This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ricardo_Andres_
Contributor
‎2017-06-20 08:16 AM

Blocking Psiphon 3 R80.10

I'm trying to block Psiphon 3

I have blocked the single application, the category: anonymizers.

I have enabled the HTTPS Inspection for all the categories

The logs shows Psiphon is blocked but it's still working

Has anyone successfully blocked Psiphon 3 ???

16 Replies
PhoneBoy
Admin
Admin
‎2017-06-20 02:28 PM

Psiphon, like many anonymizes, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

0 Kudos
Ricardo_Andres_
Contributor
‎2017-06-20 02:36 PM
In response to PhoneBoy

I really did block Psiphon3 with this configuration:

a) Enable HTTP Inspection in all categories

b) Block categories: Anonymizers, Unknown traffic

c) Block SSH in Firewall Layer (I had to allow ssh to my specific destinations)

The problem is: A few applications are not identified by Check Point, so they are blocked beacuse of the "unknown traffic" category drop

Idan_Sharabi
Employee Alumnus
Employee Alumnus
‎2017-06-21 01:18 AM
In response to Ricardo_Andres_

Hi Ricardo,

Full HTTPS inspection and blocking SSH protocol is indeed crucial for successful blocking of the Psiphon client.

Did you try to enforcing it without blocking 'Unknown Traffic' and failed to do so?

As Dameon stated above you may contact us via TAC and send us captures of the specific unblocked traffic, in the meanwhile we'll work on trying to reproduce the issue in our lab as well.

In case you are interested in adding new detection for apps which are currently not detected ("Unknown Traffic") you may submit a request via the following form and request a new application:

https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default... 

Thanks,

Idan

Ricardo_Andres_
Contributor
‎2017-06-22 12:43 PM
In response to Idan_Sharabi

Hi Idan,

I did try without blocking "unknown traffic" category, but Psiphon is not blocked. So, in my case it was necessary.

0 Kudos
Ewane_Don_Metug
Explorer
‎2017-11-02 09:47 AM
In response to Idan_Sharabi

Still looking for a work around to solve this with TAC.

Psiphon filtering Checkmate.pdf
Preview file
533 KB
0 Kudos
batmunkh_unubuk
Contributor
‎2017-06-22 05:47 PM

still i have same problem. 1 year continue working with TAC. but they didnot solve my problem. Psiphon very fast getting new updates. 

0 Kudos
Christopher_Tan
Explorer
‎2017-06-27 01:06 AM
In response to batmunkh_unubuk

You are correct Psiphon is quickly getting new updates, therefore the best way is to find the culprit. alert when there is a multiple ssh connection from same source. Fortunately, I have SIEM to do that.

0 Kudos
Mahipal_Singh
Employee
Employee
‎2017-07-06 01:00 PM

I am also facing same issue, though i have blocked open SSH & unknown traffic also.

0 Kudos
Sagar_Manandhar
Advisor
‎2017-10-13 06:47 AM

Finally able to block the psiphon with the help of tac.

The procedure is :

-install the latest hotfix in both gateway and management (may or may not be required)

- Enable https inspection and generate the self sign certificate.

- generate self-signed certificate and install it on all PC of the network (Would be easy if Active Directory is in use)

- Make a Policy for https inspection with "https" and "http_and_https_proxy" with ACtion=Inspection

- Add url and application policy to block the category "support file sharing".

Note: the psiphon is block for only devices in which we install the self-sign certificate. 

Thanks,

Sagar Manandhar

KennyManrique
Advisor
‎2017-10-17 03:03 PM
In response to Sagar_Manandhar

Does not work without HTTPS Inspection?? What happens on BYOD scenarios??

I have a customer with a WiFi deployment for Students where each one has his own tablet to access shared resources and for Internet Access, according to policy all Media Sharing and Media Streams are blocked, but still bypassed with Psiphon because I can't deploy a certificate for those devices.

Any ideas of a workaround?

Regards.

MikeB
Advisor
‎2018-03-02 12:15 PM
In response to KennyManrique

I also with the same issue in BYOD scenarios! Any suggestions??? 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-03-03 02:54 PM

Like I said previously:

Psiphon, like many anonymizes, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

Contact Support | Check Point Software 

Others have suggested (earlier on the thread):
  • Blocking outbound SSH traffic to unknown servers
  • Blocking Unknown Traffic
  • Not allowing traffic on "all" ports, but specific ones

Obviously HTTPS Inspection is not always possible but is also effective as well.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-24 12:01 PM

Want to provide some update on this as the latest version of Psiphon has been updated to support QUIC.

In order to effectively block Psiphon, the following is needed:

  1. Block Psiphon
  2. Block Quic Protocol
  3. Block SSH Protocol (using the service in R80.10 or the application in R77.X)
  4. Block Unknown Traffic
  5. Full https inspection on the client machine without exceptions
Mahipal_Singh
Employee
Employee
‎2018-10-24 07:24 PM
In response to PhoneBoy

But if we block QUIC protocol, will it impact any google services traffic i.e. google search, google mail, YouTube etc.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-24 07:55 PM
In response to Mahipal_Singh

I have not encountered any Google Service that also isn't available over traditional HTTP/HTTPS.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top