Block Ultrasurf

Blocking Ultrasurf with a Sonicwall Application Firewall

(Now Schools n College can breath easy-----Regards:-Rahul Tyagi)

Organizations under pressure to keep students and employees from bypassing internet filters using client technologies, like UltraSurf are in a perpetual game of cat and mouse. A network admin I know used these steps to block it on his Sonicwall:

Ultrasurf uses “140300000101″ for SSL ehlo messages. If you can block this signature with the your firewall you can block ultrasurf. To do this follow these steps:

Your Ad Here

Create a custom object in Firewall/Application Object section. Lets say the name of the object is “Ultra”
Application object type must be “Custom object”
Match Type must be “Exact Match”
Input Representation must be “Hexadecimal”
Then add Content “140300000101″

Then go to Object Policy/Application Firewall Policy Settings:

Policy name: write whatever you want
Policy type “Custom Policy”
Adress Source “Any”, Destionation “Any”
Service Source “Any”, Destionation “Any”
Exclusion Adrsss “None”
Application Object “Ultra Object” **Select the object which you write in the first section
Action “Reset/Drop”
Users/Group Included “All”, Excluded “None”
Schedule “Always On”
Enable loging “Check”
Redundancy Filters “Use Global settings checked”
Connection Side “Client Side”
Your Ad Here
Direction “Basic” Both

Dont forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box, you just have to block it in one of your threat profile policies.

"No more Orkuting,no more facebook sorry to students of LPU"