This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Do you have a defence against VPN applications with Sophos UTM?

Since Sophos support couldn't help me with this case I decided to ask the community what is their solution. If I am missing something please let me know so I can correct my UTM accordingly.

 

Here are the details of the test, please compare with your own system and check if you are able to prevent a user/s who using a VPN application going restricted websites and other stuff.

  1. SSL Inspection operational on UTM- You have installed the certificate on the client machine (actually doesn't matter at all)
  2. Client installs a VPN app such as XVPN (do not turn on XVPN yet!) https://xvpn.io/
  3. Try to access a restricted website and ensure you are blocked!
  4. Turn on XVPN and try to access the restricted website again to see the result

 

Our findings are;

  • We absolutely have no control on a traffic if VPN applications in use by any client (with SSL certificate or without)
  • Clients even able to bypass the UTM with Chrome extensions (we removed extensions via GPO on domain joined workstations eventually as a workaround)


This thread was automatically locked due to age.
Parents
  • Hello icbbne,

    Thank you for contacting the Sophos Community!

    Could you please share your Case ID so I can check what things the engineer recommended.

    Do you have Application Control enabled in the UTM? (Web Protection >> Application Control) You should enable this as this allows the UTM to do packet inspection.

    Additionally to this in Web Filter, you can block this type of apps/categories called "Anonymizers".

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi,

    Thanks for your post. I am happy to give you the case ID however please do not reopen the case as every each email response takes days or even week. I noticed agents are so reluctant to escalate the cases when they are not able to solve or understand.

    9926337

    Kind regards

  • This is a management issue - there needs to be a clear, written rule that such "cheating" is not permitted and what the consequences will be.

    Agreed with Emmanuel that you should block 'Anonymizers' in Web Filtering.  If you aren't decrypting HTTPS there, you will want to do that, too.  Again, as he recommended, you can block "VPN and tunneling" traffic using Application Control.

    You can always create Exceptions to these blocks for individuals with specific, job-related requirements.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello icbbne,

    So I checked the ticket, and I see one of the engineers referenced a note left by an escalation engineer in the case to troubleshoot, however the case was closed as per your request before the new engineer took over the case. 

    I didn't find this to be a known issue in our database, I see in 9.6 this was happening but the signatures were updated, if the issue is happening for you we need to capture the traffic that isn't detected. 

    However a senior engineer, mentioned your best bet is to reverse your rule to only allow what you need out of your organization, avoid any rule to allow everything outbound (Service = Any), also this proxy uses the DNS port as well, so blocking DNS and only allowing DNS to known DNS servers in your company is a good practice, or let the UTM do the DNS.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi,

    Thanks for checking the case. If you pay close attention to case date time stamps you can see a situation and embarrassing workflow along with the canned responses like previous remote sessions never happened! Since I opened the case canned emails a week later advising me to give a call or sme insignificant question which was answered during remote session already and agent was collected data to analyze. Right after I receive the email I respond immediately and a week later another canned email says the same like I talk and write to a wall. Support engineer requested a week remote access by saying he will work on the case but a week later same canned email like previous remote session never happened. I give a call and everything start over again from the square one. I believe this enlights the reason for my request to close the case because it was going no where. Case was opened on 03 June 2020 and I had to ask to close on 15 August 2020. Now does it make sense?

    Sophos used to have great support in the past and it was pleasure to work with every single engineer however since the beginning of 2020 it's falling a part, sorry but this is the fact. Not sure if I should blame 2020 for this too or not. I accomodated incompetency/carelessness of some so called engineers long time to respect their survival for bread and always left full score for all but we have to run business too! Not only this case, I have a few cases more that I had to give up eventually due to very similar approach to the cases. Since 6 years we are using this product and started looking for an alternative. I am happy to discuss these in detail if someone prefers to call as my first and last complaint has not been answered a few months ago.

     

    For other responses:

    Thanks gentlemen. FYI below.

    • Yes Application Control is active and quite strict
    • Yes Web Filtering active and VPN, Anonymisers are not allowed for all users

    I wonder if anyone tested their own network with the XVPN to see if UTM able to block or not?

     

    Kind regards

Reply
  • Hi,

    Thanks for checking the case. If you pay close attention to case date time stamps you can see a situation and embarrassing workflow along with the canned responses like previous remote sessions never happened! Since I opened the case canned emails a week later advising me to give a call or sme insignificant question which was answered during remote session already and agent was collected data to analyze. Right after I receive the email I respond immediately and a week later another canned email says the same like I talk and write to a wall. Support engineer requested a week remote access by saying he will work on the case but a week later same canned email like previous remote session never happened. I give a call and everything start over again from the square one. I believe this enlights the reason for my request to close the case because it was going no where. Case was opened on 03 June 2020 and I had to ask to close on 15 August 2020. Now does it make sense?

    Sophos used to have great support in the past and it was pleasure to work with every single engineer however since the beginning of 2020 it's falling a part, sorry but this is the fact. Not sure if I should blame 2020 for this too or not. I accomodated incompetency/carelessness of some so called engineers long time to respect their survival for bread and always left full score for all but we have to run business too! Not only this case, I have a few cases more that I had to give up eventually due to very similar approach to the cases. Since 6 years we are using this product and started looking for an alternative. I am happy to discuss these in detail if someone prefers to call as my first and last complaint has not been answered a few months ago.

     

    For other responses:

    Thanks gentlemen. FYI below.

    • Yes Application Control is active and quite strict
    • Yes Web Filtering active and VPN, Anonymisers are not allowed for all users

    I wonder if anyone tested their own network with the XVPN to see if UTM able to block or not?

     

    Kind regards

Children