Geekzone: technology news, blogs, forums
20 posts

Geek

Linewize

# 217836 14-Jul-2017 13:06

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance








1493 posts

Uber Geek


  # 1822480 14-Jul-2017 13:59

The Chinese government wants in on this...

Beijing has ordered state-run telecommunications firms, which include China Mobile, China Unicom and China Telecom, to bar people from using VPNs, services that skirt censorship restrictions by routing web traffic abroad, the people said, asking not to be identified talking about private government directives.

 

bloomberg.com

 

TL;DR: All your VPNs: GTFO

15329 posts

Uber Geek

Trusted
Subscriber

  # 1822485 14-Jul-2017 14:08
3 people support this post

Simple solution: only allow access to specific IPs / websites using a whitelist. This might only be to internal systems and supported educational resources.

 

Students will just use mobile data. There's no way to prevent access to information.

Lock him up!
10788 posts

Uber Geek

Lifetime subscriber

  # 1822508 14-Jul-2017 14:46
2 people support this post

timmmay:

There's no way to prevent access to information.

This.

I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney

22591 posts

Uber Geek

Trusted
Subscriber

  # 1822509 14-Jul-2017 14:47
3 people support this post

Or they will cluster at the end of the school within range of a phonebox wifi.

Richard rich.ms

436 posts

Ultimate Geek
Inactive user


  # 1824041 17-Jul-2017 20:23

ScottNoakes:

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

Yeah nah. Things we typically do:

 - SSL decrypt so we can scan everything
 - block access to proxy/bypass websites
 - check for URL embedded
 - block access to unrated websites
 - block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)
 - Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff are completely wrong.

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only way this could happen is if your DNS was compromised, indicating your product did not do DNS protection (such as rebinding protection). Or perhaps, given it was SSL but you don't do SSL Decrypt, I would assume you were deriving the website being hit from the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

436 posts

Ultimate Geek
Inactive user


  # 1824043 17-Jul-2017 20:24

timmmay:

Students will just use mobile data. There's no way to prevent access to information.

Schools have a duty of care to fulfill. If the student uses mobile data then the responsibility for what they access falls to the parents.

20 posts

Geek

Linewize

  # 1825156 19-Jul-2017 13:22

 

Yeah nah. Things we typically do:

 - SSL decrypt so we can scan everything
 - block access to proxy/bypass websites
 - check for URL embedded
 - block access to unrated websites
 - block unwanted protocols or allow only wanted protocols (e.g. allow only HTTP/HTTPS)
 - Application control (with a proper app control engine)

Your description of how SSL decryption functions is way off the mark. Your assumptions around the MITM stuff are completely wrong.

Thanks for your comments, apologies if our explanation was not clear. Here's a more detailed view of the SSL mechanics involved, written by Iceni web proxy:

https://www.opendium.com/node/87

Also worth noting that Hotspot Shield are deliberately using domains that are normally excluded from SSL inspection, such as update.microsoft.com, windowsupdate.microsoft.com, mozilla.org etc. (for example Sonicwall's built-in SSL inspection exclusions).

The examples you give around Machine Learning and traffic make no sense. Why would someone tunnel traffic via paypal.com when they are not set to do so?

The only way this could happen is if your DNS was compromised, indicating your product did not do DNS protection (such as rebinding protection). Or perhaps, given it was SSL but you don't do SSL Decrypt, I would assume you were deriving the website being hit from the certificate CN - but then this would indicate you are not doing certificate validation. But at the end of the day your samples make no technical or logical sense.

Most VPNs use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application-aware firewalls see the traffic as going to paypal.com and not Hotspot Shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the Great Firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

436 posts

Ultimate Geek
Inactive user


  # 1825279 19-Jul-2017 14:45

ScottNoakes:

Most VPNs use direct connections, avoiding DNS queries at all. To avoid being filtered, Hotspot Shield fakes the SSL transaction and makes direct connections to their server endpoints while masquerading as paypal.com (or similar) using the SNI parameter. Application-aware firewalls see the traffic as going to paypal.com and not Hotspot Shield. The reason that Hotspot Shield has 500 million downloads is that they're really good at evading traditional firewall filtering. Awesome to bypass the Great Firewall of China, but in a school environment they limit visibility over how students are using the school network.

Hope this helps clarify things somewhat.

Cheers Scott.

When doing SSL Decryption we validate the server certificate (i.e. if it is a PayPal certificate, is this a PayPal site?), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc.).

Hence my point: your understanding of enterprise level SSL decryption seems to be wrong.
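As an added example (not from this thread, and not code from Linewize, SonicWall or any product named here), here is a Python sketch of the check the two posts above are arguing about: pull the SNI out of the ClientHello and compare it with the DNS names on the certificate the server actually presented, so a flow that says paypal.com in SNI but answers with a certificate for some other host gets flagged rather than excluded from inspection. The ClientHello builder and the certificate name list are constructed test inputs; in a real inspection path the names would come from the server's Certificate message (CN/SAN).

```python
import struct

def parse_sni(record: bytes):
    """Return the server_name carried in a TLS ClientHello record, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:  # not a ClientHello
        return None
    try:
        p = 9 + 2 + 32                                     # skip headers, client_version, random
        p += 1 + record[p]                                 # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
        p += 1 + record[p]                                 # compression_methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0x0000:  # server_name: list len(2), name type(1), name len(2), name
                name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass                                               # truncated or malformed record
    return None

def hostname_matches(sni: str, cert_names: list) -> bool:
    """RFC 6125-style check: exact match, or one leading '*.' wildcard label."""
    sni = sni.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == sni:
            return True
        if name.startswith("*.") and sni.count(".") == name.count(".") and sni.endswith(name[1:]):
            return True
    return False

def flag_sni_mismatch(record: bytes, cert_names: list) -> dict:
    # cert_names: DNS names (CN/SAN) taken from the certificate the server actually presented
    sni = parse_sni(record)
    suspect = sni is not None and not hostname_matches(sni, cert_names)
    return {"sni": sni, "cert_names": cert_names, "suspect": suspect}

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    host = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A flow flagged `suspect` is exactly the case an SNI-only exclusion list would wave through; applying the exclusion only when the presented certificate covers the SNI closes that gap.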

 

 




20 posts

Geek

Linewize

  # 1825344 19-Jul-2017 16:01

 

When doing SSL Decryption we validate the server certificate (i.e. if it is a PayPal certificate, is this a PayPal site?), especially for exclusions. Not to mention we are inspecting the SSL content (URL or streaming data etc.).

All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSL certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IPs is just not practical.

As previously said, we don't portray ourselves as a traditional enterprise grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify students that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.


436 posts

Ultimate Geek
Inactive user


  # 1825365 19-Jul-2017 16:32

ScottNoakes:

All well and good, but from the Sonicwall Application Database regarding Hotspot Shield:

For these reasons, to block Hotspot Shield VPN you must:

(1) enable our Encrypted Key Exchange (EKE) application signatures, SID 5 (TCP) and SID 7 (UDP); and (2) enable DPI-SSL Client Inspection (DPI-SSL CI); and (3) also enable the Hotspot Shield VPN application signatures. (Note: there may be side effects to enabling EKE signatures, namely, applications like Skype and others may also be blocked. There is no work-around, other than adding private IPs to the exclusion lists for this application, or individually by EKE signature.)

We've found such things don't fly in schools for a number of reasons. The schools we work with find the overhead of deploying and maintaining SSL certs untenable. Doing SSL traffic inspection across all students and websites either turns the network to glue or requires hardware that is out of reach of most school budgets. The above approach will also break useful applications (like video conferencing) that are lesson relevant. The workaround of manually adding IPs is just not practical.

As previously said, we don't portray ourselves as a traditional enterprise grade firewall, rather as a vendor of network access management services for schools. While the above requirements may work in a corporate environment we've found them to be too limiting in an educational one (especially BYOD). As always this is a horses for courses discussion. In regards to VPNs we can identify students that are contravening their Internet Usage Agreement by using VPNs. We can do this without breaking useful apps and believe we are unique in this.

That is kind of old app info and doesn't take into account how the DPI-SSL engine works these days. Certificate validation is the Achilles heel of such apps - we added this about 2 years ago.

I'm not really sure why you keep going back to the management of an SSL cert. There is little management: you issue a self-generated resigning cert (easy if you have Active Directory).

Maybe SSL Decrypt would turn your hardware to glue, but a lot of firewall vendors have hardware acceleration for SSL handling, so it's not a huge issue.

It doesn't break video conferencing - most use UDP, and if they did use an SSL session it's simple to exclude that based on CN or AN (not IP address).

I don't know why you think SSL decrypt breaks apps. I have a household with 3 boys - we do SSL decrypt just fine without breaking apps. They use all sorts of strange apps, as well as being avid gamers.

Can you tell me specifically which enterprise firewalls you found too limiting in an educational environment? And why?
