Using VPN to bypass security

Comments

6 comments

  • Firewalla

    First, there is no solution in the world that can block all VPNs. Even at the nation-state level, blocking VPN has always been a cat + mouse game. But with a small bit of work, it may be possible in a small network.

    Some VPNs are fairly easy: you can block ports like 1194, or you can use the built-in blocker like "family mode"; when that is on, some of the well-known VPN services may be blocked.

    Now, since the home network is small, it should be possible to block these things, but ... it may involve you looking at the flows a bit. The best tutorial is using something like this; what you need to do is find the flow that's pretty large and just cut that off. https://help.firewalla.com/hc/en-us/articles/360050863873-How-to-block-an-application-using-Firewalla-Network-Flows-

  • Charlie

    Thanks for the quick response! I understand it is a cat + mouse game. But are you even in the game at this time? If yes, I would expect you to block some of the common VPN sites. I see that you have a Beta for "All VPN Sites". I tried using that to block. That did not help. You need to release VPN blocking soon and keep constantly updating it (chase those mice hard!! Keep catching as many as you can quickly!!)

    Look, here is where I am coming from. If it is so easy to defeat or bypass the security, why even bother? I might as well return your equipment. I am unnecessarily slowing down the "good" traffic.

  • Firewalla

    Yes, we are constantly trying to make things better for sure.

    In your case, have you tried "family mode"? This mode actually blocks some of the well-known VPN services. If that does not work, can you use the method here and look at the flows? https://help.firewalla.com/hc/en-us/articles/360050863873-How-to-block-an-application-using-Firewalla-Network-Flows-

    If you see something, let us know; we can make a signature to block it.

  • Charlie

    Just tried. I got a whole bunch of IP addresses (no domain) from all over the world. Not easy to block all of those. How about port? Is there another way to detect a VPN tunnel?

  • Charlie

    Wait! I noticed all those IP addresses are connecting to ports higher than 50000. Can we block all ports higher than 50000? Looks like you are giving the ability to block a single port, not a range or a higher-than/lower-than feature. Well, you have some serious catching to do with the mice. You should be able to come up with an algorithm that can block VPN tunnels. Please make that high priority for your engineering team.

  • Firewalla

    You can use 6881-6889; this will block a range.

    I'll forward this to our engineering team. If you see a whole bunch of random IP addresses, then this VPN is trying to elude detection ... 

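A defender-side triage of flow records along the lines Firewalla describes in this thread (the "pretty large" flow, the well-known port 1194, and one LAN host talking to many remote IPs on ports above 50000), added here as an example and not code from Firewalla or its product; the flow record layout, thresholds and sample addresses are constructed assumptions:

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    """One flow record as a home firewall might export it (assumed layout)."""
    src: str      # LAN host
    dst: str      # remote IP
    dport: int    # remote port
    proto: str
    nbytes: int   # bytes moved over the flow

# Heuristics from the thread: a well-known VPN port (1194 is the OpenVPN
# default), a large flow, and many remote peers on ports above 50000.
KNOWN_VPN_PORTS = {1194}


def triage_flows(flows: Iterable[Flow], big_bytes: int = 100_000_000,
                 high_port: int = 50000, min_peers: int = 5) -> Dict[str, dict]:
    """Group flows by LAN host and report which hosts match which heuristic."""
    per_host = defaultdict(lambda: {"large": [], "vpn_port": [], "peers": set()})
    for f in flows:
        h = per_host[f.src]
        if f.nbytes >= big_bytes:
            h["large"].append((f.dst, f.dport, f.nbytes))
        if f.dport in KNOWN_VPN_PORTS:
            h["vpn_port"].append((f.dst, f.dport))
        if f.dport > high_port:
            h["peers"].add(f.dst)
    findings: Dict[str, dict] = {}
    for host, h in per_host.items():
        reasons: List[str] = []
        if h["vpn_port"]:
            reasons.append("known VPN port")
        if h["large"]:
            reasons.append("large flow")
        if len(h["peers"]) >= min_peers:
            reasons.append("many high-port peers")
        if reasons:  # quiet hosts are left out of the report
            findings[host] = {"reasons": reasons, "large": h["large"],
                              "high_port_peers": sorted(h["peers"])}
    return findings

# Constructed sample flows (not taken from the thread).
SAMPLE_FLOWS = [
    Flow("192.168.1.20", "203.0.113.5", 443, "tcp", 1_200_000),      # ordinary HTTPS
    Flow("192.168.1.20", "198.51.100.7", 1194, "udp", 950_000_000),  # long-lived tunnel
    Flow("192.168.1.31", "203.0.113.70", 50201, "udp", 30_000_000),  # five peers, all
    Flow("192.168.1.31", "203.0.113.71", 51555, "udp", 28_000_000),  # on ports > 50000
    Flow("192.168.1.31", "203.0.113.72", 52019, "udp", 31_000_000),
    Flow("192.168.1.31", "203.0.113.73", 53411, "udp", 27_000_000),
    Flow("192.168.1.31", "203.0.113.74", 54990, "udp", 29_000_000),
    Flow("192.168.1.40", "203.0.113.9", 443, "tcp", 500_000),        # quiet host
]

if __name__ == "__main__":
    for host, info in triage_flows(SAMPLE_FLOWS).items():
        print(host, info["reasons"], info["high_port_peers"])
```

The flagged hosts are candidates for a closer look at their flows, not automatic blocks; a game console or a peer-to-peer client can produce the high-port pattern too.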
