Blocking VPN outbound/ IPVanish

SOLVED
Getting noticed

Hi All,

 

We have discovered that employee use of VPN software to anonymize internet usage may be an issue.

 

I've created outbound deny rules for ports 500, 1701, 4500, and 1723.

 

Beyond that, does anyone have further recommendations for blocking these types of apps? Specifically, I'm worried about IPVanish, which claims to use 443 to connect, which obviously I can't block.

 

Does Meraki have any deep inspection tools that will recognize a traffic signature rather than just blocking ports?

Zane D - IT Manager in Sin City NV
Accepted Solution
Kind of a big deal

Re: Blocking VPN outbound/ IPVanish

Use content filtering and block "Proxy avoidance and anonymizers".

 

Screenshot from 2018-03-14 12-51-38.png

Getting noticed

Re: Blocking VPN outbound/ IPVanish

Awesome, I have had that turned on for several weeks.

 

Also, when I created the outbound rule to block tcp 1723, I saw lots of hits on that rule at first, so I don't think the content filter was blocking all of it.

 

The hits on that rule have stopped, which makes me think the clients for some of these products are smart enough to recognize the port being blocked and are changing ports.

 

At this point, I'm not super confident we have stopped it, but I'm going to try some packet captures to verify that.

 

On a side note, a newbie question: how do I see which traffic is hitting/being blocked by a specific rule?

Zane D - IT Manager in Sin City NV
Kind of a big deal

Re: Blocking VPN outbound/ IPVanish

> On a side note, a newbie question: how do I see which traffic is hitting/being blocked by a specific rule?


Alas you can't, without setting up a Syslog server.

https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Over...
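Once MX syslog is being collected, the question above ("which sources are hitting my deny rule?") becomes a log-parsing job. The following is an added example, not code from the original thread or from Meraki: it parses firewall "flows" messages, keeps only denied flows whose destination port is one of the ports the original post blocked (500, 1701, 4500, 1723), and counts hits per source IP. The sample log lines are constructed and only approximate the MX "flows" syslog layout (timestamp, device name, message type, key=value fields, then `pattern: <verdict> ...`); check the field names against your own exported messages before relying on it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines approximating the MX "flows" message format.
# These are not real captures; the addresses are documentation ranges.
SAMPLE_LOG = """\
1521043898.123 MX84 flows src=10.0.5.21 dst=203.0.113.10 mac=AA:BB:CC:00:11:22 protocol=tcp sport=51234 dport=1723 pattern: deny all
1521043899.456 MX84 flows src=10.0.5.21 dst=203.0.113.10 mac=AA:BB:CC:00:11:22 protocol=udp sport=51235 dport=500 pattern: deny all
1521043900.789 MX84 flows src=10.0.5.44 dst=198.51.100.7 mac=AA:BB:CC:00:33:44 protocol=udp sport=60001 dport=4500 pattern: deny all
1521043901.000 MX84 flows src=10.0.5.44 dst=198.51.100.7 mac=AA:BB:CC:00:33:44 protocol=tcp sport=60002 dport=443 pattern: allow all
1521043902.500 MX84 flows src=10.0.5.99 dst=192.0.2.55 mac=AA:BB:CC:00:55:66 protocol=udp sport=40000 dport=1701 pattern: deny all
1521043903.100 MX84 urls src=10.0.5.99:40100 dst=192.0.2.55:443 mac=AA:BB:CC:00:55:66 request: GET https://example.invalid/
"""

# Ports the original poster's outbound deny rules cover (PPTP, IPsec IKE/NAT-T, L2TP).
VPN_CONTROL_PORTS = {500, 1701, 4500, 1723}

# Assumed line layout: "<epoch> <device> <type> <rest>"; the key=value fields live in <rest>.
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<dev>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
VERDICT_RE = re.compile(r"pattern:\s*(\S+)")


def parse_flow(line):
    """Parse one syslog line; return a dict for 'flows' messages, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("kind") != "flows":
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    verdict = VERDICT_RE.search(rest)
    try:
        dport = int(fields.get("dport", ""))
    except ValueError:
        return None  # malformed or missing destination port
    return {
        "ts": float(m.group("ts")),
        "device": m.group("dev"),
        "src": fields.get("src"),
        "dst": fields.get("dst"),
        "proto": fields.get("protocol"),
        "dport": dport,
        "verdict": verdict.group(1) if verdict else "unknown",
    }


def denied_by_port(log_text, watch_ports=VPN_CONTROL_PORTS):
    """Map each watched destination port to a Counter of source IPs whose flows were denied."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["verdict"] != "deny":
            continue
        if flow["dport"] in watch_ports:
            hits[flow["dport"]][flow["src"]] += 1
    return dict(hits)


def top_sources(log_text, watch_ports=VPN_CONTROL_PORTS):
    """Sources ranked by total denied hits across all watched ports (most hits first)."""
    total = Counter()
    for per_src in denied_by_port(log_text, watch_ports).values():
        total.update(per_src)
    return total.most_common()


if __name__ == "__main__":
    for port, srcs in sorted(denied_by_port(SAMPLE_LOG).items()):
        print(f"dport {port}: {dict(srcs)}")
    print("top sources:", top_sources(SAMPLE_LOG))
```

The allowed flow to 443 and the `urls` message are deliberately ignored: this only answers the narrow question of which internal hosts keep hitting the port-based deny rules, and says nothing about traffic the content filter blocks or about clients that have already moved to 443.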

Kind of a big deal

Re: Blocking VPN outbound/ IPVanish

@ZDonaldson Just curious, are these SM managed devices?

Getting noticed

Re: Blocking VPN outbound/ IPVanish

I don't know what SM is, so probably not.

Zane D - IT Manager in Sin City NV
Kind of a big deal

Re: Blocking VPN outbound/ IPVanish

@ZDonaldson If they were company owned devices managed by an MDM you could search for the VPN apps and remove them.

Getting noticed

Re: Blocking VPN outbound/ IPVanish

I understand; they are internal PCs and MS Surface devices for the most part. We don't use an MDM solution.

 

I'm very disappointed to learn that I can't track sources of traffic based on either the firewall rule that is denying the traffic or the content filter.  

 

How is this thing considered a next-gen security device when it doesn't include features that were included in the last 2 generations of other vendors' products?

 

It's not very secure when there isn't enough logging to track down the source of unwanted traffic on the network.

 

Thus endeth the rant.

Zane D - IT Manager in Sin City NV
Kind of a big deal

Re: Blocking VPN outbound/ IPVanish

@ZDonaldson

 

I also did this from the network side, but some VPN apps could still tunnel out if they got past the block.

 

Luckily all of our devices are managed by Meraki MDM (Meraki SM). I created a policy on my end that looks for any apps that contain anything to do with VPNs, proxies, anonymizers, etc. and then have it alert me on compliance. The user will lose access to most of the functionality until they remove the VPN and see me (or wait until the device checks in and removes the VPN profile, making it compliant).

 

I know Meraki MDM (SM) offers PC management; might be something to think about for the future.
