Using the Smoothwall to block access to HTTPS proxy sites or prevent HTTPS proxy software like UltraSurf bypassing the Guardian web filter.
Web filters are becoming increasingly popular, and are used to restrict a user's internet access to certain types of content. This has led to the creation of numerous proxy websites and proxy software applications designed to bypass web filters such as Guardian.
UltraSurf is one example of an application that bypasses web filters to gain access to sites that would otherwise be blocked. When someone uses a proxy website or application to request content, the proxy contacts a server, which retrieves the requested content and returns it to the user, typically over an HTTPS connection. Because HTTPS traffic is encrypted, the content can't be seen by web filters, and therefore no policies can be applied to it. As more and more proxies are created daily, each more complex and more efficient at bypassing web filters than the last, simply blocking access to these services using domain or URL filtering alone is not particularly effective.
Actions for the Guardian Web Filter
- If possible, ensure that all clients are going through a transparent proxy with HTTPS support enabled (Web proxy > Authentication > Policy wizard).
Note: This may, however, cause issues for other software applications that do not support this type of setup.
- The Web proxies category is blocked by default as it is part of Core Blocked Content web filter policy (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/policies.htm). You should add a block policy if you do not have one for either Web proxies or Core Blocked Content.
- Create an HTTPS inspection policy that validates the certificate (Guardian > HTTPS inspection > Policy wizard). This ensures that any site visited must present a valid HTTPS certificate.
- As an alternative to step 3, you can create an HTTPS inspection policy to Decrypt and inspect HTTPS requests through the web filter. This does however require that the certificate used by Guardian is installed on each of the client machines (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/httpssettings.htm).
Actions for the Firewall
Additionally, you can control access to ports using a firewall. If you are using the Smoothwall firewall, you do this in either the Network > Firewall > Firewall rules page (those running Inverness or above), or the Network > Outgoing pages (for those running Hearst or below).
Proxies will typically attempt to connect to their servers on port 80 or 443. If this fails, some applications have the ability to fall back to other ports. The following table details the ports predominantly used by proxy bypass software:
| Proxy | Ports | Additional Notes | Last Checked |
|---|---|---|---|
| Betternet | 1194, 5228, 7268, 9110 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 20th June 2019 |
| CyberGhost | 8078 | | 20th June 2019 |
| F-Secure Freedome VPN | 500, 2744 | | 31st January 2018 |
| Freegate | 1024-65535 | | March 2017 |
| freevpn.og | 8010 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 20th June 2019 |
| Hexatech | 5228, 9110 | | 20th June 2019 |
| Hideman VPN | 500, 995 | | 31st January 2018 |
| HotSpot Shield | 105, 179, 465, 990, 1024-65535 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 20th June 2019 |
| Kiwi VPN | 1194 | | 24th June 2019 |
| Opera Free VPN | 1194, 5353 | | 20th June 2019 |
| Secure VPN | 82, 115, 500, 910, 4500 | | 24th June 2019 |
| Security Kiss | 123, 5000, 5353 | | 20th June 2019 |
| SetupVPN | 3000 | | 24th June 2019 |
| Snap VPN | 500 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| SpeedVPN | 7, 1024-65535 | | 20th June 2019 |
| Spotflux | 443 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | January 2017 |
| Surf VPN | 9970-9979 | | 24th June 2019 |
| Thunder VPN | 53, 81, 465, 802, 936 | | 24th June 2019 |
| Tor | 1024-65535 | Will attempt to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 24th June 2019 |
| TunnelBear | 7011 | | 20th June 2019 |
| Turbo VPN | 500 | | 24th June 2019 |
| VPN Monster | 23, 25, 66, 110, 119 | | 24th June 2019 |
| VPNGate | 500, 992, 995, 1024-65535 | | 24th June 2019 |
| VPN360 | UDP 443, 500, 4000 | | 24th June 2019 |
| Yoga VPN | 5000, 8000, 52000 | | 21st June 2019 |
| Windscribe | UDP ports: 80, 443. TCP and UDP ports: 500, 1194, 4500, 5228, 54783 | Attempts to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 21st June 2019 |
| X-VPN | This proxy uses a range of different ports (including 21, 25 and 53); you will need to lock down your firewall and only open the ports that are necessary. | Attempts to connect on port 80 or 443, so ensure that the HTTPS inspection policy is set to either Decrypt and inspect or Validate certificate only. | 26th June 2019 |
UltraSurf is a proxy application installed locally on users' devices. Users then configure their browsers to point to the local proxy. The UltraSurf proxy sends outgoing traffic to HTTPS sites by IP address rather than hostname. This is the case both when UltraSurf sends traffic directly to port 443 (HTTPS) and when UltraSurf is set to use an upstream proxy.
So, what can be done?
- Block the installation and execution of the UltraSurf application using domain-wide security policies
- Set proxy settings in a security policy so users cannot override them
These are basic recommendations when blocking UltraSurf traffic. Users may still get around security policies by using non-domain-managed devices, or those devices where the user themselves has administration rights.
Server Name Indication (SNI) is an extension to the HTTPS Transport Layer Security (TLS) handshake that indicates to the proxy which domain the traffic is destined for. SNI is used by the Guardian web filter when transparently intercepting HTTPS traffic.
Additional actions for the Guardian web filter:
- It is recommended you create a transparent web proxy authentication policy which blocks HTTPS traffic that does not present an SNI extension (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/authpolicywiz.htm).
- Enable additional heuristics to block advanced proxy bypass tools (see https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/proxy.htm).
Note: The two options shown above may also block legitimate applications from working if they use the same type of traffic as UltraSurf, such as some cloud-based services. Without SNI information, Guardian is unable to easily differentiate between UltraSurf and non-UltraSurf traffic using any parameters other than destination IP addresses.