
Unable to block Hoxx VPN

Hi guys,

I am unable to block the Hoxx VPN extension on Firefox. I followed the Application filter recommended settings for better application detection (https://soph.so/WtpQzU). The application uses port 80/443 for VPN servers. Sophos XGS is unable to block the VPN.

Web Filter:

  • Hi Vineeth,

    Can you check the IPS signature version?

    "The resolution has been included in app signature version x.15.63"

    Also, can you do a test FW rule on top, allowing HTTP, HTTPS, SMTP, ICMP, then turn on the "Scan HTTP" option and put the application filter in place.

    Then try to connect the VPN again.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    Which firewall rule is it using?

    Do you have HTTPS scanning enabled with decryption and the CA installed on the end device? Do you limit the ports on the firewall rule?

    Ian

    XG115W - v19.5 GA - Home

    Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Erick,

    The application signature version is 18.19.54

    I added a test FW rule on top. Hoxx VPN is still working. 

  • Hi rfcat_vk,

    Yes, I have HTTPS scanning enabled. I can't install CA on end devices. I have a decryption rule for TLS/SSL inspection to block invalid certificates to block Hotspot Shield and Betternet VPN.

  • Hi, what are your public IPs? Also the firewall rules use the web proxy by the ticking of the scan boxes. At this stage SSL/TLS does not scan UDP traffic, so what type of traffic is shown for the VPNs?

    Ian

    XG115W - v19.5 GA - Home

    Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The VPN is using TCP/80, and TCP/443. I think at this point DPI should be blocking the traffic. I enabled "Non-SSL/TLS traffic on port 443" and "VPN Over 443" blocking in the applications filter. Hoxx VPN is somehow able to evade the detection.

  • Hi,

    You are not using DPI in the rule you have shown above, as I explained. You will need to deploy CAs to enable scanning. You don't have decrypt enabled on your SSL/TLS rule, so you can't see the applications inside the encrypted packets.

    What are the external IP addresses you are using on your internal network and where are they assigned from?

    Ian

    XG115W - v19.5 GA - Home

    Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Regarding external IP Addresses, I have a /24 which I am announcing using BGP and using them in my network. They are assigned by my router which has the DHCP server. 

    Regarding application blocking, I meant the application filter, which uses IPS app signatures for "Non-SSL/TLS traffic on port 443" and "VPN Over 443", should be blocking the traffic.

  • A few months ago, I had a client who tried to access VPN over TCP/443 once using OpenVPN. IPS was able to detect it and block it. Not sure what happened after I upgraded it to the latest version of the firmware. It never worked after that. 

  • You need a combination of IPS and application policies at the very minimum, and maybe web policies. IPS alone will identify the application/web traffic but will not block it; that is a function of the application and web policies.

    Ian

    XG115W - v19.5 GA - Home

    Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA

    If a post solves your question please use the 'Verify Answer' button.
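To illustrate the two points made in this thread (that a "Non-SSL/TLS traffic on port 443" signature can only flag payloads that are not real TLS, and that a VPN wrapped in genuine TLS cannot be identified without decryption and a deployed CA), here is an added Python example that is not from this thread or from Sophos. It classifies the first client bytes of a TCP/443 connection; the sample payloads are constructed, and a TLS-wrapped VPN looks identical to a browser at this layer.

```python
# Added example (not from the thread or from Sophos): a minimal classifier that
# mimics what a "Non-SSL/TLS traffic on port 443" check can and cannot see.
# It looks only at the first bytes a client sends on TCP/443 and answers:
#   "tls"     -> looks like a TLS ClientHello (record type 0x16, version 0x03xx,
#                handshake type 0x01); the payload is opaque without decryption
#   "non-tls" -> anything else on 443; this is what the signature can flag
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def classify_port443_payload(data: bytes) -> str:
    """Classify the first client bytes of a TCP/443 connection."""
    if len(data) < 6:
        return "non-tls"  # too short for a record header plus handshake type
    content_type, ver_major, ver_minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    if (content_type == TLS_HANDSHAKE and ver_major == 0x03 and ver_minor <= 0x04
            and handshake_type == CLIENT_HELLO and record_len >= 4):
        return "tls"
    return "non-tls"


def triage(flows: dict) -> dict:
    """Return {flow_name: verdict} for a batch of first-packet payloads."""
    return {name: classify_port443_payload(payload) for name, payload in flows.items()}


# Constructed sample flows (hand-built bytes, not real captures).
TLS12_CLIENT_HELLO = bytes.fromhex("160303 00a5 01 0000a1 0303") + b"\x00" * 32
SAMPLE_FLOWS = {
    # Genuine browser TLS 1.2 ClientHello header: opaque to the signature.
    "browser_https": TLS12_CLIENT_HELLO,
    # A VPN tunnelled inside real TLS starts exactly the same way, so the
    # classifier cannot tell it from the browser without decryption (Ian's point).
    "vpn_inside_real_tls": TLS12_CLIENT_HELLO,
    # OpenVPN-over-TCP framing: 2-byte length, then opcode byte 0x38
    # (P_CONTROL_HARD_RESET_CLIENT_V2 << 3); not a TLS record, so it is flaggable.
    "openvpn_tcp_443": bytes.fromhex("000e 38") + b"\x00" * 13,
    # Plain HTTP sent to port 443: also flaggable as non-TLS on 443.
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_FLOWS).items():
        print(f"{name:22s} -> {verdict}")
```

The two "tls" verdicts are the same from the classifier's point of view, which is why the thread's advice is to enable decrypt on the SSL/TLS inspection rule and deploy the CA rather than rely on the port-443 signature alone.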