Unable to see traffic from devices using unauthorized vpn/proxy apps

Hi Everyone,

I have a BYOD wireless environment and I'm attempting to secure the network using UTM 9.5, SG105. There are some phone users with a VPN app enabled who are bypassing all web filtering. I have the application filter enabled to block all the apps it knows of and am using transparent web filtering to block anonymizing traffic. Both of these features are limited, as they only apply to a small handful of apps.

The only thing I can think of at this point is to capture the traffic from the hosts; I should see all traffic routing through some IP space and then I can block that traffic from the firewall. My tcpdump from the SG box doesn't capture anything for some reason; I just see the device broadcasting for a Googlecast or AirPlay device. The capture works fine for devices without a VPN app turned on.

I also tried to create an allow firewall rule with logging enabled for anything the devices try to contact. However, for whatever reason, nothing shows under Logging and Reporting > Firewall except for unrelated denied traffic. The live firewall log has the same problem.

Network usage bandwidth doesn't reveal anything useful either.

Any suggestions are very welcome!

Thank You!

  • Well, if nothing shows on tcpdump, then the packets are not going through the UTM. You should at least see the encrypted traffic going through. Are you sure they are not using their data plan instead of the wifi?

    Regards,

    Giovani

  • Hi Giovani,

    Thank you for your quick reply! That is a good thought. The odd thing is that the wifi shows connected on the device and I see the device connected on the UTM, but I can only see those broadcast packets for some reason from a tcpdump. When I observe the device I see it accessing restricted services/sites. When the device is not connected and is using wireless it doesn't seem to function too well through this VPN app.

    Since this is more of a testing/learning environment, I guess I will next try to block enough traffic that would cripple the device to verify.

  • Are you also at least doing URL Filtering of HTTPS?

    Did your Allow firewall rule have logging enabled?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi Bob,

    Thank you for the reply! Yes, I am filtering all the HTTPS categories (including anonymizing) that I can get away with without breaking too many legit mobile apps. I have logging enabled on the any/any firewall rules, but nothing shows up in the firewall logs except for denies. It does log some unrelated accepts for the webadmin traffic.

    I think I may have had some success for now with deny entries on the firewall for IPsec-related ports and L2TP and PPTP. I'm not sure I can kill all access to SSL VPNs. It's also difficult to find any server IPs that these VPN apps use when I look them up manually.

    Cheers

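One way to see which tunnelling protocols a host is actually using before adding deny rules, as an added example (not code from the thread or from Sophos): the script below classifies constructed firewall flow records by the IPsec, L2TP and PPTP protocol/port signatures the last post names, and marks 443 as undecidable by port, which is why the SSL VPN case cannot be closed the same way. The key=value record format and all addresses are constructed for the example.

```python
# Added example, not code from the thread or from Sophos. It models the last
# post's approach: IPsec, L2TP and PPTP are identifiable by protocol/port, but an
# SSL VPN on 443 is not. The key=value record format is constructed, not the UTM's.
import re
from collections import Counter, defaultdict

# (ip_proto, dst_port) -> label; None matches any port (ESP is IP proto 50, GRE 47).
VPN_SIGNATURES = {
    ("udp", 500): "ipsec-ike",
    ("udp", 4500): "ipsec-nat-t",
    ("esp", None): "ipsec-esp",
    ("udp", 1701): "l2tp",
    ("tcp", 1723): "pptp-control",
    ("gre", None): "pptp-gre",
}
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample: one phone doing IPsec, one PPTP, one only HTTPS and mDNS.
SAMPLE_LOG = """\
src=10.0.20.15 dst=203.0.113.10 proto=udp dstport=500
src=10.0.20.15 dst=203.0.113.10 proto=udp dstport=4500
src=10.0.20.15 dst=203.0.113.10 proto=esp
src=10.0.20.23 dst=198.51.100.7 proto=tcp dstport=1723
src=10.0.20.23 dst=198.51.100.7 proto=gre
src=10.0.20.31 dst=192.0.2.44 proto=tcp dstport=443
src=10.0.20.31 dst=224.0.0.251 proto=udp dstport=5353
"""

def parse_record(line):
    """Turn one key=value line into a dict of string fields."""
    return dict(FIELD.findall(line))

def classify(rec):
    """VPN label, 'tls-unknown' for 443 (SSL VPN or plain HTTPS; port cannot tell), or None."""
    proto = rec.get("proto", "").lower()
    port = int(rec["dstport"]) if "dstport" in rec else None
    label = VPN_SIGNATURES.get((proto, port)) or VPN_SIGNATURES.get((proto, None))
    if label:
        return label
    if proto in ("tcp", "udp") and port == 443:
        return "tls-unknown"
    return None

def summarize(lines):
    """Count labelled flows per source host; unlabelled flows (e.g. mDNS) are dropped."""
    per_src = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        label = classify(rec)
        if label:
            per_src[rec["src"]][label] += 1
    return dict(per_src)
```

Hosts that only ever show `tls-unknown` are the ones a port-based deny list cannot separate from normal HTTPS; those need the web filter's inspection rather than another firewall rule.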