Avatar of cyborama
cyborama
Flag for United States of America asked on

Blocking capabilities of circumventing proxies and firewalls via VPN, pptp and l2pt clientware and services

Hello There:  An Academy my niece goes to using a proxy in order to block content that the highschool or academy does not want them going to do to school polocies.  Anyway some of the students have found ways to circumvent this via using anchorfree hotspot shield.

I would like to help the IT person for this institution implement a way to mitigate the circumventing of the proxy server.  I have researched a bunch of sites and found there were tons of such vpn and proxy services that help people get around firewalls.

One thing I have discovered is these services basically fall into 3 major categories openvpn, pptp and l2pt.  I am wondering one of two things:

1. Is their a way to block many of these client applications or websites that provide services to circumvent proxies by targeting anything that bases its augrithym off openvpn pptp or l2pt.  I know there are some software out their like anti ultrasurf as well as fortiguard but I am trying to get an idea of the best system that can be used to monitor and block these services and sites that client software uses to bust open a network firewall or proxy service.

I know a big service being used today is your freedom which is a proxy service that claims the ability to bust open any firewall being used by school or company.


2. If there is no good method of literally fireproofing the firewall if you will what software or services can be used at a academy or highschool situation to be able to pick up traces of those who are violating the schools internet policy by using their own laptops and or client pcs in the school network to get onto forbidden sites via vpns like hotspot shield or ultra surf, your freedom among others who make use of tunneling and anonymizing the user so they are virtually untraceable and very invisible through this software especially if it is on their laptop and not downloaded onto one of the schools pcs.

Bottom line is, if there is no real good method in really fireproofing the firewall and making it hard to get through with the majority of free VPN out there what management system or software is available so at least the IT person of the school can get an idea when a student uses a proxy service or vpn to circumvent the school's filtering service and perhaps be able to tell what VPN was used to do so (i.e. hotspot shield, gpass, expatshield, Proxpn, yourfreedom, etc...)

I know this sounds like a complex question but any help would be appreciated as this has become a real problem in the school with students spending much time on facebook instead of what they should be doing during school hours and or study hall times in their dorm rooms.

Thanks for your help here.
NetworkingServer SoftwareNetwork Security

Avatar of undefined
Last Comment
cyborama

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Andrej Pirman

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
giltjr

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
cyborama

ASKER
Thanks for your help Labsy and gilrjr.  I was researching a bit about SecurityKiss (one of the vpn software to circumvent proxies and found out the following

-----------------------------------------------------------------------------------------------------
Check your firewall settings if connection is open for SecurityKISS Tunnel (TCP 80, 443 and UDP 123)

You may also check if DHCP client is running. You'll find instructions here
--------------------------------------------------------------------------------------------------------------------
Here is some more on this particular product
--------------------------------------------------------------------------------------
In order to work correctly SecurityKISS Tunnel requires that DHCP Client service is started in your Windows system.

Most Windows configurations have the DHCP Client set to start automatically, however if you can't connect it's worth to check if the service is running.

Below we are showing step by step how to do it on Windows XP but the instruction also applies for other Windows versions.
------------------------------------------------------------------------------------------------------------------

So my question is the following are the folk at securitykiss saying that they actually use port 443 and port 80 to port their traffic through in order to circumvent a proxy setup.  Also I would assume their is no way to allow internet surfacing on approved sites without having dhcp client running.

Lastly if there are only certain sites that we know we want to block while allowing students to effectively do research on the internet for reports, history class and so forth is it safe to say that blocking all ports but 80, 443 and ports dealing with incoming and outgoing email will allow students to have the freedom to do research projects while still being able to black list particular websites such as facebook with the proxy.

I guess what I am saying is by opening ports 80 and 443 while black listing certain sites that are not allowed would vpn and proxy services take advantage of port 80 and 443 in regards to tunnelizing and anonymizing users past the firewall or proxy or do pretty much all free vpns and proxy services use ports other than 8o and 443.

I researched hotspotshield as this is the hottest free vpn used by students at the school now and they definitely do not use port 80 or 443 for their purposes but it almost appears as if securitykiss does which is listed as another popular free vpn tunneling site.



It seems like blocking all but specific white listed sites would only allow students to go to sites a, b, c, and do, etc... for research purposes when doing various projects for school.  I am wondering if their can still be a way to give the students more freedom to properly do research using sites that are very valuable but may not have been discovered as relevant for research while still blocking the social media sites like facebook, twitter, etc... so students while at school will for the most part be forced to focus on the research they are suppose to be doing instead of surfing and chatting. This is why I am wondering if by only opening ports 80 and 443 plus email in and out ports I can pretty much simply black list those popular social networking sites while still have the confidence that anonymizing and tunneling software and services like yourfreedom, hotspotshield and securitykiss can not open up to the students who are going through the schools proxy the ability to tunnel pass and access these social networking sites.

Thanks,

Bo
giltjr

The problem with allowing port 80/443 and black listing sites is that there are a TON of  anonymous proxy sites that use port 80 and you can still do SSL VPN's using port 443.


So you block facebook through your proxy, then fire up their browsers to to someanonymouseproxy.com or somesslvpnserver.com, connect to it and then access facebook through that proxy.vpn.

Yes it is a pain to block everything and then whitelist, but the alternative is to allow everything and then black list most anonymous proxy servers/ssl VPN servers.

All of these anonymous proxy server and VPN sites know everybody lets port 80 and 443 through, so they use those ports.
Andrej Pirman

Yes, the main concern is that the common practice of proxying port 80 and leaving SSL port 443 to bypass local proxy ends up with huge security risk, because, as told, most of today's VPN proxy services use SSL 443 port for connection and data transmition, bypasing all inspection on enterprise firewall.

There are some expensive SSL proxy firewalls available, but I doubt very much that their content filtering and examination engines are able to cope with millions of VPN software offers across the globe. Cisco and Juniper have some such devices, but subscriptions to daily updates are expensive.
Beside, and not last, these SSL proxy firewalls act as a "trusted man in the middle" inspectors, using known hacking techniques to analyze SSL certificate and parts of stream, which makes the whole ocnversation less trusted. Web site with SSL certificate claims, that connection is trusted... but in such case, it might not be anymore. So, is it legal or not...well, I am not sure.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
cyborama

ASKER
thank you Labsy and gltjr that was very informative and helpul