
Blocking Psiphon 3 R80.10

I'm trying to block Psiphon 3

I have blocked the single application, the category: anonymizers.

I have enabled the HTTPS Inspection for all the categories

The logs show Psiphon as blocked, but it is still working.

Has anyone successfully blocked Psiphon 3 ???

16 Replies
Admin

Re: Blocking Psiphon 3 R80.10

Psiphon, like many anonymizers, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommend engaging with the TAC and providing some packet captures so we can take a look.

0 Kudos

Re: Blocking Psiphon 3 R80.10

I really did block Psiphon3 with this configuration:

a) Enable HTTPS Inspection in all categories

b) Block categories: Anonymizers, Unknown traffic

c) Block SSH in Firewall Layer (I had to allow ssh to my specific destinations)

The problem is: a few applications are not identified by Check Point, so they are blocked because of the "Unknown Traffic" category drop.

Employee

Re: Blocking Psiphon 3 R80.10

Hi Ricardo,

Full HTTPS Inspection and blocking the SSH protocol are indeed crucial for successful blocking of the Psiphon client.

Did you try enforcing it without blocking 'Unknown Traffic' and fail to do so?

As Dameon stated above, you may contact us via TAC and send us captures of the specific unblocked traffic; in the meantime we'll work on trying to reproduce the issue in our lab as well.

In case you are interested in adding new detection for apps which are currently not detected ("Unknown Traffic") you may submit a request via the following form and request a new application:

https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default... 

Thanks,

Idan

Re: Blocking Psiphon 3 R80.10

Hi Idan,

I did try without blocking "unknown traffic" category, but Psiphon is not blocked. So, in my case it was necessary.

0 Kudos

Re: Blocking Psiphon 3 R80.10

Still looking for a work around to solve this with TAC.

0 Kudos

Re: Blocking Psiphon 3 R80.10

I still have the same problem. I have been working with TAC for a year, but they did not solve my problem. Psiphon gets new updates very fast.

0 Kudos

Re: Blocking Psiphon 3 R80.10

You are correct, Psiphon is quickly getting new updates, therefore the best way is to find the culprit: alert when there are multiple SSH connections from the same source. Fortunately, I have a SIEM to do that.

0 Kudos
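The SIEM-side detection the reply above describes (alert on a single source fanning out over SSH to several destinations) can be prototyped offline. The script below is an added example, not the poster's SIEM rule or anything from Check Point; the key=value log layout, field names and sample lines are constructed for illustration, and the threshold, time window and allowlist of known SSH servers are assumptions to tune for your environment. Because Psiphon also uses other transports, the same function is parameterised by protocol and port so it can be pointed at UDP/443 (QUIC) as well.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, Check Point-like key=value layout.
# They are made up for this example and are not real logs from the thread.
SAMPLE_LOGS = """\
time=2019-03-01T10:00:01 src=10.1.2.20 dst=203.0.113.10 proto=tcp dport=22 action=accept
time=2019-03-01T10:00:05 src=10.1.2.20 dst=203.0.113.11 proto=tcp dport=22 action=accept
time=2019-03-01T10:00:09 src=10.1.2.20 dst=203.0.113.12 proto=tcp dport=22 action=accept
time=2019-03-01T10:00:12 src=10.1.2.20 dst=198.51.100.7 proto=tcp dport=22 action=accept
time=2019-03-01T10:00:20 src=10.1.2.20 dst=198.51.100.8 proto=udp dport=443 action=accept
time=2019-03-01T10:01:00 src=10.1.2.30 dst=192.0.2.5 proto=tcp dport=22 action=accept
time=2019-03-01T10:30:00 src=10.1.2.30 dst=192.0.2.5 proto=tcp dport=22 action=accept
time=2019-03-01T10:02:00 src=10.1.2.40 dst=192.0.2.9 proto=tcp dport=443 action=accept
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn key=value lines into dicts; 'time' becomes a datetime, 'dport' an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%dT%H:%M:%S")
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def fan_out_alerts(events, proto="tcp", dport=22, threshold=3,
                   window=timedelta(minutes=5), allowlist=frozenset()):
    """Flag each source that reaches at least `threshold` distinct destinations
    on proto/dport inside any `window`-long span. Destinations in `allowlist`
    (the SSH servers users are legitimately allowed to reach) are ignored, so
    an admin hammering one known jump host does not trigger the rule."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == proto and e["dport"] == dport and e["dst"] not in allowlist:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        # Sliding window anchored at each event; small inputs, so O(n^2) is fine.
        for i, start in enumerate(evs):
            seen = {e["dst"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= threshold:
            alerts.append({"src": src, "proto": proto, "dport": dport,
                           "distinct_dst": len(best), "dsts": sorted(best)})
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for a in fan_out_alerts(events):                          # SSH fan-out
        print("SSH fan-out:", a)
    for a in fan_out_alerts(events, proto="udp", dport=443):  # QUIC fan-out
        print("QUIC fan-out:", a)
```

With the constructed sample, only 10.1.2.20 is reported (four distinct SSH destinations within eleven seconds); 10.1.2.30 repeatedly reaching one server is not. Adding the three 203.0.113.x hosts to the allowlist drops 10.1.2.20 below the threshold, which is the behaviour you want once known SSH servers are excluded.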
Employee+

Re: Blocking Psiphon 3 R80.10

I am also facing the same issue, though I have blocked open SSH and unknown traffic as well.

0 Kudos

Re: Blocking Psiphon 3 R80.10

Finally able to block Psiphon with the help of TAC.

The procedure is:

- Install the latest hotfix on both gateway and management (may or may not be required).

- Enable HTTPS Inspection and generate the self-signed certificate.

- Install the self-signed certificate on all PCs of the network (this is easy if Active Directory is in use).

- Make a policy for HTTPS Inspection with "https" and "http_and_https_proxy" with Action = Inspect.

- Add a URL and application policy to block the category "Support file sharing".

Note: Psiphon is blocked only for devices on which we install the self-signed certificate.

Thanks,

Sagar Manandhar

Re: Blocking Psiphon 3 R80.10

Does it not work without HTTPS Inspection? What happens in BYOD scenarios?

I have a customer with a WiFi deployment for Students where each one has his own tablet to access shared resources and for Internet Access, according to policy all Media Sharing and Media Streams are blocked, but still bypassed with Psiphon because I can't deploy a certificate for those devices.

Any ideas of a workaround?

Regards.

Re: Blocking Psiphon 3 R80.10

I also have the same issue in BYOD scenarios! Any suggestions?

0 Kudos
Admin

Re: Blocking Psiphon 3 R80.10

Like I said previously:

Psiphon, like many anonymizers, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommend engaging with the TAC and providing some packet captures so we can take a look.

Contact Support | Check Point Software 

Others have suggested (earlier on the thread):
  • Blocking outbound SSH traffic to unknown servers
  • Blocking Unknown Traffic
  • Not allowing traffic on "all" ports, but specific ones

Obviously HTTPS Inspection is not always possible, but it is also effective.

0 Kudos
Admin

Re: Blocking Psiphon 3 R80.10

Want to provide some update on this as the latest version of Psiphon has been updated to support QUIC.

In order to effectively block Psiphon, the following is needed:

  1. Block Psiphon
  2. Block QUIC Protocol
  3. Block SSH Protocol (using the service in R80.10 or the application in R77.X)
  4. Block Unknown Traffic
  5. Full https inspection on the client machine without exceptions
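To see why each of the five items above is needed, the script below simulates an ordered access rulebase against a handful of Psiphon-like flows, once with HTTPS Inspection off and once with it on. This is an added example, not Check Point code and not a description of how the gateway classifies traffic internally; the rule names, service objects, the IP addresses, the flows and the simplifying model that an app carried inside TLS is seen only as "https" until the session is inspected are all constructed for illustration. The same model also reproduces Ricardo's observation earlier in the thread that a Psiphon variant without a signature only gets caught by the "Unknown Traffic" drop.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str          # "tcp" or "udp"
    dport: int
    dst: str
    app: str            # what App Control would classify with full payload visibility
    tls: bool = False   # payload carried inside TLS


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "accept" or "drop"
    services: frozenset = frozenset()    # {(proto, port)}; empty = any service
    apps: frozenset = frozenset()        # application names; empty = any app
    dsts: frozenset = frozenset()        # destination IPs; empty = any destination


def classify(flow, https_inspection):
    """Assumed model: without HTTPS Inspection the gateway cannot look inside TLS,
    so anything tunnelled in TLS is only ever seen as plain 'https'."""
    if flow.tls and not https_inspection:
        return "https"
    return flow.app


def evaluate(rules, flow, https_inspection):
    """First-match evaluation of an ordered rulebase, implicit cleanup drop."""
    app = classify(flow, https_inspection)
    for r in rules:
        if r.services and (flow.proto, flow.dport) not in r.services:
            continue
        if r.apps and app not in r.apps:
            continue
        if r.dsts and flow.dst not in r.dsts:
            continue
        return r.name, r.action
    return "Cleanup", "drop"


# Constructed rulebase following the five-step list from the thread.
RULES = [
    Rule("Allow SSH to jump host", "accept", frozenset({("tcp", 22)}),
         dsts=frozenset({"203.0.113.5"})),
    Rule("Block SSH", "drop", frozenset({("tcp", 22)})),
    Rule("Block QUIC", "drop", frozenset({("udp", 443)})),
    Rule("Block Psiphon", "drop", apps=frozenset({"Psiphon"})),
    Rule("Block Unknown Traffic", "drop", apps=frozenset({"Unknown Traffic"})),
    Rule("Allow web", "accept", frozenset({("tcp", 80), ("tcp", 443)})),
]

# Constructed flows: one legitimate admin session, one normal TLS app, and the
# transports Psiphon can fall back to (SSH, QUIC, TLS with and without a signature).
FLOWS = [
    Flow("admin-ssh-jumphost", "tcp", 22, "203.0.113.5", "ssh"),
    Flow("psiphon-ssh", "tcp", 22, "198.51.100.7", "Psiphon"),
    Flow("psiphon-quic", "udp", 443, "198.51.100.8", "Psiphon"),
    Flow("psiphon-tls-signed", "tcp", 443, "198.51.100.9", "Psiphon", tls=True),
    Flow("psiphon-tls-unsigned", "tcp", 443, "198.51.100.10", "Unknown Traffic", tls=True),
    Flow("gmail", "tcp", 443, "192.0.2.25", "Gmail", tls=True),
]


def run_matrix(rules=RULES, flows=FLOWS):
    """Return {flow name: (verdict without inspection, verdict with inspection)}."""
    return {f.name: (evaluate(rules, f, False), evaluate(rules, f, True)) for f in flows}


if __name__ == "__main__":
    for name, (off, on) in run_matrix().items():
        print(f"{name:22} no-inspection={off}  inspection={on}")
    without_unknown = [r for r in RULES if r.name != "Block Unknown Traffic"]
    print("unsigned variant, inspection on, no Unknown Traffic rule:",
          run_matrix(without_unknown)["psiphon-tls-unsigned"][1])
```

Reading the matrix: the SSH and QUIC drops work regardless of inspection, but both TLS-tunnelled variants are accepted by the generic web rule until HTTPS Inspection is on, and even then the unsigned variant only falls to the "Unknown Traffic" rule. Removing that rule lets it through again, which matches the reports earlier in the thread.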
Employee+

Re: Blocking Psiphon 3 R80.10

But if we block the QUIC protocol, will it impact any Google services traffic, e.g. Google Search, Gmail, YouTube, etc.?

0 Kudos
Admin

Re: Blocking Psiphon 3 R80.10

I have not encountered any Google Service that also isn't available over traditional HTTP/HTTPS.