Organizations under pressure to keep students and employees from bypassing internet filters using client technologies, like UltraSurf
are in a perpetual game of cat and mouse. A network admin I know used these steps to block it on his Sonicwall:
Ultrasurf uses “140300000101″ for SSL ehlo messages. If you can block this signature with the your firewall you can block ultrasurf. To do this follow these steps:
- Create a custom object in Firewall/Application Object section. Lets say the name of the object is “Ultra”
- Application object type must be “Custom object”
- Match Type must be “Exact Match”
- Input Representation must be “Hexadecimal”
- Then add Content “140300000101″
- Policy name: write whatever you want
- Policy type “Custom Policy”
- Adress Source “Any”, Destionation “Any”
- Service Source “Any”, Destionation “Any”
- Exclusion Adrsss “None”
- Application Object “Ultra Object” **Select the object which you write in the first section
- Action “Reset/Drop”
- Users/Group Included “All”, Excluded “None”
- Schedule “Always On”
- Enable loging “Check”
- Redundancy Filters “Use Global settings checked”.
- Connection Side “Client Side”.
- Direction “Basic” Both
Dont forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box, you just have to block it in one of your threat profile policies.
"No more Orkuting,no more facebook sorry to students
