Change IP/Geographic Location and Fool Zscaler

Cisco Umbrella has developed beyond just DNS. It now has what’s known as SWG (secure web gateway) and the Cisco Umbrella Roaming client which has a proxy and routes http/https traffic as well.

As far as not being able to access certain apps, I haven’t tested this blocking Umbrella yet. But there’s no reason to block Umbrella anyway if your traffic is still being tunneled and your location appears as your normal closest data center. Cisco AnyConnect however is definitely required to access some apps that require work servers for their data, but this also runs over top of Wireguard just fine.

It’s no more illegal than the work trip your company pays for when you go meet a customer abroad for a week or two. Or the vacation you took with PTO but brought your phone or laptop to do a little work if there was something urgent. There’s no reason to be a dramatic stickler unless you’re working with sensitive information like something you signed an NDA for or similar. All the export controlled things in my industry are hardware or software installed on that hardware. I don’t touch that and most digital nomads are not doing that either.

Umbrella is maybe SWG junior at this point, but they are trying to move in that direction… until next quarter when Cisco goes in another direction. AnyConnect is a VPN, so that’s also nothing like Zscaler. As I said, lots of customers run one or multiple VPNs with Zscaler, it just depends on their config. Many customers are blocking VPN, since it’s ancient tech, and vulnerable to attack and lateral movement, but there are lots of customers who still have it around and/or don’t block its use.

It’s no more illegal than the work trip your company pays for when you go meet a customer abroad for a week or two. Or the vacation you took with PTO but brought your phone or laptop to do a little work if there was something urgent. There’s no reason to be a dramatic stickler unless you’re working with sensitive information like something you signed an NDA for or similar.

That’s not true. It is very different, and very illegal. That’s why there are so many lawsuits and government programs to find people illegally working. Going on vacation and doing work in a foreign country is not legal. You are required to get a work visa, just like if you travel for business, and your company must pay the relevant taxes while you are working there. Do people do this and get away with it? 100%. That doesn’t mean it’s legal, or something companies aren’t going to have a problem with.

It has nothing to do with the type of data you work with, it’s violating the labor and tax laws in the country you are in. Even between many US states, companies are required to report and pay taxes if employees are traveling outside their home state (in terms of company location, not literal house). I am based in MA, and after working a project in NYC, my company ended up with sanctions and a large tax bill from NY, since they are required to pay taxes for my work in that state. I’m not being a stickler, but again what OP is asking for is help breaking several laws and company policies (they already state this is not allowed at their company), so I’m just calling out that while there could be ways to do this technically, if they are caught, they could end up in trouble.

No one, who uses wireguard and enters as a tourist, is getting deported for tax fraud. It’s a non-issue.

In fact, many countries want the added tourism dollars since digital nomads spend a multiple of what the locals do.

DNs also don’t take local jobs, so there is zero issue of stealing away jobs from locals.

It’s illegal, but in the same sense that jaywalking is illegal.

You have to make a point of being caught to be prosecuted.

The risk from your employer is a far more potent threat.

You can’t block VPNs… especially not Tailscale which uses NAT traversal and a reverse proxy when needed (when using DERP relay servers).

You can detect VPNs with DPI, but not many are doing this except for big tech companies (FAANG).

Jaywalking is illegal… this is essentially the same as you are arguing. Many many many people do it and there is almost NO difference between vacationing for 2 weeks and vacationing with your laptop for 2 weeks. Other than the fact that you’re not paying taxes to that country which you’re also not paying while vacationing… it’s petty. In fact, your tourism as I mentioned is giving money to that country and in some cases like Mexico you get charged a tax for bringing your devices (more than 1 laptop) into the country even if you have no plans to sell them.

You can be the type that only follows the rule book and never jaywalks, or you can live carefree and cross the road when there are no cars when you like. It’s up to the individual.

It is very common to block VPNs, one of the most common use cases for any NGFW, SWG, SASE, et cetera. I don’t know where you are hearing that you can’t, but that is very much something commonly blocked.

DPI isn’t exactly cutting edge, and many enterprise and mid-sized companies use it extensively. Large enterprise almost all have SSL Inspection and DPI functioning pretty well, and will specifically target things like VPN, since they pose enormous risk to the enterprise.

It’s not “petty” to let someone know that tax evasion and working illegally are not legal. OP is asking if they can leverage a VPN to help break their company’s policies, and the law, and many of us responded that they will likely still be able to tell. No one is judging or threatening to tell their company. It’s a little more serious than jaywalking, since this has real world impact on the people that live there, but no one is judging or saying anything about it. OP called out that they knew it was wrong.

Try blocking Tailscale, I challenge you. :wink:

There is no impact of OP sending emails in Mexico versus not sending emails. Don’t know what else to tell ya…

I have, that’s a classic use case when showing customers how to block VPNs. Tailscale is just wireguard based. If you talk to anyone at Zscaler, Palo, Netskope, or any Network Security company, that’s one of the most common examples along with TOR.

Now, there can be challenges, just like TOR. If someone sets up their own node and randomizes ports, uses double VPN, it can be harder to catch right away.

Remember this is just from the NetSec perspective. Many companies also have endpoint security tools and other restrictions that can also have an impact on trying to use VPNs. On the apps side, many companies will have restrictions as well, so even if someone can install a VPN, and it’s allowed through Zscaler, their critical apps won’t allow the traffic. So even if you’re able to get around many of your company’s policies, you can’t get to Outlook, or your other apps/services. And eventually your SOC will see the behavior and catch up to what you’re doing.
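An added example, not code from the thread or from any of the vendors named in it, of the payload-shape signature a DPI engine can use to spot WireGuard, and therefore Tailscale, on a direct UDP path. WireGuard's handshake initiation is always 148 bytes, the response 92, the cookie reply 64, and every message starts with a type byte (1 to 4) followed by three reserved zero bytes; transport data is a multiple of 16 bytes and never shorter than 32. The detector below classifies single datagrams on that shape and then raises confidence to "handshake" only when a 148-byte initiation is answered by a 92-byte response from the other side of the same flow. The endpoints, ports, filler bytes and sample datagrams are constructed for the example. It does not cover the DERP case mentioned earlier in the thread: when Tailscale falls back to a relay, the WireGuard packets travel inside a TLS session to the relay, which is where SSL inspection rather than UDP signatures would come in.

```python
"""Payload-shape detection of WireGuard (and so Tailscale) over UDP.

Added illustration, not code from the thread or from any vendor. The
message sizes come from the WireGuard protocol's fixed layouts; the
sample datagrams, endpoints and filler bytes below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]           # (ip, udp port)
FlowKey = Tuple[Endpoint, Endpoint]  # endpoints in sorted order, direction-agnostic

# First byte is the message type; bytes 1-3 are reserved and always zero.
HANDSHAKE_INITIATION = 1  # exactly 148 bytes on the wire
HANDSHAKE_RESPONSE = 2    # exactly 92 bytes
COOKIE_REPLY = 3          # exactly 64 bytes
TRANSPORT_DATA = 4        # 16-byte header + 16-padded ciphertext + 16-byte tag:
                          # total is a multiple of 16 and at least 32 (keepalive)

FIXED_SIZES = {HANDSHAKE_INITIATION: 148, HANDSHAKE_RESPONSE: 92, COOKIE_REPLY: 64}


def classify_udp_payload(payload: bytes) -> Optional[int]:
    """Return the WireGuard message type the datagram's shape matches, or None."""
    if len(payload) < 32 or payload[1:4] != b"\x00\x00\x00":
        return None
    mtype = payload[0]
    if mtype in FIXED_SIZES:
        return mtype if len(payload) == FIXED_SIZES[mtype] else None
    if mtype == TRANSPORT_DATA and len(payload) % 16 == 0:
        return mtype
    return None


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: bytes


def flow_key(a: Endpoint, b: Endpoint) -> FlowKey:
    """Direction-agnostic key so a request and its reply land on the same flow."""
    first, second = sorted((a, b))
    return (first, second)


def detect_wireguard_flows(packets: List[Packet]) -> Dict[FlowKey, str]:
    """Classify UDP flows: 'handshake' when a 148-byte initiation is answered by a
    92-byte response in the reverse direction (high confidence), 'suspect' when only
    shape-matching datagrams were seen without that exchange, absent otherwise."""
    initiator: Dict[FlowKey, Endpoint] = {}
    verdicts: Dict[FlowKey, str] = {}
    for pkt in packets:
        mtype = classify_udp_payload(pkt.payload)
        if mtype is None:
            continue  # not WireGuard-shaped: DNS, QUIC, games, whatever
        key = flow_key(pkt.src, pkt.dst)
        if mtype == HANDSHAKE_INITIATION:
            initiator[key] = pkt.src
        if mtype == HANDSHAKE_RESPONSE and initiator.get(key) == pkt.dst:
            verdicts[key] = "handshake"
        else:
            verdicts.setdefault(key, "suspect")
    return verdicts


def make_msg(mtype: int, length: int, filler: int = 0xAB) -> bytes:
    """Synthetic datagram: type byte, three reserved zeros, then opaque filler."""
    return bytes([mtype, 0, 0, 0]) + bytes([filler]) * (length - 4)


# Constructed sample traffic: one WireGuard session plus unrelated UDP noise.
LAPTOP: Endpoint = ("10.20.30.40", 50123)
VPS: Endpoint = ("203.0.113.7", 51820)
RESOLVER: Endpoint = ("10.0.0.53", 53)
QUIC_SERVER: Endpoint = ("198.51.100.9", 443)
ODD_PEER: Endpoint = ("192.0.2.5", 4000)

SAMPLE_PACKETS: List[Packet] = [
    # plain DNS query: first byte is a transaction id, so it never matches
    Packet(LAPTOP, RESOLVER, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                             b"\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet(LAPTOP, VPS, make_msg(HANDSHAKE_INITIATION, 148)),
    Packet(VPS, LAPTOP, make_msg(HANDSHAKE_RESPONSE, 92)),
    Packet(LAPTOP, VPS, make_msg(TRANSPORT_DATA, 96)),
    # QUIC long header: high bit set in the first byte, so it is never 1-4
    Packet(LAPTOP, QUIC_SERVER, b"\xc3" + bytes(1199)),
    # type-4-looking datagram whose length is not a multiple of 16: rejected
    Packet(LAPTOP, ODD_PEER, make_msg(TRANSPORT_DATA, 50)),
]


if __name__ == "__main__":
    for key, verdict in detect_wireguard_flows(SAMPLE_PACKETS).items():
        print(f"{key[0][0]}:{key[0][1]} <-> {key[1][0]}:{key[1][1]}  {verdict}")
```

The check is port-agnostic on purpose: moving WireGuard off its default port, as the next post suggests, does nothing against a shape match, which is why commercial engines key on the 148/92 exchange rather than on port numbers. A single odd-looking datagram only earns "suspect"; an alert worth paging on needs the full handshake pair.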

There is no impact of OP sending emails in Mexico versus not sending emails. Don’t know what else to tell ya…

No one is saying there is an impact - OP was saying wasn’t allowed for some reason, and the reason is that the company would have to sponsor OP’s work visa and pay taxes, so if they don’t see the travel as necessary, they probably don’t want to do that. I don’t know why you’re banging on about this. Yes it’s illegal, yes some people still do it. No one is judging OP for it, it was just mentioned as the reason why the company doesn’t allow it.

Yeah I don’t believe that for a second. Tailscale does randomize ports and reverse proxies. You’re not blocking that sorry…

Lol… if the traffic is going through the Wireguard VPN tunnel before it goes through the company VPN servers then nothing is going to be blocked. Not Outlook, not Teams, nothing. Because Outlook and Team servers are still accessed using the company VPN as normal, it’s just the originating IP that’s different. And guess what, there’s always the web versions of those apps/services which are just port 443 traffic.

I have no clue what crazy firewall config you’re dreaming up but it’s not applicable to 90% of employers out there. The majority aren’t even monitoring DNS locations… moreover all the global companies with employees traveling every week are not manually allowing certain ports or DNS servers for them depending on where they travel. You can have the fanciest NetSec tools in the world, but in most cases they aren’t being used in the ways you think.

This has a real world impact on the people that live there.

Sorry but you definitely said that. OP never specified how long they want to stay anyway, so the work visa stuff could be a moot point.

Start reading up on how these tools work, blocking TOR and Tailscale is not uncommon. There can be challenges depending on how it’s deployed, as I called out. But I think you aren’t understanding how things like Zscaler, Netskope, Palo, et cetera work.

Lol… if the traffic is going through the Wireguard VPN tunnel before it goes through the company VPN servers then nothing is going to be blocked. Not Outlook, not Teams, nothing.

This is where I think you’re still getting confused. If the company has Zscaler, then they likely don’t have any VPN, and if they do it’s probably for internal access, not SaaS apps. Also, VPN won’t use servers unless it’s a home VPN, so those wouldn’t come into play.

The reason SaaS apps would be blocked is because most companies will restrict access into those apps to be from Zscaler only. That way someone can’t just pop on a random browser and authenticate. So in your scenario, they can reach Teams, Outlook, et cetera, but they will not be able to authenticate or get to their company’s tenant. They can log into a personal O365 account, as they aren’t blocked from getting to webpage, but they won’t be able to auth or access any enterprise resources.

I have no clue what crazy firewall config you’re dreaming up but it’s not applicable to 90% of employers out there. The majority aren’t even monitoring DNS locations… moreover all the global companies with employees traveling every week are not manually allowing certain ports or DNS servers for them depending on where they travel. You can have the fanciest NetSec tools in the world, but in most cases they aren’t being used in the ways you think.

Again, you’re misunderstanding these tools. These are firewalls, and manually allowing ports and protocols is something you see on small home networks, that’s very uncommon for enterprises. These tools blend that traditional firewall functionality with newer capabilities, and handling a mostly remote workforce is something that these tools do with very little effort. That’s why Zscaler saw so much growth in 2020… because you could quickly allow users from all over the world, leverage deeper security policies at L7, and decommission VPN.

What you’re calling impossible and fancy is default functionality for these tools, which is why they are so popular.

As someone that works with companies to roll out and mature these technologies, I 100% agree that they don’t use all the capabilities, but what you’re describing is pretty out-of-the-box stuff, and common for most medium-sized businesses and up. In many cases the config is so commonplace that it’s automated with checkboxes for them. Zscaler and others have boxes for blocking TOR, Bittorrent, et cetera. It takes zero manual configuration at this point.

Authentication is trivial. Offline backup codes run on most apps and only require a clock, no internet connection at all.

Ok so you agree they aren’t used on a wide scale. And why do you think that is? Because it causes more work and more problems. So for the time being, a full tunnel VPN + other small things works for 90% of people to maintain their home locations as it appears to their work devices/servers.

I feel like you’re only understanding 30% of what I’m saying.

The reason so many companies moved away from VPN and firewalls and to solutions like Zscaler, was the increased visibility, control, integration, and ease of management. The things you think are complicated and hard to solve for, are so common that most companies can accomplish it with a few clicks.

I can’t tell if you’re just trying to be difficult, or if you just aren’t familiar with cyber and network security. But if you are just starting to learn about cyber or NetSec, I wish you the best of luck.

Explain that to my friend with MANY clients running Wireguard over top of their Zscaler for this exact use case. You’re dreaming of an IT utopia whose implementation in the real world doesn’t exist… yet anyway.

As I’ve said a dozen times now, some customers run VPN with Zscaler. How are you not understanding this?! What I said to OP is that it depends on their configuration. There are tons of customers who allow certain VPNs, allow all VPNs, or allow none. It depends on their company. There are many wireguard or NordVPN, or whatever VPN you want that work over the top of Zscaler, or Palo, or Netskope. It depends on the config.

Blocking VPN is not new tech, it’s not an IT Utopia. This is what enterprises have been doing for a decade since NGFWs became commonplace. They have the ability to block VPNs, some do, some don’t. It’s like you’ve never encountered enterprise security before, this is FAR from utopia. This isn’t some futuristic pipedream, this stuff is so standard that it’s part of demos that SEs (who are often barely technical) can do.

It’s obvious you don’t have a background in this space, so I’m trying to be nice, but you are impossible to talk to. I don’t know who gave you the over-inflated confidence to go on about subjects you have zero experience with, but they did you a massive disservice.