Blocking Hotspot Shield VPN

Hi All,

Currently a sysadmin within a school. I am having some trouble at the moment blocking Hotspot Shield. I have tried a few options for blocking this but I am not having any luck. We currently have a Fortigate inline, and I attempted to use their signature to no avail. Is anyone aware of any products/services or appliances that can successfully stop Hotspot Shield in its tracks?

Have you actually searched for solutions, especially on the Fortinet forums? The first four results I got were literally for the same problem you have and were posted this year!

Try using this search term in Google: fortigate "Hotspot shield" site:forum.fortinet.com

Try posting in /r/k12sysadmin

Not a lot of folk here work in education, and not a lot of education admins around here know about that subreddit.

Make sure L2TP and PPTP are blocked as a signature based rule.

I’m intrigued to know how they’re getting the client installed… Maybe set up AppLocker and blacklist it? Even better, make a whitelist and stop all other executables.

Why are users able to even download or install the software? No AppLocker? Proxy rules? This sounds nightmarish.

Couldn’t you block them by name/IP? They can’t possibly have that many.

I’m sure you could at least detect when students go to these VPNs. If it were possible, you could enforce a policy where there’s actual consequences (e.g. their device is blocked for 15 minutes, or detention or something). That would only be possible if students can BYOD but need to register it first (so you know who is who). That or BYOD is allowed but requires an app install (to ensure some kind of control while onprem).

Have definitely done some searching, I have found this as well as a few others like this. Unfortunately even after using these I found that I was still able to get straight out using Hotspot Shield.

Have dropped a note over there as well. Seems to be something that no one has an answer to though, so I figured I'd ask in a couple of places.

Only seem to have trouble with Ultrasurf and Hotspot Shield. All other VPNs are pretty much blocked. They both go out on 443. Ultrasurf has randomly generated domains, and I've seen Hotspot Shield send packets with SNI parameters of legitimate sites such as PayPal.com, Adobe.com, even Facebook.com or cloudfront domains, even though the destination IP addresses have no relation to any of those services. It's pretty crazy seeing some of the stuff they do to get through.

Edit: Forgot to mention, we're a pretty heavy BYOD school, which of course means we have zero control over the devices.

School is heavy with BYOD as it’s government backed.

It is a nightmare haha. You’ve certainly got that right.

You would be very surprised; it seems to be a huge number of IPs it's using. I'm also seeing traffic going to "paypal.com" or "adobe.com" that is actually destined for a Hotspot Shield IP.

It’s a little difficult to tell whether a user is using a VPN or not when their traffic looks to be completely legitimate.
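The mismatch described in the posts above (an SNI of paypal.com or adobe.com on a flow whose destination IP belongs to none of those services) is itself a detectable signal. The following is an added example, not code from this thread or from Fortinet: a small Python check that compares the SNI in TLS flow logs against the address ranges each named service is expected to use. The log format, client addresses and expected ranges are all constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not real FortiGate output): time, client IP,
# destination IP:port, and the TLS SNI seen in the ClientHello.
SAMPLE_LOG = """\
2019-05-01T09:00:01 10.20.5.14 198.51.100.7:443 www.paypal.com
2019-05-01T09:00:02 10.20.5.14 198.51.100.9:443 www.adobe.com
2019-05-01T09:00:03 10.20.5.14 198.51.100.11:443 d1abc.cloudfront.net
2019-05-01T09:00:04 10.20.5.22 192.0.2.10:443 www.paypal.com
2019-05-01T09:00:05 10.20.5.31 203.0.113.5:443 www.paypal.com
"""

# Ranges each name is expected to resolve to. RFC 5737 placeholder ranges here;
# in practice fill them from your own DNS resolution and refresh them regularly.
EXPECTED_RANGES = {
    "www.paypal.com": ["192.0.2.0/24"],
    "www.adobe.com": ["192.0.2.0/24"],
    "cloudfront.net": ["203.0.113.0/24"],  # matches any *.cloudfront.net
}

LINE_RE = re.compile(r"^\S+ (\S+) (\S+):\d+ (\S+)$")

def expected_networks(sni):
    """Networks expected for an SNI, also checking parent domains."""
    labels = sni.split(".")
    for i in range(len(labels) - 1):
        nets = EXPECTED_RANGES.get(".".join(labels[i:]))
        if nets:
            return [ipaddress.ip_network(n) for n in nets]
    return None  # unknown name: nothing to compare against

def find_sni_mismatches(log_text):
    """(client, dst_ip, sni) for flows whose SNI names a known service but whose
    destination IP is outside that service's expected ranges."""
    hits = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        client, dst, sni = m.groups()
        nets = expected_networks(sni)
        if nets and not any(ipaddress.ip_address(dst) in n for n in nets):
            hits.append((client, dst, sni))
    return hits

def suspicious_clients(log_text, threshold=2):
    """Clients with at least `threshold` mismatches; the threshold keeps one
    stale CDN range from flagging a legitimate user."""
    counts = Counter(c for c, _, _ in find_sni_mismatches(log_text))
    return sorted(c for c, n in counts.items() if n >= threshold)
```

On the constructed sample, the client 10.20.5.14 is flagged for three mismatched flows while the single stale-looking hit from 10.20.5.31 stays below the threshold.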

Have you checked the logs and made sure that the policy/rule you are using is being applied correctly?

Maybe go caveman on it… Locate the IP addresses sending this traffic in the firewall logs. If it's PSK, find the associated MAC on your wireless controller; if it's LDAP / captive portal, find the user account, and blacklist it. When they come to support, point out that it's a breach of the network policy, and warn them that next time they'll be copying their coursework contents from an encyclopedia with a pen and paper, like we used to.