Block Ultrasurf and Similar Applications with NG Firewall

Applications like Ultrasurf, Psiphon, and Betternet use tunneling, proxies, and other evasion techniques to get around filtering. These kinds of applications can be difficult, if not impossible, to block. In most situations we recommend blocking them with Windows Group Policy, as discussed at the bottom of this page. NG Firewall can make a best effort to block these kinds of services through the use of Firewall Rules, Application Control, and SSL Inspection.

Please note that Ultrasurf was designed to bypass country-level firewalls; as such the best defense is to prevent installation on any device in your network.  

Firewall Rules

In order to block proxies and other evasion techniques you must add an egress (outbound) firewall rule to block all outbound traffic, allowing only traffic that is required. Blocking all outbound ports blocks the port-hopping activity of these applications. 

  1. Go to Apps > Firewall Settings > Rules
  2. Click Add to add a rule
  3. Set the Action Type to Block

FirewallBlockAllRuele.jpg

Then create rules for the ports and protocols that should be allowed, such as ports 80, 443, and 53. Make sure you put those rules above the Block All rule. The image below is provided as an example.

FirewallAllowRule.jpg

Click Save in the bottom right of the window to apply the new rules.

 

Application Control

Application Control detects some versions of Ultrasurf and other evasion applications. It also detects traffic on HTTP and HTTPS ports that is not using the HTTP/HTTPS protocol.

  1. Go to Apps > Application Control Settings.
  2. Under the Applications tab, select Tarpit for Ultrasurf and any other proxy applications you want blocked.
    AppControlBlockUltrasurf.jpg

  3. Under the Rules tab, enable the two options as shown below:
    AppControlBlockRules.jpg
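
The kind of check described above (traffic on the HTTP and HTTPS ports that is not actually HTTP or TLS) can be illustrated with a first-bytes protocol test. This is an added example, not NG Firewall code; the function names and sample payloads are constructed for illustration.

```python
# Added illustration: first-bytes protocol check for flows on ports 80 and 443.
# Not NG Firewall code; function names and sample payloads are constructed.

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def looks_like_http_request(data: bytes) -> bool:
    """True if the payload starts with '<METHOD> <target> HTTP/1.x' and CRLF."""
    if not data.startswith(HTTP_METHODS):
        return False
    line, sep, _ = data.partition(b"\r\n")
    parts = line.split(b" ")
    return bool(sep) and len(parts) == 3 and parts[2] in (b"HTTP/1.0", b"HTTP/1.1")


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the payload starts with a TLS handshake record carrying a ClientHello."""
    if len(data) < 6:
        return False
    content_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    return (content_type == 0x16                  # handshake record
            and major == 0x03 and minor <= 0x04   # record-layer version 3.0 to 3.4
            and 0 < record_len <= 16384           # plaintext record size limit (2^14)
            and handshake_type == 0x01)           # ClientHello


def classify_flow(dst_port: int, first_bytes: bytes) -> str:
    """Return 'pass' or 'block' for the first client payload of a flow."""
    if dst_port == 80:
        return "pass" if looks_like_http_request(first_bytes) else "block"
    if dst_port == 443:
        return "pass" if looks_like_tls_client_hello(first_bytes) else "block"
    return "pass"  # other ports are left to the firewall rules


# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (443, bytes.fromhex("16030100c8010000c40303") + bytes(32)),
    (80, bytes.fromhex("16030100c8010000c40303")),   # TLS on the HTTP port
    (443, b"\x00\x05opaque-binary-data"),            # opaque bytes on the HTTPS port
    (443, b"GET / HTTP/1.1\r\n\r\n"),                # cleartext HTTP on the HTTPS port
]

if __name__ == "__main__":
    for port, payload in SAMPLES:
        print(port, payload[:12].hex(), classify_flow(port, payload))
```

A check like this only validates the start of the flow, so traffic wrapped in a genuine TLS handshake still passes it; that case is what the SSL Inspector section below addresses.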

 

SSL Inspector 

SSL Inspector inspects all HTTPS connections so that evasion applications cannot tunnel through NG Firewall using HTTPS.

  1. Go to Apps > SSL Inspector Settings
  2. Under the Configuration tab enable Block Invalid HTTPS Traffic
    SSLInspectorConfigTab.jpg

  3. Under the Rules tab enable Inspect All Traffic, as shown below
    SSLInspectorRulesInspectAll.jpg

 

Blocking Evasion Applications with Windows Group Policy

This method of blocking Ultrasurf and similar applications is recommended as it is much more effective and manageable for most network environments. Blocking with Group Policy is accomplished by adding a Software Restriction Rule to block the hash and/or the certificate used by the offending software. 

For more information on adding this using Group Policy, see this Microsoft TechNet article:

http://technet.microsoft.com/en-us/library/bb457006.aspx

 
