
Block XVPN servers

Good morning

We have an end customer (a school) where students use iPads.
It turns out that there are several students who have caught the bad habit of getting IPs from proxy servers thanks to the XVPN application. They do not use it on the iPads, but they use the mobile and get them there. Then in the iPad configuration they use them as a proxy server and thus circumvent the XG firewall.
The firewall is not able to detect those connections either as a proxy or as a VPN. I have followed the recommendations here:
support.sophos.com/.../KB-000038258
I also saw the thread already opened some time ago in this forum:
community.sophos.com/.../do-you-have-a-defence-against-vpn-applications-with-sophos-utm
The only thing I have been able to do is to install the program on Windows, connect and disconnect to the VPN and write down the public IPs I get. But I have seen that they were never repeated (so there must be an infinite number of them).

Can anyone give me a hand on this?

Thank you very much in advance





  • I found a combination of blocking zwfgygpztq.com and using the SSL/TLS profile of "Block Insecure SSL" did the trick. Blocking the first site I believe makes the X-VPN client fall back to using spoofed certificates from sites like Google, Amazon, Facebook which that Profile will block. The client will either not connect or connects but can't pass any data.

    Regards

  • It is a nightmare getting the decryption certificate out there; the XG could really do with it in the user portal (like the old SG UTM had) so users can sort themselves out.

    Do you have any other firewall rules outbound to ANY? Things like DNS and NTP are exploited as a way for these types of clients to get out. As a matter of course we always restrict these types of rules; there's nothing like seeing 5 GB of DNS over a couple of days to tell you there's a problem.

    You can also look at the log files while starting the XVPN client and see what it does and block accordingly.
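The volume check the reply above describes (a client pushing gigabytes over DNS or NTP is a tunnel, not a resolver or clock client) can be automated over exported flow logs. This is an added example, not code from the poster or from Sophos; the key=value log format and the IP addresses are constructed for the demo and the 50 MiB threshold is an assumed cut-off.

```python
import re
from collections import defaultdict

# Constructed sample records in a generic key=value style (NOT Sophos XG's real
# log format); each line is one flow summary matched by an "outbound to ANY" rule.
SAMPLE_LOG = """\
src=10.0.1.23 dst=8.8.8.8 proto=udp dport=53 bytes=312
src=10.0.1.23 dst=8.8.8.8 proto=udp dport=53 bytes=288
src=10.0.1.77 dst=203.0.113.9 proto=udp dport=53 bytes=61000000
src=10.0.1.77 dst=203.0.113.9 proto=udp dport=53 bytes=58000000
src=10.0.1.77 dst=203.0.113.9 proto=udp dport=123 bytes=4000000
src=10.0.1.40 dst=192.0.2.10 proto=udp dport=123 bytes=96
src=10.0.1.40 dst=192.0.2.10 proto=udp dport=123 bytes=96
src=10.0.1.23 dst=198.51.100.5 proto=tcp dport=443 bytes=9000000
"""

# Only the "infrastructure" services that ANY rules commonly leave open.
SERVICE_PORTS = {53: "dns", 123: "ntp"}
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)")

def sum_service_bytes(log_text):
    """Return {(src_ip, service): total_bytes} for DNS and NTP flows only."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not flow summaries
        service = SERVICE_PORTS.get(int(m["dport"]))
        if service is None:
            continue  # ignore ordinary traffic such as HTTPS on 443
        totals[(m["src"], service)] += int(m["bytes"])
    return dict(totals)

def find_tunnel_suspects(log_text, threshold_bytes=50 * 1024 * 1024):
    """Hosts whose DNS or NTP byte count exceeds the threshold (assumed 50 MiB).
    A normal client moves kilobytes over these ports; a tunnel moves megabytes."""
    return sorted(
        (src, service, total)
        for (src, service), total in sum_service_bytes(log_text).items()
        if total > threshold_bytes
    )

if __name__ == "__main__":
    for src, service, total in find_tunnel_suspects(SAMPLE_LOG):
        print(f"{src}: {total / 1e6:.1f} MB over {service}, review for VPN/tunnel use")
```

Once a host is flagged, the same per-host view of the live log while the client starts up (as suggested above) shows which destinations the VPN app actually reaches for, which is what the block rule needs.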
