Block VPN , Browser Based VPNs

views: 1312 | comments: 14 | added to Favorites 0

Lights on | 提示：支持键盘翻页<-左右->

Topic

anwar

Created: 19 Jan 2024 15:12

Summary:

Dear Community, I have NGAF 5300-I and I am trying to block VPN applications and Browser-Based VPNs i have tried creating denial rule for VPN but it is still not blocking users from connecting VPNs. ...

Reply

Farina Ahmed Posted 09 May 2024 13:43

Check if the rule is set to block both incoming and outgoing VPN connections, and make sure it's applied to the right interfaces or zones where the VPN traffic is passing through.

Rotring Posted 09 May 2024 11:21

1. Identify VPN Traffic:

Deep Packet Inspection (DPI): If your NGAF 5300-I supports Deep Packet Inspection (DPI), enable it to identify VPN traffic patterns within the data stream. DPI can analyze application data and protocols to recognize VPN usage.
Port Blocking: While not foolproof, blocking common VPN ports like OpenVPN (UDP 1194) and L2TP (UDP 1701) can help prevent some basic VPN connections. However, be aware that some VPNs can use different ports to bypass restrictions.
2. Application Control:

Application Identification: Many NGAF devices have application identification features. Use these to identify and block known VPN applications by name. Consult your NGAF documentation for specific instructions on application control.
3. DNS Filtering:

Block VPN DNS Requests: Some VPNs rely on specific DNS servers to function. You can try blocking known DNS servers associated with popular VPN providers. However, this method can be easily bypassed by users with technical knowledge.
4. Advanced Techniques (if applicable):

URL Filtering: If your NGAF supports URL filtering, you can block access to known VPN download websites. However, this requires maintaining an updated list of such websites.
Threat Intelligence Feeds: Some NGAF devices allow integrating threat intelligence feeds. These feeds can identify and block malicious VPN traffic based on real-time threat data.
Important Considerations:

False Positives: Blocking techniques can sometimes lead to false positives, blocking legitimate applications. Test your rules thoroughly to avoid unintended consequences.
User Needs: Consider if there are legitimate business needs for using VPNs. You might create exceptions for authorized users or implement a more granular control approach.
NGAF Model and Firmware: The specific configuration steps might vary depending on your NGAF 5300-I model and firmware version. Refer to the official Sangfor documentation for detailed instructions on applying these techniques to your device.
Here are some additional tips:

Consult Sangfor Support: If you're still having trouble blocking VPNs after implementing these techniques, consider contacting Sangfor support. They can provide further guidance and troubleshooting assistance specific to your NGAF model and configuration.
Stay Updated: VPN technologies and techniques evolve. Regularly update your NGAF device firmware and threat intelligence feeds (if applicable) to maintain effective blocking capabilities.

Tammee Ong Posted 08 May 2024 11:43

For your information, Sangfor NGAF's main objective is to prevent and block cyber security events. It's important to note that browser-based VPNs typically employ encryption to create secure tunnels for traffic, which poses a challenge for conventional security measures to inspect and identify VPN usage. Additionally, these VPNs often rotate IP addresses, making it challenging for security systems to maintain an updated blacklist of VPN server IPs. Consequently, NGAF may face limitations in effectively blocking browser-based VPNs. Therefore it does not have the good blocking proxy/VPN performance as Sangfor IAM.

Pat Posted 29 Jan 2024 11:06

While you've tried blocking VPNs with denial rules, consider a multi-layered approach for stronger defense. Enable DPI on your NGAF 5300-I to identify and block VPN traffic patterns. Utilize application control to block known VPN apps by name or signature. Block access to known VPN provider's DNS servers to prevent domain resolution. As a last resort, consider blocking common VPN ports like UDP 1194, TCP 443, and UDP 53. Remember, fine-tuning rules and monitoring logs are key for success. Hope this helps

mdamores Posted 25 Jan 2024 11:01

Here are some considerations that you need to take to troubleshoot and improve your VPN blocking rules:

