cegepdematane

How to block HotSpot Shield with a Cisco ASA 5520?

MikeKane

Hotspot Shield is essentially an OpenVPN to their servers to use as a proxy outbound to the internet.

You have 2 options here....  

1) Block the outbound traffic when the source IP is one of the Hotspot servers. This is a hard one since it seems Hotspot changes IPs frequently to get around this exact tactic. Here are some I've found:
129.250.211.8
64.55.144.50
74.85.13.17
129.250.211.61

With an ASA you would just block outbound IP traffic to these IPs using an ACL.

For example:
access-list outbound extended deny ip any host 129.250.211.8
access-list outbound extended deny ip any host 64.55.144.50
access-list outbound extended permit ip any any
access-group outbound in interface inside


2) Disable the IPsec passthrough. This would essentially kill all outbound VPN requests. Might not be feasible in your environment.
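
To see which inside hosts keep trying the listed servers, and whether any listed server is still reachable because it is missing from the ACL, the ASA syslog can be tallied. This is an added example, not part of the original answer; it goes slightly beyond the ACL itself by also reading connection-built messages, assumes the standard ASA 106023 and 302013/302015 message formats, and the function name, log lines, hostname and inside addresses are constructed.

```python
import re
from collections import Counter

# Server addresses listed in the answer above.
BLOCKED = {"129.250.211.8", "64.55.144.50", "74.85.13.17", "129.250.211.61"}

# ASA syslog 106023: a packet was denied by an ACL bound with access-group.
# The optional "(...)" groups cover user-identity or ICMP type/code fields.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<sif>[^:\s]+):(?P<src>[\d.]+)(?:/\d+)? (?:\(.*?\) )?'
    r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)(?:/\d+)? (?:\(.*?\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)
# ASA syslog 302013 (TCP) / 302015 (UDP): an outbound connection was built.
BUILT_RE = re.compile(
    r'%ASA-\d-30201[35]: Built outbound (?:TCP|UDP) connection \d+ '
    r'for (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/\d+ \(.*?\) '
    r'to (?P<sif>[^:\s]+):(?P<src>[\d.]+)/\d+'
)

# Constructed sample lines; hostname and inside addresses are made up.
SAMPLE_LOG = '''\
Mar  3 10:15:01 asa5520 %ASA-4-106023: Deny udp src inside:10.1.20.31/50122 dst outside:129.250.211.8/443 by access-group "outbound" [0x0, 0x0]
Mar  3 10:15:04 asa5520 %ASA-4-106023: Deny tcp src inside:10.1.20.31/50140 dst outside:64.55.144.50/443 by access-group "outbound" [0x0, 0x0]
Mar  3 10:16:12 asa5520 %ASA-4-106023: Deny tcp src inside:10.1.20.77/49811 dst outside:129.250.211.8/80 by access-group "outbound" [0x0, 0x0]
Mar  3 10:16:30 asa5520 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4431 dst inside:10.1.20.5/22 by access-group "inbound" [0x0, 0x0]
Mar  3 10:17:02 asa5520 %ASA-6-302013: Built outbound TCP connection 8841 for outside:74.85.13.17/443 (74.85.13.17/443) to inside:10.1.20.90/51002 (192.0.2.10/51002)
'''

def hotspot_clients(log_text, acl="outbound", blocked=BLOCKED):
    """Return (denied, allowed) Counters keyed by inside host address."""
    denied, allowed = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["acl"] == acl and m["dst"] in blocked:
            denied[m["src"]] += 1      # the ACL stopped this attempt
            continue
        m = BUILT_RE.search(line)
        if m and m["dst"] in blocked:
            allowed[m["src"]] += 1     # listed server, but no deny entry hit
    return denied, allowed

if __name__ == "__main__":
    denied, allowed = hotspot_clients(SAMPLE_LOG)
    print("denied:", dict(denied))
    print("got through:", dict(allowed))
```

Hosts in the second counter reached a listed server that the ACL does not cover, which is the gap the answer warns about when the server addresses change.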




ASKER

Yes, outbound we do not need VPN connections. To disable IPsec with an ASA, do I have to block the ESP protocol?

Even with ESP blocked outbound (port 50), it seems to be able to connect.

Thanks
ASKER CERTIFIED SOLUTION
MikeKane

This solution is only available to members.

Didn't work even with the Filter on the URL string.

I did the trick with GPO, with a restriction on openvpntray.exe.

Thanks