Monday, March 15

No more Orkuting, no more facebook ++ Block ultrasurf NAdmin

Block Ultrasurf
Blocking Ultrasurf with a Sonicwall Application Firewall

A network admin I know used these steps to block it on his Sonicwall:

Ultrasurf uses “140300000101” for SSL hello messages. If you can block this signature with your firewall, you can block Ultrasurf. To do this, follow these steps:

1. Create a custom object in the Firewall/Application Object section. Let's say the name of the object is “Ultra”.
2. Application object type must be “Custom object”
3. Match Type must be “Exact Match”
4. Input Representation must be “Hexadecimal”
5. Then add Content “140300000101”

Then go to Object Policy/Application Firewall Policy Settings:


1. Policy name: write whatever you want
2. Policy type “Custom Policy”
3. Address Source “Any”, Destination “Any”
4. Service Source “Any”, Destination “Any”
5. Exclusion Address “None”
6. Application Object “Ultra Object” (select the object you created in the first section)
7. Action “Reset/Drop”
8. Users/Group Included “All”, Excluded “None”
9. Schedule “Always On”
10. Enable logging “Check”
11. Redundancy Filters “Use Global settings checked”
12. Connection Side “Client Side”
13. Direction “Basic” Both

Don't forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall, since the box already identifies the application natively; you just have to block it in one of your threat profile policies.
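
What the hexadecimal content decodes to, as an added example that is not part of the original post: read as an SSL/TLS record, 14 03 00 00 01 01 is a change_cipher_spec record carrying the SSL 3.0 version, so the object matches any client that sends that record, which is worth checking against your own traffic before setting Reset/Drop. The sample streams are constructed, and modelling “Exact Match” as a byte-substring search is an assumption about how the firewall evaluates the object.

```python
import struct

SIGNATURE = bytes.fromhex("140300000101")  # Content value from step 5 of the post

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(stream: bytes):
    """Split a byte stream into SSL/TLS records: (type, version, payload)."""
    records, offset = [], 0
    while offset + 5 <= len(stream):
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES or major != 3:
            break  # not record-layer framing, stop parsing
        payload = stream[offset + 5: offset + 5 + length]
        if len(payload) < length:
            break  # truncated record
        records.append((CONTENT_TYPES[ctype],
                        VERSIONS.get((major, minor), "unknown"), payload))
        offset += 5 + length
    return records


def policy_would_match(stream: bytes) -> bool:
    """Assumed model of the custom object: raw byte-substring search."""
    return SIGNATURE in stream


def record(ctype, version, payload):
    """Build one record for the constructed samples below."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload


# Constructed client-side streams; the handshake payload is placeholder bytes.
SAMPLES = {
    "ssl3_ccs": record(22, (3, 0), bytes(8)) + record(20, (3, 0), b"\x01"),
    "tls12_ccs": record(22, (3, 3), bytes(8)) + record(20, (3, 3), b"\x01"),
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def evaluate(samples):
    """Map each sample name to whether the policy would act on it."""
    return {name: policy_would_match(data) for name, data in samples.items()}


if __name__ == "__main__":
    print(parse_records(SIGNATURE))
    for name, hit in evaluate(SAMPLES).items():
        print(f"{name}: {'Reset/Drop' if hit else 'pass'}")
```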