1. ensure that your firewall's application signatures are up to date. VPN applications may frequently update their protocols to bypass firewalls, so it is recommended to always update to the latest.
2. Make sure that your VPN blocking rule is placed correctly in the rule hierarchy. Usually, rules are processed from top to bottom so you need to confirm that the denial rule is above any of the rules that is allowed
3. Enable logging on your denial rule and monitor the logs for traffic that matches the criteria to help you identify whether certain VPN traffic is denied or not.
4. check if the ports and protocols of the specific VPNs you are blocking is correct.
- enable SSL/TLS inspection on your firewall to help identify and block VPN traffic that is encrypted
- use deep packet inspection to inspect contents of the packet and to identify VPN traffic based on the data payload
- implement user authentication in your firewall (if supported), so you can tie VPN blocking rules to specific user accounts
- apply application control policies to block or limit the use of certain applications, including VPNs
- ensure blocking the rules accounted for specific services of browser based VPNs

Enrico Vanzetto Posted 23 Jan 2024 19:33

Hi, you first have to set on NGAF the application signature in order to let NGAF identify vpn traffic properly. If the vpn traffic is encrypted with sl, you have to configure SSL decryption and import SSL certificates on NGAF in order to let it analyze vpn traffic packets properly. After that, yo can define a deny policy to block this vpn traffic.

Tayyab0101 Posted 23 Jan 2024 19:25

hello,
can you please share the policy you have set for this.

Farina Ahmed Posted 23 Jan 2024 17:53

To effectively block VPN applications and browser-based VPNs on your NGAF 5300-I firewall, ensure that you've correctly identified and added the necessary application signatures associated with these VPN services in your denial rule. Additionally, consider implementing SSL decryption to inspect encrypted traffic, as some VPNs may use SSL/TLS for obfuscation. Update your firewall signatures regularly to stay current with emerging VPN services. Furthermore, make sure that the denial rule is placed at a higher priority in your rule set, allowing it to take precedence over other rules. Finally, monitor logs and adjust the rule as needed to maintain effective VPN blocking.

jerome_itable Posted 23 Jan 2024 16:53

Blocking VPN applications and Browser-Based VPNs on a Sangfor NGAF 5300-I can be tricky, as users often find ways to circumvent basic rules. Here are some factors to consider and actions you can take to improve your blocking effectiveness:

Understanding VPN Detection and Techniques:

Deep Packet Inspection (DPI): Most modern NGAFs use DPI to analyze traffic and identify VPN protocols like OpenVPN, PPTP, L2TP, and SSTP. However, advanced VPNs might encrypt their traffic, making DPI ineffective.
Application Recognition: NGAF can also identify VPN applications based on known signatures or behavior patterns. However, new or obfuscated VPN apps might bypass this detection.
DNS filtering: Blocking access to known VPN providers' DNS servers can prevent users from configuring their devices for a VPN connection.

Enhancing your Blocking Rules:

Combine different techniques: Use a combination of DPI, application recognition, and DNS filtering for a multi-layered approach. This makes it harder for users to circumvent the block.
Update your NGAF software: Ensure you're running the latest software version with updated signatures and detection algorithms for current VPN methods.
Target specific applications: Instead of blocking all VPN traffic, identify and block only known VPN applications used by your users. This minimizes disruption for legitimate applications.
Use URL filtering: Block website categories or specific URLs associated with VPN services.
Monitor and adjust: Regularly monitor your logs and network traffic for VPN usage attempts. Refine your rules as needed to address new techniques or bypasses.

Additional Tips:

Educate your users: Communicate the policy on VPN usage and the consequences of circumventing security measures. Encourage users to use authorized VPNs if necessary for business purposes.
Consider user needs: If certain business functions require VPN access, create exceptions or dedicated secure access for authorized users.
Seek expert help: If you're facing significant challenges, consider consulting Sangfor support or a network security specialist for advanced configuration and monitoring strategies.

