Hi All,
Currently a Sysadmin within a school. I am having some trouble at the moment blocking Hotspot Shield. Have tried a few options in blocking this but I am not having any luck. Currently have a Fortigate inline, attempted to use their signature without any success. Is anyone aware of any products/services or appliances that can successfully stop Hotspot Shield in its tracks?
This is something you are going to have to pass on as a disciplinary solution rather than a technical solution. Even the Great Firewall of China has issues blocking these VPN services.
I’d draw the line at trying to block apps on students’ phones, even if it’s through use of the web filter.
If it was a Chrome extension or an iPad app on district-owned devices, that would be something I’d take a look at. However, if kids are doing bad things on their phone, there isn’t much I can do about that.
So, you are somewhat facing a whack-a-mole situation if you aren’t careful. You can attempt to block IP ranges as suggested by others or whole domains, but these are moving targets. Now enter the fact that there are a plethora of other apps that do exactly the same thing.
This was one reason I went with Palo Alto as a content filter. It allows me to block this category of traffic and so far, I haven’t had issues with students gaining access to illicit traffic, but I still accept that where there is a will, there is a way.
At some point, you have to have disciplinary action be a part of the equation. If you are working with a 1:1, take their device away for a while. If not, revoke computer rights until they understand the expectations on their behavior. But you have to have your admin team back you up.
Do you have SSL inspection set up and the categories with the filters correctly applied?
We use a product called Iceni by Opendium. They have developed a way of blocking this - Zero-Configuration HTTPS Filtering | Opendium
Opendium added spoofing-detection back in March to block Hotspot Shield - it’s still effective at blocking it:
(This is quite robust since it doesn’t involve filtering based on the thousands of IP addresses that Hotspot Shield connects to).
Barracuda WSG just added new Hotspot Shield protection in version 12 https://campus.barracuda.com/product/websecuritygateway/article/BWF/ReleaseNotes/
I was actually in China in January and couldn’t seem to get any VPN I got from the App store to bypass their firewall. May have just been a fluke though.
They seem to have new IPs all the time. All belonging to EGI hosting.
Totally get the whole “if there’s a will there’s a way”, however it’s pretty difficult to tell if a user is actually using these VPNs because the traffic shows up as legitimate sites (e.g. paypal.com).
While disciplining users is fine, it’s not so practical when you have most of the school sitting on a VPN all day.
SSL inspection alone may not be a viable solution here. In any setup utilizing full SSL inspection, some domains are bound to be whitelisted from SSL inspection, such as domains of financial institutions or the domains required for Chromebook logins. In my tests using Wireshark, it appears as though Hotspot Shield uses a fake SNI to masquerade as a trusted website, such as paypal.com. It also uses a legitimate certificate for the website that it masquerades as, and it also uses a special client, which downloads the certificate without the need for a private key. To Wireshark, it appears like a perfectly normal connection to an SSL-inspection-whitelisted domain.
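One detection check a filter can run on the behaviour described above, without decrypting anything: pull the server_name out of the ClientHello and compare it against the addresses that name is actually expected to resolve to. This is an added example, not code from any poster or from Opendium, Barracuda or Fortinet; the ClientHello builder and the address table are constructed test data standing in for real DNS or passive-DNS lookups.

```python
import struct
import ipaddress
from typing import Optional

def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello handshake message (record layer stripped)."""
    # handshake type(1) + length(3) + version(2) + random(32) = 38 bytes before session id
    if len(client_hello) < 38 or client_hello[0] != 1:
        return None
    pos = 38
    pos += 1 + client_hello[pos]                                  # session id
    pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]     # cipher suites
    pos += 1 + client_hello[pos]                                  # compression methods
    if pos + 2 > len(client_hello):
        return None                                               # no extensions at all
    ext_total = struct.unpack_from("!H", client_hello, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
        pos += 4
        if ext_type == 0:                                         # server_name extension
            # list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack_from("!H", client_hello, pos + 3)[0]
            return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal ClientHello carrying one SNI (test input, not a real client)."""
    name = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_body)) + sni_body
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed table: networks a name is expected to resolve to (TEST-NET range, not real PayPal space).
EXPECTED_NETS = {"paypal.com": [ipaddress.ip_network("192.0.2.0/24")]}

def sni_mismatch(client_hello: bytes, dst_ip: str) -> bool:
    """True when the SNI names a host that the connection's destination IP does not belong to."""
    sni = parse_sni(client_hello)
    if sni is None or sni not in EXPECTED_NETS:
        return False                                  # unknown name: nothing to compare against
    ip = ipaddress.ip_address(dst_ip)
    return not any(ip in net for net in EXPECTED_NETS[sni])
```

A hit only says the name and the destination disagree; a production filter would feed the flagged flow into its category or application rules rather than drop it outright.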
Barracuda is garbage.
It’ll be quickly defeated.
Are you aware of what they are doing in order to block it?
The reason Astrill is popular at my work is because of the large amount of Chinese students. It is what they use when they are at home.
For legal reasons you are required to block inappropriate material. Block EGI hosting, if people say they can’t get to educational material and you find it on EGI, whitelist them. I doubt the number would be high.
In that case, are they really authenticating their servers? It would be very unlikely unless they have an out of band way to do it.
I think I’ve finally found a solution. I made a new post about it here. They seem to be doing some pretty neat stuff to stop them. I’ll let you know how my testing goes.
It looks like the way they’re doing it is to actually try and find all the Hotspot Shield server IPs and list them in a dedicated Hotspot Shield section of the Application Definitions