topic Re: Blocking Psiphon 3 R80.10 in General Topics

Blocking Psiphon 3 R80.10

Ricardo_Andres_ — Tue, 20 Jun 2017 15:16:36 GMT

I'm trying to block Psiphon 3

I have blocked the single application, the category: anonymizers.

I have enabled the HTTPS Inspection for all the categories

The logs shows Psiphon is blocked but it's still working

Has anyone successfully blocked Psiphon 3 ???

Re: Blocking Psiphon 3 R80.10

Moti — Tue, 20 Jun 2017 20:45:58 GMT

Dameon Welch Abernathy mor himi

Re: Blocking Psiphon 3 R80.10

PhoneBoy — Tue, 20 Jun 2017 21:28:18 GMT

Psiphon, like many anonymizes, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

Re: Blocking Psiphon 3 R80.10

Ricardo_Andres_ — Tue, 20 Jun 2017 21:36:31 GMT

I really did block Psiphon3 with this configuration:

a) Enable HTTP Inspection in all categories

b) Block categories: Anonymizers, Unknown traffic

c) Block SSH in Firewall Layer (I had to allow ssh to my specific destinations)

The problem is: A few applications are not identified by Check Point, so they are blocked beacuse of the "unknown traffic" category drop

Re: Blocking Psiphon 3 R80.10

Idan_Sharabi — Wed, 21 Jun 2017 08:18:19 GMT

Hi Ricardo,

Full HTTPS inspection and blocking SSH protocol is indeed crucial for successful blocking of the Psiphon client.

Did you try to enforcing it without blocking 'Unknown Traffic' and failed to do so?

As Dameon stated above you may contact us via TAC and send us captures of the specific unblocked traffic, in the meanwhile we'll work on trying to reproduce the issue in our lab as well.

In case you are interested in adding new detection for apps which are currently not detected ("Unknown Traffic") you may submit a request via the following form and request a new application:

https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default.psml/js_pane/supportId%2CCreateServiceRequestId

Thanks,

Idan

Re: Blocking Psiphon 3 R80.10

Ricardo_Andres_ — Thu, 22 Jun 2017 19:43:29 GMT

Hi Idan,

I did try without blocking "unknown traffic" category, but Psiphon is not blocked. So, in my case it was necessary.

Re: Blocking Psiphon 3 R80.10

batmunkh_unubuk — Fri, 23 Jun 2017 00:47:37 GMT

still i have same problem. 1 year continue working with TAC. but they didnot solve my problem. Psiphon very fast getting new updates.

Re: Blocking Psiphon 3 R80.10

Christopher_Tan — Tue, 27 Jun 2017 08:06:15 GMT

You are correct Psiphon is quickly getting new updates, therefore the best way is to find the culprit. alert when there is a multiple ssh connection from same source. Fortunately, I have SIEM to do that.

Re: Blocking Psiphon 3 R80.10

Mahipal_Singh — Thu, 06 Jul 2017 20:00:39 GMT

I am also facing same issue, though i have blocked open SSH & unknown traffic also.

Re: Blocking Psiphon 3 R80.10

Sagar_Manandhar — Fri, 13 Oct 2017 13:47:05 GMT

Finally able to block the psiphon with the help of tac.

The procedure is :

-install the latest hotfix in both gateway and management (may or may not be required)

- Enable https inspection and generate the self sign certificate.

- generate self-signed certificate and install it on all PC of the network (Would be easy if Active Directory is in use)

- Make a Policy for https inspection with "https" and "http_and_https_proxy" with ACtion=Inspection

- Add url and application policy to block the category "support file sharing".

Note: the psiphon is block for only devices in which we install the self-sign certificate.

Thanks,

Sagar Manandhar

Re: Blocking Psiphon 3 R80.10

KennyManrique — Tue, 17 Oct 2017 22:03:34 GMT

Does not work without HTTPS Inspection?? What happens on BYOD scenarios??

I have a customer with a WiFi deployment for Students where each one has his own tablet to access shared resources and for Internet Access, according to policy all Media Sharing and Media Streams are blocked, but still bypassed with Psiphon because I can't deploy a certificate for those devices.

Any ideas of a workaround?

Regards.

Re: Blocking Psiphon 3 R80.10

Ewane_Don_Metug — Thu, 02 Nov 2017 16:47:53 GMT

Still looking for a work around to solve this with TAC.

Re: Blocking Psiphon 3 R80.10

MikeB — Fri, 02 Mar 2018 20:15:14 GMT

I also with the same issue in BYOD scenarios! Any suggestions???

Re: Blocking Psiphon 3 R80.10

PhoneBoy — Sat, 03 Mar 2018 22:54:24 GMT

Like I said previously:

Psiphon, like many anonymizes, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

Contact Support | Check Point Software

Others have suggested (earlier on the thread):

Blocking outbound SSH traffic to unknown servers
Blocking Unknown Traffic
Not allowing traffic on "all" ports, but specific ones

Obviously HTTPS Inspection is not always possible but is also effective as well.

Re: Blocking Psiphon 3 R80.10

PhoneBoy — Wed, 24 Oct 2018 19:01:59 GMT

Want to provide some update on this as the latest version of Psiphon has been updated to support QUIC.

In order to effectively block Psiphon, the following is needed:

Block Psiphon
Block Quic Protocol
Block SSH Protocol (using the service in R80.10 or the application in R77.X)
Block Unknown Traffic
Full https inspection on the client machine without exceptions

Re: Blocking Psiphon 3 R80.10

Mahipal_Singh — Thu, 25 Oct 2018 02:24:15 GMT

But if we block QUIC protocol, will it impact any google services traffic i.e. google search, google mail, YouTube etc.

Re: Blocking Psiphon 3 R80.10

PhoneBoy — Thu, 25 Oct 2018 02:55:21 GMT

I have not encountered any Google Service that also isn't available over traditional HTTP/HTTPS.