Hi guys,
I am unable to block the Hoxx VPN extension on Firefox. I followed the Application filter recommended settings for better application detection (https://soph.so/WtpQzU). The application uses port 80/443 for VPN servers. Sophos XGS is unable to block the VPN.
Web Filter:
Hi Vineeth,
Can you check the application rule? Based on the screenshot, the policy is allowed.
Erick Jan
Community Support Engineer | Sophos Technical Support
If a post solves your question use the 'Verify Answer' link.
Hi Erick,
It is already blocked in the applications filter. The VPN is using URLs (General Business category) for evading detection.
You need a combination of IPS and application policies at the very minimum, and maybe web policies. IPS alone will identify the application/web traffic but will not block it; that is a function of the application and web policies.
ian
XG115W - v19.5.1 mr-1 - Home
If a post solves your question please use the 'Verify Answer' button.
IPS is unable to detect it. Earlier, OpenVPN wasn't detected when running it on TCP/80 and TCP/443, but after a signature update IPS started detecting it. I think the app signature is broken and needs to be fixed for "Non-SSL/TLS traffic on port 443" and "VPN Over 443".
IPS will not be able to detect it unless it can look inside the encrypted packets, because the encryption starts on your client PC and the data within the packet is opaque to the XG unless you install a CA which will allow the XG to examine the packet contents. All IPS will see is a source and destination connection using 443.
Ian
I have done limited investigation of the VPN; the free version is not very secure, the paid version is more secure. All usage is logged.
A suggestion would be to block their servers; there are 50.
ian.
I downloaded packet capture software on my Mac and I am trying to check if IPS signatures can be created for it. The problem with blocking servers is that the IPs can change anytime. But it is a good temporary solution.
Depends on which review you read whether it has 50 or 247 servers. Very insecure package and offers no privacy.
It's like most of the other VPNs in the market but it uses Squid Proxy I think. Still investigating the traffic.
The extension uses Squid Proxy to bypass the firewall.
Hoxx VPN is not in the IPS signatures under squid, chrome or extensions. It is in applications under 'proxy and tunnels', whereas squid is not in the application list. My IPS pattern version is 18.19.54.
I don't use Chrome and my IPS is currently broken, so I can't test my firewall rules to see if it is blocked.
Hoxx VPN is available in Firefox as well. I have submitted a request for Squid Proxy IPS signature.
IPS is unable to block Hoxx VPN though. Already tested.
I don't rely on IPS; I have both web and application policies that block all the stuff I want to block: VPNs and tunnels, along with sites I consider annoying and of no value.
Sorry, I meant application control. Application control is unable to block Hoxx VPN. Application control uses Snort IPS OpenAppID to block applications.
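
Added example, not part of the thread and not Sophos signature logic: a first-payload heuristic of the kind a "Non-SSL/TLS traffic on port 443" check implies, run over constructed sample bytes. It assumes the first client payload of each flow has already been extracted from a capture; `classify_first_payload` and `flows_to_review` are hypothetical names.

```python
import struct

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"}

def classify_first_payload(data: bytes) -> str:
    """Classify the first client-to-server TCP payload seen on port 443."""
    # TLS record header: type(1) version(2) length(2). A handshake record is
    # type 0x16, major version 0x03, and a ClientHello has handshake type 0x01.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        rec_len = struct.unpack("!H", data[3:5])[0]
        if 0 < rec_len <= 16384 and data[5] == 0x01:
            return "tls-client-hello"
    # Plaintext HTTP request line, including CONNECT used for proxy tunnels.
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "plaintext-http"
    # OpenVPN over TCP: 2-byte length prefix, then a byte whose upper 5 bits
    # are the opcode; 7 is P_CONTROL_HARD_RESET_CLIENT_V2 (first client packet).
    if len(data) >= 3:
        pkt_len = struct.unpack("!H", data[:2])[0]
        if pkt_len == len(data) - 2 and data[2] >> 3 == 7:
            return "openvpn-tcp"
    return "unknown-non-tls"

def flows_to_review(flows: dict) -> list:
    """Return the names of flows whose first payload is not a TLS ClientHello."""
    return sorted(n for n, p in flows.items()
                  if classify_first_payload(p) != "tls-client-hello")

# Constructed sample payloads (not taken from a real capture).
_openvpn_body = bytes([0x38]) + bytes(range(1, 9)) + b"\x00" + b"\x00\x00\x00\x00"
SAMPLES = {
    "browser": bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00]),
    "http-connect": b"CONNECT proxy.example:443 HTTP/1.1\r\nHost: proxy.example:443\r\n\r\n",
    "openvpn": struct.pack("!H", len(_openvpn_body)) + _openvpn_body,
    "socks5": b"\x05\x01\x00",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:13s} {classify_first_payload(payload)}")
```

A proxy reached inside a genuine TLS session classifies as `tls-client-hello` here, which is why the thread turns to decryption with an installed CA for anything beyond this first-bytes check.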