Protection against VPN connections, Witopia, Hotspot Shield etc

Given that it's hard to take application-install rights away from my users on their assigned workstations, what's the easiest mechanism to block connections initiated by Hotspot Shield, Witopia, etc.?

We have an internal proxy (Webwasher) which is defined as the proxy for all users, and we also have an ASA 5520 beyond it. I need to define a mechanism to detect and terminate the connections emanating from HotSpot Shield and other VPNs on my workstations.

I can block launching of hotspot.exe from my GPO, but a user can easily bypass it by renaming the file.

Any other clues?

Dave Howe, Software and Hardware Engineer, commented:
Usually they have a limited number of "must contact" IP addresses - those vary from app to app, but if you get a copy, install it, then see where it connects to, eventually you can add access control list entries for them all, one by one, until the app stops connecting.
Set up your ASA5520 to force all outbound HTTP/S traffic through your Webwasher proxy, then drop in a 'default deny' policy on the inside interface. This will effectively block all outbound connections unless you explicitly allow them in the ACL. Bear in mind this means you'll need to create new rules for approved services, and you need to review your business needs carefully to ensure you have everything opened you need for normal operations, but it will block these apps from 'phoning home'. You'll still have some get through, mainly those who use HTTP/S as a transport mechanism - but you'll get most of the junk.
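
With a default-deny rule on the inside interface, the firewall's deny log also answers the "detect" half of the question: it shows which workstations keep trying to reach the internet without going through the proxy. The script below is an added example, not part of the original thread; it assumes the deny rule logs ASA syslog message 106023, the log lines are constructed samples, and the threshold of three distinct destinations is an arbitrary starting point.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog (106023 = packet denied by an access-group).
SAMPLE_LOG = """\
Jan 12 09:14:02 asa %ASA-4-106023: Deny tcp src inside:10.1.20.31/49211 dst outside:198.51.100.7/443 by access-group "INSIDE_OUT" [0x0, 0x0]
Jan 12 09:14:03 asa %ASA-4-106023: Deny udp src inside:10.1.20.31/58120 dst outside:198.51.100.7/500 by access-group "INSIDE_OUT" [0x0, 0x0]
Jan 12 09:14:05 asa %ASA-4-106023: Deny tcp src inside:10.1.20.31/49213 dst outside:203.0.113.9/8080 by access-group "INSIDE_OUT" [0x0, 0x0]
Jan 12 09:14:09 asa %ASA-4-106023: Deny tcp src inside:10.1.20.31/49219 dst outside:198.51.100.7/443 by access-group "INSIDE_OUT" [0x0, 0x0]
Jan 12 09:15:40 asa %ASA-4-106023: Deny udp src inside:10.1.20.44/123 dst outside:192.0.2.50/123 by access-group "INSIDE_OUT" [0x0, 0x0]
Jan 12 09:16:01 asa %ASA-6-302013: Built outbound TCP connection 881 for outside:192.0.2.80/443 (192.0.2.80/443) to inside:10.1.1.10/40112 (10.1.1.10/40112)
"""

# TCP/UDP denies only; the ICMP form of 106023 has no ports and is skipped.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src inside:(?P<src>[\d.]+)/\d+ "
    r"dst outside:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

def denied_by_host(log_text):
    """Map each inside source IP to the distinct (proto, dst, dport) it was denied."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            hits[m["src"]].add((m["proto"], m["dst"], int(m["dport"])))
    return hits

def suspects(log_text, min_targets=3):
    """Workstations denied towards >= min_targets distinct destinations, busiest first.

    min_targets is an assumed tuning knob: one stray NTP or update check is
    noise, while a client cycling through servers and ports stands out.
    """
    rows = [(src, sorted(targets))
            for src, targets in denied_by_host(log_text).items()
            if len(targets) >= min_targets]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for src, targets in suspects(SAMPLE_LOG):
        print(src, "denied towards", len(targets), "destinations:")
        for proto, dst, dport in targets:
            print(f"  {proto} {dst}:{dport}")
```

The destinations listed per workstation are also the "must contact" addresses worth reviewing before deciding what the ACL should explicitly permit.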

Swift (Author) commented:
Would appreciate if one of you can host the latest HotSpot shield file somewhere so that I can evaluate the ports it uses.