• TCB13@lemmy.world · ▲9 · 9 months ago

    Just because something is “technically” possible doesn’t mean its scalability and costs are actually a considerable option.

    Any mid-range / price firewall solution is capable of effectively blocking most VPN solutions. Both OVPN and WireGuard VPN traffic are trivial to identify as such and block. Here’s an example and another.

    Btw, I’ve never seen something like that, my VPN worked even in China, and that must mean something…

    China’s great firewall works a little bit differently. They aren’t actively blocking certain kinds of traffic by default because that would mean a large DPI effort they don’t want to undertake. Also if you google a bit about it you’ll find that people’s experiences are mostly “my VPN worked fine for a day/week/month and then it was blocked”. It seems they’ve some IPs and domains blocked and the rest is some kind of machine learning that applies rules as it sees fit, this guy here has a good analysis of it.

    • NoLifeKing@ani.social · ▲3 ▼3 · 9 months ago

      As said, I’ve never seen a network that even tried to block any kind of VPN, and I have seen numerous networks… I kinda built them even. Good, I don’t think anyone outside of a clownshow authoritarian circlejerk would even try to do that.

      There is however a problem you forgot. VPNs are very very necessary when you work with sensitive data in BtoB, wanna do a remote checkup of a server? You better use a fucking VPN or you ain’t getting in. Wanna help someone over TeamViewer? That’s not much different from a VPN…

      And there is still TOR…

      China’s great firewall works a little bit differently. They aren’t actively blocking certain kinds of traffic by default because that would mean a large DPI effort they don’t want to undertake. Also if you google a bit about it you’ll find that people’s experiences are mostly “my VPN worked fine for a day/week/month and then it was blocked”. It seems they’ve some IPs and domains blocked and the rest is some kind of machine learning that applies rules as it sees fit, this guy here has a good analysis of it.

      Interesting. Well it was some years ago.

      • TCB13@lemmy.world · ▲5 ▼1 · 9 months ago

        As said, I’ve never seen a network that even tried to block any kind of VPN, and I have seen numerous networks… I kinda built them even. Good, I don’t think anyone outside of a clownshow authoritarian circlejerk would even try to do that.

        All the serious companies (financial sector) I worked for so far did it, because, as I linked, it is really easy with any cheap firewall solution.

        clownshow authoritarian circlejerk

        Well… a bank could be considered that indeed, but you know, security concerns and all.

        VPNs are very very necessary when you work with sensitive data in BtoB, wanna do a remote checkup of a server? You better use a fucking VPN or you ain’t getting in.

        So what? A company can use a firewall to block VPNs when the target IP isn’t on some whitelist, or the source computer isn’t authorized to use VPNs. On those high security setups at banks and whatnot, client machines inside the company network won’t need to touch a VPN to do a “remote checkup of a server” at some cloud provider, as the network will be configured to internally route the traffic from all computers / users (backed by SSO/AD credentials) to access those resources via a special VPN setup on some router / server.

        Wanna help someone over TeamViewer? That’s not much different from a VPN…

        Fortinet and WatchGuard can both distinguish a VPN from TeamViewer. They can actually do much more than that, even TeamViewer from RDP or VNC is just a couple of clicks on their UIs.
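As an added example (not code from any commenter, and not a vendor's implementation), here is a small Python classifier that recognises the fixed wire formats of WireGuard and OpenVPN session-opening packets, the property that makes this traffic easy for a firewall to identify, and then applies the egress policy described above: VPN flows pass only from an authorized source (the dedicated VPN gateway) to an allowlisted destination, and are blocked from any other host. The host addresses, the datagrams and the policy tables are constructed sample data; a production firewall uses more signals than these first-packet checks.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # host inside the company network
    dst: str        # destination IP on the internet
    dport: int
    payload: bytes  # first UDP datagram of the flow


# WireGuard: 1-byte message type, then three reserved zero bytes. The three
# handshake message types have fixed total lengths.
WG_FIXED = {1: (148, "wg-handshake-init"),
            2: (92, "wg-handshake-resp"),
            3: (64, "wg-cookie-reply")}


def classify_wireguard(p: bytes):
    """Return a WireGuard label for the datagram, or None."""
    if len(p) < 4 or p[1:4] != b"\x00\x00\x00":
        return None
    mtype = p[0]
    if mtype in WG_FIXED:
        size, label = WG_FIXED[mtype]
        return label if len(p) == size else None
    # Type 4 transport: 16-byte header + ciphertext padded to 16 + 16-byte tag.
    if mtype == 4 and len(p) >= 32 and (len(p) - 32) % 16 == 0:
        return "wg-transport"
    return None


# OpenVPN control channel: first byte = opcode (high 5 bits) | key id (low 3
# bits), followed by an 8-byte session id. These opcodes open a new session.
OPENVPN_RESET = {7: "openvpn-hard-reset-client",
                 8: "openvpn-hard-reset-server",
                 10: "openvpn-hard-reset-client-v3"}


def classify_openvpn(p: bytes):
    """Return an OpenVPN label for a session-opening datagram, or None."""
    # opcode(1) + session id(8) + ack array length(1) + packet id(4) is the
    # smallest plain-mode reset; tls-auth/tls-crypt add HMAC and replay fields.
    if len(p) < 14:
        return None
    opcode, key_id = p[0] >> 3, p[0] & 0x07
    if opcode not in OPENVPN_RESET or key_id != 0:
        return None
    return OPENVPN_RESET[opcode]


# Constructed policy tables (hypothetical addresses from documentation ranges).
AUTHORIZED_VPN_SOURCES = {"10.0.5.20"}       # the dedicated VPN gateway
ALLOWED_VPN_DESTINATIONS = {"203.0.113.10"}  # the cloud provider's endpoint


def decide(flow: Flow):
    """Return (verdict, label): VPN traffic passes only on the approved path."""
    label = classify_wireguard(flow.payload) or classify_openvpn(flow.payload)
    if label is None:
        return ("allow", None)  # not VPN: ordinary firewall rules apply
    if flow.src in AUTHORIZED_VPN_SOURCES and flow.dst in ALLOWED_VPN_DESTINATIONS:
        return ("allow", label)
    return ("block", label)


# Constructed sample datagrams (not real captures).
WG_INIT = bytes([1, 0, 0, 0]) + b"\x00" * 144                        # 148 bytes
OVPN_RESET = bytes([7 << 3]) + b"\x11" * 8 + b"\x00" + b"\x00" * 4   # 14 bytes
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"       # a DNS query

SAMPLE_FLOWS = [
    Flow("10.0.7.33", "198.51.100.5", 51820, WG_INIT),    # workstation -> unknown
    Flow("10.0.5.20", "203.0.113.10", 51820, WG_INIT),    # gateway -> allowlisted
    Flow("10.0.7.33", "198.51.100.5", 1194, OVPN_RESET),  # workstation -> unknown
    Flow("10.0.7.33", "192.0.2.53", 53, DNS_LIKE),        # not VPN at all
]


def run_demo():
    """Evaluate every sample flow and return the list of (verdict, label)."""
    return [decide(f) for f in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (verdict, label) in zip(SAMPLE_FLOWS, run_demo()):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict:5}  {label}")
```

The point of the two classifiers is that neither protocol hides its handshake: WireGuard's initiation is always exactly 148 bytes with a fixed first word, and an OpenVPN hard reset announces itself in its opcode byte, so a firewall can match the first datagram of a flow and never needs to inspect the encrypted payload. The policy step is what TCB13 describes: the match alone is not the block; the source host and destination allowlist decide.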

        • NoLifeKing@ani.social · ▲2 · 9 months ago

          The systems I’m used to are used in hospitals and banks as well, they are rather a setup of closed off machines that can only communicate internally and a second system that gets necessary data outside, the inner circles don’t get internet at all in these setups and they aren’t connected to the outside circle, they are closed off completely. The outside communication builds on a VPN (or sometimes a physical fiber cable) to get to the necessary network (outside databases, or servers that stand in another building/facility for example) where they do their business, the computers in that circle aren’t standalone machines, they just start a virtual machine on a server. Incoming traffic goes through a filter that is strictly white-list for all traffic, but you can’t do that as an ISP (you can’t do your method as an ISP either); outgoing traffic is also white-list only. (yes we are assholes and block people from using Facebook at work)

          It’s just impossible to even start a VPN from these systems unless you have administrator privileges, so I’m not used to your way of doing it. Maybe some day I need to learn about that more, as things get more and more connected the systems I’m used to aren’t up to standard anymore it seems. I still like the airgap for safety.

          • TCB13@lemmy.world · ▲2 ▼2 · 9 months ago (edited)

            It’s just impossible to even start a VPN from these systems unless you have administrator privileges, so I’m not used to your way of doing it.

            That’s also the policy for the majority of the machines/users but there are a few that do have admin privileges like IT teams and whatnot and even if they manage to install a VPN solution (the app would most likely get blocked by endpoint security either way) they couldn’t communicate to the outside because the firewalls, as I described, are all set to block VPN traffic. Except for those situations I specified above.

            The bottom line is: distrust everything, everyone and anything. Even if you can ensure nobody can install a VPN application on their computers, assume someone might get around that and add proper firewall checks and blocks as well.