Block VPN, Browser-Based VPNs

anwar Lv1Posted 19 Jan 2024 15:12

Dear Community,

I have an NGAF 5300-I and I am trying to block VPN applications and browser-based VPNs. I have tried creating a denial rule for VPN, but it is still not blocking users from connecting to VPNs.

Need your technical assistance.

Farina Ahmed has solved this question and earned 10 coins.


To effectively block VPN applications and browser-based VPNs on your NGAF 5300-I firewall, ensure that you've correctly identified and added the necessary application signatures associated with these VPN services in your denial rule. Additionally, consider implementing SSL decryption to inspect encrypted traffic, as some VPNs may use SSL/TLS for obfuscation. Update your firewall signatures regularly to stay current with emerging VPN services. Furthermore, make sure that the denial rule is placed at a higher priority in your rule set, allowing it to take precedence over other rules. Finally, monitor logs and adjust the rule as needed to maintain effective VPN blocking.
Farina Ahmed Lv5Posted 09 May 2024 13:43
  
Check if the rule is set to block both incoming and outgoing VPN connections, and make sure it's applied to the right interfaces or zones where the VPN traffic is passing through.
Rotring Lv2Posted 09 May 2024 11:21
  
1. Identify VPN Traffic:

Deep Packet Inspection (DPI): If your NGAF 5300-I supports Deep Packet Inspection (DPI), enable it to identify VPN traffic patterns within the data stream. DPI can analyze application data and protocols to recognize VPN usage.
Port Blocking: While not foolproof, blocking common VPN ports like OpenVPN (UDP 1194) and L2TP (UDP 1701) can help prevent some basic VPN connections. However, be aware that some VPNs can use different ports to bypass restrictions.
2. Application Control:

Application Identification: Many NGAF devices have application identification features. Use these to identify and block known VPN applications by name. Consult your NGAF documentation for specific instructions on application control.
3. DNS Filtering:

Block VPN DNS Requests: Some VPNs rely on specific DNS servers to function. You can try blocking known DNS servers associated with popular VPN providers. However, this method can be easily bypassed by users with technical knowledge.
4. Advanced Techniques (if applicable):

URL Filtering: If your NGAF supports URL filtering, you can block access to known VPN download websites. However, this requires maintaining an updated list of such websites.
Threat Intelligence Feeds: Some NGAF devices allow integrating threat intelligence feeds. These feeds can identify and block malicious VPN traffic based on real-time threat data.
Important Considerations:

False Positives: Blocking techniques can sometimes lead to false positives, blocking legitimate applications. Test your rules thoroughly to avoid unintended consequences.
User Needs: Consider if there are legitimate business needs for using VPNs. You might create exceptions for authorized users or implement a more granular control approach.
NGAF Model and Firmware: The specific configuration steps might vary depending on your NGAF 5300-I model and firmware version. Refer to the official Sangfor documentation for detailed instructions on applying these techniques to your device.
Here are some additional tips:

Consult Sangfor Support: If you're still having trouble blocking VPNs after implementing these techniques, consider contacting Sangfor support. They can provide further guidance and troubleshooting assistance specific to your NGAF model and configuration.
Stay Updated: VPN technologies and techniques evolve. Regularly update your NGAF device firmware and threat intelligence feeds (if applicable) to maintain effective blocking capabilities.
Tammee Ong Lv1Posted 08 May 2024 11:43
  
For your information, Sangfor NGAF's main objective is to prevent and block cyber security events. It's important to note that browser-based VPNs typically employ encryption to create secure tunnels for traffic, which poses a challenge for conventional security measures to inspect and identify VPN usage. Additionally, these VPNs often rotate IP addresses, making it challenging for security systems to maintain an updated blacklist of VPN server IPs. Consequently, NGAF may face limitations in effectively blocking browser-based VPNs. Therefore it does not have the good blocking proxy/VPN performance as Sangfor IAM.
Pat Lv4Posted 29 Jan 2024 11:06
  
While you've tried blocking VPNs with denial rules, consider a multi-layered approach for stronger defense. Enable DPI on your NGAF 5300-I to identify and block VPN traffic patterns. Utilize application control to block known VPN apps by name or signature. Block access to known VPN providers' DNS servers to prevent domain resolution. As a last resort, consider blocking common VPN ports like UDP 1194, TCP 443, and UDP 53. Remember, fine-tuning rules and monitoring logs are key for success. Hope this helps.
mdamores Posted 25 Jan 2024 11:01
  
Here are some considerations that you need to take to troubleshoot and improve your VPN blocking rules:

1. Ensure that your firewall's application signatures are up to date. VPN applications may frequently update their protocols to bypass firewalls, so it is recommended to always update to the latest.
2. Make sure that your VPN blocking rule is placed correctly in the rule hierarchy. Usually, rules are processed from top to bottom, so you need to confirm that the denial rule is above any of the allow rules.
3. Enable logging on your denial rule and monitor the logs for traffic that matches the criteria to help you identify whether certain VPN traffic is denied or not.
4. Check that the ports and protocols of the specific VPNs you are blocking are correct.
   - Enable SSL/TLS inspection on your firewall to help identify and block VPN traffic that is encrypted.
   - Use deep packet inspection to inspect the contents of the packet and to identify VPN traffic based on the data payload.
   - Implement user authentication in your firewall (if supported), so you can tie VPN blocking rules to specific user accounts.
   - Apply application control policies to block or limit the use of certain applications, including VPNs.
   - Ensure the blocking rules account for the specific services of browser-based VPNs.
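To make the rule-ordering and logging points above concrete, here is an added example (not Sangfor's code and not NGAF policy syntax; the rule fields, application labels and flows are all constructed) that simulates top-down, first-match policy evaluation and reports which rules are shadowed by earlier ones:

```python
# Added example (constructed, not Sangfor NGAF syntax): simulate top-down,
# first-match policy evaluation to see whether a VPN deny rule is shadowed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    dports: frozenset     # destination ports; empty means any port
    apps: frozenset       # identified applications; empty means any app

@dataclass(frozen=True)
class Flow:
    proto: str
    dport: int
    app: str              # label assigned by application identification / DPI

def matches(rule, flow):
    return (rule.proto in ("any", flow.proto)
            and (not rule.dports or flow.dport in rule.dports)
            and (not rule.apps or flow.app in rule.apps))

def first_match(rules, flow):
    """Return (rule name, action) of the first matching rule, else implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "implicit-deny", "deny"

def shadowed(rules, flows):
    """Names of rules that match some sample flow but never get to decide one."""
    deciding = {first_match(rules, f)[0] for f in flows}
    return [r.name for r in rules
            if r.name not in deciding and any(matches(r, f) for f in flows)]

# Constructed rule set: the deny rule was appended below a broad allow rule.
BLOCK_VPN = Rule("block-vpn", "deny", "any", frozenset(),
                 frozenset({"OpenVPN", "L2TP", "BrowserVPN"}))
ALLOW_WEB = Rule("allow-web", "allow", "tcp", frozenset({80, 443}), frozenset())
ALLOW_OUT = Rule("allow-outbound", "allow", "any", frozenset(), frozenset())
MISORDERED = [ALLOW_WEB, ALLOW_OUT, BLOCK_VPN]
CORRECTED = [BLOCK_VPN, ALLOW_WEB, ALLOW_OUT]

# Constructed flows. Without SSL decryption a browser VPN on 443 may only be
# labelled "HTTPS", so an application-based deny rule would never match it.
SAMPLE_FLOWS = [Flow("udp", 1194, "OpenVPN"), Flow("tcp", 443, "BrowserVPN"),
                Flow("tcp", 443, "HTTPS"), Flow("udp", 1701, "L2TP"),
                Flow("tcp", 22, "SSH")]
```

Running `shadowed(MISORDERED, SAMPLE_FLOWS)` names the deny rule that never fires; the same check against `CORRECTED` returns nothing, while the 443 flow labelled only "HTTPS" is still allowed, which is the case SSL decryption is meant to expose.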

Enrico Vanzetto Lv4Posted 23 Jan 2024 19:33
  
Hi, you first have to set the application signature on NGAF in order to let NGAF identify VPN traffic properly. If the VPN traffic is encrypted with SSL, you have to configure SSL decryption and import SSL certificates on NGAF in order to let it analyze VPN traffic packets properly. After that, you can define a deny policy to block this VPN traffic.
Tayyab0101 Lv2Posted 23 Jan 2024 19:25
  
Hello,
Can you please share the policy you have set for this?
jerome_itable Lv3Posted 23 Jan 2024 16:53
  
Blocking VPN applications and Browser-Based VPNs on a Sangfor NGAF 5300-I can be tricky, as users often find ways to circumvent basic rules. Here are some factors to consider and actions you can take to improve your blocking effectiveness:

Understanding VPN Detection and Techniques:

    Deep Packet Inspection (DPI): Most modern NGAFs use DPI to analyze traffic and identify VPN protocols like OpenVPN, PPTP, L2TP, and SSTP. However, advanced VPNs might encrypt their traffic, making DPI ineffective.
    Application Recognition: NGAF can also identify VPN applications based on known signatures or behavior patterns. However, new or obfuscated VPN apps might bypass this detection.
    DNS filtering: Blocking access to known VPN providers' DNS servers can prevent users from configuring their devices for a VPN connection.

Enhancing your Blocking Rules:

    Combine different techniques: Use a combination of DPI, application recognition, and DNS filtering for a multi-layered approach. This makes it harder for users to circumvent the block.
    Update your NGAF software: Ensure you're running the latest software version with updated signatures and detection algorithms for current VPN methods.
    Target specific applications: Instead of blocking all VPN traffic, identify and block only known VPN applications used by your users. This minimizes disruption for legitimate applications.
    Use URL filtering: Block website categories or specific URLs associated with VPN services.
    Monitor and adjust: Regularly monitor your logs and network traffic for VPN usage attempts. Refine your rules as needed to address new techniques or bypasses.

Additional Tips:

    Educate your users: Communicate the policy on VPN usage and the consequences of circumventing security measures. Encourage users to use authorized VPNs if necessary for business purposes.
    Consider user needs: If certain business functions require VPN access, create exceptions or dedicated secure access for authorized users.
    Seek expert help: If you're facing significant challenges, consider consulting Sangfor support or a network security specialist for advanced configuration and monitoring strategies.
Adam Suhail Lv1Posted 23 Jan 2024 11:28
  
I think you need to do decryption for the policy to work.

Hope this helps.
