At present no reliable way to block Tor Browser?

Hi,

I  have been able to stop downloading the tor browser using the application and web policies. I created my own web url group and added torproject.org to it. Then I added that to my 'block bad stuff' policy and while I can access the tor site, I cannot download the tor browser.

I have not installed tor browser so I cannot tell if this approach stops the tor browser from connecting. Also there was a post by one the Sophos Devs about tuning the IPS settings to assist with blocking tor.

Ian

I removed my web block and installed tor browser on my MBP running Mojave latest version.

I was unable to connect using tor browser with and without setting up the proxy bypass int per browser. It failed to connect to two different IP addresses.

I have application and web policies using standard XG supplied lists.

Ian

It could be as easy as in any other firewall where you can feed the firewall with custom IP block list.

Then you take one of the multiple list available and that's all, TOR is completely blocked.

https://www.dan.me.uk/tornodes

https://check.torproject.org/torbulkexitlist

The problem is that Sophos XG lack of features that are commonly available in other firewalls.

Still can't even match what UTM is able to do, what a bad choice to pick Cyberoam over Astaro, 9 years later, Astaro UTM is still better.

I was celebrating too soon: in order to get Skype personal working with high quality, I had to open some ranges of UDP and TCP ports (Ports for Skype) because after one week of configuration attemps (How to free skype with SFOS) I couldn't get Skype calls working in combination with SSL decryption. For me, it seems that the XG is pretty useless if you have to block Tor Browser traffic in a reliable way while keeping Skype et al. functional: there's no way to skip SSL decryption based on application, nor there's a way to update tor exit nodes by an external database/list on a regulary basis as l0rdraiden suggested. I am frustrated having invested so much time in a hopeless endeavour. I am missing something?

You could simply import the list of the TOR Exit IPs as a Host IP List and block them in the Firewall. That would be a static process. 

There could be a automated process in pulling those IPs and converting them into XG via XML API. Or you simply copy paste them into Notepad, replace all /r /d with , and put them into the Webadmin. 

Hi Sacha Roland,

please advise which ports you used to provide Skype access. I would like to try and replicate your issue hopefully with a fix.

Ian

Hi Ian,

I found out, that skype isn't even capable to establish calls with the following ports, services an exceptions enabled:

And I made these exceptions (disabling https decryption etc.):

5342.skypeexceptions.xml

Also, I additionally made a firewall rule with the above URLs as allowed destination networks and disabled decrypt https & scan.

But no success: Skype can't establish calls and Tor Browser (version 9.0.9/macos) still is capable to connect to the internet. The only way to disable Tor Browser right now is to disallow UDP completely. And for sake of clarity: I made these settings at the very beginning: Application filter recommended settings for better application detection.

I am curious.

Concerning the import of Tor Exit Nodes: unfortunately, it is not possible to import all exit nodes via API into a Host IP List, because the number of entries is limited:

<Status code="522">Maximum limit reached for entity.</Status>

Dont waste your time, it has to be loaded manually and it has a limit or 1000 or so, which make it basically useless for any CTI purpose

Even snort could handle this and block a given IP list but is simply not implemented in Sophos from the interface so you can not load a custom list in snort.

You have a cap of 1000 IPs per List. Therefore you would have this list to split into two Lists and use them in one firewall rule.

The update can be used on the object, without touching the firewall object. 

You can actually use this process:

Load the current List from the website.

Split the List into two objects, or make three, to be sure. 

Split the List in your Cache by 2 or 3 and update each Object in XG with their own List.

Repeat this every day with a script and Cron and thats it. 

Hi Sacha,

why I asked about your ports was that the MS site advises not all ports are required except if you want really high quality calls.

I shall experiment during the day, the weather's not inductive to working outside.

Ian

Hi Sacha,

a couple of points of interest

1/. XG should have stopped me from downloading TOR - it didn't.

2/. Sophos home should have blocked TOR - it didn't.

The fowling are my attempts t connect to the TOR network, with and without configuring HTTP proxy.

The only thing I can't really check is if Skype works, I have added all the ports you are using to my Skype firewall rule. My wife's Skype still connectds but has nothing total to at this stage.

Ian

Update point of interest - TOR currently does not try to use IPv6, if and when it does the current version of XG will not be able to block it easily if at all and allow other applications to function because the current version of XG does not support FQDN in the IPv6 rules.

Hi Sacha,

a couple of points of interest

1/. XG should have stopped me from downloading TOR - it didn't.

2/. Sophos home should have blocked TOR - it didn't.

The fowling are my attempts t connect to the TOR network, with and without configuring HTTP proxy.

The only thing I can't really check is if Skype works, I have added all the ports you are using to my Skype firewall rule. My wife's Skype still connectds but has nothing total to at this stage.

Ian

Update point of interest - TOR currently does not try to use IPv6, if and when it does the current version of XG will not be able to block it easily if at all and allow other applications to function because the current version of XG does not support FQDN in the IPv6 rules.

Further, I have installed Skype and logged in, connects and authenticates okay.

Ian

Hi Sacha Roland,

i think part of your current issue is with your service definitions being too narrow.

I think they should be like this.

Ian

Thanks to Ian, I got Skype working while keeping Tor Browser blocked by removing services for High Quality Skype Calls and editing my standard skype ports to these:

Unfortunately, when I check "Tor is censored in my country" in Tor settings and choose "Select a built-in bridge > meek-azure" then Tor connects to the internet.

Hi Sacha,

which firewall rules his your connection gong through?

I tried that configuration you posted and it failed very quickly to establish a connection.

So far using the alternate connection offered the application has been 'loading relay information' for over 15 minutes and still trying.

I am currently running v18.0.1 MR-1 patched and I have not made any changes since I last tested TOR access except for a rollback and and a rollforward.

Ian

update: 30 minutes later no connection, but I have not tried asking the project team for a proxy.

Thank you so much for keeping track with tis issue, Ian.

I traced the culprit firewall rule:

(Action: allow)

Source zones: ANY
Source networks and devices: ANY
Destination zones: WAN
Destination networks: see list below
Services: ANY

List of FQDNs:

skype.com
live.com
skypeassets.com
live.net
msecnd.net
auslogics.com
windows.com
msocsp.com
omniroot.com
trouter.io
passport.net
live-int.com
gfx-int.ms
passport-int.net
gfx.ms
ec2-52-6-101-221.compute-1.amazonaws.com
microsoftonline.com
microsoftonline-p.com
onmicrosoft.com
sharepoint.com
outlook.com
lync.com
msftconnecttest.com

After removing this FQDN-group, tor couldn't connect anymore, even with bridge-mode. The FQDNs I put in a web exception rule instead.

But why above FQDNs from big companies allowed tor to connect to the internet? I am curious to understand that.

If I would like to keep the FQDNs in a firewall rule (instead of putting them into web exceptions), what would I have to do to block tor browser anyway? I am curious to understand that as well.

Hi Sacha,

I see part of the problem being your firewall rule,

You should modify it and where possible avoid the use of 'ANY'. The same with your services you where possible should try to restrict the range of ports offered.

Ian