
How to block HotSpot Shield with a Cisco ASA 5520?

Asked by: cegepdematane
1 Solution

MikeKane Commented:
Hotspot Shield is essentially an OpenVPN connection to their servers, used as a proxy outbound to the internet.

You have 2 options here....  

1) Block the outbound traffic when the destination IP is one of the Hotspot Shield servers. This is a hard one since it seems Hotspot Shield changes IPs frequently to get around this exact tactic. Here are some I've found:
129.250.211.8
64.55.144.50
74.85.13.17
129.250.211.61

With an ASA you would just block outbound IP traffic to these IPs using an ACL.

For example:
access-list outbound extended deny ip any host 129.250.211.8
access-list outbound extended deny ip any host 64.55.144.50
access-list outbound extended permit ip any any
access-group outbound in interface inside


2) Disable IPsec passthrough. This would essentially kill all outbound VPN requests. Might not be feasible in your environment.



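As an added worked example (not from MikeKane's post), here are both options on an ASA 5520 in one ACL. It assumes the inside interface is named "inside", that the ACL is called "outbound" as in the post, and that the four addresses listed above are still Hotspot Shield exits (they rotate, so check). An object-group keeps the address list in one place, and "log" on the deny lines raises syslog 106100 for each hit, which shows you which clients are trying and lets you spot new exit addresses in the logs. One caveat on option 2: OpenVPN, which Hotspot Shield rides on, is plain TCP/UDP (default port 1194, and often 443 to blend in) and does not use ESP or IKE at all, so denying IPsec alone does not stop it. The 1194 lines below catch only the default port; 443 cannot be denied without breaking HTTPS.

```cisco
! Added example for this thread, not the poster's configuration.
! Assumptions: inside interface is "inside"; the four hosts below are still
! Hotspot Shield exit servers (the list in the thread rotates frequently).
object-group network HSS-EXIT-SERVERS
 description Hotspot Shield exit servers listed in the thread
 network-object host 129.250.211.8
 network-object host 64.55.144.50
 network-object host 74.85.13.17
 network-object host 129.250.211.61
!
! Option 1: deny any inside host from reaching the known exit servers.
! "log" produces syslog 106100 per hit, useful to find clients and new exits.
access-list outbound remark --- Hotspot Shield known exit servers ---
access-list outbound extended deny ip any object-group HSS-EXIT-SERVERS log
!
! Option 2: deny native IPsec outbound: ESP (proto 50), AH (proto 51),
! IKE (UDP 500) and IKE NAT-T (UDP 4500). Note this does not touch OpenVPN,
! which runs over ordinary TCP/UDP, so the default OpenVPN port is also denied.
access-list outbound remark --- IPsec: ESP, AH, IKE, NAT-T ---
access-list outbound extended deny esp any any log
access-list outbound extended deny ah any any log
access-list outbound extended deny udp any any eq 500 log
access-list outbound extended deny udp any any eq 4500 log
access-list outbound remark --- OpenVPN default port (443 cannot be denied) ---
access-list outbound extended deny udp any any eq 1194 log
access-list outbound extended deny tcp any any eq 1194 log
!
! Everything else from the inside is still allowed out.
access-list outbound extended permit ip any any
access-group outbound in interface inside
```

Check hit counts with "show access-list outbound" after the client tries to connect; a client that still gets through without touching any deny line is using an exit address and port you have not listed. Drop the two 1194 lines if you run your own OpenVPN server on that port.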
cegepdematane (Author) Commented:
Yes, outbound we do not need VPN connections. To disable IPsec with an ASA, do I have to block the ESP protocol?

Even with ESP blocked outbound (port 50), it seems to be able to connect.

Thanks

MikeKane Commented:
I had to go back and do some more reading. It seems that this service uses a bunch of different proxies that rotate daily (or something like that). I read that one person was able to set up a web URL filter to block outbound requests that contained "/config/?action=connect", which is apparently how Hotspot Shield starts a session.

With an ASA, you'd probably need to do something like this: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml 

That link shows how to set up a custom inspection for HTTP. In theory, it should work with the above string as well.

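Added example of the HTTP inspection MikeKane points at, written for this thread rather than copied from the Cisco document. It assumes the client really sends "/config/?action=connect" as a plain HTTP request on TCP port 80, because that is the only traffic the default "inspection_default" class hands to the HTTP inspector; a request on another port, or inside TLS, is never seen by this policy and passes untouched. The "?" in the string is a regex quantifier, so it is escaped, and at the ASA prompt you must press Ctrl-V before typing "?" or the CLI treats it as a help request. The names in capitals are made up for the example.

```cisco
! Added example for this thread, not the poster's or Cisco's configuration.
! Assumption: the connect request is plain HTTP on TCP/80 with the URI
! "/config/?action=connect" reported in the thread.
! The "?" must be escaped in the regex; press Ctrl-V before typing it.
regex HSS-CONNECT /config/\?action=connect
!
! Wrap the regex in a regex class so the HTTP class-map can reference it.
class-map type regex match-any HSS-URI
 match regex HSS-CONNECT
!
! Match any HTTP request whose URI contains the connect string.
class-map type inspect http match-all HSS-HTTP
 match request uri regex class HSS-URI
!
! Reset the TCP connection and log the hit (syslog 415008) when it matches.
policy-map type inspect http HSS-HTTP-POLICY
 parameters
 class HSS-HTTP
  reset log
!
! Attach the HTTP inspection to the default global policy. The default
! inspection_default class only covers TCP/80, so only port-80 traffic is
! inspected; add the inspect line to your own class for other ports.
policy-map global_policy
 class inspection_default
  inspect http HSS-HTTP-POLICY
!
! Already present on a default ASA; harmless to re-enter.
service-policy global_policy global
```

Confirm the policy is actually matching with "show service-policy inspect http"; if the counters stay at zero while the client still connects, the request is not plain HTTP on an inspected port and URI filtering on the ASA cannot see it.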
cegepdematane (Author) Commented:
It didn't work, even with the filter on the URL string.

I did the trick with a GPO restriction on openvpntray.exe.

Thanks