Block VPN Traffic with Drop All Traffic as Fallback

Hello all,

I'm trying to figure out how to resolve a situation with our client. We're currently going through a big rebuild with them which includes some significant changes to the Sophos they have. They own a pair of Sophos XG430 Rev.2 in HA. They currently have a single one onsite whilst we have the other in our office to aid in staging + testing of their new environment.

I've previously explored the blocking of VPNs which I achieved with HTTPS Decryption and Scanning + application blocking. Whilst the testing wasn't comprehensive, I was able to block Betternet VPN from establishing a connection which was very positive.

The problem I'm having is that the majority of the devices connected are BYOD. I'm having trouble enough as is circulating the root CA and Sophos CA certs to the users to get this working properly, but given that the users will essentially be in control of installing the certificate, it does make a backup plan necessary in this case.

We think the best course of action is to block prohibited + VPN traffic whilst the cert is installed, but then block ALL traffic if the cert is not installed and the user tries to bypass the XG filtering. The problem is that my experience with this suggests that once the cert is removed, a user will be able to establish a VPN connection and bypass everything. Once that's established, the Sophos becomes about as useful as a chocolate kettle. Essentially, my question is twofold:

  1. How have people circulated certificates to devices with BYOD? I've considered MDM, but given how intrusive it is (and the cost) I don't think this is a viable solution.
  2. Can something akin to HTTPS Decryption and Scanning be used to intercept all HTTPS traffic, along with HSTS, block all HTTPS traffic if the cert is installed? If the end user cannot process the cert given the Sophos is performing MITM, then surely the use of HSTS can essentially block all access entirely?

I understand this is a fairly pointed request so if this is not achievable, then the closest thing would be appreciated.

Thanks!
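Added worked example (not from the original post or from Sophos): a small openssl script that shows the mechanism the second question turns on. An HTTPS-scanning proxy such as the XG re-signs every site's certificate with its own CA, so the connection only validates on a device that has imported that CA; a device whose user deletes it sees an untrusted chain. Everything here is constructed for the demo: "Demo XG Interception CA" stands in for the XG signing CA, "Unrelated Root" stands in for a trust store that no longer contains it, and all files live in a temporary directory.

```shell
#!/bin/sh
# Added demo (not from the thread): why an intercepting CA must be in the
# client's trust store, and what a client sees once a user removes it.
#
# Assumptions (constructed for this demo): "Demo XG Interception CA" stands in
# for the XG's HTTPS-scanning signing CA; "Unrelated Root" stands in for a
# trust store that no longer contains it. All files live in a temp directory.

WORK="$(mktemp -d)"

# Build a self-signed CA: this is the certificate the XG hands out for import.
make_ca() {
    # $1 = output basename, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Issue a leaf certificate the way an intercepting proxy does: it generates a
# certificate for the requested hostname and signs it with its own CA.
make_intercepted_leaf() {
    # $1 = hostname, $2 = CA basename
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Client-side verdict: validate the leaf against a given trust bundle.
# Prints TRUSTED or UNTRUSTED and always returns 0 so callers compare text.
verify_leaf() {
    # $1 = trust-bundle basename, $2 = leaf basename
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

make_ca xg-ca "Demo XG Interception CA"
make_ca other-root "Unrelated Root"
make_intercepted_leaf example.com xg-ca

# Device that imported the XG CA: the intercepted connection validates.
with_ca="$(verify_leaf xg-ca example.com)"
# Device whose user deleted the CA: the same connection fails validation.
without_ca="$(verify_leaf other-root example.com)"

echo "XG CA installed:  $with_ca"
echo "XG CA removed:    $without_ca"
```

The UNTRUSTED case is what the user without the CA gets on every intercepted HTTPS site. For a host the browser already knows as HSTS (RFC 6797 section 12.1) that is a hard failure with no click-through; for a non-HSTS host the browser shows a certificate warning the user can usually bypass, so HSTS alone does not turn a missing CA into a total block. A VPN client that does not use the OS/browser trust store is not affected by the CA either way, which is why it has to be handled by application blocking rather than by decryption.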

  • Hi,

    please do a search of the forums for how to configure the XG to block TOR and Psiphon. Then if your users delete the CA they will be blocked.

    There are some side effects with the VPN blocking, in that you will possibly need to create specific exceptions.

    Ian

  • Thanks for the response, Ian.

    Do you have any comment on presenting a cert for users to deploy? I've looked around and can't find an appropriate way to achieve this.

    For reference, we need to deploy the cert to users connecting to a Ruckus wireless system, authentication via Windows NPS with Sophos used for RADIUS Accounting.
