At present no reliable way to block Tor Browser?

Hi,

I  have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one the Sophos Devs about tuning the IPS settings to assist with blocking tor.

Ian

I removed my web block and installed tor browser on my MBP running Mojave latest version.

I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

I have application and web policies using standard XG supplied lists.

Ian

I've been fiddling with this today. I'm also not able to prevent theTOR browser to start for 100%.
Sometimes it doesn't start sometimes it does.

What I was able to accomplish is to disable browsing from a TOR Browser session.
If you're interested please let me know.

Grtz, Peter-Paul

Yes, I am very interested in the way you disabled browser sessions.

Did you alter the settings mentioned here for better application detection?

First i created a new service (Hosts and services -> Services), like this:

(not sure if the UDP entries are necessary, added them just in case)

Then i added a new FW rule:

Finally i made sure no one is able to download the TOR Browser, so i added 'torproject.org' to URL group [Local TLS deny list] (Web -> URL groups)

The result (for me) is that the TOR Browser does start (most of the times) but browsing is not possible. I've tested with:
- "Check our Tor Browser Manual" on the opening tab of TOR Browser
- google.com
- nu.nl
- ibm.com
- sophos.com

(Also tested on an Android phone as well on an iPhone, both succesfull)

I'm interested to hear about your findings, succes.

Grtz, Peter-Paul

Thank you,

I followed your suggestions, but tor is able to connect the internet.

Maybe I missed something: are the suggested changes all you did or did you something before (like application detection etc.)?

Here are my rules:

Honestly, I seriously doubt dropping some TCP/UDP ports is enough to stop tor. It is designed to work around obstacles, you have to use application signatures etc.

Best regards

Sacha

Sorry, forgot to mention two things:
1. i did alter the settings mentioned here for better application detection?

2. i added something to my default web policy (Web -> Policies):

Grtz, Peter-Paul

Hi Sacha Roland 

You have "any service" selected on your rules.  As you have stated TOR is designed to work around proxies and firewalls such as the XG.

We have to make it harder for them to do so.  As TOR is updated more frequently, we are only able to create signatures based on the files seen in the wild.  The TOR user/dev community will not give us the file before they release it so that we can have signatures created beforehand.  

So in order to make it harder for TOR to be blocked, you have to limit ports outbound.  For DNS outbound, limit to port and DNS providers.

There are a lot of posts on here about Psiphon being blocked.  Search for them to see what else has been done to limit that application.

You should also increase the maximum amount of packets that get scanned before IPS makes a decision on what type of traffic it is.  You can do this by going to the "Console" and running command: set ips maxpkts 100

Ensure that the following settings have been set on the web proxy:

Block PUAs

Enable pharming protection

Block invalid certificates

Block unrecognized protocols

The above settings are in addition to limiting outbound ports/services and locking down any other rules with "any service" to a specific IP.

Let us know how it goes.

Thanks!

Thank you for your in-depth information. But I didn't get what I'll have to do with my "any service" settings. I am not familiar enough with the general concept. What do I have to do specifically? (Is there a how-to?)

Hi,

you replace "ANY Service" with specific services eg https, http in the proxy rules. SMTP/s and IMAP/s and POP/s in the  mail rules with specific destinations.

Where you can you change ANY destination to specific destinations which I know is not practical for general internet access.

Ian

Thank you. I got the concept now and narrowed down outbound connections to specific Protokolls and IPs. Now Tor Browser is blocked.

It could be as easy as in any other firewall where you can feed the firewall with custom IP block list.

Then you take one of the multiple list available and that's all, TOR is completely blocked.

https://www.dan.me.uk/tornodes

https://check.torproject.org/torbulkexitlist

The problem is that Sophos XG lack of features that are commonly available in other firewalls.

Still can't even match what UTM is able to do, what a bad choice to pick Cyberoam over Astaro, 9 years later, Astaro UTM is still better.

It could be as easy as in any other firewall where you can feed the firewall with custom IP block list.

Then you take one of the multiple list available and that's all, TOR is completely blocked.

https://www.dan.me.uk/tornodes

https://check.torproject.org/torbulkexitlist

The problem is that Sophos XG lack of features that are commonly available in other firewalls.

Still can't even match what UTM is able to do, what a bad choice to pick Cyberoam over Astaro, 9 years later, Astaro UTM is still better.

I was celebrating too soon: in order to get Skype personal working with high quality, I had to open some ranges of UDP and TCP ports (Ports for Skype) because after one week of configuration attemps (How to free skype with SFOS) I couldn't get Skype calls working in combination with SSL decryption. For me, it seems that the XG is pretty useless if you have to block Tor Browser traffic in a reliable way while keeping Skype et al. functional: there's no way to skip SSL decryption based on application, nor there's a way to update tor exit nodes by an external database/list on a regulary basis as l0rdraiden suggested. I am frustrated having invested so much time in a hopeless endeavour. I am missing something?

You could simply import the list of the TOR Exit IPs as a Host IP List and block them in the Firewall. That would be a static process. 

There could be a automated process in pulling those IPs and converting them into XG via XML API. Or you simply copy paste them into Notepad, replace all /r /d with , and put them into the Webadmin. 

Hi Sacha Roland,

please advise which ports you used to provide Skype access. I would like to try and replicate your issue hopefully with a fix.

Ian

Hi Ian,

I found out, that skype isn't even capable to establish calls with the following ports, services an exceptions enabled:

And I made these exceptions (disabling https decryption etc.):

5342.skypeexceptions.xml

Also, I additionally made a firewall rule with the above URLs as allowed destination networks and disabled decrypt https & scan.

But no success: Skype can't establish calls and Tor Browser (version 9.0.9/macos) still is capable to connect to the internet. The only way to disable Tor Browser right now is to disallow UDP completely. And for sake of clarity: I made these settings at the very beginning: Application filter recommended settings for better application detection.

I am curious.

Concerning the import of Tor Exit Nodes: unfortunately, it is not possible to import all exit nodes via API into a Host IP List, because the number of entries is limited:

<Status code="522">Maximum limit reached for entity.</Status>

Dont waste your time, it has to be loaded manually and it has a limit or 1000 or so, which make it basically useless for any CTI purpose

Even snort could handle this and block a given IP list but is simply not implemented in Sophos from the interface so you can not load a custom list in snort.

You have a cap of 1000 IPs per List. Therefore you would have this list to split into two Lists and use them in one firewall rule.

The update can be used on the object, without touching the firewall object. 

You can actually use this process:

Load the current List from the website.

Split the List into two objects, or make three, to be sure. 

Split the List in your Cache by 2 or 3 and update each Object in XG with their own List.

Repeat this every day with a script and Cron and thats it. 

Hi Sacha,

why I asked about your ports was that the MS site advises not all ports are required except if you want really high quality calls.

I shall experiment during the day, the weather's not inductive to working outside.

Ian

Hi Sacha,

a couple of points of interest

1/. XG should have stopped me from downloading TOR - it didn't.

2/. Sophos home should have blocked TOR - it didn't.

The fowling are my attempts t connect to the TOR network, with and without configuring HTTP proxy.

The only thing I can't really check is if Skype works, I have added all the ports you are using to my Skype firewall rule. My wife's Skype still connectds but has nothing total to at this stage.

Ian

Update point of interest - TOR currently does not try to use IPv6, if and when it does the current version of XG will not be able to block it easily if at all and allow other applications to function because the current version of XG does not support FQDN in the IPv6 rules.

Further, I have installed Skype and logged in, connects and authenticates okay.

Ian