On 10/11/05, Jim Naslund <jnaslund at gmail dot com> wrote:
> Hi,
>
> I'm trying to block VPN access from my network because people are
> connecting to a nearby campus with VPN and downloading
> through direct connect that way. I made a firewall rule that rejected UDP
> packets destined for port 500 but this did not prevent access.
> The VPN connection I'm trying to block uses IPSec. Any suggestions?
>
Depends on just how it does IPsec. IPsec on many VPN devices can be
tunneled over any TCP port. Also it uses the ESP protocol in many
cases, so block that. I'd also block GRE to break PPTP, while you're
at it.
If the user has complete control over the remote VPN device, there is
no way to block access to it unless you know the destination IP and
can drop it off entirely (and hope they don't move to another dst IP).
If the user has control of the device, they can do any number of
things to get around your blocking, like going through TCP/443 (HTTPS)
or TCP/80 (HTTP) which you likely can't block (unless you drop
everything outbound from users and force the use of a proxy).
In the end, this is a technical solution to a people problem, which is
rarely the best solution.
-Chris
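Added example, not from the thread: the reply's point is that rejecting UDP/500 only blocks the IKE negotiation, while the data channel (ESP, or UDP/4500 with NAT traversal) and a PPTP setup (TCP/1723 plus GRE) pass untouched, and an IPsec tunnel wrapped in TCP/443 is indistinguishable from HTTPS. The script below classifies constructed flow-log lines (the log format is made up for this example) against those indicators, emits the matching Linux iptables rules for each indicator actually seen (iptables is assumed; the thread names no firewall), and lists the flows that no port or protocol rule can identify.

```python
import re
from collections import Counter

# Protocol names and ports used by IPsec and PPTP (IANA assignments).
IKE_PORT = 500          # ISAKMP/IKE over UDP: the only thing a UDP/500 rule stops
NAT_T_PORT = 4500       # IPsec NAT traversal: ESP encapsulated in UDP
PPTP_PORT = 1723        # PPTP control channel over TCP
DATA_PROTOS = {"esp", "ah", "gre"}   # IP protocols 50, 51 and 47: the data channels

# Constructed flow-log format for this example (not any real product's):
#   <timestamp> <src> -> <dst> <proto>[/<dport>]
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+)\s+"
    r"(?P<proto>[a-z]+)(?:/(?P<dport>\d+))?$"
)

def parse_flow(line):
    """Parse one constructed flow line into a dict; dport is None for non-TCP/UDP."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"]) if flow["dport"] else None
    return flow

def classify(flow):
    """Name the VPN indicator a flow carries, or None when it looks like
    ordinary traffic (e.g. IPsec tunnelled over TCP/443 or TCP/80)."""
    proto, dport = flow["proto"], flow["dport"]
    if proto == "udp" and dport == IKE_PORT:
        return "ike"
    if proto == "udp" and dport == NAT_T_PORT:
        return "ipsec-nat-t"
    if proto in DATA_PROTOS:
        return proto
    if proto == "tcp" and dport == PPTP_PORT:
        return "pptp-control"
    return None

# One FORWARD-chain iptables rule per indicator. REJECT on the negotiation
# ports gives clients a fast failure; DROP silences the data channels.
RULES = {
    "ike": f"iptables -A FORWARD -p udp --dport {IKE_PORT} -j REJECT",
    "ipsec-nat-t": f"iptables -A FORWARD -p udp --dport {NAT_T_PORT} -j REJECT",
    "esp": "iptables -A FORWARD -p esp -j DROP",
    "ah": "iptables -A FORWARD -p ah -j DROP",
    "gre": "iptables -A FORWARD -p gre -j DROP",
    "pptp-control": f"iptables -A FORWARD -p tcp --dport {PPTP_PORT} -j REJECT",
}

def audit(lines):
    """Return (indicator counts, rules needed for what was seen, unclassified flows)."""
    counts = Counter()
    unclassified = []
    for line in lines:
        flow = parse_flow(line)
        tag = classify(flow)
        if tag is None:
            unclassified.append(flow)
        else:
            counts[tag] += 1
    rules = [RULES[tag] for tag in sorted(counts)]
    return counts, rules, unclassified

# Constructed sample: one IPsec client, one NAT-T client, one PPTP client,
# and two flows on 443/80 that could be a tunnel or could be plain browsing.
SAMPLE_FLOWS = [
    "2005-10-11T09:00:00 10.0.0.5 -> 192.0.2.10 udp/500",
    "2005-10-11T09:00:01 10.0.0.5 -> 192.0.2.10 esp",
    "2005-10-11T09:00:02 10.0.0.5 -> 192.0.2.10 esp",
    "2005-10-11T09:00:03 10.0.0.7 -> 192.0.2.10 udp/4500",
    "2005-10-11T09:00:04 10.0.0.9 -> 198.51.100.4 tcp/1723",
    "2005-10-11T09:00:05 10.0.0.9 -> 198.51.100.4 gre",
    "2005-10-11T09:00:06 10.0.0.11 -> 198.51.100.4 tcp/443",
    "2005-10-11T09:00:07 10.0.0.11 -> 203.0.113.2 tcp/80",
]

if __name__ == "__main__":
    counts, rules, unclassified = audit(SAMPLE_FLOWS)
    for tag, n in sorted(counts.items()):
        print(f"{tag:13s} {n} flow(s)")
    print("\nrules to add:")
    print("\n".join(rules))
    print(f"\n{len(unclassified)} flow(s) not identifiable by port/protocol alone:")
    for f in unclassified:
        print(f"  {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
```

Run against the sample, the audit shows five indicators and emits five rules, and still leaves the two TCP/443 and TCP/80 flows unclassified; that residue is exactly the case the reply describes, where only a default-deny outbound policy with a proxy, or a conversation with the users, closes the gap.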