SOLVED - OPN Sense Network for application messages only (WhatsApp, WeChat)

[GabrielaSelby]

Hello everyone

I'm looking for a way to set up an open network for guests which only allows the transfer of messages over applications.
We want to keep the data transfer as light as possible, only a few KB per person.

The transfer of images/audio files/videos should be impossible.

So far I've thought of making a completely restricted network (No LAN traffic allowed) with the exception of a list of ports and networks pertaining to the following apps:
-Whatsapp
-WeChat
-Line
-Facebook Messenger

But I have no idea how to block media transfer.

[mimugmail]

This will only work with commercial products like ASA with additional license

[fabian]

In theory it is impossible to know the content of such a message but there is still metadata. For example, you can see that the connection to port 443 has lots of uplink traffic compared to downloads. From this perspective it is the job of a proxy or the IPS to drop the connection. Please note that this is very likely prone to errors.

[GabrielaSelby]

In theory it is impossible to know the content of such a message but there is still metadata. For example, you can see that the connection to port 443 has lots of uplink traffic compared to downloads. From this perspective it is the job of a proxy or the IPS to drop the connection. Please note that this is very likely prone to errors.

So if I were to filter every user on this network through a 20kbps pipe, theoretically the network would only allow messages since other transfers usually cancel themselves within the app. But is there a way to link specific ports to types of data transfer or should I stick to data throttling? I've found very little information about the way these apps work over a network, though I've mostly looked into WhatsApp since its my priority.

[BeNe]

So if I were to filter every user on this network through a 20kbps pipe, theoretically the network would only allow messages since other transfers usually cancel themselves within the app.

Can´t agree! As long as there is traffic allowed and flow, why should the app cancel themself ? Ok, it´s slow but still possible. Since the most Apps or Websites are SSL crypted you need to change the certificate on the Sense and play man-in-the-middle. Some apps doesn´t care about it - others does.

Sophos UTM or XG have such an "Application Control" feature. You have to pay for.

[fabian]

Since the most Apps or Websites are SSL crypted you need to change the certificate on the Sense and play man-in-the-middle. Some apps doesn´t care about it - others does.

This is wrong - the certificate does not need to be touched nor the TLS connection by itself. The only thing is that the connection can be dropped (TCP RST) after more traffic tries to cross the transparent proxy (for example more that 2 Mbit per second).

Sophos UTM or XG have such an "Application Control" feature. You have to pay for.

That information of probably off-topic.

[BeNe]

This is wrong - the certificate does not need to be touched nor the TLS connection by itself. The only thing is that the connection can be dropped (TCP RST) after more traffic tries to cross the transparent proxy (for example more that 2 Mbit per second).

Are you sure ? How do you know which Applications is current active inside a SSL Stream ?
Most Apps use a https connection. As long as you can´t see the data inside the stream you will be unable to know what happen. I can send images and audio files with WhatsApp or Threema with the speed of an "Edge" Mobile Network without any problems. That is not faster 2 Mbit and works.

That information of probably off-topic.

Of course,sorry!

[fabian]

Are you sure ? How do you know which Applications is current active inside a SSL Stream ?

Most TLS implementations include SNI which will include the hostname. When this is extracted, you can guess the application.

For example if the hostname includes the name of one vendor, it is probably from that vendor.

Most Apps use a https connection. As long as you can´t see the data inside the stream you will be unable to know what happen. I can send images and audio files with WhatsApp or Threema with the speed of an "Edge" Mobile Network without any problems. That is not faster 2 Mbit and works.

That was just an example. The data sent over the encrypted stream will increase if an image is sent instead of a plain text message.

[BeNe]

Most TLS implementations include SNI which will include the hostname. When this is extracted, you can guess the application.

Correct - i understand - could be a possible way if every Application deliver the needed TLS implementations include SNI.
So you need to generate your own list and collect all vendors signature. Sometimes it is maybe a holding company of apps or an intermediate.

The data sent over the encrypted stream will increase if an image is sent instead of a plain text message.

Also correct. But you will not be sure what it is exactly. You can guess with the amount of data - but you will never know it. There are many way of course.

I´m interested how GabrielaSelby will solve the problem. Please keep us up to date 

[GabrielaSelby]

Thank you very much for your input, I'll be testing this system over the next few weeks might take months to finish the entire network since its meant to be used at high latitudes, but I will share my solution or at least experience with this issue as I continue.

Edit: At the moment I'm looking into how deep I can go with traffic shaping rather than proxy filtering for different kinds of data transfer, since the open network will be dedicated to apps and not regular internet usage so it wont impact other users.

[mimugmail]

In theory it is impossible to know the content of such a message but there is still metadata. For example, you can see that the connection to port 443 has lots of uplink traffic compared to downloads. From this perspective it is the job of a proxy or the IPS to drop the connection. Please note that this is very likely prone to errors.

So if I were to filter every user on this network through a 20kbps pipe, theoretically the network would only allow messages since other transfers usually cancel themselves within the app. But is there a way to link specific ports to types of data transfer or should I stick to data throttling? I've found very little information about the way these apps work over a network, though I've mostly looked into WhatsApp since its my priority.

Within one of the next versions there will be a delay option in the pipe so you can also add a delay of e.g. 2000ms of http traffic. Should be fine for text, but not browsing ..

But this is a really ugly trick

[GabrielaSelby]

Update ~ Successful initial trial!


So this is how I did it

Via Firewall Aliases set up the following domains list:
•   whatsapp.com
•   whatsapp.net
•   wechat.com
•   wechat.net
•   messenger.com
•   www.facebook.com
•   orcart.facebook.com
•   fbstatic-a.akamaihd.net
•   api.facebook.com
•   orcart.facebook.com
•   fbexternal-a.akamaihd.net
•   fbcdn-profile-a.akamaihd.net
•   graph.facebook.com

Open the following ports (both TCP and UDP) on the firewall for outgoing traffic:
•   80
•   443
•   5222
•   5223
•   5228

Next, setup traffic shaping.
Pipe all download on the network (destination) at 256kbps
Pipe all upload on the network (destination) at 64kbps

Add these firewall Rules along with the outgoing ports
https://www.dropbox.com/s/9je3c8th3d3klom/Screenshot%202018-04-23%2012.22.14.png

(Ignore the first one thats just the default Open Kimono I use before cracking down on my firewalls)

And voila!


Results

Now the network has only been functioning for about 24 hours.
So far, text messaging is possible on Whatsapp, We Chat and Facebook Messenger.
Voice messages are only allowed through on WeChat if they are short enough.
Image transfer fails on all 3.
Voice calls fails on all 3.
Video chat fails on all 3.
No browsing is possible so far.
We have not seen any http traffic, and the network is wide open on the WiFi no authentication.

Note: On cellphones you may get a warning that the network doesn't have a connection to the internet since its locked down so tight, just ignore it and add an exception in the device.

I'll do another update once there's customer feedback.

Line wasn't ever necessary for this system, but I still haven't figured out how to let it through thats sort of a pet project of mine, might try again in the future.