Identifying VPN based filter avoidance.
Scott Noakes

Jul 13, 2017, 12:37:13 AM
to Techies for schools

For schools supporting BYOD this may be of interest. We've seen a steadily growing number of students using VPNs to bypass school filtering. In a large student high school we found 15% of students were using VPNs like Hotspot Shield and Ultrasurf to gain unrestricted internet access. If you're interested in learning more about VPN use and identification Linewize has published a technical guide on this: http://www.linewize.com/identification-of-vpn-based-filter-avoidance

ictdi...@kowhai.school.nz

Jul 13, 2017, 6:02:15 PM
to Techies for schools
Great info thanks.

Blake Richardson

Jul 17, 2017, 10:00:11 PM
to Techies for schools
Seems like advertising for likewise if you ask me.......

Scott Noakes

Jul 18, 2017, 6:59:40 PM
to Techies for schools
Hi Blake,

Thanks for your response. We view this growing use of VPNs as an issue that schools need to be aware of, and yes we can help with solving it should they want to address this issue. If awareness is advertising then guilty as charged!

For us this is all about providing schools with transparency over how their network is being used and surfacing the data so that inappropriate student use can be addressed through conversation and education.

I would suggest that you download Hotspot Shield and try it against your 60k of Sonicwall SuperMassive 9200 mentioned in a previous post. I'd wager that Hotspot Shield will get straight through, no problems.

Here's the link: 


Also here's the link to their help forum on the topic, 28 views and 0 people finding it useful:


If it magically blocks Hotspot Shield then you should let them know. :)

Cheers Scott.


Paul Batchelor

Jul 18, 2017, 9:50:21 PM
to techies-f...@googlegroups.com
Hi,

This may be useful ( or not ? ) :


Latest AW+ OS 5.7.1

 

Topology:

 

Client PC/web browser-----private zone/LAN-----AW+ Firewall_router-----public zone/internet-----server

 

When a client web browser connects to a secure web server using HTTPs (TLS/SSL encrypted VPN), during the initial negotiation of the secure/encrypted link (during what's known as the TLS handshaking phase), client web browsers advertise (in unencrypted clear text) to the secure web server the domain to which they wish to connect; that clear-text information is supplied and contained within the 'SNI' field during secure TLS handshaking.

 

The SNI information is used by the secure web servers (which typically host multiple secure web sites for multiple domains) to select and offer to the client web browser the appropriate certificate, and allow the negotiation of the encrypted link, and HTTPs access to the encrypted web site to proceed.

 

https://en.wikipedia.org/wiki/Server_Name_Indication

 

Allied Telesis OS AW+ 547-1, the AR-Series Firewalls http://www.alliedtelesis.com/products/security-appliances

now support the ability to configure either URL filtering, or web control, and are able to automatically filter (block access) for client web browsers connecting to secure websites via HTTPs.

This is done by filtering based on the domain information in the SNI field.

That means you could define filters to control access from client web browsers that attempt to access secure web sites via HTTPs, based on the domain they are trying to access.

 

The AW+ OS version 547-1 software release notes will document that new capability, with associated updates to the URL filtering, and web control Feature Overview guides.


Cheers 



Paul



 

Scott Noakes

Jul 18, 2017, 10:22:58 PM
to Techies for schools
Hi Paul, thanks for forwarding the info. Here's an interesting article going over the mechanics of what Hotspot Shield are doing:


https://www.opendium.com/node/87


Worth noting that Hotspot Shield are deliberately using domains that default firewall filtering criteria normally exclude from SSL inspection (such as update.microsoft.com, windowsupdate.microsoft.com, mozilla.org etc).

Andrew Godfrey

Jul 18, 2017, 10:47:57 PM
to techies-f...@googlegroups.com
When the application initiates a connection, we see the following traffic:
The client makes a DNS lookup for a fairly innocuous looking domain, such as easternarmenia.us. This produces the IP address of one of the Hotspot Shield servers for the client to connect to.

This would require allowing BYOD devices direct DNS lookup access to the internet rather than an on-site forwarder, wouldn't it?

 


Andrew Godfrey  |  Network Manager




Paul Batchelor

Jul 19, 2017, 12:37:14 AM
to techies-f...@googlegroups.com
Andrew,

Tks – here is a reply:

* When the application initiates a connection, we see the following traffic:


The client makes a DNS lookup for a fairly innocuous looking domain, such as easternarmenia.us. This produces the IP address of one of the Hotspot Shield servers for the client to connect to.

 

This would require allowing BYOD devices direct DNS lookup access to the internet rather than an on-site forwarder, wouldn't it?

 

ATNZ : Sure, if you want users to perform DNS lookups, you could use a local DNS server, or a DNS server located on the internet, or alternatively you could configure your router or switch DHCP server to tell clients their DNS server address is the gateway router LAN IP.

(Many home routers do this, with the router performing the DNS lookup and storing resolved IPs within the router's DNS cache.)

Basically the SNI filtering operates completely independently of this DNS caching/DNS proxy behaviour, and we have found DNS lookup filtering to be less secure/more easily bypassed, compared to SNI based filtering.


Cheers 


Paul

 






