Unable to block Hotspot Shield and Betternet VPN

Hi guys,

I have been trying to block the Hotspot Shield and Betternet VPN. I have included them in the Applications Filter.

I created a support ticket with Sophos and we were able to block the said applications by decrypting HTTPS using web proxy. It is also blocking other applications like Facebook, Instagram, etc. I can't deploy CA certificates on the end devices for HTTPS decryption. 

The client is able to download the applications and use them. The firewall isn't blocking the Hotspot Shield and Betternet VPN traffic.

I am looking for a way to block those applications using DPI/Applications Filter. These apps use TCP port 443.

I am using an XGS 136.



Edited TAGs
[edited by: emmosophos at 12:32 AM (GMT -7) on 23 Jun 2022]

  • Hi Vineeth Penugonda

    Please check by creating the DNS service-based firewall rule as shown below, create a separate application filter policy to block high-risk applications as per the link, and apply it on the same DNS service-based firewall rule.

    Please try the below steps too in case the application is still not getting blocked:

    CLI settings

    1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
    2. Verify the current configuration by issuing the following commands.
      show advanced-firewall
      show ips-settings
    3. Issue the following commands for the recommended settings.
      set advanced-firewall midstream-connection-pickup off
      set ips maxsesbytes-settings update 0
      set ips maxpkts 80
      set ips packet-streaming on

    GUI settings

    Application filter policy settings

    Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In case of CROS, Micro App should be enabled in the application filter policy.

    • DNS Multiple QNAME
    • OpenVPN
    • QUIC
    • DNSCrypt

    Firewall rule settings

    The same application filter policy (as configured above) must be applied to the DNS firewall rule as well, if there is any.

    For Psiphon Proxy

    1. HTTPS scanning needs to be enabled in the firewall rule.
    2. A web filter policy with the below categories denied must be applied to the firewall rule:
      1. IPAddress
      2. None
      3. Parked Domains
      4. Spam URLs (Available only in XG)
      5. Anonymizers
      6. Spyware & Malware
    3. Please go to PROTECT > Web > General Settings and, under HTTPS decryption and scanning, tick Block Invalid Certificates and Block unrecognized SSL protocols.
    4. Allow only HTTPS, HTTP, DNS, ICMP, SMTP, etc. services (essential services) on LAN→WAN if Psiphon is still connected even after following the above 3 steps.

    Thanks and Regards

  • Hi Bharat,

    I tested with all the settings you provided. I am able to block "Hotspot Shield" by blocking "www.hsselite.com" and blocking "Risk 4 and Risk 5 apps" in the applications filter. 

    Interestingly, the Applications Filter detects Hotspot Shield as "Facebook Website". (Attached Screenshot).

    Sometimes, Psiphon Proxy is detected by the Applications Filter and blocks it. Users are still able to use "Psiphon Proxy" and "Betternet VPN".



    Enlarged the screenshot
    [edited by: Vineeth Penugonda at 5:42 PM (GMT -7) on 23 Jun 2022]