Ricardo_Andres_
Contributor

Blocking Psiphon 3 R80.10

I'm trying to block Psiphon 3

I have blocked the single application, the category: anonymizers.

I have enabled the HTTPS Inspection for all the categories

The logs show Psiphon is blocked, but it's still working.

Has anyone successfully blocked Psiphon 3?

16 Replies
Moti
Admin
Admin

0 Kudos
PhoneBoy
Admin
Admin

Psiphon, like many anonymizers, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

0 Kudos
Ricardo_Andres_
Contributor

I really did block Psiphon3 with this configuration:

a) Enable HTTP Inspection in all categories

b) Block categories: Anonymizers, Unknown traffic

c) Block SSH in Firewall Layer (I had to allow ssh to my specific destinations)

The problem is: a few applications are not identified by Check Point, so they are blocked because of the "unknown traffic" category drop.

Idan_Sharabi
Employee Alumnus
Employee Alumnus

Hi Ricardo,

Full HTTPS inspection and blocking SSH protocol is indeed crucial for successful blocking of the Psiphon client.

Did you try enforcing it without blocking 'Unknown Traffic' and failed to do so?

As Dameon stated above, you may contact us via TAC and send us captures of the specific unblocked traffic; in the meantime we'll work on trying to reproduce the issue in our lab as well.

In case you are interested in adding new detection for apps which are currently not detected ("Unknown Traffic") you may submit a request via the following form and request a new application:

https://usercenter.checkpoint.com/usercenter/portal/media-type/html/role/usercenterUser/page/default... 

Thanks,

Idan

Ricardo_Andres_
Contributor

Hi Idan,

I did try without blocking "unknown traffic" category, but Psiphon is not blocked. So, in my case it was necessary.

0 Kudos
Ewane_Don_Metug
Explorer

Still looking for a work around to solve this with TAC.

0 Kudos
batmunkh_unubuk
Contributor

I still have the same problem. For 1 year I have been working with TAC, but they did not solve my problem. Psiphon is getting new updates very fast.

0 Kudos
Christopher_Tan
Explorer

You are correct, Psiphon is quickly getting new updates; therefore the best way is to find the culprit: alert when there are multiple SSH connections from the same source. Fortunately, I have a SIEM to do that.

0 Kudos
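The SSH fan-out alert described in the post above, as an added example that is not the poster's SIEM rule: it scans constructed firewall-style log lines and flags any source that opened SSH to several distinct, non-allowlisted destinations inside a short window (the allowlist stands in for the "specific destinations" earlier posts still permit SSH to). The log format, field order, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed: "time src dst dport action");
# 10.1.1.5 opens SSH to four different hosts within seconds.
SAMPLE_LOGS = """\
2024-01-01T10:00:01 10.1.1.5 203.0.113.10 22 accept
2024-01-01T10:00:03 10.1.1.5 203.0.113.11 22 accept
2024-01-01T10:00:05 10.1.1.5 203.0.113.12 22 accept
2024-01-01T10:00:07 10.1.1.5 203.0.113.13 22 accept
2024-01-01T10:00:09 10.1.1.9 203.0.113.10 443 accept
2024-01-01T10:00:11 10.1.1.9 198.51.100.7 22 accept
2024-01-01T10:20:00 10.1.1.5 203.0.113.14 22 accept
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def ssh_fanout_alerts(log_text, threshold=3, window=timedelta(minutes=5),
                      allowlist=frozenset()):
    """Return {src: set_of_dsts} for every source that reached SSH on at
    least `threshold` distinct destinations within any `window`.
    Destinations in `allowlist` (sanctioned SSH servers) are ignored."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, action = parse_line(line)
        if dport != 22 or action != "accept" or dst in allowlist:
            continue
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        # Slide the window from each event; collect distinct targets inside it.
        for i, (start, _) in enumerate(evs):
            in_window = {d for t, d in evs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts[src] = alerts.get(src, set()) | in_window
    return alerts


if __name__ == "__main__":
    for src, dsts in ssh_fanout_alerts(SAMPLE_LOGS).items():
        print(f"ALERT {src}: SSH to {len(dsts)} hosts: {sorted(dsts)}")
```

Tune `threshold`, `window` and `allowlist` to the environment; one source fanning SSH out to many unknown hosts is the pattern, not a single SSH session.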
Mahipal_Singh
Employee
Employee

I am also facing the same issue, though I have blocked open SSH and unknown traffic as well.

0 Kudos
Sagar_Manandhar
Advisor

Finally able to block Psiphon with the help of TAC.

The procedure is:

- Install the latest hotfix on both gateway and management (may or may not be required)

- Enable HTTPS inspection and generate the self-signed certificate.

- Generate the self-signed certificate and install it on all PCs on the network (would be easy if Active Directory is in use)

- Make a policy for HTTPS inspection with "https" and "http_and_https_proxy" with Action=Inspection

- Add a URL and application policy to block the category "support file sharing".

Note: Psiphon is blocked only for devices on which we installed the self-signed certificate.

Thanks,

Sagar Manandhar

KennyManrique
Advisor

Does it not work without HTTPS Inspection? What happens in BYOD scenarios?

I have a customer with a WiFi deployment for students where each one has his own tablet to access shared resources and for Internet access. According to policy, all Media Sharing and Media Streams are blocked, but they are still bypassed with Psiphon because I can't deploy a certificate for those devices.

Any ideas of a workaround?

Regards.

MikeB
Advisor

I also have the same issue in BYOD scenarios! Any suggestions?

0 Kudos
PhoneBoy
Admin
Admin

Like I said previously:

Psiphon, like many anonymizers, evolves specifically to avoid detection.

As a result, from time to time, the application signature needs to be updated.

I recommended engaging with the TAC and providing some packet captures so we can take a look.

Contact Support | Check Point Software 

Others have suggested (earlier on the thread):
  • Blocking outbound SSH traffic to unknown servers
  • Blocking Unknown Traffic
  • Not allowing traffic on "all" ports, but specific ones

Obviously HTTPS Inspection is not always possible, but it is also effective.

0 Kudos
PhoneBoy
Admin
Admin

I want to provide an update on this, as the latest version of Psiphon has been updated to support QUIC.

In order to effectively block Psiphon, the following is needed:

  1. Block Psiphon
  2. Block the QUIC protocol
  3. Block the SSH protocol (using the service in R80.10 or the application in R77.X)
  4. Block Unknown Traffic
  5. Full HTTPS inspection on the client machine without exceptions
Mahipal_Singh
Employee
Employee

But if we block the QUIC protocol, will it impact any Google services traffic, i.e. Google Search, Google Mail, YouTube, etc.?

0 Kudos
PhoneBoy
Admin
Admin

I have not encountered any Google Service that also isn't available over traditional HTTP/HTTPS.