Adam Suhail Posted 23 Jan 2024 11:28

i think you need to do decryption for the policy to works

Hope this help

Sangfor Community Terms of Use

Last updated: July 2020

Sangfor Technologies ("Sangfor") welcomes you.

The Sangfor Community ("Community"), developed by Sangfor, is provided to enable users to share knowledge, exchange comments and suggestions on Sangfor products.

This Terms of Use is an agreement between you and Sangfor Community on requirements for users during access to the Community and on liability held by Sangfor on managing user's access. Please read the Terms of Use carefully. If you do not agree to all the terms, you may not access the Community. By registering on the Community site, using or visiting the Community, you agree to all the terms in this Terms of Use.

Requirements for Posting Topic

1. Topic Title is Clear
You are expected to write a topic title clearly to make it easy to understand, rather than offering a meaningless or ambiguous title.
2. Question is Specific
The content is specific and detailed when you are posting a topic or reply. The more detailed the topic, the more easily and accurately others can understand.
3. Such a Topic Does Not Exist
Before posting a question or suggestion topic, check whether similar topic already exists. You may post a second one if the existing answers are unsatisfying.
4. Topic Category is Accurate
Check whether the topic is categorized correctly. Choosing a correct category can help you receive a satisfying answer more quickly.
5. Choose A Best Answer
If there is any answer that you think is the best, choose one.
6. Show Gratitude
You are expected to show gratitude to the members who have replied to your question. Pick a best answer and make positive comments on other replies to show your respect for their help.
7. Mutual Respect
Post a topic in a friendly tone, instead of in a blaming or reproaching tone. You may not mock or look down upon repliers but appreciate them in writing answers sincerely.

Contents Approval and Block

1. Blocked Contents
Topics or replies containing any item listed below will be blocked:
a) Content related to product price and specification that are offered through presale hotline or other where online. i.e., How much is an IAM-1200 unit? How high a bandwidth is supported?
b) Contact information, i.e., contact me through QQ account 12345678.
c) Tendency to sell, resell, buy commodities or give gifts, i.e., Any one wants to buy a second-hand device?
d) Misleading or derogatory remarks related to ethnic minorities.
e) Duplicate contents submitted in a short period of time.
f) Job recruitment or hunting contents.
g) Real product information such as customer name, IP address of device, etc. i.e., Customer: XXX Company, Device IP address: 1.1.1.1

2. Prohibited Contents
Postings (topics, posts, comments and articles) containing any items of the following are prohibited and will be deleted.
a) Contents involving pornography, violence or terror, including:
Any content that describes sex organs, behaviors or psychology in detail.
Any content that propagates pornographic images or materials.
Any content that describes violent behaviors, experience and feelings in detail.
Any content that describes terrorist incidents and subjective opinions in detail.
Any content that induces others to meet face to face and have sex or to engage in prostitution.
Any content that tries to hire or induce others to engage in violent activities.
Any content that threatens others.
Any hyperlink linked to any item above.

b) Advertising, massive or duplicate contents linked to a same website, with any of the following purposes:
Boosting web traffic by guiding others to visit certain website or forum.
Engaging in transactions of any item (including virtual commodity, currency, etc.) in the name of certain profit organization or individual.
Advertising or organizing pyramid selling.
Any hyperlink linked to any item above.

c) Reactionary contents, including:
Any content that shows negative views on the current laws and regulations governing the nation.
Any content that disturbs public order or provokes dispute against a nationality, race, religion, region, etc.
Any content that attacks government sectors and officials, propagates feudal superstition and evil cults.
Any hyperlink linked to any item above.

d) Content involves personal attack, defamatory and fraudulent information, including:
Any content that infringes on legal rights of others such as rights of portrait and privacy, humiliates others and cause physical and mental harm to them.
Any content that impairs the reputation of social communities or organizations.
Any hyperlink linked to any item above.

