How to block HotSpot Shield with an Cisco Asa 5520 ?

cegepdemataneAsked:
MikeKaneCommented:
HotSpot Shield is essentially an OpenVPN tunnel to their servers, which they use as a proxy outbound to the internet.

You have two options here.

1) Block the outbound traffic when the source IP is one of the HotSpot servers. This is a hard one, since it seems HotSpot changes IPs frequently to get around this exact tactic. Here are some I've found:
129.250.211.8
64.55.144.50
74.85.13.17
129.250.211.61

With an ASA you would just block outbound IP traffic to these IPs using an ACL.

For example:
access-list outbound remark Drop traffic to the known HotSpot Shield servers
access-list outbound extended deny ip any host 129.250.211.8
access-list outbound extended deny ip any host 64.55.144.50
access-list outbound remark Permit everything else outbound
access-list outbound extended permit ip any any
access-group outbound in interface inside


2) Disable the IPsec passthrough. This would essentially kill all outbound VPN requests. It might not be feasible in your environment.



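The same outbound block, written with a network object-group so the rotating server list is maintained in one place instead of one ACL line per host. This is an added example, not configuration from the answer above or from Cisco: the interface name "inside", the ACL name "outbound" and the object-group name are assumed, and the four addresses are the ones listed in the answer. The two port-1194 lines are an assumption as well: 1194 is OpenVPN's registered port, but nothing on this page says HotSpot Shield uses it.

```cisco
! Added example (not from the original answer). Names "inside", "outbound"
! and HSS_SERVERS are assumptions.
object-group network HSS_SERVERS
 description Known HotSpot Shield endpoints from the answer above (they rotate, so expect to update this)
 network-object host 129.250.211.8
 network-object host 64.55.144.50
 network-object host 74.85.13.17
 network-object host 129.250.211.61
!
access-list outbound remark Drop anything destined to a known HotSpot Shield server
access-list outbound extended deny ip any object-group HSS_SERVERS log
!
access-list outbound remark OpenVPN registered port 1194 (assumption: HotSpot Shield may use other ports)
access-list outbound extended deny udp any any eq 1194 log
access-list outbound extended deny tcp any any eq 1194 log
!
access-list outbound remark Permit everything else outbound
access-list outbound extended permit ip any any
!
access-group outbound in interface inside
```

Two practical notes. First, `show access-list outbound` reports a hit count per line, which is the quickest way to confirm that a deny entry is actually matching something rather than being bypassed by a new server address. Second, because the answer identifies HotSpot Shield as OpenVPN, its traffic is carried inside ordinary UDP or TCP packets; ESP (IP protocol 50) is only used by IPsec, so denying ESP does not touch an OpenVPN client at all, which is why an "IPsec passthrough" style block has no effect on it.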
cegepdemataneAuthor Commented:
Yes, outbound we do not need VPN connections. To disable IPsec on an ASA, do I have to block the ESP protocol?

Even with ESP blocked outbound (port 50), it seems to be able to connect.

Thanks
MikeKaneCommented:
I had to go back and do some more reading. It seems that this service uses a bunch of different proxies that rotate daily (or something like that). I read that one person was able to set up a web URL filter to block outbound requests that contained "/config/?action=connect", which is apparently how HotSpot starts a session.

With an ASA, you'd probably need to do something like this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml 

That link shows how to set up a custom inspection for HTTP. In theory, it should work with the above string as well.

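What that custom HTTP inspection looks like on the ASA when pointed at the connect string from the answer above. This is an added example, not configuration from the answer or from the linked Cisco document: the regex, class-map and policy-map names are assumptions, and the only thing taken from the page is the "/config/?action=connect" string (the "?" has to be escaped, because it is a regex metacharacter in the ASA `regex` command).

```cisco
! Added example (not from the original answer). All names are assumptions.
! The pattern is the session-start URI quoted in the answer, with "?" escaped.
regex HSS_CONNECT_URI "/config/\?action=connect"
!
! Regex class so the URI match can hold more than one pattern later
class-map type regex match-any HSS_URI_REGEX
 match regex HSS_CONNECT_URI
!
! HTTP inspection class: match requests whose URI contains the pattern
class-map type inspect http match-all HSS_HTTP_CLASS
 match request uri regex class HSS_URI_REGEX
!
! Inspection policy: drop the whole connection and log it when the class matches
policy-map type inspect http HSS_HTTP_POLICY
 parameters
 class HSS_HTTP_CLASS
  drop-connection log
!
! Attach it to the default global policy. inspection_default classifies
! HTTP on TCP/80 only, so traffic on other ports is never examined.
policy-map global_policy
 class inspection_default
  inspect http HSS_HTTP_POLICY
```

The caveat a practitioner would check before relying on this: HTTP inspection only sees cleartext requests on the ports that the inspection class matches (TCP/80 under `inspection_default`). If the client sends its connect request over TLS, or on a port outside the inspected set, the ASA never sees the URI and the regex cannot match, which is consistent with the filter having no effect in the follow-up below. `show service-policy inspect http` shows whether the inspection is being applied and how many packets it has examined.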

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
cegepdemataneAuthor Commented:
Didn't work, even with the filter on the URL string.

I did the trick with a GPO with a restriction on openvpntray.exe.

Thanks