Do you have a defence against VPN applications with Sophos UTM?

Hello icbbne,

Thank you for contacting the Sophos Community!

Could you please share your Case ID so I can check what things the engineer recommended.

Do you have Application Control enabled in the UTM? (Web Protection >> Application Control) You should enable this as this allows the UTM to do packet inspection.

Additionally to this in Web Filter, you can block this type of apps/categories called "Anonymizers".

Regards,

Hi,

Thanks for your post. I am happy to give you the case ID however please do not reopen the case as every each email response takes days or even week. I noticed agents are so reluctant to escalate the cases when they are not able to solve or understand.

9926337

Kind regards

Hi,

if a client encrypt traffic via a VPN (or VPN-like tunnels) you don't have any change on any firewall to inspect that traffic.

This is a management issue - there needs to be a clear, written rule that such "cheating" is not permitted and what the consequences will be.

Agreed with Emmanuel that you should block 'Anonymizers' in Web Filtering.  If you aren't decrypting HTTPS there, you will want to do that, too.  Again, as he recommended, you can block "VPN and tunneling" traffic using Application Control.

You can always create Exceptions to these blocks for individuals with specific, job-related requirements.

Cheers - Bob

Hello icbbne,

So I checked the ticket, and I see one of the engineers referenced a note left by an escalation engineer in the case to troubleshoot, however the case was closed as per your request before the new engineer took over the case. 

I didn't find this to be a known issue in our database, I see in 9.6 this was happening but the signatures were updated, if the issue is happening for you we need to capture the traffic that isn't detected. 

However a senior engineer, mentioned your best bet is to reverse your rule to only allow what you need out of your organization, avoid any rule to allow everything outbound (Service = Any), also this proxy uses the DNS port as well, so blocking DNS and only allowing DNS to known DNS servers in your company is a good practice, or let the UTM do the DNS.

Regards,

In addidition to what others already wrote, this may be helpfull to you.

Most vpn clients which makes connection over 443 (https) do not like ssl interception. So using webproxy in transparant mode with ssl interception should block most of it.

For those using openvpn you can kill outbound udp/tcp 1194

Secondly, block webtraffic by creating firewall rules towards any:80 and any:443. In other words: do not permit any webtraffic besides what is done over the proxy. When you create your outbound blockrules, block also all other, not needed ports. (to prevent massive interuption in production networks I use allow and blockrules above the (often) existing any:any rule (so bad, but I see it often existing!) and switch on logging on all the created rules, as well to the any:any rule.

With following the firewall log (or syslog receiver) you can tweak the restrictions nicely.

After tweaking, I switch often most logging of, unless there is a syslog receiver available and extensive logging is required for compliancy.

Regards,

Arno

Hi,

Thanks for checking the case. If you pay close attention to case date time stamps you can see a situation and embarrassing workflow along with the canned responses like previous remote sessions never happened! Since I opened the case canned emails a week later advising me to give a call or sme insignificant question which was answered during remote session already and agent was collected data to analyze. Right after I receive the email I respond immediately and a week later another canned email says the same like I talk and write to a wall. Support engineer requested a week remote access by saying he will work on the case but a week later same canned email like previous remote session never happened. I give a call and everything start over again from the square one. I believe this enlights the reason for my request to close the case because it was going no where. Case was opened on 03 June 2020 and I had to ask to close on 15 August 2020. Now does it make sense?

Sophos used to have great support in the past and it was pleasure to work with every single engineer however since the beginning of 2020 it's falling a part, sorry but this is the fact. Not sure if I should blame 2020 for this too or not. I accomodated incompetency/carelessness of some so called engineers long time to respect their survival for bread and always left full score for all but we have to run business too! Not only this case, I have a few cases more that I had to give up eventually due to very similar approach to the cases. Since 6 years we are using this product and started looking for an alternative. I am happy to discuss these in detail if someone prefers to call as my first and last complaint has not been answered a few months ago.

For other responses:

Thanks gentlemen. FYI below.

• Yes Application Control is active and quite strict
• Yes Web Filtering active and VPN, Anonymisers are not allowed for all users

I wonder if anyone tested their own network with the XVPN to see if UTM able to block or not?

Kind regards

icbbne said:

I wonder if anyone tested their own network with the XVPN to see if UTM able to block or not?

I'll be honest, no not so far. I'm willing to as soon as I have some time and a test machine available. (I keep my working machine clean)

And from what I read, this XVPN makes it into their sport to be undetected. If I have any feedback on this, I'll come back to this list.

The issues with support: Well, with all respect, but count your blessings. I guess you are still in a good geographical region. From what I've heard, they (Sophos) is working hard to get the support back to the levels it should. But in the meantime I can't stand the commercials in the (Indian ) waiting queue anymore.

Regards,

Arno

I look forward to see the test results. I deeply hoping it's all about my config so I will have a chance to fix it.

If it's not config but a lack of proper definitions, I may have shorter lines to get things done. 

Please don't see this as a promise other then my best effort.