind of old app info and doesn't take into account how the DPI-SSL engine works these days. Certificate validation is the Achilles heel of such apps - we added this in about 2 years ago.

I'm not really sure why you keep going back to the management of an SSL cert. There is little management: you issue a self-generated resigning cert (easy if you have Active Directory).

Maybe SSL Decrypt would turn your hardware to glue, but a lot of firewall vendors have hardware acceleration for SSL handling, so it's not a huge issue.

It doesn't break video conferencing - most use UDP, and if they did use an SSL session it's simple to exclude that based on CN or AN (not IP address).

I don't know why you think SSL decrypt breaks apps. I have a household with 3 boys - we do SSL decrypt just fine without breaking apps. They use all sorts of strange apps, as well as being avid gamers.

Can you tell me specifically which enterprise firewalls you found too limiting in an educational environment? And why?
