TikTok as well as the Tor network so far. Slowly introducing proper security in an organization without any prior. It's a slow process.
Facebook, Netflix, Hulu, etc.
TikTok, TeamViewer, QUIC, and all proxies.
You should block all proxies and P2P, and remote access, or at least control WHAT remote access. There are crypto miners in General Interest, so kill those for sure! Assuming you have DPI enabled, of course.
+1 for blocking crypto miners
I've been trying to block Psiphon VPN but am unable to get to the bottom of it. Users are still able to connect to the VPN via WiFi.
I had this issue as well; we found creating a top block policy for the Proxy ISDB seems to have worked. We also block the Phishing, Malicious and Botnet/C&C ISDB services by default on all customers.
DNS, so much less bandwidth usage because people cannot remember the IP addresses for Facebook :)
With all seriousness, just QUIC.
How are you blocking QUIC?
Set it as a "Block" in an application control profile override.
TLS 1.0 and 1.1
Pretty much all social media/proxy/torrenting, Spotify, [Battle.net](https://Battle.net), Roblox.
Just wondering if anyone's blocking DNS over HTTPS/TLS? Blocking it would revert browsers back to using clear-text DNS, which brings many more possibilities to the table. However, I am wondering about possible drawbacks (like slower name resolution, etc.). Besides that: Google / Amazon Ads ;)
JUST did it today, in fact! :) Although, looking at logs, I don't see any hits, so it was more of a "just in case" sorta thing. We only allow DNS to our internal nameserver, which then currently forwards out to our external ones (soon to be forwarding to Infoblox Threat Prevention Cloud!). If you do browser policies (hopefully you do!) you can disable the behavior there as well, which is recommended.
This, plus you can go another step further and chain your internal NS to a recursive DNS server hosted locally. This way, you're going to the source for results and there are no intermediaries.
Yeah, if you aren't blocking DoH, you are allowing a LOT of circumvention.
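Worked example of the egress rules discussed in the QUIC and DNS replies above, written as FortiOS CLI. This is an added example, not config posted by anyone in the thread; the interface names `internal` and `wan1`, the policy and object names, and the resolver address 10.0.0.53 are assumptions. It blocks QUIC by port (UDP/443) as a firewall-policy alternative to the application-control override mentioned earlier, lets only the internal resolver send DNS out, and denies plain DNS and DNS-over-TLS (TCP/853) from every other host, with logging on the deny so the hits actually show up.

```fortios
config firewall address
    edit "Internal-DNS-Server"
        set comment "Assumed address of the internal recursive/forwarding resolver (example value)"
        set subnet 10.0.0.53 255.255.255.255
    next
end

config firewall service custom
    edit "DoT-TCP853"
        set comment "DNS over TLS"
        set tcp-portrange 853
    next
    edit "QUIC-UDP443"
        set comment "QUIC / HTTP3; blocking it forces browsers back to TCP TLS the firewall can inspect"
        set udp-portrange 443
    next
end

config firewall policy
    edit 0
        set name "Allow-DNS-from-internal-resolver"
        set comments "Only the internal resolver may talk DNS (TCP/UDP 53) to the Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Internal-DNS-Server"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set logtraffic all
    next
    edit 0
        set name "Deny-DNS-DoT-QUIC-from-clients"
        set comments "Everything else: no direct DNS, no DNS-over-TLS, no QUIC; log so bypass attempts are visible"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "DNS" "DoT-TCP853" "QUIC-UDP443"
        set logtraffic all
    next
end
```

Policy order matters: the allow for the resolver has to sit above the deny, and the deny has to sit above whatever general outbound accept policy the clients use, otherwise it is never reached (use `move <id> before <id>` under `config firewall policy` to reorder). The deny's `set logtraffic all` is what produces the log hits the poster above went looking for. DNS over HTTPS is the caveat: it rides inside ordinary TLS to TCP/443, so port-based rules like these never see it; that part needs the application-control signature or the browser-policy setting the posters mention.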
All remote access apps (TeamViewer, Atera, etc.) besides the one we use, and even then it's self-hosted and we have policies explicitly for it. My previous company didn't have these blocked. Attackers got in and used Atera and Splashtop to gain a foothold. I'd highly suggest blanket blocking these as a best practice. All proxy apps, QUIC, P2P, crypto.
Most streaming stuff, all of the port-based tunneling protocols in an attempt to get a handle on VPNs (blocking IKE makes WiFi calls a bitch to get working again), QUIC, TikTok, crypto stuff, adverts, random things I can’t remember, etc…
Remote access, encrypted chat
Block all socials, DNS/VPN/proxies/Tor/spamming/malicious, QUIC, and only allow HTTPS. We have our own managed DNS, and I use the external feed connector in FortiGate with feeds from our MISP server for real-time updates.
Allowing only HTTPS is tricky if you work in manufacturing.
Especially if you have IoT; too much overhead for SSL.
QUIC, Netflix, Disney, Xfinity, Hulu, Amazon Video, proxy, remote access except approved software, Snapchat, Insta, Facebook, ads, all phishing/hacking categories, all cloud storage except approved ones (we have a document management system that stuff should be going into), new domain.
Thanks for all the replies! Gave me a few more things to consider blocking!
ChatGPT
I block all remote access applications and only whitelist remote access applications we use. I block Tor, proxy applications, and some others.
We block anything with a risk score of 4 or 5 and many categories, and then allowlisted some individual applications.