VPN to bypass Mx security

cyriel95
Getting noticed


Hi everyone 🤗, I am having a new problem. My network users have leaked that they are using a VPN to access blocked sites.
No, I only have the Enterprise. I intend to buy an Advanced and integrated Cisco Umbrella security license, but I do not have the budget yet (it is very soon).
In the meantime, tell me what to do to block VPN.


thank you in advance 😉

11 REPLIES
UCcert
Kind of a big deal

What about a Layer 3 firewall rule blocking ports 500 and 4500 from your internal user subnets?

Darren O'Connor | uccert.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
UCcert
Kind of a big deal

Both UDP

Darren O'Connor | uccert.co.uk

Hi @UCcert, please could you be more specific? I can't understand you.

UCcert
Kind of a big deal

Hi @cyriel95, something along the lines of the below config. Let's say your internal users' subnet is 10.10.10.0/24; the rule should block any traffic from that subnet using ports 500 and 4500, which are the typical VPN ports.


[attached screenshot: UCcert_0-1601995282698.png]


Darren O'Connor | uccert.co.uk

[attached screenshot: 12.JPG]

I don't understand.

UCcert
Kind of a big deal

Is this your office firewall?


That rule after rule 26 is an explicit Allow Any Any. You're pretty much wide open with that still in place. It would be worth adding an explicit Deny Any Any rule in before it.


As you have access to the Outbound Firewall rules below your inbound, I would apply the VPN rules to your outbound rules also. Where you've configured Any for Source subnet, can you not be more specific and tie this down just to your internal data subnet?

Darren O'Connor | uccert.co.uk
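
As an added worked example (not code from this thread, and not Meraki's own code), here is the rule UCcert describes expressed as a Meraki Dashboard API v1 L3 firewall rule object, together with a check for the ordering problem raised in the reply above: a deny placed after an explicit Allow Any/Any never matches, because MX rules are evaluated top-down and the first match wins. The 10.10.10.0/24 subnet is taken from the thread; the sample existing rule set and the API endpoint path are assumptions, and nothing is sent to the dashboard.

```python
import ipaddress
import json

# Both IKE (500) and IPsec NAT-T (4500) are UDP, as noted in the thread.
VPN_PORTS = "500,4500"

# Constructed sample of an existing rule set that, like the one in the thread,
# ends in an explicit Allow Any/Any rule.
EXISTING_RULES = [
    {"comment": "Allow DNS to internal resolver", "policy": "allow",
     "protocol": "udp", "srcCidr": "10.10.10.0/24", "srcPort": "Any",
     "destCidr": "10.10.0.53/32", "destPort": "53", "syslogEnabled": False},
    {"comment": "Default rule", "policy": "allow", "protocol": "any",
     "srcCidr": "Any", "srcPort": "Any", "destCidr": "Any", "destPort": "Any",
     "syslogEnabled": False},
]


def make_vpn_deny_rule(src_cidr):
    """Deny rule for UDP 500/4500 from one internal subnet (CIDR validated)."""
    ipaddress.ip_network(src_cidr)  # raises ValueError on a mistyped subnet
    return {"comment": "Block IKE/IPsec VPN from user subnet", "policy": "deny",
            "protocol": "udp", "srcCidr": src_cidr, "srcPort": "Any",
            "destCidr": "Any", "destPort": VPN_PORTS,
            "syslogEnabled": True}  # log hits so attempts are visible in syslog


def _is_allow_any_any(rule):
    return (rule["policy"].lower() == "allow" and rule["protocol"].lower() == "any"
            and rule["srcCidr"].lower() == "any" and rule["destCidr"].lower() == "any")


def shadowed_denies(rules):
    """Indices of deny rules that sit after an Allow Any/Any rule.
    Rules are evaluated top-down, first match wins, so these never fire."""
    shadowed, allow_all_seen = [], False
    for i, rule in enumerate(rules):
        if allow_all_seen and rule["policy"].lower() == "deny":
            shadowed.append(i)
        allow_all_seen = allow_all_seen or _is_allow_any_any(rule)
    return shadowed


def build_ruleset(existing, src_cidr):
    """Place the VPN deny first so no earlier allow can shadow it."""
    rules = [make_vpn_deny_rule(src_cidr)] + list(existing)
    assert not shadowed_denies(rules)
    return rules


def api_payload(rules):
    """JSON body for PUT /networks/{id}/appliance/firewall/l3FirewallRules."""
    return json.dumps({"rules": rules})
```

The same deny rule belongs in the outbound rule set too, as the reply above suggests; the shadowing check applies to either list.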

@UCcert I assume they are using something like Hotspot Shield, which doesn't use conventional VPN ports. These are a nightmare to block as they use HTTPS and they add and decommission servers on a daily basis, making it very hard for vendors to keep up.


I have found they often spoof being other traffic, e.g. PayPal, Snapchat, Facebook.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

Hi @BlakeRichardson, I guess tighter admin controls on the end-user machines to stop them utilising/installing such features?

Darren O'Connor | uccert.co.uk

@UCcert Yeah, that's the best method. The only issue is if it's user-owned devices, i.e. students.

Meraki CMNO, Ruckus WISE, Sonicwall CSSA, Allied Telesis CASE & CAI

Hi @UCcert & @BlakeRichardson,


The administrative contract is strict: users must not install any program. But they get through via web browsers, which calls our security rules into question.

CptnCrnch
Kind of a big deal

This is something that will have to be defined on a higher (management) level:

Either you're further controlling your client infrastructure (technologically better decision) or try to control it via (network / security) infrastructure built around those clients (which will fail in the long run).


Best way of course would be having controls on both sides of that table. 🙂
