Has anyone tried blocking apps like Ultrasurf with app-ID successfully? Ultrasurf’s been a pain at my company. App-ID doesn’t block it fully. Users can still connect to the tunnel even with a deny policy in place.
Which “permit” rule is it matching?
Are you using SSL decryption? Without every allowed port going through SSL decryption, many tunnels, not just Ultrasurf, will evade app-id.
I had a problem with one of those VPN apps a few months back. Had to enable decryption on the CDN URL category to fully squish it. This, of course, can break lots of other things, especially for mobile users.
Last time I saw a problem with employees using proxy apps to bypass web filtering and access porn and gambling sites on work-owned resources, it was a battle of cat-and-mouse to block all the tunneling apps. Did get the firewalls locked down better (it was nice to have a justification for putting in policies InfoSec had been trying to implement for years), but still had a few slipping through.
Management finally got tired of applying a technical solution to a social problem – three “terminations for cause” later, the problems stopped.
Are you also blocking URL filtering results for proxy-avoidance-and-anonymizers?
Typically, with that combination, you’re going to be 90+% of the way there.
Palo Alto is one of the firewalls that does this piece very well. We run a district of 12000 students that all take laptops home, so it is crucial we block any proxies and VPNs from ever running.
1.) Are you running SSL Decryption?
2.) Are you running a block list above your permit policies? If you are, I bet the proxy is using a different App-ID/port to get out. I would recommend creating a group of whitelisted apps and blocking everything by default, which is the best practice recommended by all layer 7 firewall vendors.
3.) Are you using Application default for your ports?
4.) There are two proxies that were able to get out after completing the above steps: Psiphon and Tor Browser. These two are probably the strongest proxies/VPNs you’ll find, and the only way to block these is by blocking all unsupported cipher suites.
5.) After the above there should be no more proxies/VPNs going out. 100% guaranteed.
SSL decrypt is on. I’m getting a lot of denies on my ultrasurf rule. But I also see a lot of allows on the next closest rule allowing non-dns, http, ssl traffic. It’s identifying as insufficient-data and being allowed. I see a lot of denies for unknown-udp as well. Seems like to completely stop this though, I had to allow service any for the ultrasurf deny rule, not app-default. By doing that, I’m not seeing as much insufficient-data sessions creeping past.
Great step by step. For #3, you’re referring to the whitelisted app rules only right? Deny rules would have port any
With your methodology, proxies/VPNs would be blocked if my ruleset looks like:
- Allow DNS/http/SSL - app default
- Allow other apps like O365, Salesforce, etc. - app default
- Implicit interzone deny
If you are seeing insufficient data that means any allow rule is used to check what is the application and then it is blocked.
The firewall needs some data to match with signatures and identify it as a known app
Correct, the whitelisted apps would have application default and blacklisted apps would have any port.
Don’t forget to create a second policy for web-browsing, as when set to application default it only allows tcp/80. So all web-browsing 443 traffic would get dropped. You would need to create web-browsing - port 80/443; not sure why they did it this way.
Yes, not only will this block your proxies/VPNs but also your unknown applications. This is the best way to shape your traffic to applications/sites that are known and approved by you. To implement this without any issues or complaints, you would monitor the traffic for at least 2-3 weeks, then generate a report to see all App-IDs that have been used and create a whitelist App-ID group based on that. Everything else would hit the implicit deny rule.
Also don’t forget to block “all unsupported cipher suites”; this is key to making sure you block all the VPNs/proxies.
So I have done all of the above and I have 2 VPN applications that are still connecting. The traffic is being allowed through my web-browsing policy on port 80 and SSL policy on port 443, application incomplete. Any suggestions?
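To make the rule-design advice in this thread concrete (the step-by-step list above, and the follow-up about whitelisted apps on application-default versus deny rules on any port), here is a small first-match policy simulator. It is an added illustration written for this thread, not PAN-OS code and not any poster's configuration. The application-default port table, the app names and the sample sessions are constructed for the simulator from what the thread states (for example, web-browsing on tcp/80 only under application-default); the "ultrasurf" default port is hypothetical. The model evaluates policy only after App-ID has classified a session, so it does not reproduce the pre-identification packets the thread discusses as insufficient-data or incomplete.

```python
from dataclasses import dataclass
from typing import Union

# Application-default ports for this toy model. Constructed from what the
# thread states (web-browsing is tcp/80 only under application-default,
# ssl is tcp/443); this is NOT a vendor App-ID table.
APP_DEFAULT_PORTS = {
    "dns": {("udp", 53), ("tcp", 53)},
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ms-office365": {("tcp", 443)},
    "salesforce": {("tcp", 443)},
    "ultrasurf": {("tcp", 443)},   # hypothetical default port for the tunnel app
}
ANY = "any"
APP_DEFAULT = "application-default"


@dataclass(frozen=True)
class Session:
    app: str     # the application App-ID has settled on (already classified)
    proto: str
    port: int


@dataclass(frozen=True)
class Rule:
    name: str
    apps: Union[frozenset, str]     # frozenset of app names, or ANY
    service: Union[frozenset, str]  # frozenset of (proto, port), APP_DEFAULT, or ANY
    action: str                     # "allow" or "deny"


def matches(rule: Rule, s: Session) -> bool:
    """A rule matches when both its application set and its service cover the session."""
    if rule.apps != ANY and s.app not in rule.apps:
        return False
    if rule.service == ANY:
        return True
    if rule.service == APP_DEFAULT:
        # application-default only matches the app's own standard ports
        return (s.proto, s.port) in APP_DEFAULT_PORTS.get(s.app, set())
    return (s.proto, s.port) in rule.service


def evaluate(rules, s: Session):
    """First match wins, top-down; anything unmatched hits the implicit interzone deny."""
    for r in rules:
        if matches(r, s):
            return r.name, r.action
    return "implicit-interzone-deny", "deny"


def blacklist_ruleset(deny_service):
    """Deny-list design: an explicit deny for the tunnel app above a broad catch-all allow."""
    return [
        Rule("deny-ultrasurf", frozenset({"ultrasurf"}), deny_service, "deny"),
        Rule("allow-core", frozenset({"dns", "web-browsing", "ssl"}), APP_DEFAULT, "allow"),
        Rule("allow-everything-else", ANY, ANY, "allow"),  # the permissive rule that lets tunnels through
    ]


def whitelist_ruleset():
    """Allow-list design from the thread: approved apps on application-default, nothing else."""
    return [
        Rule("allow-core", frozenset({"dns", "ssl"}), APP_DEFAULT, "allow"),
        # web-browsing gets an explicit tcp/80,443 service, as the thread recommends
        Rule("allow-web-browsing", frozenset({"web-browsing"}),
             frozenset({("tcp", 80), ("tcp", 443)}), "allow"),
        Rule("allow-saas", frozenset({"ms-office365", "salesforce"}), APP_DEFAULT, "allow"),
    ]


# Constructed sessions, labelled the way App-ID would label them after classification.
SAMPLE_SESSIONS = [
    Session("ssl", "tcp", 443),
    Session("web-browsing", "tcp", 443),
    Session("ultrasurf", "tcp", 443),
    Session("ultrasurf", "tcp", 8080),   # tunnel app moving off its default port
    Session("unknown-udp", "udp", 4000),
]


def run(rules):
    """Map each sample session to the (rule name, action) that the ruleset produces."""
    return {(s.app, s.proto, s.port): evaluate(rules, s) for s in SAMPLE_SESSIONS}


if __name__ == "__main__":
    for title, rules in [
        ("deny-list, deny rule on application-default", blacklist_ruleset(APP_DEFAULT)),
        ("deny-list, deny rule on any port", blacklist_ruleset(ANY)),
        ("allow-list (whitelist) design", whitelist_ruleset()),
    ]:
        print(f"== {title}")
        for key, (rule, action) in run(rules).items():
            print(f"  {key[0]:<14} {key[1]}/{key[2]:<5} -> {action:<5} ({rule})")
```

Running it shows the two failure modes the thread describes: with the deny rule on application-default, the tunnel app on a non-default port falls through to the catch-all allow, whereas a deny rule on any port catches it; and under the allow-list design the tunnel app and unknown traffic both land on the implicit deny regardless of port, while web-browsing on 443 survives only because of the explicit tcp/80,443 rule.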
Can you message me logs that show this application along with the “decrypted” option checked.