
Cisco WSA able to block TOR Browser?

J_Vansen_S
Level 3

Hi all,

We have a WSA in the network as a transparent proxy.

Is there a way for WSA to block the use of TOR Browser?

Also, is it possible to limit torrent bandwidth too?

4 Replies

I am also interested in this information. Tor Browser seems to cut right through WSA with ease...

Any info on blocking TOR?

As for BitTorrent, you can do that in the AVC section, but that will only work if users are using port 80 or 443. Since BitTorrent uses dynamic ports, you may need to use NBAR or another packet inspection tool.


SriSagar Kadambi
Cisco Employee

Hi Guys,

* Requiring NTLM auth in explicit proxy mode stops it cold - this is just a missing feature in TOR.
* If you disable auth, or use Basic auth, then requiring that SSL destinations have server certs signed by known CAs will stop it. (This works regardless of the decryption reputation, as the WSA always appears to check this in explicit mode when configured.)
* If you disable the above two methods, the "filter avoidance" URL category is only effective against the initial "find directory servers" boot-up. If we miss one, or the client has this info cached from before, the URL category is not effective.
* Another method that would be effective would be to block all browsing by IP address; however, this has a pretty good chance of false positives.

Notice that the above will only work if all egress ports which are not proxied are blocked. TOR will attempt to go outbound on higher ports; if you are not blocking these (e.g. on the firewall), it becomes nearly impossible to effectively block TOR.
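
To gauge the false-positive risk of the "block all browsing by IP address" option before enabling it, proxy access logs can be reviewed for requests whose destination is a raw IP address rather than a hostname. The following is an added example, not part of the original thread and not Cisco's code; it assumes a squid-style access-log field order, and the log lines and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in a squid-style access-log layout (assumed field
# order: time, elapsed, client, result/status, bytes, method, URL, user, ...).
SAMPLE_LOG = """\
1700000001.101 120 10.1.1.20 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/www.example.com text/html
1700000002.202 900 10.1.1.31 TCP_MISS/200 8042 CONNECT 203.0.113.45:9001 - DIRECT/203.0.113.45 -
1700000003.303 850 10.1.1.31 TCP_MISS/200 7311 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1700000004.404 60 10.1.1.42 TCP_MISS/200 911 GET http://192.0.2.10:8080/status - DIRECT/192.0.2.10 text/plain
1700000005.505 300 10.1.1.20 TCP_MISS/200 4400 CONNECT mail.example.org:443 - DIRECT/mail.example.org -
1700000006.606 75 10.1.1.42 TCP_MISS/200 640 GET http://[2001:db8::5]/health - DIRECT/2001:db8::5 text/plain
"""

def destination(method, target):
    """Return (host, port) for a CONNECT authority or an absolute URL."""
    parts = urlsplit("//" + target if method == "CONNECT" else target)
    default = 443 if method == "CONNECT" or parts.scheme == "https" else 80
    return parts.hostname, parts.port or default

def is_ip_literal(host):
    """True when the destination is an IPv4/IPv6 literal, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except (ValueError, TypeError):
        return False

def ip_literal_requests(log_text):
    """Yield (client, method, host, port) for requests addressed to a raw IP."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or truncated lines
        client, method, target = fields[2], fields[5], fields[6]
        host, port = destination(method, target)
        if is_ip_literal(host):
            yield client, method, host, port

def summarize(log_text):
    """Count IP-literal requests per client, split by CONNECT vs plain HTTP."""
    summary = Counter()
    for client, method, _host, _port in ip_literal_requests(log_text):
        summary[(client, "connect" if method == "CONNECT" else "http")] += 1
    return dict(summary)
```

Clients that show up only under "http" with internal or well-known addresses are the likely false positives; the counts give a baseline for how many users an IP-address block would affect.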