e) Content violates ethics rules, including:
Any content that violates ethics rules and propagates negative values.
Any content that induces others to commit suicide or describes methods of committing suicide in detail.
Any content that discriminates against and disparages the weak, such as the disabled, the elderly and the poor.
Any content that teaches others how to infringe on other's rights, for example, how to hack others' computers, how to cheat others.
Any content that propagates or encourages unethical acts such as teacher-student love affairs, extramarital affairs, incest, etc.
Any content that makes others repulsive or unpleasant.
Any hyperlink linked to any item above.

f) Malicious, meaningless, irrelevant contents, including:
Malicious, meaningless or irrelevant discussion topics.
Replies contain contents or format of contents that make others unable to browse posts.
Duplicate question topics posted in a short period of time.
Duplicate replies to different question topics, which are irrelevant.
Meaningless questions or answers.
Repetitive and valueless coin transfers from one ID to another.
Other irrelevant and meaningless contents.

g) Content involves crime and violation of laws or propagates criminal offenses, including:
Any content that induces or gathers others to engage in gambling activities or propagates bribery.
Any content that contains fraudulent information.
Any content that goes against laws or regulations of the People's Republic of China.
Any hyperlink linked to any item above.

h) Other contents that may violate any law or regulation
Such as content that violates regulations prescribed in Measures for Security Protection Administration of the International Networking of Computer Information Networks, Administrative Measures for Internet Information Services, Management Provisions on Electronic Bulletin Services in Internet, Decision of Preserving Computer Network Security, Administrative Provisions for the Internet News Information Services, or disseminate, spread or transmit any kinds of the following information by other means, including:
Any content that is against the basic principles prescribed and set by the Constitution in the People's Republic of China.
Any content that undermines state security, discloses state secret, subverts government or impairs national unity.
Any content that harms the reputation and interests of the nation.
Any content that incites ethnic hatred or ethnic discrimination or harms the national unity.
Any content that destructs the state's religious policies or propagates evil cult and feudal superstition.
Any content that spreads rumors, disrupts public order, or endangers social stability.
Any content that spreads obscenity, pornography, gambling, violence, murder and terror, or instigates others to commit any crime.
Any content that insults or slanders others or infringes upon legal rights of others.
Any content that incites unlawful assembly, association, procession, demonstration, or gather crowds to disturb public order.
Any act of participating in or organizing activities in the name of unlawful non-government organizations.
Any fraudulent, harmful, threatening, harassing, slandering, vulgar, obscene, or repulsive content.
Other contents restricted or prohibited by any or applicable laws or regulations and effective conventions in the People's Republic of China.

i) Other improper contents

Account Management

Sangfor reserves the right to delete accounts with which users conduct any of the following inappropriate acts:
1. Posting topic or reply that contains any item listed in Blocked Contents or in Prohibited Contents.
2. Discourteous acts, including but not limited to copying, personal attack, disguising as administrator or damaging administrator's reputation, disguising as other members or stealing others' accounts, or using others' signatures, or contents or format of contents in post that make others unable to browse posts properly, or other acts that disturb public order.

Criticisms and Suggestions

Sangfor strives to create an open and integrated platform with joint efforts of all the members and welcomes valuable suggestions and advice, as well as criticisms on Sangfor and Sangfor products. Your feedback in the Community will be replied in time and forwarded to specific department of Sangfor and be solved as soon as possible. However, prohibited contents of deliberate attack against Sangfor and Sangfor products, once discovered, will be deleted immediately.

1. Constructive Suggestions and Criticisms
a) Point out existing bugs or issues of a certain product.
b) List strengths and weaknesses of Sangfor product by comparing with other vendors' products and give rational comments or suggestions.
c) File complaints against Sangfor products.
d) Describe emotional disappointment on Sangfor product because of issues or defects in that product.
2. Non-constructive Suggestions and Criticisms
a) Valueless and subjective attacks against Sangfor and Sangfor products.
b) Compare Sangfor products with those of other vendors in an unfair, unjust and unopen manner, with a purpose of deliberately denigrating Sangfor and Sangfor products or promoting other vendors' products.
c) Attack Sangfor and Sangfor products for other commercial purposes.

