
Unable to block Hoxx VPN

Hi guys,

I am unable to block the Hoxx VPN extension on firefox. I followed the Application filter recommended settings for better application detection (https://soph.so/WtpQzU). The application uses port 80/443 for VPN servers. Sophos XGS is unable to block the VPN.

Web Filter:




  • Hi,

    You are not using DPI in the rule you have shown above, as I explained. You will need to deploy CAs to enable scanning. You don't have decrypt enabled on your SSL/TLS rule, so you can't see the applications inside the encrypted packets.

    What are the external IP addresses you are using on your internal network and where are they assigned from?

    Ian

    XG115W - v19.5 GA - Home

    Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Regarding external IP Addresses, I have a /24 which I am announcing using BGP and using them in my network. They are assigned by my router which has the DHCP server. 

    Regarding application blocking, I meant applications filter which uses IPS app signatures for "Non-SSL/TLS traffic on port 443" and "VPN Over 443" should be blocking the traffic.

  • A few months ago, I had a client who tried to access VPN over TCP/443 once using OpenVPN. IPS was able to detect it and block it. Not sure what happened after I upgraded it to the latest version of the firmware. It never worked after that. 

  • You need a combination of IPS and application policies at the very minimum and maybe web policies. IPS alone will identify the application/web traffic but will not block it; that is a function of the application and web policies.

    ian


  • IPS is unable to detect it. Earlier, OpenVPN wasn't detected when running it on TCP/80, and TCP/443 but after a signature update IPS started detecting it. I think the app signature is broken and needs to be fixed for "Non-SSL/TLS traffic on port 443" and "VPN Over 443".

  • IPS will not be able to detect it unless it can look inside the encrypted packets, because the encryption starts on your client PC and the data within the packet is opaque to the XG unless you install a CA, which will allow the XG to examine the packet contents. All IPS will see is a source and destination connection using 443.

    Ian

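To make Ian's point concrete, here is an added Python example (not from this thread and not Sophos code) showing what an in-path inspector can and cannot learn from a port-443 flow without terminating TLS: it parses a constructed ClientHello for its SNI hostname and flags payloads that are not TLS at all, which is roughly what a "Non-SSL/TLS traffic on port 443" style signature keys on. The hostname and the `build_client_hello` helper are assumptions used only to build sample input; everything after the handshake is ciphertext, so the application inside the tunnel stays invisible unless decryption with a deployed CA is enabled.

```python
import struct

def parse_sni(record: bytes):
    """SNI hostname from a raw TLS ClientHello record, or None if absent/malformed.
    Only the cleartext handshake is readable in-path; the tunnelled payload is not."""
    if len(record) < 5 or record[0] != 0x16:              # 0x16 = TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                      # 0x01 = ClientHello
        return None
    pos = 4 + 2 + 32                                      # skip hs header, version, random
    try:
        pos += 1 + hs[pos]                                # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
        pos += 1 + hs[pos]                                # compression methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                             # server_name extension
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        pass                                              # truncated or malformed hello
    return None

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI (sample input only)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                 # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def classify_port443(payload: bytes) -> str:
    """What an inspector that does not terminate TLS can say about a port-443 flow."""
    sni = parse_sni(payload)
    if sni:
        return f"tls sni={sni}"
    return "tls (no sni)" if payload[:1] == b"\x16" else "non-tls on 443"
```

The SNI (where a client sends one) and the protocol type are the only application-level hints available before decryption, which is why the thread's advice is to combine a decrypting SSL/TLS rule with application and web policies rather than rely on IPS alone.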

  • I have done limited investigation of the VPN: the free version is not very secure, the paid version is more secure. All usage is logged.

    A suggestion would be to block their servers; there are 50.

    ian.


  • I downloaded packet capture software on my Mac and I am trying to check if IPS signatures can be created for it. The problem with blocking servers is that the IPs can change anytime. But it is a good temporary solution.

  • Depends on which review you read whether it has 50 or 247 servers. Very insecure package and offers no privacy.

    ian


  • It's like most of the other VPNs in the market but it uses Squid Proxy I think. Still investigating the traffic.