[c-nsp] Block Ultra Surf v14 on ASA

Ian McDonald iam at st-andrews.ac.uk
Thu Feb 19 02:45:25 EST 2015


Hi folks,

If one could regularly parse the Google Docs document programmatically, which I'm pretty sure it is supposed to be, one could generate an IP list & feed it into a routing process (like bird) and peer in one's own bogon list to a null route table.

Sure, that's cheating a bit as it'd need some resource outside the ASA to feed it (or more likely the router nearest it), but it has the advantage of being maintainable outside trying to generate & refresh an acl on the ASA.

Remember to add logic to prevent foot-cannoning your own address space (and sending a warning if it were to have occurred).

Best Regards

--
ian


Sent from my phone, please excuse brevity and/or misspelling.
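A sketch of the feed step described above, added here as an illustration (not code from the thread or from the BIRD project). It assumes the fetched list has already been saved as plain text (a constructed sample is embedded), that OWN_PREFIXES holds the operator's own address space, and that the output is a BIRD 1.x-style `protocol static` fragment of blackhole routes; entries overlapping OWN_PREFIXES are withheld and logged as a warning.

```python
import ipaddress
import logging

# Constructed sample of the kind of text a fetch step would hand to this script.
SAMPLE_LIST = """\
# proxies (constructed sample, not real data)
198.51.100.10
198.51.100.11
203.0.113.0/24
192.0.2.77
not-an-address
"""

# Assumed: the operator's own prefixes, which must never be null-routed.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

def parse_ip_list(text):
    """Return ip_network objects from a text list; skip comments and junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            logging.warning("skipping unparsable entry: %r", line)
    return nets

def split_foot_cannon(nets, own=OWN_PREFIXES):
    """Separate entries overlapping our own space (the foot-cannon check) from the rest."""
    safe, dangerous = [], []
    for n in nets:
        if any(n.version == o.version and n.overlaps(o) for o in own):
            logging.warning("refusing to null-route own address space: %s", n)
            dangerous.append(n)
        else:
            safe.append(n)
    return safe, dangerous

def bird_blackhole_config(nets, name="null_routes"):
    """Emit a BIRD static protocol fragment with one blackhole route per prefix."""
    lines = [f"protocol static {name} {{"]
    for n in sorted(nets, key=lambda x: (x.version, x)):
        lines.append(f"  route {n.with_prefixlen} blackhole;")
    lines.append("}")
    return "\n".join(lines)
```

Binding the static protocol to a dedicated null-route table is left to the operator's existing BIRD configuration.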
________________________________
From: Chuck Church<mailto:chuckchurch at gmail.com>
Sent: 19/02/2015 03:22
To: 'Mohamed Nagy'<mailto:eng.mohamednagy at gmail.com>; 'Nick Hilliard'<mailto:nick at foobar.org>
Cc: cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA

I’ve never dealt with Ultrasurf before (nor heard of it), but a quick Google search lists a lot of methods to try to block it.  Everything from blocking the Google Docs document that lists all the proxies to blocking the proxies themselves.  Probably gonna be a lot of work blocking all those IPs, I’m guessing there are 100s of them (maybe thousands).  If you control the client workstations, it might be easier to run a workstation software inventory program to catch the software.



Chuck



From: Mohamed Nagy [mailto:eng.mohamednagy at gmail.com]
Sent: Wednesday, February 18, 2015 7:09 PM
To: Nick Hilliard
Cc: Chuck Church; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA



Yes, I cannot block all HTTPS ports; it would be catastrophic in my network. Is there another solution from the ASA?



On Wed, Feb 18, 2015 at 7:06 PM, Nick Hilliard <nick at foobar.org <mailto:nick at foobar.org> > wrote:

On 18/02/2015 16:53, Chuck Church wrote:
> That will technically accomplish the requested goal.  There may be a bunch
> of side effects though.

yes, it will block all https.  This is what happens when you try to block a
VPN system which was explicitly designed to be difficult to block.

The real answer to the question is that this application cannot be blocked
with an ASA.  The OP will need to buy very expensive DPI hardware to guess
what sort of port 443 traffic is https and what sort is VPN traffic.

Nick
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/