Privacy Policy

Sangfor Technologies (Hong Kong) Limited (collectively, "We" and "our") attaches great importance to the security of your personal data seriously. Collecting, using, sharing or transferring of your personal data may be conducted upon you visit our website, use our products and/or services based on your consent, contract relationship or any applicable legal ground.

SANGFOR Privacy Policy (hereinafter referred to as "this Policy") represents how we collect, use, store, transfer your personal data as well as your legitimate rights to access, update, delete, and protect your personal data.

You are required to get fully understanding of this Policy before submitting your personal data to SANGFOR. This Policy applies to SANGFOR websites, products, services that display or provide links to this Policy.

SANGFOR will ensure that any personal data we collect about you will be held and processed strictly in accordance with the European General Data Protection Regulation (GDPR) which become effective on 25th May 2018.

Considering SANGFOR provides various kinds of products and services, this Policy may not cover all possible scenarios for personal data processing. Any specific data relating to the processing of personal data in the context of SANGFOR's products or services may be described in the privacy policy of related products or services or may be released in any notice that is given during the collection of data.

1. Collection and use your personal data.

"Personal data" means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The aforementioned personal data maybe be collected by your behavior of using of our products, services, or when you interact with us, such as visiting our website, registering relevant accounts, participating in our events. Besides, by using cookie and other similar technologies, our websites may indirectly record your personal data. When you use SANGFOR website, we may collect certain data automatically from your computers or devices (including mobile devices). The data we collect automatically may include your IP address, device type, operating system, unique device identifiers, browser-type, browser language, geographic location and other technical information. We may also collect data about how your device has communicated with SANGFOR Website, including the pages viewed, the links clicked, the amount of time spent on particular pages, mouse hovers, the date and time of the interaction, error logs, referring and exit pages and URLs, and similar information. We use this information only for our analytical purposes, and to improve the quality, relevance, and security of SANGFOR website.

Our website collects and uses personal data through the following methods:

1) Tracking

Our website uses analytics tool such as Google Analytics (GA) to track user interaction. We use this data to determine the number of people using our site, to better understand how you found us, how you are using our website and to see the journey you took through the website. All of these are used only in the purpose of improving our website to provide you with the best user experience. Disabling cookies on your internet browser will stop Google Analytics from tracking any part of your visit to pages within this website.

2) Registration Form

When you choose to use SANGFOR community rather than just browsing, you are required to fill in a registration form to create a community account, the data that you supply includes names, usernames, phone numbers, email addresses and region information associated with your account, will be submitted to our database on AWS and under full protection of AWS encryption. AWS is based in the USA and is EU-US Privacy Shield compliant. A backup server of SANGFOR Community is based in Hong Kong only for the sake of disaster recovery.
AWS (Privacy Policy)

3) Email Newsletters

If you choose to join our email newsletter or if provided with your email during an event or other circumstances, the email address that you submit to us will be forwarded and stored in MailChimp which provide us with email marketing services. The email address that you submit will not be stored within this website's own database or in any of our internal computer systems, except for the purpose of importing the data into Mailchimp.

Your email address will remain within MailChimp's database for as long as we continue to use MailChimp's services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters that we send you or by requesting removal via email. If you are under 16 years of age you MUST obtain parental consent before joining our email newsletter. While your email address remains within the MailChimp database, you may receive periodic newsletter emails from us.

We use several third parties to process personal data on our behalf. These third parties have been carefully chosen and all of them comply with the GDPR legislation. All two of these third parties are based in the USA and are EU-US Privacy Shield compliant.
1) Mailchimp (Privacy policy)
2) SurveyMonkey (Privacy policy)

We may collect your personal data for the business purposes such as sending solicited information about a specific item or information about products or Company, perform market research & analytics to improve our services & product offerings. Besides, we may supply such above personal data to third parties for business purposes or marketing based on your consent.

