We all know having a VPN is a great tool to protect the traffic we are transmitting.
In my environment we use Cisco AnyConnect for mobile clients only (laptops, phones). Lately I have been noticing that workstations have been using various VPN apps (Ultrasurf, SoftEther, Hola VPN, etc.).
I feel like it would be a good idea to block workstations from using VPNs, since they are inside the network and I need to be able to monitor what they are doing. Mobile clients should only be able to use the VPN when they are working outside our physical building.
Is my thought process rational? What do you guys think?
Those sorts of VPN services are a security risk. They can also be used to bypass other network-based protections or proxy filtering. I absolutely would block those VPN apps and other tunneling methods to the best of your enterprise's ability.
It's probably easier to route all traffic through an SSL-intercepting proxy. While some VPNs could still get through, at least you'll be able to single them out by examining non-standard traffic.
However, people could still use their mobiles as a hotspot, so that needs some group policy applied.
The main question however is: why? Why are you monitoring traffic? Are you concerned about malware, people exfiltrating data…?
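The two replies above (block tunneling methods; single out VPNs by looking for non-standard traffic) describe a detection step without showing it. The following is an added example, not code from anyone in this thread: a small heuristic scan over constructed flow records that flags default tunnel ports, long-lived bulk TLS sessions with no SNI (which an intercepting proxy cannot categorise), and bulk UDP to unexpected ports, while exempting an assumed corporate AnyConnect headend at 203.0.113.10. The log format, the thresholds and the addresses are all assumptions of the example.

```python
"""Heuristic detection of unsanctioned VPN / tunnel traffic in flow logs.

Added illustration for this thread; the record format, the sample lines,
the headend address and the thresholds are constructed for the example.
"""

# Assumed corporate AnyConnect headend (TEST-NET-3 address, constructed).
# AnyConnect's DTLS on udp/443 would otherwise trip the bulk-UDP rule below.
SANCTIONED_VPN_GATEWAYS = {"203.0.113.10"}

# Default ports of common tunnelling protocols (the example's own policy table).
TUNNEL_PORTS = {
    ("udp", 1194): "OpenVPN",
    ("tcp", 1194): "OpenVPN",
    ("udp", 51820): "WireGuard",
    ("udp", 500): "IKE",
    ("udp", 4500): "IPsec NAT-T",
    ("tcp", 1723): "PPTP",
}

# UDP ports a workstation normally talks to (DNS, NTP, QUIC/DTLS on 443).
EXPECTED_UDP_PORTS = {53, 123, 443}

BULK_BYTES = 10_000_000   # 10 MB outbound, assumed threshold
LONG_LIVED_S = 600        # 10 minutes, assumed threshold


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: ts src dst proto dport bytes_out duration sni."""
    ts, src, dst, proto, dport, bytes_out, dur, sni = line.split()
    return {
        "ts": int(ts), "src": src, "dst": dst, "proto": proto.lower(),
        "dport": int(dport), "bytes_out": int(bytes_out),
        "duration": float(dur), "sni": None if sni == "-" else sni,
    }


def tunnel_reasons(flow: dict) -> list:
    """Return the heuristics a flow trips; an empty list means it looks like normal traffic."""
    if flow["dst"] in SANCTIONED_VPN_GATEWAYS:
        return []  # the corporate VPN is allowed, whatever it looks like
    reasons = []
    proto_name = TUNNEL_PORTS.get((flow["proto"], flow["dport"]))
    if proto_name:
        reasons.append(f"default {proto_name} port")
    # A TLS session the proxy cannot name, kept open for a long time and moving
    # a lot of data, is what a VPN-over-443 tunnel looks like from the outside.
    if (flow["proto"] == "tcp" and flow["dport"] == 443 and flow["sni"] is None
            and flow["duration"] >= LONG_LIVED_S and flow["bytes_out"] >= BULK_BYTES):
        reasons.append("long-lived bulk TLS with no SNI")
    if (flow["proto"] == "udp" and flow["dport"] not in EXPECTED_UDP_PORTS
            and flow["bytes_out"] >= BULK_BYTES):
        reasons.append("bulk UDP to a non-standard port")
    return reasons


def scan(log_text: str) -> list:
    """Return (src, dst, reasons) for every flagged flow in a log, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = tunnel_reasons(flow)
        if reasons:
            findings.append((flow["src"], flow["dst"], tuple(reasons)))
    return findings


# Constructed records: ts src dst proto dport bytes_out duration sni
SAMPLE_LOG = """
# sanctioned AnyConnect headend over DTLS: allowed
1700000000 10.0.1.23 203.0.113.10 udp 443 120000000 3600 -
# WireGuard to an outside host
1700000010 10.0.1.45 198.51.100.7 udp 51820 80000000 5400 -
# ordinary short web session with SNI
1700000020 10.0.1.45 198.51.100.9 tcp 443 15000 2 www.example.com
# two-hour bulk TLS session the proxy cannot name
1700000030 10.0.1.77 192.0.2.33 tcp 443 90000000 7200 -
# OpenVPN default port, small volume
1700000040 10.0.1.77 192.0.2.34 udp 1194 4000000 900 -
# bulk UDP to an unusual port (custom tunnel)
1700000050 10.0.1.88 192.0.2.50 udp 8443 60000000 4000 -
"""

if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

The heuristics are deliberately conservative (a short TLS session without SNI is not flagged on its own); in practice you would tune the thresholds against your own proxy or firewall export and treat hits as leads for the EDR or the helpdesk rather than as automatic blocks.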
The main concern is wide device support. Usually, large vendors like VMWare (PulseSecure), Palo Alto (GlobalProtect) and F5 (f5vpn?) don't provide support for Linux. And with ~50% of devs, according to the 2019 Stack Overflow survey, using Linux, that's abysmal. This creates a market for alternative solutions. Blocking a bunch of VPN clients is a poor solution to an avenue of exfiltration that isn't widely used. The cost vs. benefit is not worth it. Are you really closing the door on such a large workforce?
Instead of succumbing to marketing flair (closing deals with expensive VPN vendors), provide full-spectrum support and only then lock it down. This isn't easy, but security isn't easy. Otherwise, sooner or later, an employee will punch a hole to enable his work. You want to work on solutions, not dictate problems.
One case I'm familiar with had a VP R&D approve Linux Mint despite security's support for Windows only. He brought them down to the office and had them install it themselves as a "compromise". Needless to say they just did next-next-next and achieved nothing. A few years later, when their expensive deals automatically shut down the entire corp network because the guy installed Docker on that Linux, they asked firmly
“Who installed this OS?!”.
Their solutions?
"Just don't use Docker".
Don’t be like them.
Instead of monitoring sites accessed, deploy an EDR. Spinning up a new IBM/Azure/GCP/AWS is cheap. Tooling new TTPs is expensive.
The main reasons I am concerned are data exfiltration, access to sites that are on our blocklist, and being able to monitor their activity (on our assets).
I'm not familiar with the Palo Altos. Are they firewalls that double as a proxy, or is it not really a proxy at all and just blocklisting IPs based on the categories they're associated with?
It's the URL category blocking on the Palos. It isn't a proxy in the sense that traffic is directed at the firewall and then forwarded on; the traffic flows through the firewall and the firewall queries PAN-DB for the category of the traffic. We also have Umbrella DNS filtering, which happens at a lower level, so the VPN traffic would ideally get blocked by that first.
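The answer above layers a DNS filter in front of inline URL-category filtering. What each layer can and cannot see is easy to get wrong, so here is an added example (not code from this thread, and not Umbrella or PAN-OS logic) that walks a few constructed connection attempts through three stages in order: a DNS filter that sinkholes names in a blocked category, a firewall category check keyed on the TLS SNI or, failing that, the destination IP, and a fallback port rule for tunnel protocols. The category tables, resolver and sinkhole addresses, and the three-stage order are assumptions of the example; the point it shows is that a client which resolves over DoH or connects to a hard-coded IP never touches the DNS layer, and one that also sends no SNI is only caught if the IP itself is categorised or a port rule exists.

```python
"""Layered VPN-blocking policy walk-through (added example, constructed data).

Stage 1: DNS filter on the corporate resolver (stands in for Umbrella).
Stage 2: inline URL/category check on the firewall (stands in for PAN-DB).
Stage 3: app/port rule for tunnel protocols (the example's own fallback).
"""

CORP_RESOLVER = "10.0.0.53"        # assumed filtering resolver handed out by DHCP
SINKHOLE = "192.0.2.1"             # assumed block-page address the DNS filter answers with
BLOCKED_CATEGORIES = {"proxy-avoidance-and-anonymizers"}

# Constructed category data standing in for a vendor database.
DOMAIN_CATEGORY = {
    "vpn.example-anonymizer.net": "proxy-avoidance-and-anonymizers",
    "www.example.com": "business",
}
IP_CATEGORY = {"198.51.100.7": "proxy-avoidance-and-anonymizers"}
# Constructed DNS zone the resolver would answer from.
DOMAIN_A = {"vpn.example-anonymizer.net": "198.51.100.7", "www.example.com": "198.51.100.9"}

# Default tunnel ports for the fallback rule (two entries are enough for the demo).
TUNNEL_PORTS = {("udp", 51820): "WireGuard", ("udp", 1194): "OpenVPN"}
SANCTIONED_VPN_GATEWAYS = {"203.0.113.10"}   # assumed AnyConnect headend


def dns_filter(name: str):
    """Stage 1: answer a query; return (address, blocked)."""
    if DOMAIN_CATEGORY.get(name) in BLOCKED_CATEGORIES:
        return SINKHOLE, True
    return DOMAIN_A.get(name), False


def url_category_check(dst_ip: str, sni):
    """Stage 2: categorise by SNI when present, else by destination IP."""
    category = DOMAIN_CATEGORY.get(sni) if sni else IP_CATEGORY.get(dst_ip)
    if category in BLOCKED_CATEGORIES:
        return "deny"
    return "allow"   # includes the unknown-category case: nothing to match on


def app_port_rule(proto: str, dport: int, dst_ip: str):
    """Stage 3: deny default tunnel ports unless the destination is the sanctioned headend."""
    if (proto, dport) in TUNNEL_PORTS and dst_ip not in SANCTIONED_VPN_GATEWAYS:
        return "deny"
    return "allow"


def evaluate(conn: dict) -> list:
    """Run one connection attempt through the stages; return the (stage, verdict) trail.

    conn keys: proto, dport, optional hostname, resolver, dst_ip, sni.
    A client using the corporate resolver is seen by the DNS filter; one that
    resolved elsewhere (DoH, hard-coded IP) reaches the firewall directly.
    """
    trail = []
    if conn.get("hostname") and conn.get("resolver") == CORP_RESOLVER:
        answer, blocked = dns_filter(conn["hostname"])
        trail.append(("dns", "sinkhole" if blocked else "resolve"))
        if blocked:
            return trail          # client only ever talks to the sinkhole
        dst_ip = answer
    else:
        dst_ip = conn["dst_ip"]   # resolved outside the filter, or never resolved at all
        trail.append(("dns", "skipped"))

    verdict = url_category_check(dst_ip, conn.get("sni"))
    trail.append(("url-filter", verdict))
    if verdict == "deny":
        return trail

    trail.append(("app-port", app_port_rule(conn["proto"], conn["dport"], dst_ip)))
    return trail


# Constructed attempts, from easiest to hardest to catch.
CASES = {
    "name via corp resolver": {"hostname": "vpn.example-anonymizer.net", "resolver": CORP_RESOLVER,
                               "proto": "tcp", "dport": 443, "sni": "vpn.example-anonymizer.net"},
    "name via DoH, SNI sent": {"hostname": "vpn.example-anonymizer.net", "resolver": "doh",
                               "dst_ip": "198.51.100.7", "proto": "tcp", "dport": 443,
                               "sni": "vpn.example-anonymizer.net"},
    "hard-coded IP, no SNI": {"dst_ip": "198.51.100.7", "proto": "tcp", "dport": 443},
    "uncategorised IP, WireGuard": {"dst_ip": "192.0.2.50", "proto": "udp", "dport": 51820},
    "ordinary web site": {"hostname": "www.example.com", "resolver": CORP_RESOLVER,
                          "proto": "tcp", "dport": 443, "sni": "www.example.com"},
}

if __name__ == "__main__":
    for label, conn in CASES.items():
        print(f"{label:30s} {evaluate(conn)}")
```

Read the trail for the fourth case: the DNS filter never sees it, the category check has nothing to match, and only the port rule stops it. A VPN client that also moves to an arbitrary TCP port over TLS with no SNI would pass all three stages, which is why the earlier replies pair filtering with endpoint control (EDR, group policy) rather than relying on the network alone.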