What is the best way to prevent users from using VPN services/apps?

Users will try to avoid policies by using a VPN on their phone. It seems to get easier, and less complex, to do each day.

What is a good way to prevent/block this?

Any info is much appreciated.

Good luck. This sounds like a losing battle. I’m assuming you are in government because I don’t understand the point of these kinds of tasks in the corporate world.

On a positive note, you can implement this, which feels like a best-effort attempt on Meraki’s part. Probably not 100% but easy to implement at least.

https://community.meraki.com/t5/Security-SD-WAN/Blocking-VPN-outbound-IPVanish/td-p/14351

No such way as far as I know.

Application control filter on my Fortinets can block VPNs.

I’m with other users on this one; what you need to do here is set up a group policy that keeps them at a low per-client bandwidth rate appropriate for your network, then assign that group policy to your wireless VLAN. (If you don’t have your wireless and wired networks on separate VLANs, now is a good time to get that cleared up as well.)

What is a good way to prevent/block this?

Fire them if they intentionally bypass policy. This is a management issue, not a technical one.

Some apps that can consume a lot of data, and bog down the wireless network, are easily blocked in Meraki. Netflix, for example, has its own category. Blocked. Done.

Now someone flips to their VPN app, while on the wireless, starts streaming (Netflix, for example) again.

They’ll just flip to cellular? Please do! I’m not playing fun police here. Do what you want on the cell network.

There is plenty of bandwidth to go around for normal use. But when everyone starts streaming, it’s hard to get anything done on your tablet, smartphone, etc.

But yes, you can block the phones from the network. And Meraki lets you provide a message that appears next time they connect. That is a good feature.

Thanks for this. Good info.

My example is above on why block this in the corporate world.

Firing productive people with a good knowledge base over a policy violation such as this is short-sighted. You fire people when they can’t do their jobs, aren’t productive, and so on. When the issue is a question of bandwidth, you talk to your workers like they were adults concerned with the interests of the company and their co-workers’ ability to do work.

I’ve seen the fire ’em over usage policy play out. Lost people who were vital, who were never replaced, and watched systems decay and die because the person who could support them was let go.

Ehh. I’m not a manager nor in HR.

Besides. That takes time. IT pros get paid to fix problems and fix them fast.

If it’s a bandwidth issue, just do per-user BW limits.

Ahhh, I see. In limited bandwidth situations I can respect these kinds of problems/solutions.

Right, so it’s not your problem. You do the reasonable thing that your equipment supports, and if users are violating that, it’s HR’s problem, not IT.

Or create policy for mobile devices that neuters their bandwidth. 320kb/s with burst, you’ll be fine for email and messaging, but you won’t be coming to work to update 72 applications on your iPhone or watching Netflix.

You said “fire them”. I’m not a manager nor in HR. Anyhoot, neg away trigger’d boi

Yes, that’s even better yet.

I didn’t say *you* fire them, but the business needs to take action. It isn’t an IT issue.