[c-nsp] Block Ultra Surf v14 on ASA

Brian Turnbow b.turnbow at twt.it
Thu Feb 19 04:39:00 EST 2015


Then they will just move from UltraSurf to another VPN/proxy service...
If the user is already doing this to bypass your security, you will need to block them all, not just one.

Why not upgrade to a firewall that can block this type of service, not just some IPs? We use Fortinet, but lots of them exist.



Brian 

> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Ian McDonald
> Sent: Thursday, 19 February 2015 08:45
> To: Chuck Church; 'Mohamed Nagy'; 'Nick Hilliard'
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA
> 
> Hi folks,
> 
> If one could regularly parse the google docs document programmatically,
> which I'm pretty sure it's supposed to be, one could generate an IP list &
> feed it into a routing process (like bird) and peer in one's own bogon list to a
> null route table.
> 
> Sure, that's cheating a bit as it'd need some resource outside the ASA to feed
> it (or more likely the router nearest it), but it has the advantage of being
> maintainable outside trying to generate & refresh an acl on the ASA.
> 
> Remember to add logic to prevent foot-cannoning your own address space
> (and sending a warning if it were to have occurred).
> 
> Best Regards
> 
> --
> ian
> 
> 
> Sent from my phone, please excuse brevity and/or misspelling.
> ________________________________
> From: Chuck Church<mailto:chuckchurch at gmail.com>
> Sent: 19/02/2015 03:22
> To: 'Mohamed Nagy'<mailto:eng.mohamednagy at gmail.com>; 'Nick
> Hilliard'<mailto:nick at foobar.org>
> Cc: cisco-nsp at puck.nether.net<mailto:cisco-nsp at puck.nether.net>
> Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA
> 
> I’ve never dealt with Ultrasurf before (nor heard of it), but a quick Google
> search lists a lot of methods to try to block it.  Everything from blocking the
> Google Docs document that lists all proxies to blocking the proxies
> themselves.  Probably gonna be a lot of work blocking all those IPs, I’m
> guessing there are 100s of them (maybe thousands).  If you control the client
> workstations, it might be easier to run a workstation software inventory
> program to catch the software.
> 
> 
> 
> Chuck
> 
> 
> 
> From: Mohamed Nagy [mailto:eng.mohamednagy at gmail.com]
> Sent: Wednesday, February 18, 2015 7:09 PM
> To: Nick Hilliard
> Cc: Chuck Church; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Block Ultra Surf v14 on ASA
> 
> 
> 
> Yes, I cannot block all HTTPS ports; it will be catastrophic in my network. Is there
> another solution from the ASA??
> 
> 
> 
> On Wed, Feb 18, 2015 at 7:06 PM, Nick Hilliard <nick at foobar.org
> <mailto:nick at foobar.org> > wrote:
> 
> On 18/02/2015 16:53, Chuck Church wrote:
> > That will technically accomplish the requested goal.  There may be a
> > bunch of side effects though.
> 
> Yes, it will block all HTTPS.  This is what happens when you try to block a VPN
> system which was explicitly designed to be difficult to block.
> 
> The real answer to the question is that this application cannot be blocked
> with an ASA.  The OP will need to buy very expensive DPI hardware to guess
> what sort of port 443 traffic is https and what sort is VPN traffic.
> 
> Nick
> 
> 
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
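Ian's suggestion in the quoted message (parse the published proxy list programmatically, turn it into a null-route feed for a routing daemon such as BIRD, and add logic so you never null-route your own address space) as an added Python example. This is not code from the thread or from any of the posters. It assumes the list has already been fetched into a string with one IP or CIDR per line, that BIRD 2 static-route syntax is the target, and that the operator knows their own prefixes; the sample list, the `OWN_PREFIXES` values and the `MIN_PREFIX_LEN` guard are constructed for the example.

```python
"""Turn a fetched proxy-endpoint list into a BIRD null-route feed, safely.

Added example (not from the cisco-nsp thread). Assumes the upstream document
has already been downloaded into a string. Sample data below is constructed.
"""
import ipaddress
import logging
from typing import Iterable, List, Tuple

log = logging.getLogger("blackhole-feed")

# Constructed sample of what a fetched list might look like: plain IPs,
# CIDRs, a comment, a garbage line and an over-broad prefix.
SAMPLE_LIST = """\
# proxy endpoints (constructed sample)
203.0.113.10
203.0.113.11
198.51.100.0/24
192.0.2.5
192.0.2.0/24
10.20.30.40
not-an-address
0.0.0.0/0
"""

# Constructed: the operator's own address space, which must never be null-routed.
OWN_PREFIXES = ["192.0.2.0/24", "10.0.0.0/8"]

# Refuse anything broader than this; a single typo upstream must not blackhole
# half the Internet. Tune to taste (assumption, not a BIRD requirement).
MIN_PREFIX_LEN = 16


def parse_entries(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse one address or CIDR per line; return (accepted, rejected_lines)."""
    nets: List[ipaddress.IPv4Network] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # bare IP -> /32
        except ValueError:
            rejected.append(line)
            continue
        if net.version != 4 or net.prefixlen < MIN_PREFIX_LEN:
            rejected.append(line)  # IPv6 (out of scope here) or too broad
            continue
        nets.append(net)
    return nets, rejected


def filter_own_space(nets: Iterable[ipaddress.IPv4Network], own_prefixes: Iterable[str]):
    """Drop any candidate that overlaps our own prefixes; warn on every hit."""
    own = [ipaddress.ip_network(p) for p in own_prefixes]
    safe, clashes = [], []
    for net in nets:
        hit = next((o for o in own if net.overlaps(o)), None)
        if hit is not None:
            clashes.append((net, hit))
            log.warning("refusing to null-route %s: overlaps own prefix %s", net, hit)
        else:
            safe.append(net)
    return safe, clashes


def render_bird_static(nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Emit a BIRD 2 static protocol block with one blackhole route per prefix.

    Adjacent prefixes are collapsed first so the table stays small.
    """
    lines = ["protocol static blackhole_proxies {", "    ipv4;"]
    for net in ipaddress.collapse_addresses(nets):
        lines.append(f"    route {net} blackhole;")
    lines.append("}")
    return "\n".join(lines) + "\n"


def build_feed(text: str, own_prefixes: Iterable[str]):
    """Full pipeline: parse -> guard own space -> render. Returns (config, rejected, clashes)."""
    nets, rejected = parse_entries(text)
    safe, clashes = filter_own_space(nets, own_prefixes)
    return render_bird_static(safe), rejected, clashes


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    config, bad_lines, own_hits = build_feed(SAMPLE_LIST, OWN_PREFIXES)
    print(config)
    print(f"# rejected lines: {bad_lines}")
    print(f"# own-space clashes (not routed): {[str(n) for n, _ in own_hits]}")
```

Running it writes a `protocol static` block containing only `198.51.100.0/24` and the collapsed `203.0.113.10/31`; the two `192.0.2.x` entries and `10.20.30.40` are held back with a warning because they fall inside `OWN_PREFIXES`, and the unparsable and `/0` lines are reported as rejected. Wire the `clashes` list into whatever alerting you already have, since an upstream list that suddenly contains your own space is exactly the event Ian says should raise a warning rather than silently change routing.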