Block Evasive Applications — Configuration Example


Evasive applications use dynamic ports and protocols, encryption and other techniques to make the application traffic difficult to detect and manage. The objective of this configuration example is to show how you can block Ultrasurf with WatchGuard Firebox policies and subscription services. You can use a similar strategy to block other types of evasive applications on your network.

This configuration example assumes you have an existing Firebox configured with HTTP and HTTPS proxy policies.

These steps are provided as a basic guide. Your network environment might require additional configuration settings.

Application Control and WebBlocker Configuration

To completely block Ultrasurf traffic, you must create a layered defense strategy of Firebox services. The first step is to deny Ultrasurf web pages (*ultrasurf*/*) so that users cannot download the application. This is done via an HTTPS proxy with content inspection and WebBlocker.

To prevent the download of Ultrasurf :

  1. In Application Control, configure an action to drop all traffic for the Ultrasurf application and other tunneling and proxy services.
    1. In the Edit Application Control Action dialog box, click Select by Category.
    2. Select the Tunneling and proxy services check box.
    3. From the drop-down list, select Drop.
  2. Apply the Application Control action to your HTTP and HTTPS proxies.
  3. You must enable content inspection on the HTTPS proxy for Application Control to be effective.

  4. In WebBlocker, to deny proxy avoidance applications like Ultrasurf, on the Categories tab, select Information Technology > Proxy Avoidance.
  5. On the Exceptions tab, add an exception to deny *ultrasurf*/*.
  6. Apply the WebBlocker action to your HTTP and HTTPS proxies.​​​

Firebox Configuration

Ultrasurf is a proxy-based application that allows Internet users to bypass firewalls and to surf the web anonymously. With Ultrasurf, users can avoid filtering rules that you create and enforce with WatchGuard WebBlocker. Ultrasurf hides your IP address and clears browsing history and cookies. It attempts to use alternate pathways if a connection is blocked.

The next layer of defense is to configure the Firebox to prevent connections from Ultrasurf. We recommend you complete this configuration for both current and legacy versions of Ultrasurf.

How It Works

Many proxy avoidance applications use a similar set of strategies to try to connect to their servers. Typically, the application first sends DNS queries to find a server. Then it tries to connect to the server on HTTP port 80 and then on HTTPS port 443. Some applications try to build an SSL tunnel on either the standard port 443, or another port, such as TCP 53 or another dynamically selected port. If all of this fails, the application could try to connect to backup servers located on popular and often allowed data centers such as Microsoft or Amazon Web Services. Another strategy includes attempts to download another executable while the application continues to repeatedly try to connect to a server.

To detect these types of applications, you must configure proxies and services with appropriate settings, and enable logging for reports. It is also important to regularly monitor log files and reports to keep up with the new trends in network activity as updates of those applications become available.

This configuration example uses a combination of policies and services to block the strategies used by Ultrasurf:

  • Proxy Policies — Proxy policies examine all outgoing HTTP, HTTPS, and DNS connections, and deny or block connections or content that could represent a threat. They also use configured services and other configuration settings to examine connections and content to determine whether to allow a connection. Proxy policies enforce protocols. For example, if a tunneling application attempts to send traffic over TCP/UDP 53 and a DNS proxy is in place, then the traffic will fail as the tunnel traffic is not DNS-compliant.
  • Application Control — Application Control drops connections for applications in the Tunneling and proxy services category and other application categories that could represent a threat. Application Control is enabled for all outgoing browsing policies.
  • WebBlocker — WebBlocker blocks connections to websites in the proxy avoidance category and other categories that could represent a threat. The WebBlocker configuration is used by the HTTP-proxy and HTTPS-proxy actions.

You can apply the same type of configuration strategies to protect against advanced malware and other evasive applications. To do this, you would configure other security services such as Gateway AntiVirus, Botnet Detection, APT Blocker, Reputation Enabled Defense, and Intrusion Prevention Services. We recommend that you monitor log messages and reports regularly to help identify new threats, so you can update the configuration as threats and application behaviors evolve.

See Also

About Application Control

Enable Application Control in a Policy

Manage Evasive Applications

Use Certificates with HTTPS Proxy Content Inspection