What is Psiphon?
Psiphon is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH, and HTTP Proxy technology to provide you with uncensored access to Internet content. Your Psiphon 3 client will automatically learn about new access points to maximize your chances of bypassing censorship.
Psiphon modes
Psiphon works in VPN and non-VPN mode and uses many detection-evasion techniques, so it cannot be blocked simply by denying the Psiphon application in the security policy.
If an allow-any rule is also configured on the NGFW, it is recommended to filter torrent and P2P traffic, malicious URLs, and the applications listed below.
NOTE: As new versions of the Psiphon app are released, you may have to identify and block new applications as well.
How to block Psiphon in VPN mode
Configure an access policy under the NGFW to block the applications below:
- L2TP
- IPSEC
- UNKNOWN_SSL
- ISAKMP
- PSIPHON
How to block Psiphon in non-VPN mode
Note: In the policy shown, Rules 2 and 3 block Psiphon in non-VPN and VPN mode respectively. Rule 1, which allows legitimate browsing traffic, is included for reference; in production you may have to create many such rules.
To block Psiphon in non-VPN mode, configure an SSL decryption profile for HTTPS together with the checks below.
Configure an access policy under the NGFW to block the applications below, based on the current version of the Psiphon app:
- BIGO
- HTTP
- HTTP_PROXY
- HTTP_TUNNEL
- PSIPHON
- QUIC
- SSH
- UNKNOWN_SSL
- UNKNOWN_TCP
- UNKNOWN_UDP
- ARES
- WTP
Psiphon also uses P2P/torrent connections, so the predefined application filter High-Risk-Applications is used in the same deny security policy to block such apps.
BEST PRACTICES
The NGFW policies for Psiphon in VPN and non-VPN mode are deliberately broad to account for its circumventing nature.
The network administrator must ensure that specific allow policies are placed on top to permit legitimate traffic that the Psiphon policies would otherwise block. At the same time, it must be ensured that no allow policy on top creates a hole through which Psiphon can connect.
SSL decryption is processing-intensive, so for traffic that does not need decryption (and that cannot carry Psiphon), it is advised to disable it with a rule on top under 'Decryption policies' whose Enforce Action is 'no-decrypt'.
Wherever possible (it is not mandatory), deploy endpoint security that blocks installation of such tools. This greatly reduces the need for NGFW and/or SSL decryption policy rules, and with it the chance of errors and their impact.
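The following Python model is an added example, not part of this article or of any vendor's policy syntax. It encodes the three-rule layout described above (Rule 1 allowing legitimate browsing, Rules 2 and 3 denying the non-VPN and VPN application sets), evaluates sample flows top to bottom with first-match semantics, and audits the rule order for the hole the best practices warn about: an allow rule on top that matches an application one of the deny rules is meant to block without any destination restriction narrowing it. The rule and flow fields, the domain names, and the two stand-in entries for the High-Risk-Applications filter are all assumptions made for the example.

```python
"""Constructed model of the three-rule NGFW policy for blocking Psiphon.
Field names, domains and the HIGH_RISK_APPS entries are assumptions for
this example; they are not any firewall vendor's actual syntax or data."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Application lists from the article (VPN mode and non-VPN mode). HIGH_RISK_APPS
# is a constructed stand-in for the firewall's predefined High-Risk-Applications filter.
VPN_MODE_APPS = frozenset({"L2TP", "IPSEC", "UNKNOWN_SSL", "ISAKMP", "PSIPHON"})
NON_VPN_MODE_APPS = frozenset({
    "BIGO", "HTTP", "HTTP_PROXY", "HTTP_TUNNEL", "PSIPHON", "QUIC", "SSH",
    "UNKNOWN_SSL", "UNKNOWN_TCP", "UNKNOWN_UDP", "ARES", "WTP"})
HIGH_RISK_APPS = frozenset({"BITTORRENT", "P2P_GENERIC"})  # constructed placeholder names

ANY = None  # a criterion left as None matches every value


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    apps: Optional[FrozenSet[str]] = ANY          # application match, ANY = all apps
    dst_domains: Optional[FrozenSet[str]] = ANY   # destination match, ANY = all destinations


@dataclass(frozen=True)
class Flow:
    app: str          # application identified by the NGFW (after decryption where needed)
    dst_domain: str


def matches(rule: Rule, flow: Flow) -> bool:
    return ((rule.apps is ANY or flow.app in rule.apps) and
            (rule.dst_domains is ANY or flow.dst_domain in rule.dst_domains))


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; anything unmatched is implicitly denied."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def find_holes(policy: List[Rule]) -> List[Tuple[str, str, FrozenSet[str]]]:
    """Report allow rules that sit above a deny rule, have no destination
    restriction, and match an application that deny rule is meant to block.
    Returns (allow_rule_name, deny_rule_name, leaked_apps) triples."""
    holes = []
    for i, allow in enumerate(policy):
        if allow.action != "allow" or allow.dst_domains is not ANY:
            continue
        for deny in policy[i + 1:]:
            if deny.action != "deny" or deny.apps is ANY:
                continue
            leaked = deny.apps if allow.apps is ANY else allow.apps & deny.apps
            if leaked:
                holes.append((allow.name, deny.name, leaked))
    return holes


# Policy as laid out in the article: Rule 1 allows legitimate browsing (pinned here to
# constructed approved domains), Rules 2 and 3 deny the non-VPN and VPN application sets.
POLICY = [
    Rule("1-allow-browsing", "allow", frozenset({"HTTP", "SSL"}),
         frozenset({"intranet.example", "vendor.example"})),
    Rule("2-deny-psiphon-nonvpn", "deny", NON_VPN_MODE_APPS | HIGH_RISK_APPS),
    Rule("3-deny-psiphon-vpn", "deny", VPN_MODE_APPS),
]

# The same Rule 1 with no destination restriction: because HTTP is in the non-VPN
# block list, this allow rule on top lets Psiphon's HTTP transport straight through.
LEAKY_POLICY = [Rule("1-allow-browsing", "allow", frozenset({"HTTP", "SSL"}))] + POLICY[1:]

if __name__ == "__main__":
    for flow in (Flow("HTTP", "intranet.example"), Flow("HTTP", "unknown.example"),
                 Flow("L2TP", "vpn.example"), Flow("SSL", "unknown.example")):
        print(flow, "->", evaluate(POLICY, flow))
    print("holes in POLICY:", find_holes(POLICY))
    print("holes in LEAKY_POLICY:", find_holes(LEAKY_POLICY))
```

Running the script shows HTTP to an approved domain passing on Rule 1, HTTP elsewhere and L2TP falling to Rules 2 and 3, and an unlisted SSL flow hitting the implicit deny. `find_holes` is empty for the destination-pinned policy and reports `HTTP` leaking past Rule 2 for the unrestricted variant, which is the check worth running whenever a new allow rule is added above the Psiphon deny rules.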