How to block access to HTTPS proxy bypass sites or software

Product: Castle 1613 and 1752; Guardian: All

Summary

Using the Smoothwall to block access to HTTPS proxy sites or prevent HTTPS proxy software like UltraSurf bypassing the Guardian web filter.

Problem

Web filters are becoming increasingly popular, and are used to restrict a user's internet access to certain types of content. This has led to the creation of numerous proxy websites and proxy software applications designed to bypass web filters such as Guardian. UltraSurf is one example of an application that bypasses web filters to gain access to sites that would otherwise be blocked. When someone uses a proxy website or application to request content, the proxy contacts a server which retrieves the requested content and returns it to the user, typically over an HTTPS connection. Because HTTPS traffic is encrypted, the content cannot be seen by web filters and therefore no policies can be applied to it. As more proxies are created every day, each more complex and more efficient at bypassing web filters, simply blocking access to these services using domain or URL filtering alone is not particularly effective.

Solution

Actions for the Guardian Web Filter

1. If possible, ensure that all clients are going through a transparent proxy with HTTPS support enabled (Web proxy > Authentication > Policy wizard).

Note: This may, however, cause issues for other software applications that do not support this type of setup.

2. The Web proxies category is blocked by default as it is part of Core Blocked Content web filter policy (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/policies.htm). You should add a block policy if you do not have one for either Web proxies or Core Blocked Content.
3. Create an HTTPS inspection policy that validates the certificate (Guardian > HTTPS inspection > Policy wizard, using the Validate certificate only option). This ensures that any site visited must present a valid HTTPS certificate.
4. As an alternative to option 3, you can create an HTTPS inspection policy to Decrypt and inspect HTTPS requests through the web filter. This does however require that the certificate used by Guardian is installed on each of the client machines (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/httpssettings.htm).

Actions for the Firewall

Additionally, you can control access to ports using a firewall. If you are using the Smoothwall firewall, you do this in either the Network > Firewall > Firewall rules page (those running Inverness or above), or the Network > Outgoing pages (for those running Hearst or below).

Proxies will typically attempt to connect to their servers on port 80 or 443. If this fails, some applications have the ability to fall back to other ports. The following table lists the ports predominantly used by proxy bypass software:

Proxy           Ports                           Additional notes
Spotflux        443                             Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only.
HotSpot Shield  105, 179, 465, 990, 1024-65535
Freegate        1024-65535
Tor             1024-65535                      Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only.
PrivitizeVPN    1723
GPass           1024-65535
CyberGhost      8078
Security Kiss   123, 5000, 5353
TunnelBear      7011
freevpn.og      8010                            Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only.
VPNGate         992, 995, 1024-65535            Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only.
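As an added example (not Smoothwall's own code; the log line format is a constructed assumption, not Smoothwall's real firewall log format), the following Python script matches outbound connections from firewall log lines against the port table above and reports which of the listed tools each destination port could belong to:

```python
import re

# Ports per tool, copied from the table above. Each entry is a (low, high)
# range; a single port is a range of one.
BYPASS_PORTS = {
    "Spotflux": [(443, 443)],
    "HotSpot Shield": [(105, 105), (179, 179), (465, 465), (990, 990), (1024, 65535)],
    "Freegate": [(1024, 65535)],
    "Tor": [(1024, 65535)],
    "PrivitizeVPN": [(1723, 1723)],
    "GPass": [(1024, 65535)],
    "CyberGhost": [(8078, 8078)],
    "Security Kiss": [(123, 123), (5000, 5000), (5353, 5353)],
    "TunnelBear": [(7011, 7011)],
    "freevpn.og": [(8010, 8010)],
    "VPNGate": [(992, 992), (995, 995), (1024, 65535)],
}

# Constructed log format (an assumption, not Smoothwall's real log format).
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

def tools_for_port(port, ignore=(80, 443)):
    """Return the tools whose listed ports cover `port`, sorted by name.
    Ports 80 and 443 are skipped by default: the article leaves those to
    the HTTPS inspection policy rather than to port blocking."""
    if port in ignore:
        return []
    return sorted(tool for tool, ranges in BYPASS_PORTS.items()
                  if any(lo <= port <= hi for lo, hi in ranges))

def classify(line):
    """Parse one log line into (src, dst, dport, matching tools), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, _proto, dport = m.groups()
    return src, dst, int(dport), tools_for_port(int(dport))

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2016-12-05T09:00:01 OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dport=443",
    "2016-12-05T09:00:02 OUT src=10.0.0.5 dst=203.0.113.7 proto=TCP dport=1723",
    "2016-12-05T09:00:03 OUT src=10.0.0.9 dst=198.51.100.2 proto=UDP dport=123",
    "2016-12-05T09:00:04 OUT src=10.0.0.9 dst=198.51.100.2 proto=TCP dport=22",
]
```

Because several tools list 1024-65535, almost any high destination port matches more than one tool, which is why port blocking on its own is coarse and the HTTPS inspection policies above are still needed.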

Blocking UltraSurf

UltraSurf is a proxy application installed locally on users' devices. Users then configure their browsers to point to the local proxy. The UltraSurf proxy sends outgoing traffic to HTTPS sites using IP addresses rather than hostnames. This is the case both when UltraSurf sends traffic directly to port 443 (HTTPS) and when it is set to use an upstream proxy.

So, what can be done?

Block the installation and execution of the UltraSurf application using domain-wide security policies
Set proxy settings in a security policy so users cannot override them

These are basic recommendations when blocking UltraSurf traffic. Users may still get around security policies by using devices that are not domain-managed, or devices on which the user has administration rights.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) handshake in which the client states the hostname it intends to connect to. The Guardian web filter uses the SNI value to determine the destination domain when transparently intercepting HTTPS traffic.

Additional actions for the Guardian web filter:

It is recommended you create a transparent web proxy authentication policy which blocks HTTPS traffic that does not present an SNI header — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm
Enable additional heuristics to block advanced proxy bypass tools — see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/proxy.htm

Note: The above two options may also block legitimate applications that use the same type of traffic as UltraSurf, such as some cloud-based services. Without SNI information, Guardian cannot easily differentiate UltraSurf from other traffic using any parameter other than the destination IP address.

Attribution

Last updated: 5th December 2016
Author / Contributions by: Samantha Nair

Copyright © 2000-2016 Smoothwall All rights reserved.