Should the purposes of using your personal data are not included in this Policy, we will obtain your prior consent before we implementing the relevant purpose. Moreover, you are entitled to withdraw your consent at any time in compliance with the laws and regulations, but this maybe cause the function limitation of the website, product or service.

Please be fully noted that we are entitled to collect and use your personal data without your prior consent under any of the corresponding circumstances in compliance with any applicable laws and regulations.

2. Cookies and Other Similar Technologies

Like most sites, we use technologies that are essentially small data files placed on your computer, tablet, mobile phone, or other devices (referred to collectively as a "device") that allow us to record certain pieces of data whenever you visit or interact with our sites, services, applications, messaging, and tools, and to recognize you across devices.

The specific names and types of the cookies, unique identifiers, and similar technologies we use to collect data (e.g. about the pages you view, the links you click, and other actions you take on our Services, within our advertising or e-mail content) may change from time to time. To help you better understand this Policy and our use of such technologies we have provided the following limited terminology and definitions:

Cookies - Small text files (typically made up of letters and numbers) placed in the memory of your browser or device when you visit a website or view a message. Cookies allow a website to recognize a particular device or browser.

Similar technologies - Technologies that store personal data in your browser or device utilizing local shared objects or local storage, such as flash cookies, HTML 5 cookies, and other web application software methods. These technologies can operate across all your browsers, and in some instances may not be fully managed by your browser and may require management directly through your installed applications or device. We do not use these technologies for storing personal data to target advertising to you on or off our sites.

We may use the terms "cookies" or "similar technologies" interchangeably in our policies to refer to all technologies that we may use to store data in your browser or device or that collect data or help us identify you in the manners described above.

3. Rights to your personal data

If you submit your personal data to us, please ensure the accuracy of such data. If your personal data has changed (for instance, your address has been changed), you are obliged to update your personal data in a timely manner.

For requirements by applicable laws, you may: (1) have access to your personal data we have held; (2) update or correct any of your inaccurate personal data; (3) restrict or object to allow us to process your personal data; and (4) require us to erase your personal data, and (5) require us to comply with your request for data portability (6) withdraw your consent at any time which will not affect the lawfulness of processing based on consent before (7) lodge a complaint with the corresponding supervisory authority.

When you claim the said rights, we may require you to submit a written request and may verify your identity. Usually, we do not charge anything for such processes unless your request goes beyond the limit of conventional requirements.

4. Protection and Storage of Personal data

We recognize the need to ensure that personal information gathered via this website remains secure. Our site has security measures in place to protect against the loss, misuse, and alteration of the personal information under our control. Our security measures include the use of a hardware firewall to prevent unauthorized access. You acknowledge that although we exercise adequate care and security, there remains a risk that information transmitted over the Internet and stored by computer may be intercepted or accessed by an unauthorized third-party.

Your Personal Data will be stored on our database as long as you continuing use your community account. With your consent, any data we use for lawful purpose(s) for which it was obtained will be kept with us until you notify us that you no longer wish to use the functions of SANGFOR community and would like to delete your account permanently.

5. Cross-border Transfer of Personal data

Generally, we will process your personal data in the country/region where you use our products or services. However, we may transfer your personal data to Hong Kong China, Malaysia and USA that may have different laws for the protection of personal data.

6. Breach Notification

In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant Data Protection Authority (DPA) will be informed within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, Sangfor informs the supervisory authority of the reasons for the delay. This will be managed in accordance with our Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.

7. Update of this Policy

This privacy policy may change from time to time in line with legislation or industry developments. We will not explicitly inform our clients or website users of these changes. Instead, we recommend that you check this page occasionally for any policy changes.

8. Contact Us
If you have any question about this Policy or have any request or query for your personal data, please send an email to community@sangfor.com to contact us.