
How to block Squid Proxy using Application Control?

Hi guys,

How to block Squid Proxy using Application Control? A few applications like Hoxx VPN use Squid Proxy over port 80/443 to evade detection.

Regards



This thread was automatically locked due to age.
  • Hi,

    You create a policy blocking proxy and tunnels. There is a category already in the XG; you need to add it to your application policy, and it will need to be in every firewall rule that the users have access to.

    Ian

    XG115W - v20.0.3 MR-3 - on holiday

    XGS118 waiting for licence to be installed - v21 GA


  • Hello Vineeth,

    Greetings, thank you for contacting Sophos Community!

    You may refer to the below KBA:

    support.sophos.com/.../KB-000038258

    Mayur Makvana
    Technical Account Manager | Global Customer Experience


  • Hi,

    I added it in the application control. The user is still able to access the VPN. I cannot enable SSL/TLS decryption because the user bought his own device. I am able to block Psiphon, Hotspot Shield etc.

  • I did some packet inspection, and Hoxx VPN is connecting to some unknown addresses. It uses TLS v1.3. When I checked the address in Sophos, it showed up in the "Content Delivery" category.

  • "I cannot enable SSL/TLS decryption because the user bought his own device." Why not? You're already wanting to block their use of VPNs so it's not like you're not imposing some restrictions on them already. You can send them the CA certificate with instructions as to how to install it and then give them a couple of days before you turn on decryption. Their choice.

  • As soon as you go down the road of "I want to block something" it gets tricky if the device is not managed. The reason is, from a privacy standpoint, noble: TLS and HTTPS can be used to hide your movements and actions on the internet.

    Tools like Tor and other VPNs make their money by "working everywhere". Therefore their interest is to get through all sorts of firewalls. If you do not open the communication (decrypt TLS), you will not see the truth.


  • The guests can bring their own devices and connect to the wifi. So, TLS inspection cannot be done because it is not possible to add a CA certificate to their devices.

    I have configured all that was mentioned in the support articles. I am sure the application control team can take a look at creating or updating a signature for "Proxy over 443". 

  • You could try creating an FQDN group with hoxx.com and *.hoxx.com and then create a rule at the top of your rule list as a block to this FQDN group. I was unable to find a server list for the app. The security rating on hoxx.com is not great, so a DNS block might just work?

    You might also need to block browser extensions.

    Ian

    I downloaded the app to my MacBook; Apple blocked the installation as untrustworthy, though that can be bypassed, and then I tried the Firefox extension, but that would not install on my Firefox app.


  • The problem with Hoxx is that it uses some random URLs to connect. Submitted a request to Sophos using the "Application Control Submission".