Monday

Blocking Ultrasurf with a Sonicwall Application Firewall

Organizations under pressure to keep students and employees from bypassing internet filters using client technologies like UltraSurf are in a perpetual game of cat and mouse. A network admin I know used these steps to block it on his Sonicwall:

Ultrasurf uses “140300000101” for SSL hello messages. If you can block this signature with your firewall, you can block Ultrasurf. To do this, follow these steps:

  1. Create a custom object in the Firewall/Application Object section. Let's say the name of the object is “Ultra”
  2. Application object type must be “Custom object”
  3. Match Type must be “Exact Match”
  4. Input Representation must be “Hexadecimal”
  5. Then add Content “140300000101”

Then go to Object Policy/Application Firewall Policy Settings:

  1. Policy name: write whatever you want
  2. Policy type “Custom Policy”
  3. Address Source “Any”, Destination “Any”
  4. Service Source “Any”, Destination “Any”
  5. Exclusion Address “None”
  6. Application Object “Ultra Object” (select the object you created in the first section)
  7. Action “Reset/Drop”
  8. Users/Group Included “All”, Excluded “None”
  9. Schedule “Always On”
  10. Enable logging “Check”
  11. Redundancy Filters “Use Global settings checked”
  12. Connection Side “Client Side”
  13. Direction “Basic” Both

Don't forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall, since the application is already identified natively by the box; you just have to block it in one of your threat profile policies.
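Read as an SSL/TLS record, the six bytes in the custom object are a ChangeCipherSpec record with the SSL 3.0 version bytes, and the sketch below shows which client traffic the pattern does and does not hit. This is an added example, not code from the original post or from SonicWall; the substring model of “Exact Match”, the helper names and both sample flights are assumptions constructed for illustration.

```python
import struct

SIGNATURE = bytes.fromhex("140300000101")  # hex content from the post

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def decode_record(data, offset=0):
    """Decode one SSL/TLS record: type(1) version(2) length(2) payload."""
    ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
    payload = data[offset + 5: offset + 5 + length]
    return {"type": CONTENT_TYPES.get(ctype, "unknown"),
            "version": (major, minor), "length": length,
            "payload": payload, "size": 5 + length}

def records(stream):
    """Walk every complete record in a client-to-server byte stream."""
    offset, out = 0, []
    while offset + 5 <= len(stream):
        rec = decode_record(stream, offset)
        out.append(rec)
        offset += rec["size"]
    return out

def rule_matches(stream):
    """Assumed model of the 'Exact Match' hex object: byte-substring search."""
    return SIGNATURE in stream

def record(ctype, version, payload):
    """Build a record for the constructed samples below."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

# Constructed client flights (not captured traffic): key exchange,
# ChangeCipherSpec, then a stand-in for the encrypted Finished message.
SSL30_FLIGHT = (record(22, (3, 0), b"\x10" + bytes(7))
                + record(20, (3, 0), b"\x01")
                + record(22, (3, 0), bytes(8)))
TLS10_FLIGHT = (record(22, (3, 1), b"\x10" + bytes(7))
                + record(20, (3, 1), b"\x01")
                + record(22, (3, 1), bytes(8)))

if __name__ == "__main__":
    print(decode_record(SIGNATURE))
    for name, flight in (("SSL 3.0", SSL30_FLIGHT), ("TLS 1.0", TLS10_FLIGHT)):
        print(name, [r["type"] for r in records(flight)], rule_matches(flight))
```

Any client that sends an SSL 3.0 ChangeCipherSpec record produces these same six bytes, so review the policy log for hits from other applications before relying on the rule.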

1 comment:

  1. Great, but in the last versions of Ultrasurf, it doesn't work
