How to block vpn client programs

Niraj Subedi

Honorable
Sep 14, 2014
I have MikroTik RouterOS v5.11. I have blocked Facebook through the router, but my employers are accessing the blocked websites through VPN client programs like HotSpot Shield. How do I block the VPN client programs permanently through this router?
 
Solution
First you need to not allow the VPN protocols (this is not a port number) used by IPsec and PPTP. Many times it is as simple as turning off the VPN passthrough feature. You also want to block some of the common ports used, like UDP 500.

Many VPNs try to use HTTP or HTTPS. So the first thing is to block UDP to ports 80 and 443. This will force the clients to use TCP, which does not perform as well.

Now most of the VPN sites use OpenVPN. They try to make it seem it runs on HTTPS, but it really does not; it just uses port 443. Because it is not really running HTTPS, many firewalls can now detect OpenVPN by the invalid way it sets up the HTTPS session and block it.

What you are now left with are true HTTPS VPNs. There are not a lot of these, mostly because the ones that work well are commercial appliance devices from Cisco and Juniper that charge a fee based on the number of clients. The VPN service providers do not want to pay, and the free versions of HTTPS servers tend to be resource hogs.

The other thing is that VPN sessions tend to look different than normal traffic. It is not common to see large amounts of traffic going over an HTTPS session that is open for a long time. What we do is look at HTTPS sessions that are open for long times with a lot of data and see what they are connecting to. It tends to be pretty obvious when the IP they are talking to maps back to a VPN provider.

Now, if you really want to take the extreme approach, it is possible to set up a man-in-the-middle attack in your network by setting up your own certificate server. This allows you to intercept the HTTPS stream and inspect what is running inside. This option is only valid in companies, and you generally have to have disclaimers that PCs are to be used for business purposes only, which then means nobody should have a valid claim to privacy issues.
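As an added example (not part of either answer and not from MikroTik), here is how the protocol and port blocks described above, plus the "long, heavy HTTPS session" check, could be written as RouterOS firewall rules on the questioner's router. It assumes LAN-to-Internet traffic passes through the forward chain, that these rules sit above any broad accept rule there, and that the L2TP port, the 200 MB threshold and the list name are placeholders to adjust.

```routeros
# Added example: RouterOS firewall rules for the blocks described in the answer.
# Assumes LAN -> Internet traffic traverses the "forward" chain and that these
# rules are placed above any general "accept" rule in that chain.
/ip firewall filter

# 1. IP protocols used by PPTP and IPsec (protocol numbers, not ports)
add chain=forward protocol=gre action=drop comment="PPTP data channel (GRE, protocol 47)"
add chain=forward protocol=ipsec-esp action=drop comment="IPsec ESP (protocol 50)"
add chain=forward protocol=ipsec-ah action=drop comment="IPsec AH (protocol 51)"

# 2. Control and key-exchange ports for the same tunnels
add chain=forward protocol=tcp dst-port=1723 action=drop comment="PPTP control channel"
add chain=forward protocol=udp dst-port=500,4500 action=drop comment="IKE and IPsec NAT-T"
add chain=forward protocol=udp dst-port=1701 action=drop comment="L2TP (assumed addition; usually paired with IPsec)"

# 3. UDP on the web ports, so VPN clients are forced onto TCP
add chain=forward protocol=udp dst-port=80,443 action=drop comment="No UDP on HTTP/HTTPS ports"

# 4. Detection, not blocking: once a TCP/443 connection has carried more than
#    200 MB (placeholder threshold), record its destination in a dynamic
#    address list for a day. The rule only records; the packet continues
#    through the remaining rules. Review the list and check whether the
#    addresses map back to VPN providers before deciding to block them.
add chain=forward protocol=tcp dst-port=443 connection-bytes=200000000-0 action=add-dst-to-address-list address-list=suspect-https address-list-timeout=1d comment="Candidate long-lived HTTPS sessions"

# Review the collected destinations with:
#   /ip firewall address-list print where list=suspect-https
```

The connection-bytes matcher relies on connection tracking, which is already active on a router doing NAT; turning off the VPN passthrough feature the answer mentions is a separate setting and is not covered by these rules.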
 
Solution
Write this, and have them sign it:

I understand that accessing Facebook at work is prohibited. I understand that the Company may monitor any and all traffic across the network. Using any means to circumvent this block may result in my employment being terminated.

Signed, The Employee
-------------------------------------------

(Consult your legal dept first)