ASA 5520 Firewall bypass proxy -Ultrasurf

Tashi BDFCL · ‎03-04-2013

Hi,

I have ASA 5520 firewall with web filtering. I have lots of sites been blocked for security reason, like facebook, prone sites and so on... After blocking those sites i have found out that users being using proxy software i.e. ultrasurf and seen that this software bypass all blocked sites. I have tried blocking the sites with hard code but still this software bypass the blocked sites and user can access the blocked sites from their machine.

Is there any ways to overcome with this issue. I have seen in other organization using CHECKPOINT equipments which works really nice and this device blocks the sites completely and it blocks the proxy too.

I want to know, whether the ASA has a capability to block sites lilke CHECKPOINT.

I being a Network Administrator and have serious concern about the network securities loop holes. Therefore i want to know is there any other way out to solve this issue?

Thanks,

Regards,

TashiBDFCL

Andrew Phirsov · ‎03-04-2013

The one thing you may try to do is to block connection-establishment to the ultraserf servers from your clients' PCs. When connection is established, you can't do anything about it, cause it uses secure http.

Blocking connection establishment can be done well with cisco ISR using FPM framework. I personnaly did this thing for team-viewer. The key is to match specific field in packets, when client is trying to connect to the server. What to block you can find throug analyzing traffic using wireshark.

But ASA doesn't have an abiltity to block custom fields in the packet, when it's not related to a specific protocol, so i don't think ASA can do it.

Probably it's possible to block access to ultraserf servers using access-list with FQDN of the ultraserf -servers in destination part. But i'm not sure it'll work.