
We have SonicWall installed in our network, which has turned pretty much useless lately regarding content filtering, after employees found a trick to bypass it and spread the word around.

Could you please recommend the common tricks used to bypass SonicWall rules and the countermeasures I should configure on the SonicWall to block these holes and enforce the company internet access policy?

Sisyphus
  • This is why it makes sense to get purpose-built devices for the application. Never felt that Sonicwall's solution was robust. – ewwhite Jul 15 '15 at 00:08

3 Answers


You need to inspect SSL traffic; anything that's HTTPS can't be identified without enabling DPI-SSL. There are so few sites now that are HTTP, and most redirect to HTTPS automatically, that you really need to inspect it, or control their DNS, to be able to prevent it.

Running all their traffic through a Web proxy would also be a solution for devices under your control.


There will always be ways around content filters. My lists aren't extensive, but here are some items that should help cover most of your concerns.

  • The most common method to bypass web filters is to use a web-based proxy website

Example: Logging into a free web proxy web service; this is a service that's provided by visiting a website that will mask your web browsing through their website

  • Some people bypass web filters through VPN, which encapsulates traffic and prevents your local web filter from viewing content/destination

Example: Logging into a VPN service from a service provider; since all traffic going through that service is going to be encrypted, no one will be able to tell what you're doing while connected to the service (so long as the traffic is going through the service)

Some methods you can employ are:

  • Forcing proxy servers through GPO

http://social.technet.microsoft.com/wiki/contents/articles/5156.how-to-force-proxy-settings-via-group-policy.aspx

  • Forcing proxy through DHCP, DNS and routing rules

http://smallbusiness.chron.com/set-up-dhcp-provide-proxy-server-50621.html

  • Using a 3rd party web filter solution (one that allows filtering by IP, domain names, and content)

CIA
  • Could you kindly explain more about the first 2 points you suggested as remedies. From what I heard around the place, they are not using web-based proxy websites nor VPNs, not even browser plugins for proxies! Are there any other methods? – Sisyphus Jul 14 '15 at 20:45
  • ...I thought I explained it fairly well... I added a little bit of clarification, but if you're having a hard time understanding, perhaps you should be hiring someone with more experience than yourself to manage your network environment (no offense, but the terminology I was using is pretty basic for network people to understand) – CIA Jul 14 '15 at 23:54
  • I was asking for a clarification of the remedies, not the bypassing techniques: "Forcing proxy servers through GPO", "Forcing proxy through DHCP ...". But thanks for the help anyway :) – Sisyphus Jul 15 '15 at 09:10
  • See my latest updates – CIA Jul 15 '15 at 13:19

What model and services do you have? And what methods are they using?

The CFS settings allow you to restrict access to HTTP proxies, and the application firewall should keep them from using a VPN.

Many web sites are now using SSL, so if you want to enforce your policies through SSL you will need a DPI-SSL subscription. Or the new SSL Control feature (under Firewall Settings) may be helpful.

atariguy
  • We have an NSA 220; we are not aware of the exact method they are using. We don't have a DPI-SSL license; however, AppRules used to do a good job blocking SSL connections to websites like Facebook and its relevant apps. – Sisyphus Jul 14 '15 at 20:55
  • You're going to need to find out what they're doing if it's not being blocked and you want to block it. – atariguy Jul 14 '15 at 20:58
  • Something I remembered today is that for many websites these days, simply changing "http:" to "https:" will bypass CFS, proxy server enforcement, etc., because a lot of web servers have SSL certs (even if they're just self-signed) installed for exactly this reason. – atariguy Jul 17 '15 at 20:25
  • Application Control already addresses this problem, but still it is not enough. – Sisyphus Jul 18 '15 at 16:54
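Both the proxy-enforcement answer above and atariguy's "just switch to https:" comment point at the same detection gap: once a forced proxy is in place, any workstation opening tcp/80 or tcp/443 directly to the internet (or a UDP tunnel on a VPN port) is evidence of a bypass, whatever trick produced it. The script below is an added example, not code from the thread or from SonicWall; it runs over constructed, simplified connection-log lines, and the workstation range, proxy address and log format are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed, simplified firewall connection log (not real SonicWall syslog output).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges standing in for the internet.
SAMPLE_LOG = """\
src=10.10.4.21:51002 dst=10.0.0.5:3128 proto=tcp bytes=18233
src=10.10.4.21:51003 dst=203.0.113.44:443 proto=tcp bytes=90211
src=10.10.7.9:40112 dst=10.0.0.5:3128 proto=tcp bytes=1204
src=10.10.7.9:40113 dst=198.51.100.7:1194 proto=udp bytes=4811230
src=10.10.9.3:33001 dst=203.0.113.10:80 proto=tcp bytes=7700
src=10.0.0.5:44000 dst=203.0.113.44:443 proto=tcp bytes=90211
"""

LINE_RE = re.compile(r"src=(\S+):\d+ dst=(\S+):(\d+) proto=(\w+) bytes=(\d+)")

USER_NET = ipaddress.ip_network("10.10.0.0/16")        # assumed workstation VLAN
PROXY = ("10.0.0.5", 3128)                              # assumed enforced web proxy
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}                                   # direct web = proxy bypass
VPN_UDP_PORTS = {500, 4500, 1194}                       # IKE/IPsec and OpenVPN defaults

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def classify(line):
    """Return (src, dst, dport, reason) for a policy-violating flow, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, proto = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    if ipaddress.ip_address(src) not in USER_NET:
        return None                      # only police workstation traffic
    if (dst, dport) == PROXY or is_internal(dst):
        return None                      # proxy and internal destinations are allowed
    if proto == "tcp" and dport in WEB_PORTS:
        return (src, dst, dport, "direct-web-bypassing-proxy")
    if proto == "udp" and dport in VPN_UDP_PORTS:
        return (src, dst, dport, "possible-vpn-tunnel")
    return None

def find_bypasses(log_text):
    """All violating flows in the log, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

def offenders(log_text):
    """Violation count per workstation, for follow-up with the user."""
    return Counter(f[0] for f in find_bypasses(log_text))
```

Feeding this the firewall's real connection log (after adjusting `LINE_RE`) tells you which hosts are bypassing the proxy; a hit on a direct tcp/443 flow is exactly the http-to-https trick, and the fix is a firewall rule that lets only the proxy itself reach tcp/80 and tcp/443 outbound.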