
Unable to block Hotspot Shield and Betternet VPN

Hi guys,

I have been trying to block the hotspot shield and Betternet VPN. I have included them in the Applications Filter.

I created a support ticket with Sophos and we were able to block the said applications by decrypting HTTPS using web proxy. It is also blocking other applications like Facebook, Instagram, etc. I can't deploy CA certificates on the end devices for HTTPS decryption. 

The client is able to download the applications and use them. The firewall isn't blocking the hotspot shield and Betternet VPN traffic.

I am looking for a way to block those applications using DPI/Applications Filter. These apps use TCP, 443 port. 

I am using an XGS 136.



  • Hi Vineeth Penugonda,

    Please check by creating the DNS service-based firewall rule as shown below, then create a separate application filter policy to block high-risk applications as per the link and apply it on the same DNS service-based firewall rule.

    Please also try the steps below in case the application is still not getting blocked:

    CLI settings

    1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
    2. Verify the current configuration by issuing the following commands.
      show advanced-firewall
      show ips-settings
    3. Issue the following commands for the recommended settings.
      set advanced-firewall midstream-connection-pickup off
      set ips maxsesbytes-settings update 0
      set ips maxpkts 80
      set ips packet-streaming on

    GUI settings

    Application filter policy settings

    Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In the case of CROS, Micro App should be enabled in the application filter policy.

    • DNS Multiple QNAME
    • OpenVPN
    • QUIC
    • DNSCrypt

    Firewall rule settings

    The same application filter policy (as configured above) must be applied to DNS Firewall rule as well, if there is any.

    For Psiphon Proxy

    1. HTTPS scanning needs to be enabled in the firewall rule.
    2. A web filter policy with the categories below denied must be applied to the firewall rule:
      1. IPAddress
      2. None
      3. Parked Domains
      4. Spam URLs (Available only in XG)
      5. Anonymizers
      6. Spyware & Malware
    3. Go to PROTECT > Web > General Settings and, under HTTPS decryption and scanning, tick Block invalid certificates and Block unrecognized SSL protocols.
    4. If Psiphon still connects even after following the above 3 steps, allow only essential services (HTTPS, HTTP, DNS, ICMP, SMTP, etc.) on LAN→WAN.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I am able to block "Psiphon proxy" on android by blocking "ecxysudbqm.com", IP Address category, and enabling the Psiphon Proxy in the application filter.
    Other VPNs are getting blocked except the "Betternet VPN". Betternet VPN is able to connect using the 443 port.
  • So, in summary, the classification is not complete; there is more to this VPN than Sophos appears to have tested.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yeah. Is there any way we can reach out to the team which works on detecting app IDs and updating the signatures? I would like to report that Hotspot Shield is being misclassified as "Facebook Website" and Betternet VPN is able to bypass the firewall even if it is added to the applications filter.

  • I did a packet capture of Betternet VPN. It is disguising itself as WhatsApp/Twitter/Facebook. This explains why Hotspot Shield was being detected as Facebook Website by the firewall. I have seen references to Hotspot Shield (Anchorfree) inside Betternet VPN's application folder.

  • Hi,

    Thank you for the update. Do you have a business licence? If so, you can raise a support case and include your data capture.

    ian

  • Hi,

    Sure. I will create a support case and share the data capture with the Sophos team. 

  • Hi,

    I had a remote session with Sophos and we were able to block Hotspot Shield and Betternet VPN.

    (A) To block Hotspot Shield and Betternet VPN,

    (1) Follow Bharat's steps (Link).

    (2) To block Hotspot Shield and Betternet VPN, we have to block invalid certificates (which are usually used by such proxy applications). To do that, follow the steps below.

    (i) In SFOS UI -> Rules and Policies -> SSL/TLS Inspection Rules -> Create a rule with Action "Don't Decrypt" and Profile as "Block Insecure SSL".

    (ii) Disable the default rule "Exclusions by website".

    (B) To block Psiphon on iOS,

    (1) Block Psiphon Proxy in the application filter.

    (2) Block akamai.net, b-cdn.net, and fastly keyword.

  • Hi,

    Thank you for the follow-up report. I only had to make one change, and that was to block unrecognised SSL protocols.

    Ian

  • Did you create the tls/ssl inspection rule with the "Block Insecure SSL" profile? Are you using HTTPS decryption on your network?

  • Hi,

    I am using HTTPS decryption on my network on devices I can install the CA on; otherwise they are on separate networks. I didn't change any of the SSL/TLS settings I have in place.

    Ian

  • Okay. I don't use HTTPS decryption on my network so I had to find a way to block the apps without it.
