Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500.
Firmware: SonicOS Enhanced 188.8.131.52-36o or higher
Software Version: Upto UltraSurf 9.97
Services: DPI-SSL and IPS.
UltraSurf protocol negotiates an SSL key exchange using SSL protocol with no certificate present - which is legal SSL. This doesn’t give SonicWALL Intrusion Prevention Service (IPS) anything to distinguish it from other legal SSL exchanges. The method outlined below is one of the methods to block UltraSurf.
Intrusion Prevention Service (IPS):
When a client and a server start the SSL/TLS handshake, the server usually sends its certificate to the client for verification of server's public key. This signature detects the situation that the server omits sending its certificate. This type of traffic is used by some anti-censorship software. for example: Ultrasurf. Although SonicWALL IPS has signature IDs to block IPS, these signatures aren't sufficient to block UltraSurf. The following sections outline the method to block UltraSurf using DPI-SSL and IPS signature IDs.
1. Signature Category: PROXY-ACCESS
Signature Name: Non-SSL traffic over SSL port -- Traffic Anomaly Detection
Signature ID: 6
2. Signature Category: PROXY-ACCESS
Signature Name: Potential Ultrasurf/Freegate -- Traffic 5
Signature ID: 2532
3. Signature Category: POLICY
Signature Name: Potential Ultrasurf Traffic
Signature ID: 150
Step 1: Enabling DPI-SSL Service for Intrusion Prevention engine.
1. Login to SonicWALL Mangement Interface
2. Click on DPI-SSL > Client SSL option
Client DPI-SSL: Used to inspect HTTPS traffic when clients on the SonicWALL security appliance’s LAN access content located on the WAN.
3. Under General Settings section, Check the options "Enable SSL Client Inspection" and "Intrusion Prevention".
4. Click on Apply to accept the settings
Max Concurrent DPI-SSL inspected connections:
Hardware Model Max Concurrent DPI-SSL inspected connections
NSA 3500 250
NSA 4500 350
NSA 5000 1000
NSA E5500 2000
NSA E6500 4000
NSA E7500 8000
Alert: The internal diag.html page setting ‘Allow SSL without proxy when connection limit exceeded’ enabled by default will allow Ultrasurf through undetected when the Client DPI-SSL connection limit (varies per model see above) is reached.
Importing DPI-SSL certificate into browsers:
In the Client DPI-SSL scenario, the SonicWALL UTM appliance typically does not own the certificates and private keys for the content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the SonicWALL certificate authority (CA) certificate, or a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.
By default, DPI-SSL uses the Default SonicWALL DPI-SSL CA Certificate to re-sign traffic that has been inspected.
In order for re-signing certificate authority to successfully re-sign certificates browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.
• Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.
• Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.
• Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
Step 2: Enabling IPS signatures
1: Login to the SonicWALL Management Interface. Ensure IPS is enabled on the appropriate Interface under Network > Zones page
2: Go to Security Services > Intrusion Prevention page, ensure that the "Enable IPS" is selected under the IPS Global Settings section.
3: Select PROXY-ACCESS from the Category menu and edit the Potential Ultrasurf Traffic signature. OR enter the Signature ID 6 in the Lookup Signature ID field.
4: Click on the drop-down menu for Prevention and Detection setting and select Enable.
Note: Repeat the above steps to configure Signature ID 150 and 2532.
5: Click OK to update the settings.
Ultrasurf software will never succeed in Contacting the server... and the following log message is displayed under Log > View page.