Hi everyone 🤗, I am having a new problem. My network users have leaked they are using a vpn to access blocked sites.
No, I only have the Enterprise. I intend to buy an Advanced and integrated Cisco Umbrulla security license but I do not have the budget yet (it is very soon).
In the meantime tell me what to do to block VPN.
thank you in advance 😉
What about a Layer 3 firewall rule blocking ports 500 and 4500 from your internal user subnets?
Hi @cyriel95 , something along the lines of the below config. Lets say your internal users subnet is 10.10.10.0/24 the rule should block any traffic from that subnet using ports 500 and 4500 which are the typical VPN ports.
is this your office firewall?
That rule after rule 26 is an explicit Allow Any Any. You're pretty much wide open with that still in place. Would be worth adding in an explicit Deny Any Any rule in before it.
As you have access to the Outbound Firewall rules below your inbound I would also apply the vpn rules to your outbound rules also. Where you've configure Any for Source subnet can you not be more specific and tie this down just to your internal data subnet?
@UCcert I assume they are using something like hotspot shield which doesn't use conventional VPN ports. These are a nightmare to block as they use HTTPS and they add and decomission servers on a daily basis making it very hard for vendors to keep up.
I have found they often spoof being other traffic i.e. Paypal, snapchat, facebook.
Hi @BlakeRichardson , I guess tighter admin controls on the end user machines to stop them utilising/installing such features?
This is something that will have to be defined on a higher (management) level:
Either you're further controlling your client infrastructure (technologically better decision) or try to control it via (network / security) infrastructure built around those clients (which will fail in the long run).
Best way of course would be having controls on both sides of that table. 🙂