I have been looking into this for similar reasons. Option 1, from what I have found, is to have your DNS servers reference one of the RBLs that keep track of the open proxy sites. That seems to help. Option 2 involves adding a third-party product called WebSense that appears to have the ability to block proxy traffic like this.
This is what I have found so far.
Organizations under pressure to keep students and employees from bypassing internet filters using client technologies like UltraSurf are in a perpetual game of cat and mouse.
A network admin I know used these steps to block it on his Sonicwall:
Ultrasurf uses “140300000101” for SSL ehlo messages. If you can block this signature with your firewall, you can block Ultrasurf. To do this, follow these steps:
Create a custom object in the Firewall/Application Object section. Let's say the name of the object is “Ultra”
Application object type must be “Custom object”
Match Type must be “Exact Match”
Input Representation must be “Hexadecimal”
Then add Content “140300000101”
Then go to Object Policy/Application Firewall Policy Settings:
Policy name: write whatever you want
Policy type “Custom Policy”
Address Source “Any”, Destination “Any”
Service Source “Any”, Destination “Any”
Exclusion Address “None”
Application Object “Ultra Object” **Select the object you created in the first section
Users/Group Included “All”, Excluded “None”
Schedule “Always On”
Enable logging “Check”
Redundancy Filters “Use Global settings checked”
Connection Side “Client Side”
Direction “Basic” Both
Don't forget to enable the Application Firewall feature. This is a bit easier to do on a Palo Alto firewall since the application is already identified natively by the box; you just have to block it in one of your threat profile policies.
Source of above info :
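Added example, not part of the original post or any vendor's code: read as SSL/TLS record framing, the six signature bytes are one complete record (content type 0x14, version 3.0, length 1, body 0x01). The Python sketch below contrasts an exact match anywhere in the stream with a match aligned to record boundaries; the function names and sample streams are constructed for illustration.

```python
import struct

# Signature quoted in the post, as raw bytes.
SIGNATURE = bytes.fromhex("140300000101")
RECORD_TYPES = {20: "change_cipher_spec", 21: "alert",
                22: "handshake", 23: "application_data"}

def decode_header(data, offset=0):
    """Decode the 5-byte SSL/TLS record header found at `offset`."""
    ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
    return {"type": RECORD_TYPES.get(ctype), "version": (major, minor), "length": length}

def naive_match(stream):
    """Exact-match the signature anywhere in the byte stream."""
    return SIGNATURE in stream

def aligned_match(stream):
    """Walk the stream record by record; return offsets of records equal to SIGNATURE."""
    hits, offset = [], 0
    while offset + 5 <= len(stream):
        hdr = decode_header(stream, offset)
        end = offset + 5 + hdr["length"]
        if hdr["type"] is None or hdr["version"][0] != 3 or end > len(stream):
            break  # not SSL/TLS framing, or a truncated record
        if stream[offset:end] == SIGNATURE:
            hits.append(offset)
        offset = end
    return hits

# Constructed sample streams (not captured traffic).
SAMPLES = {
    "handshake record, then the signature record":
        bytes.fromhex("1603000004deadbeef") + SIGNATURE,
    "signature bytes inside TLS 1.2 application data":
        bytes.fromhex("1703030008aa") + SIGNATURE + b"\xbb",
    "TLS 1.2 ChangeCipherSpec (version field 0303)":
        bytes.fromhex("140303000101"),
}

if __name__ == "__main__":
    print(decode_header(SIGNATURE))
    for name, stream in SAMPLES.items():
        print(f"{name}: naive={naive_match(stream)} aligned={aligned_match(stream)}")
```

The second sample shows where an unanchored exact match would also fire on unrelated traffic, and the third shows that the signature depends on the 0300 version field, so logging the policy before enforcing it helps gauge both effects.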
Thanks for all your help & support. Actually, I have a Sonicwall in my office and I had already come across the solution that you specified. I somehow have to manage to do this on a Watchguard or an ASA.
Now that would be kinda tricky, let's see how that goes.
Please update me as to how that goes.
Thanks & Regards,
There is a command "ip audit signature" in ASA to attach a policy to a signature.
Check if the following link provides some help.
Here is a sample ASA config file :
I think that signature based blocking can be done using WATCHGUARD also.
I am searching for the solution.. I'll update as soon as I get something useful..
I have a Watchguard X1250e. Your document looks good, but we are not sure that this will do the needful on the Watchguard. I am in touch with the Watchguard guys and it seems even they are stumped by this application; maybe we may have to work with the signature that we have.
Please let me know if you have any inputs.
Chetan, I really appreciate your genuine helping nature.
Thanks a ton,