Ultrasurf Blocking Fail

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Ultrasurf Blocking Fail

Not applicable

Hi,

I am suferring from many failed attempts trying to block ultrasurf. i added the application to a deny policy on the top of my policies, but users keeps jumping to the allow policy. i tried to block unkown UDP/TCP apps, but it failed too. the applcation itself can't be blocked even though i blocked all the dependecies. i tried to do it on 5050 and 5060 on both PAN 5.0.11 and PAN-OS 6.0 with the most updated licenses.can some one help. i guess it's considered a huge problem

30 REPLIES 30

L6 Presenter

My suggestion for all evasive apps like Ulrtrasurf, Tor, etc. is to open a support case when you find failure to block reliably. These apps are constantly evolving to try and evade control (evasive!). Once you have a support case open upload packet captures of the evasive traffic )capture it locally in your network) to the case. In many cases we find interesting regional differences in the application's evasion tactics. Having packet captures from your particular location is almost always a great help in determining what the app developer has added to the mix to try to fly under the radar.

-Benjamin

L5 Sessionator

Hello All,

I tested this on my firewall with latest App version (421) and it is being denied.

Regards,

Hari Yadavalli

Not applicable

for the time being we blocked the proxies as follow :

1-ssl decryption

2-block unknown App

3-block unknown url's

plus the app policy to deny the proxy software

try the following for TOR:

1- Enable SSl decryption if you don't want create  a policy with SSL as application and in the url profile block the unknown sites.

2-second policy to block TOR by deny application

3-block the unknown App also

you should also set block on SSL sessions which can't be decrypted (in decryption profile). Ultrasurf makes use of unsupported/unexisting SSL protocol options.

for some weird reasons, Ultrasurf 13.04 still passes thru even though the app is being discarded.

There is a inconsistency.Sometimes it is blocking.This is the case.

That's right, the application gets "discarded" however it calls for other apps like SSL to get thru. Hope PAN team can fix this asap.

Hi Kali,

when it shows SSL, is it being decrypted ? what are subsequent apps being seen ?

Decrypted yes, and i have positioned url's that needs to be checked (proxy and other evading type url's/apps). As per command line, it shows Ultrasurf and SSL "only", although Ultrasurf is being blocked, SSL still finds it's way to connect to other proxies.

Now for testing purposes. i created a decyption rule to block "ANY", and this time Ultrasurf is being blocked totally. It simply means that PAN should take a look at what other URL categories this software tries to connect to (and to what country/ip block/subnet/proxy server). The older version of Ultrasurf only connects to Taiwan (Hi-net ip block) and during that time, blocking TW would work but now, it seems Ultrasurf calls / connects to the US (I'm seeing Amazon Networks) and other Ip blocks outside Taiwan and China.

Decryption is the key, it should always apply on any category and block sessions which cannot be decrypted (add exceptions to banking and governement sites + to few applications that don't support it).

If you don't decrypt, there is no point in trying to block evasion applications.

There are some Tor/Ultrasurlf app providers which change their URLs everyday. Some of them are just providing a plain old openvpn client thats runs over SSL (boxpn for example).

I used to make filtering policies that were hard (if not impossible) to escape by my users with PAN products. SSL decryption is the key with an adapted AppID policy.

As per PAN support & Partners, they are already working on this round the clock to identify this new version properly.

If you don't decrypt all categories then you're missing a point : URL category is a lagging tool : a new domain will be identified as running proxies only after a few days. Commercial applications which propose to change domains every day / weeks will still go through.

If URL category was enough to flag applications/uses, PANW would not have invented AppID in the first place. URL category have been hire for 15 years and never solved anything...

Decrypting all categories, yes that worked, however most applications won't work then (yahoo messenger app don't load <<example), which will need some adjustments / tweaking then. anyway testing is still on-going and will update this thread once i find the right settings.

L2 Linker

Up to this day, this issue hasn't been resolved yet without turning SSL Decryption using "ALL" which breaks all other applications from working.

  • 10286 Views
  • 30 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!