topic Block users from using Tor in Network Security

Block users from using Tor

Frank Hoeben — Mon, 11 Mar 2019 18:36:50 GMT

The title says it all.

How do I block users from using the Tor network to bypass the firewall?

All I'm able to find is that Tor uses port 9001 (TCP) by default but switches to any other open port (80,443,25,23,22, etc) when it's blocked.

Blocking those 'backup' ports is obviously not the right way, so I'm looking for inspect rules or any other way to classify and block Tor.

Re: Block users from using Tor

mirober2 — Wed, 08 Sep 2010 12:45:42 GMT

Hi Frank,

I did a quick capture to look at the Tor client while it is connecting. It looks like it encrypts most of the connection traffic, so all your users would probably need to first connect through a proxy that could decrypt the connection and block it that way. Tor is designed to be very resilient, so I don't think you'll find a feasible way to block it at the firewall.

Hope that helps.

-Mike

Re: Block users from using Tor

Frank Hoeben — Wed, 08 Sep 2010 13:24:42 GMT

I was afraid of that.

Plan B would be to tell the AV software to block the Tor executables by default, but files are easily renamed and versions change so file hashes are useless.

Plan C is making the use of firewall bypassing software an offense punishable by death.

Re: Block users from using Tor

Nagaraja Thanthry — Wed, 08 Sep 2010 13:35:13 GMT

Hello,

One alternative could be to tie down the inside interface access-list to a

specific list of allowed ports. From what I understand of working of Tor, it

tries to relay through multiple hosts and for that, the relay servers setup

certain ports. So, if you limit the inside network access to normal ports

like 80/443, and 53, then the access will be limited to these ports. Now,

you can configure HTTP inspection to limit Tor access on port 80 as well

(you might take a performance hit when you configure http inspection). This

will limit the Tor users to use only port 443 for relay.

Hope this helps.

Regards,

My way to block tor is

nawir — Mon, 20 Oct 2014 01:50:55 GMT

My way to block tor is this

http://nbctcp.wordpress.com/2014/10/20/blocking-tor-browser-in-cisco-asa-5505/

do you have all IP addresses

Tagir Temirgaliyev — Mon, 20 Oct 2014 15:38:16 GMT

do you have all IP addresses of TOR servers?

palo-alto firewall can block tor because it has protocol inspection

If you check my my link,

nawir — Tue, 21 Oct 2014 01:55:52 GMT

If you check my my link, there are around 6500 server I need to copy paste into botnet blacklist.

I admit its not automatic way to block tor, but at least its work. I already test that.

If management have budget, of course they can buy another easier to manage device.

Its just one alternative to block tor