[c-nsp] Block Ultra Surf v14 on ASA

Chuck Church chuckchurch at gmail.com
Wed Feb 18 22:19:10 EST 2015


I’ve never dealt with Ultrasurf before (nor heard of it), but a quick Google search lists a lot of methods to try to block it.  Everything from blocking the Google Docs document that lists all proxies to blocking the proxies themselves.  Probably gonna be a lot of work blocking all those IPs, I’m guessing there are 100s of them (maybe thousands).  If you control the client workstations, it might be easier to run a workstation software inventory program to catch the software.

 

Chuck

 

From: Mohamed Nagy [mailto:eng.mohamednagy at gmail.com] 
Sent: Wednesday, February 18, 2015 7:09 PM
To: Nick Hilliard
Cc: Chuck Church; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

 

Yes, I cannot block all HTTPS ports; it will be catastrophic in my network. Is there another solution from the ASA?

 

On Wed, Feb 18, 2015 at 7:06 PM, Nick Hilliard <nick at foobar.org> wrote:

On 18/02/2015 16:53, Chuck Church wrote:
> That will technically accomplish the requested goal.  There may be a bunch
> of side effects though.

Yes, it will block all https.  This is what happens when you try to block a
VPN system which was explicitly designed to be difficult to block.

The real answer to the question is that this application cannot be blocked
with an ASA.  The OP will need to buy very expensive DPI hardware to guess
what sort of port 443 traffic is https and what sort is VPN traffic.

Nick



 


