These are cloud-housed endpoints, so you “could” accidentally block something, but I doubt it. Also, this is just what I can dig up real quick. Depending on your location, I would limit traffic “off-continent” if possible.
If you manage the devices, I would block the extension using policy.
@edanpedragosa are you using DTTS? As it should block most VPNs de-facto. If you don’t then you’d have to create custom firewall rules in your router OS to block the endpoints along with ensuring they don’t make it on your adam:ONE policies which is pretty easy with whitelists but on a default allow policy you might want to add them to a blacklist just to be safe.
I already have set policies for our managed devices but devices we don’t control are still jumping for joy.
I hope Adam:ONE can provide an official block list that we can subscribe to stop the joy of those unblock tools from the gateway filter itself. I know they can make one, they’re the experts.
@atw: are you using DTTS? As it should block most VPNs de-facto.
atw’s recommendation is to use DTTS – something I agree with. Squashing every VPN/app that pops up would have to be someone’s full-time job. While I don’t work for them, I’m assuming this is probably outside the scope of the product.
DTTS is available at the “Business” subscription level (Get adam:ONE® | ADAMnetworks) at a $80 price point – plus the $800(!) onboarding package (although I don’t know how it works if you’re an existing customer – would be nice to know).
If these are not viable options for you, the only other thing I can think to recommend is to use a transparent proxy with SSL intercept and deep packet inspection. Which, again, is outside of the scope I believe.
If you have any more questions, I’ll try to help as best I can
I assumed the coloring was for emphasis, so try this:
80.254.112.116 (116.112.254.80.donpac.ru)
ROSTOV-TELEGRAF-AS PJSC Rostelecom Rostov-na-Dony (21479) Rostov, Russia
64.227.26.40
DIGITALOCEAN-ASN (14061) New Jersey, United States
161.35.54.85
DIGITALOCEAN-ASN (14061) New Jersey, United States
18.236.83.7 (ec2-18-236-83-7.us-west-2.compute.amazonaws.com)
AMAZON-02 (16509) Oregon, United States
154.53.45.244 (host.contabo.net)
CONTABO (40021) Missouri, United States
162.14.208.141
TENCENT-NET-AP Shenzhen Tencent Computer Systems Company Limited (45090) Beijing, China
50.116.54.157 (ip-50-116-54-157.cloudezapp.io)
AKAMAI-AP Akamai Technologies, Inc. (63949) New Jersey, United States
78.46.78.226 (tvoirecepty.ru)
HETZNER-AS (24940) North Rhine-Westphalia, Germany
112.121.100.249 (landscape.ics.com.tw)
DIGICENTRE-TW DigiCentre Company Limited (7532) Taiwan, Taiwan
2001:0DF1:7800:0002:0000:0000:0007:603A
CRI-AS-AP CV. Rumahweb Indonesia (58487) Jakarta, Indonesia
5.78.65.239 (static.239.65.78.5.clients.your-server.de)
HETZNER-CLOUD3-AS (212317) Oregon, United States
as well as
CN=167.71.19.131
OpenVPN Web CA 2021.11.08 07:58:46 UTC veepn
2021-11-07 — 2022-11-08
**167.71.19.131**
CN=cnazure-veepn-dr
cnazure-veepn-dr
2017-09-09 — 2027-09-07
cnazure-veepn-dr, cnazure-veepn-dr.yhcaldgdn0pethkpvt2o0it4jb.ex.internal.cloudapp.net
You can also always use Wireshark (https://www.wireshark.org) to discover what these extensions are connecting to, or audit the firewall logs. But you’ll quickly discover what a Sisyphean task this is.
You could try to stack NextDNS with your current resolvers using DNSHarmony. NextDNS has a category to block VPN/bypass methods, but I’m not sure how exhaustive it is. You would need to disable the NextDNS block page in its settings (they return 0.0.0.0 instead of NXDOMAIN), and set it up as a custom resolver in ADAM:one (My Dashboard).
The coloring tag is automatically done by this site depending probably on keywords.
As for:
“probably outside the scope of the product.”
It should be within their scope as a content filtering product; we subscribed to this service because it can block PSIPHON. That is why, if possible, I’m requesting an official Adam:ONE released block list rule that we can just turn on from our dashboards.
I’ve been doing a whack-a-mole thing prior to the Adam:ONE subscription, so I’m comfortable saying that the experts at Adam:ONE can soon come up with a solution.
“Don’t Talk to Strangers (DTTS)®
Trap your attackers. Shut them down WITHOUT the need of detection.
(European, US and Canadian patents 2020). Zero Trust Egress control that denies all outbound IP connections unless verified by an approved DNS lookup. This bullet proofs DNS based filtering to prevent circumvention by direct IP connections; advanced circumvention tools like Psiphon / TOR; or systemic failure of DNS based filtering by VPNs, DoH and DoT. The net result is preventing all C2 malware that use direct outbound connections as part of the attack vector from executing. As well as providing immunity against data extortion by preventing exfiltration of data from the protected network.”
I freely admit I thought this was a core feature of the product suite, turns out it’s not. I would consider this a fancy firewall that does sort of have an identity crisis. However, I’m sure that any alternative from rivals coughCiscocough are out of this world expensive.
experts at Adam:ONE can soon come up with a solution.
They have: DTTS
It was, quite frankly, luck to get the DoH list released to base subscribers. But if you take a look at what it is – it’s just a forwarding list. Therefore, someone played “whack-a-mole” for us. Dollars to donuts this list isn’t the same as the “Tier 1” maintained for MSP providers, as I believe those lists are prefixed with “MSS |”.
If this isn’t something you can afford, maybe look here: Transparent proxy
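The DTTS description quoted above (deny every outbound IP connection unless an approved DNS lookup produced that address) and the earlier note that a stacked resolver like NextDNS answers blocked names with 0.0.0.0 rather than NXDOMAIN both come down to the same mechanism: the resolver's answers are what populate the firewall's allow set. The following is an added toy model of that DNS-gated egress idea, written for this thread; it is not ADAMnetworks code and says nothing about how DTTS is actually implemented. Every domain, IP, TTL and the allow-list policy are constructed for illustration, and the `demo()` function runs the model against a constructed set of lookups and connection attempts.

```python
"""Toy model of DNS-gated egress control (the idea described in the quoted
DTTS text). Added illustration, not ADAMnetworks code. All names, IPs,
TTLs and policy entries below are constructed."""
import time

# Constructed policy: names the filtering resolver is allowed to answer.
ALLOWED_DOMAINS = {"example.com", "updates.example.net", "sinkholed.example"}

# Constructed stand-in for upstream resolver answers: name -> (ip, ttl).
FAKE_ZONE = {
    "example.com": ("93.184.216.34", 300),
    "updates.example.net": ("198.51.100.7", 60),
    "vpn-gateway.example.org": ("203.0.113.9", 300),  # not on the allow-list
    "sinkholed.example": ("0.0.0.0", 300),            # block-page style answer
}

# Answers a block page / sinkhole hands back instead of NXDOMAIN.
SINKHOLE_ANSWERS = {"0.0.0.0", "::"}


class DnsGatedEgress:
    """Resolver and egress check sharing one table of DNS-approved IPs."""

    def __init__(self, allowed_domains, zone, clock=time.time):
        self.allowed = set(allowed_domains)
        self.zone = zone
        self.clock = clock
        self.approved = {}  # ip -> expiry timestamp derived from the TTL

    def resolve(self, name):
        """Answer only allow-listed names; record the IP as approved for one TTL."""
        name = name.rstrip(".").lower()
        if name not in self.allowed or name not in self.zone:
            return None  # policy refuses the lookup, nothing gets approved
        ip, ttl = self.zone[name]
        if ip in SINKHOLE_ANSWERS:
            # A sinkhole answer must never turn 0.0.0.0 into an approved target.
            return None
        self.approved[ip] = self.clock() + ttl
        return ip

    def egress_allowed(self, dst_ip):
        """Permit the outbound connection only if a DNS answer approved dst_ip and its TTL has not lapsed."""
        expiry = self.approved.get(dst_ip)
        if expiry is None:
            return False  # direct-to-IP connection with no prior lookup
        if self.clock() > expiry:
            del self.approved[dst_ip]
            return False  # approval aged out with the record's TTL
        return True


def demo():
    """Run constructed lookups and connection attempts through the model."""
    now = [1000.0]  # fake clock so TTL expiry is deterministic
    gw = DnsGatedEgress(ALLOWED_DOMAINS, FAKE_ZONE, clock=lambda: now[0])
    results = {}
    results["lookup_allowed"] = gw.resolve("example.com")
    results["egress_after_lookup"] = gw.egress_allowed("93.184.216.34")
    # Direct IP connection that never went through an approved lookup.
    results["direct_ip_no_lookup"] = gw.egress_allowed("203.0.113.9")
    # Name outside the allow-list: the lookup itself is refused.
    results["vpn_lookup"] = gw.resolve("vpn-gateway.example.org")
    # Allow-listed name that the stacked resolver sinkholed to 0.0.0.0.
    results["sinkhole_lookup"] = gw.resolve("sinkholed.example")
    results["sinkhole_egress"] = gw.egress_allowed("0.0.0.0")
    now[0] += 301  # move past the 300 s TTL of example.com
    results["egress_after_ttl"] = gw.egress_allowed("93.184.216.34")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes for the blacklist-versus-whitelist discussion in this thread: with egress gated on approved lookups, a VPN client that connects straight to an IP is refused without anyone having to enumerate that IP first, and a name that is not on the allow-list never produces an approved address at all. The sinkhole check is the reason the NextDNS block page matters when resolvers are stacked: an answer of 0.0.0.0 is a block signal, not a destination, and must not be treated as an approval.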
As I’ve mentioned previously, we are already using DTTS and are also subscribed to MSS.
That is the very reason we subscribed to Adam:ONE, so someone can play ‘whack-a-mole’ for us and all we need to do is to turn on a switch to apply the new rule.
Are you running on Blacklisting policies?
If so, then the “whack-a-mole” game is still going.
Whitelisting is essential if you want to block VPNs, as some are now using domain names as well as IP addresses to connect, which makes the Blacklisting policies flawed.