zenmate?

  • 2
  • Question
  • Updated 3 years ago
  • Answered
Hi,
I work in an international school and just came across Zenmate https://zenmate.io/ and their impressive Chrome extension: anything coming out of Chrome is encrypted and encapsulated so that it goes through your firewall and bypasses any filtering to exit somewhere around the world (so far I've seen Hong Kong, Germany, Switzerland, UK, USA).
My question is: is there any chance that the HiveManager might be able, in the very near future, to detect such traffic so I can, at least, know who is using the extension?

Thanks,
Yves
Yves Yoseph

Posted 4 years ago

McArenas
We are seeing a lot of SSL traffic from our HMOL Dashboard recently, and we are suspecting that our users have been using this to mask their web activity and it effectively bypasses OpenDNS even though WebProxy/Anonymizer is blocked. 

Wonder if the 6.1r3's Application signature has this included. 


Matt Kopp
Sidebar: regarding the OpenDNS filtering. If you have the OpenDNS Umbrella installed (which Aerohive does support...), you can still filter HTTPS traffic. The big note is that OpenDNS, of course, only filters at L7, so if they've gotten smart and used IPs, you'd have to be more creative. Also, Web Proxy/Anonymizers are only blocked, again, at L7. If they're using IPs or physical Anonymizers, no luck (I know from experience).
Roberto Casula, Champ
ZenMate seems to make an initial request to api.zenguard.biz, presumably to log the user in and obtain the current list of available proxies. It then makes a connection to the individual proxy (which seem to have hostnames like gbXX.zenguard.org).

You can easily add a custom application signature for that initial request (just add a custom app with type HTTPS and hostname api.zenguard.biz). This will check and match on the SSL client HELLO's hostname field.

I suspect trying to block the service using a firewall policy with this custom app will not successfully block the service - there are probably evasion techniques it will fall back to if the initial request to api.zenguard.biz fails (I would hope so, otherwise this is not a very well-written system!!), for example using cached information, not specifying the hostname in the client HELLO or using a distributed discovery system.

However from a quick test, adding a custom application like the above will at least give you some information about who is using the service.

I have checked on our Palo Alto firewall, and currently it does not detect this application either (just classifies the traffic as generic SSL). Again, could add a custom signature - might be able to do a little more as Palo Alto allows the use of wildcard matching (e.g. *.zenguard.org) which I don't believe Aerohive currently supports (at least when I tried using wildcards, the application signature was not triggered).
Roberto Casula, Champ
Hmmm. Looks like I gave them too much credit.

On the Palo Alto, just blocking using a custom app signature with regexes on the SSL client hello looking for:

.*\.zenguard\.biz and .*\.zenguard\.org

seems to be enough to prevent it working!

I have tried using an IP firewall policy with a custom application on Aerohive matching HTTPS hostname with *.zenguard.biz and *.zenguard.org, but this does not appear to work quite as reliably as on the Palo Alto for some reason. There is still stuff that sneaks past Aerohive that is detected by the Palo Alto's app signature.

However, with the above rule in place on Aerohive, if I disable the extension in Chrome, and then re-enable, it does not work. Presumably this causes the extension to have to log in to the ZenMate application again from scratch.

Looks like that initial call to api.zenguard.biz IS blocked, and this is enough to prevent the extension working (at the moment). Seems a bit amateurish, but that's what my testing shows. YMMV.
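To make concrete what Roberto's custom HTTPS-hostname app (first post) and the client-hello regexes (second post) actually match on, here is an added example that is not code from the thread, Aerohive or Palo Alto: a small Python parser that pulls the server_name (SNI) out of a TLS ClientHello, applies a suffix match equivalent to *.zenguard.org, and reports "unknown-ssl" when the hello carries no hostname at all, which is the fallback case Roberto speculated about. The ClientHello bytes are constructed inside the block for testing, not captured traffic.

```python
import struct

BLOCKED_SUFFIXES = ("zenguard.biz", "zenguard.org", "zenmate.io")  # domains from the thread


def extract_sni(record):
    """Return the server_name from a complete TLS ClientHello record, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                      # skip headers, client_version, random
    p += 1 + record[p]                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                  # compression_methods
    if p + 2 > len(record):
        return None                     # no extensions block at all (legacy hello)
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if ext_type == 0:               # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None


def matches_blocklist(hostname):
    """Exact or sub-domain match, so api.zenguard.biz and gb12.zenguard.org both hit."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in BLOCKED_SUFFIXES)


def classify(record):
    """'zenmate', 'other', or 'unknown-ssl' when the hello carries no SNI at all."""
    sni = extract_sni(record)
    if sni is None:
        return "unknown-ssl"
    return "zenmate" if matches_blocklist(sni) else "other"


def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2-style ClientHello for testing (not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A hello with no SNI is exactly what a hostname-based signature cannot see, which is why such traffic shows up only as generic SSL on a firewall dashboard.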
McArenas
Thanks for the tip.

At our end, we were able to block ZenMate by applying a Global Block to the following domains:

zenguard.biz
zenguard.org
zenmate.io

tariq bushra
Zenmate isn't blocked yet. My clients are using Zenmate for blocked websites and it is running. Proxy server is Mikrotik 5.18.
Kindly give me a solution.

Tariq Hussain
System Administrator
Dr. Ziauddin Hospital University
00923222425582

aamir
Send me your Skype.
aamir@netox.net
Kunwar Faizan
Make yourself a DNS server on the existing server and make A records for the following websites:

zenguard.biz
zenguard.org
zenmate.io

Redirect them to a dead link or maybe to the loopback address. The other way is to use a better proxy server like Squid on Linux (very easy to make). This wouldn't work on a transparent proxy; to do it on a transparent proxy, try SSL bumping.
Roberto Casula, Champ
FYI, the latest Palo Alto application update includes a definition for zenmate.
Andrew MacTaggart, Champ
Just adding a screenshot


aamir
I blocked ZenMate on MikroTik RouterOS using a Layer7 regexp filter. The regexp syntax:

^.+(api.zenguard.biz|zenmate.io|zenguard.zendesk.com|zendesk.com|zenguard.org).*$

First create a Layer7 protocol.

Then create a firewall filter and add the Layer7 protocol in the filter rule, e.g. denied (in my case the filter name is denied).

Select action = reject (or you can simply select drop).
Select log if you want to see real-time requests.
reject-with = icmp network unreachable or admin prohibited.

Click OK to save, and put the rule on top of everything.

Now click Log to view real-time ZenMate drop requests.

For help email me at
aamir@netox.net
OMAIR
Can anyone tell me whether ZenMate traffic is blocked in TMG or not? Reply to my email "realumair47@yahoo.com".