
Block Psiphon VPN

Greetings All,

Let me get directly to the point. My question is about blocking the Psiphon application using the Sophos XG firewall. I have followed a lot of tutorials and ended up with the following configuration:

  1. On the web filtration I have blocked access to the following categories:
    1. IPAddress
    2. None
    3. Parked Domains
    4. Spam URLs (Available only in XG)
    5. Anonymizers
    6. Spyware & Malware
  2. On the application filtration I have blocked access to:
    1. VPN
    2. SSH
    3. Proxy
    4. Tunnel
    5. DNS
    6. P2P
    7. QUIC
    8. PPTP
  3. On the firewall rule I have applied Decrypt & Scan HTTP
  4. I have followed (community.sophos.com/.../132436) to make configurations on Sophos from the console

After all this, Psiphon is still able to connect. Any ideas how to block this application? I am currently using SFOS 17.5.4 MR-4-1.


Regards,



  • Hi,

    in your firewall rules do you have any rule with allow all for ports? In your general access rule you should only allow http/https, maybe ping, icmp. In the web tab have you enabled block invalid certificates and unrecognised SSL protocols?


    Ian

  • Hey,

    I have different firewall rules for different subnets. So, I am testing one rule on one particular IP address. Even after limiting the services from ANY to HTTP, HTTPS and ICMP in the Destination & services, Psiphon is still able to connect. And, as you mentioned Block unrecognized SSL protocols and Block invalid certificates are ticked.

    Also, I am sure that the testing device is using only that firewall rule (in case someone will ask/tell that the device might be using other rules).

    Regards,

  • Hey again,

    I have managed to block Psiphon finally, but still maintaining device access to the network is not as easy as expected. As I mentioned in the main post, I have applied web filtration and application filtration, which wasn't enough. On the destination services I have added, apart from HTTP, HTTPS and ICMP, the following services:

    1. DNS
    2. SMTP

    But, Psiphon and other VPN applications were still working. The only way I found is:

    1. Enabling Decrypt & scan HTTPS, which is giving a headache when a mobile phone is connected (even after installing the Sophos agent, my mobile couldn't connect to the internet)
    2. Enabling Identity > Match known user, which will force the users to sign in using the Sophos Network Agent. In this case, if a VPN application is launched, the agent will disconnect and the user won't be able to access the network.


    Please, if you have any other idea, kindly share.


    Regards,

  • Hi,

    I don't have an AD. I built a separate firewall rule for my phones until I could work out how to get them to work with the https scanning. I have one iPhone and an iPad working with https scanning at this stage.

    I have been working on how to block the TOR browser.

    You might want to put the DNS and SMTP into separate rules where the destination is a specific site; also for the SMTP you might use the mail business rule. The device DNS needs to be pointing at the XG so it is part of the application verification path, otherwise the XG has no idea about the classification of the application you are using.

    Ian

  • Hey,

    Can you provide me with a little bit more detail? Most of the phones here are running Android.


    Regards,

  • I have just noticed, if you exclude Sophos Agent from applications in Psiphon, it will be able to communicate...

  • Nasty application. I have been able to stop it using DNS ports, but it passes the http/https decrypt and scan by using un-cataloged sites.

    So why is Psiphon not detected by the XG and blocked? If I look at my reports it shows blocked; that was because I disabled the clientless user.

    Ian


    This investigation is becoming very interesting. Not showing blocked in the firewall and web log viewer entries, shows blocked in the application log viewer entries.

    I have changed its maxpkts to 100 as suggested in one of the previous threads, and that slowed it down but still allowed connections.


    Looks like a restart is required.

  • Further testing this morning. After the XG was restarted, on a W10 tablet, if you allow Psiphon to be installed it will connect.

    So you need to run an install block on your devices, which I am not sure how you achieve on portable devices like iPhones or Android phones, and then block in the XG.

    The XG application control blocks Psiphon from connecting, but not from establishing a connection to a destination site. I block DNS unless using the XG DNS.

    So there must be another setting that stops the Psiphon communication package from connecting, but what is it and how to find it?

    Ian


    The communication package sets up connections via the proxy using both port 80 and 443. I have made additional changes to my web policies to see if that helps block it.

  • Hi,

    Sincerely, I am almost giving up. I have noticed that with other VPN applications, if you exclude the Sophos Agent from them, they will still be able to connect (some applications). Also, not all devices are allowing the installation of the Sophos certificate (mobile devices and tablets), which means either you switch off Decrypt & scan HTTPS or you keep the device disconnected.

    Honestly, Sophos XG is not totally blocking VPN, tunnel and proxy applications.


    Regards,

  • Hi,

    I have installed CAs on my iPad and iPhone successfully, but that doesn't stop Psiphon. Tor I can stop. The problem with using the firewall only is that people can take their phones and tablets outside of your secure network and install the software, whereas devices fixed to your network cannot install the software.

    Looking at the Psiphon KBA to see what I have missed.

    Ian