Blocking VPN outbound/ IPVanish

SOLVED
ZDonaldson
Getting noticed


Hi All,


We have discovered that employee use of VPN software to anonymize internet usage may be an issue.


I've created outbound deny rules for ports 500, 1701, 4500, and 1723.


Beyond that, does anyone have further recommendations for blocking these types of apps? Specifically, I'm worried about IPVanish, which claims to use 443 to connect, which obviously I can't block.


Does Meraki have any deep inspection tools that will recognize a traffic signature rather than just blocking ports?

Zane D - IT Manager in Sin City NV
1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Use content filtering and block "Proxy avoidance and anonymizers".


9 REPLIES

Awesome, I have had that turned on for several weeks.


Also, when I created the outbound rule to block tcp 1723, I saw lots of hits on that rule at first, so I don't think the content filter was blocking all of it.


The hits on that rule have stopped, which makes me think the clients for some of these products are smart enough to recognize the port being blocked and are changing ports.


At this point, I'm not super confident we have stopped it, but I'm going to try some packet captures to verify that.


On a side note, a newbie question: how do I see which traffic is hitting/being blocked by a specific rule?

Zane D - IT Manager in Sin City NV


On a side note, a newbie question: how do I see which traffic is hitting/being blocked by a specific rule?


Alas you can't, without setting up a Syslog server.

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...
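Once firewall events are going to a syslog server, the "which hosts are hitting my deny rule" question becomes a log-parsing job. Below is an added example (my own code, not from this thread or from Meraki) that tallies denied flows to the ports blocked in the original post, per source IP; the sample lines are constructed in the style of MX "flows" events, and the exact field layout of real MX syslog output is an assumption to check against your own server.

```python
import re
from collections import defaultdict

# Ports the original post blocked outbound (IKE, L2TP, IPsec NAT-T, PPTP).
VPN_PORTS = {500: "IKE", 1701: "L2TP", 4500: "IPsec NAT-T", 1723: "PPTP"}

# Constructed sample lines in the style of MX "flows" syslog events. The field
# layout is an assumption for this example, not copied from a real MX.
SAMPLE_SYSLOG = """\
1520990000.123 MX84 flows src=10.0.5.21 dst=203.0.113.9 mac=00:11:22:33:44:55 protocol=tcp sport=50123 dport=1723 pattern: deny all
1520990001.456 MX84 flows src=10.0.5.21 dst=203.0.113.9 mac=00:11:22:33:44:55 protocol=udp sport=50124 dport=500 pattern: deny all
1520990002.789 MX84 flows src=10.0.5.40 dst=198.51.100.7 mac=66:77:88:99:aa:bb protocol=udp sport=41000 dport=4500 pattern: deny all
1520990003.000 MX84 flows src=10.0.5.40 dst=198.51.100.7 mac=66:77:88:99:aa:bb protocol=tcp sport=41001 dport=443 pattern: allow all
1520990004.000 MX84 flows src=10.0.5.99 dst=192.0.2.50 mac=cc:dd:ee:ff:00:11 protocol=tcp sport=33000 dport=80 pattern: deny all
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dev>\S+)\s+flows\s+(?P<fields>.*?)\s+pattern:\s+(?P<action>allow|deny)\b"
)

def parse_flow(line):
    """Return a dict for one flows event, or None if the line is not one."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    ev = {"ts": float(m["ts"]), "device": m["dev"], "action": m["action"]}
    for kv in m["fields"].split():          # key=value pairs such as src=... dport=...
        k, _, v = kv.partition("=")
        ev[k] = v
    for key in ("sport", "dport"):
        if key in ev:
            ev[key] = int(ev[key])
    return ev

def denied_vpn_hits(syslog_text):
    """Map source IP -> {dport: hit count} for denied flows to the VPN ports."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in syslog_text.splitlines():
        ev = parse_flow(line)
        if ev and ev["action"] == "deny" and ev.get("dport") in VPN_PORTS:
            hits[ev["src"]][ev["dport"]] += 1
    return {src: dict(ports) for src, ports in hits.items()}

if __name__ == "__main__":
    for src, ports in denied_vpn_hits(SAMPLE_SYSLOG).items():
        names = ", ".join(f"{VPN_PORTS[p]}:{n}" for p, n in sorted(ports.items()))
        print(f"{src}  {names}")
```

Hosts that show up here and then go quiet, while still reaching port 443, are the ones worth a packet capture, since that is exactly the fallback behaviour described later in the thread.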

That is a good rule, but remember that if a machine has a proxy avoidance app like Psiphon then that rule will not work. A VPN app like this one hides the port traffic from the firewall because it cannot fully inspect traffic in the SSL/HTTPS channel.


Thanks,

Barry O

jared_f
Kind of a big deal

@ZDonaldson Just curious, are these SM managed devices?


I don't know what SM is, so probably not

Zane D - IT Manager in Sin City NV
jared_f
Kind of a big deal

@ZDonaldson If they were company owned devices managed by an MDM you could search for the VPN apps and remove them.


I understand, they are internal PCs and MS Surface devices for the most part...we don't use an MDM solution.


I'm very disappointed to learn that I can't track sources of traffic based on either the firewall rule that is denying the traffic or the content filter.


How is this thing considered a next-gen security device when it doesn't include features that were included in the last 2 generations of other vendors' products?


It's not very secure when there isn't enough logging to track down the source of unwanted traffic on the network.


Thus endeth the rant.

Zane D - IT Manager in Sin City NV
jared_f
Kind of a big deal

@ZDonaldson


I also did this from the network side, but some VPN apps could still tunnel out if they got past the block.


Luckily all of our devices are managed by Meraki MDM (Meraki SM). I created a policy on my end that looks for any apps that contain anything to do with VPNs, proxies, anonymizers, etc., and then have it alert me on compliance. The user will lose access to most of the functionality until they remove the VPN and see me (or wait until the device checks in and removes the VPN profile, making it compliant).


I know Meraki MDM (SM) offers PC management, might be something to think about for the future.
