Problem
Users on BYOD devices can try to use VPN services to bypass the firewall and web filter. This is both a security risk and a safeguarding risk because it gives the user access to sites and services that are not normally available.
Methods to use for blocking VPN traffic
Web filter only
When the Smoothwall is used as a web filter only, the options are limited. Since the web filter only manages HTTP(S) traffic, only VPN software using HTTP(S) will be affected by the web filter, and then only if the client is using proxy settings or is being transparently filtered. VPN clients that try to send non-HTTPS traffic over HTTPS ports are blocked, because the proxy recognizes that the traffic is not HTTPS. VPNs that use HTTPS itself are blocked if HTTPS inspection is used.
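The following is an added illustration, not Smoothwall's implementation, of the kind of check that lets a proxy recognize non-HTTPS traffic on an HTTPS port: it tests whether the first bytes a client sends form a TLS ClientHello. The function name and the sample byte strings are constructed for this example; VPNs that use HTTPS itself are the case the paragraph above leaves to HTTPS inspection.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
MAX_RECORD = 2 ** 14   # largest plaintext TLS record
MIN_HELLO_BODY = 41    # version(2)+random(32)+sid len(1)+suites(2+2)+compression(1+1)


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a client sends on TCP 443.

    Returns 'tls-client-hello', 'not-tls', or 'incomplete' (keep buffering).
    """
    if data and data[0] != TLS_HANDSHAKE:
        return "not-tls"                      # decidable from the first byte
    if len(data) < 9:
        return "incomplete"                   # need record + handshake headers
    _, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if major != 3 or minor > 4:
        return "not-tls"                      # record version must be 3.0-3.4
    if not 4 <= rec_len <= MAX_RECORD:
        return "not-tls"                      # record must hold a handshake header
    if data[5] != CLIENT_HELLO:
        return "not-tls"                      # a client must open with ClientHello
    if int.from_bytes(data[6:9], "big") < MIN_HELLO_BODY:
        return "not-tls"                      # too short to be a real ClientHello
    return "tls-client-hello"


# Constructed samples (not captured traffic).
# Minimal TLS ClientHello: record header, handshake header, version, random,
# empty session id, one cipher suite, null compression.
TLS_HELLO = (bytes.fromhex("160301002d" "01000029" "0303") + bytes(32)
             + bytes.fromhex("00" "0002" "1301" "0100"))
# OpenVPN over TCP: 2-byte length, opcode byte 0x38
# (P_CONTROL_HARD_RESET_CLIENT_V2 << 3), session id, empty ack list, packet id.
OPENVPN_TCP = bytes.fromhex("000e" "38") + bytes(8) + bytes.fromhex("00" "00000000")
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"

if __name__ == "__main__":
    for name, sample in [("tls", TLS_HELLO), ("openvpn", OPENVPN_TCP),
                         ("ssh", SSH_BANNER)]:
        print(f"{name:8s} {classify_first_bytes(sample)}")
```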
Firewall only
We recommend that you use the layer 7 application filtering options when you use the Smoothwall as a firewall. Blocking the entire VPN section effectively closes down all VPN usage for the sources configured in the policy.
Web filter and firewall
When you use the Smoothwall as both a firewall and a web filter, combine the options described above.
Another option is to block all outgoing traffic in a firewall policy, especially for BYOD networks. Web traffic using a transparent or non-transparent proxy won't be affected by firewall rules, so the majority of applications on user BYOD devices will still work fine. Any additional ports and protocols that some applications require can always be allowed in a firewall policy.
As always, Smoothwall support can assist you and explain what you need to do to shut down client VPN usage from your networks.