Blocking Phone Apps with Firewall Policies

For the past few days, I've been trying to block social media/streaming sites on our company network. My strategy has been to create aliases such as Social_Media_Sites and adding FQDNs to the list such as www.facebook.com, facebook.com, and *.facebook.com, etc. I read somewhere that putting the FQDNs in aliases instead of directly in firewall policies is more dynamic when it comes to DNS resolution. Not sure if that's true but it's definitely cleaner looking. Then I create a firewall policy for each alias that denies HTTPS traffic from a specific firewall group to that alias. This has worked fine when it comes to web browsers like Chrome and Edge, even though it seems to be delayed sometimes, possibly due to DNS. The weird thing is that when using the app from my iPhone, I am still able to use the certain apps even though the FQDN is blocked. For example, I am still able to send pictures on the Snapchat app even though it is blocked. I am even able to see that it's being denied and matching the policy in Traffic Manager on the firebox. Is there something I'm missing?

Comments

  • edited June 2021

    You need to log allowed traffic to see what is going out.
    You could use a DNS proxy, and on Query Names, set both matched & non-matched to Log.
    Then you can see what domain names are trying to be accessed.

    Also, if you have Application Control, you can block lots of applications.

  • A few years ago, I wasted many hours/days/weeks trying to get control of mobile devices. It was like playing whack-a-mole. Some of these apps use all kinds of techniques to avoid being blocked - IP addresses instead of FQDNs and urls that seem to change regularly or have long alpha numeric paths. Blocking using DNS works, but it is also a lot of work. I suspect that this the reason we have not seen DNSWatch GO for mobile phones/devices.

    The other big problem is that they use client side certificates, which means that HTTPS proxy is pretty much useless even you manage to get the Firewall Certificate loaded onto the phone. This was all with Android 7, the everything changed again with Android 8 and I needed to start the process again. So I gave up!

    In the end, I stuck all the phones on their own VLAN and their own SSID with no direct connection to the internal network. Nasty things they are!

    Adrian from Australia

  • @xxup said:
    In the end, I stuck all the phones on their own VLAN and their own SSID with no direct connection to the internal network. Nasty things they are!

    It's not perfect but while I do things like put mobile devices in their own "guest" VLAN, one other thing I did a while ago was to block DNS-over-TLS (TCP port 853) as some mobile devices will use this if the DNS server its configured for is compatible (Google's 8.8.8.8 is one of them).
    Recent Android devices, if they have their "Private DNS" setting set to Automatic or a defined server name, will use DNS over TLS when available.

    Blocking DNS over HTTPS (DoH) I haven't gotten to trying to block yet, as I'm not sure if it'll require HTTPS packet inspection or whether Application Control can figure this out.

  • You can read comments about DoH here, from Oct 2020:

    DNSWatch and DNS over HTTPS (DoH) - Chrome
    https://community.watchguard.com/watchguard-community/discussion/comment/5172

    The feature requests mentioned by James have not been implemented yet.

Sign In to comment.