At present no reliable way to block Tor Browser?

Although I had enabled "Filter avoidance apps" (app control) as well as SSL inspection, Tor Browser managed to connect to the internet. As Sophos support told me on the phone, this problem seems to be known.

Are there any experiences here in blocking Tor Browser reliably?
Maybe more steps are necessary to block it, as outlined here for another manufacturer?

  • In reply to Sacha Roland:

    First I created a new service (Hosts and services -> Services), like this:


    (not sure if the UDP entries are necessary, added them just in case)

    Then I added a new FW rule:

    Finally I made sure no one is able to download the TOR Browser, so I added 'torproject.org' to URL group [Local TLS deny list] (Web -> URL groups)

    The result (for me) is that the TOR Browser does start (most of the times) but browsing is not possible. I've tested with:
    - "Check our Tor Browser Manual" on the opening tab of TOR Browser
    - google.com
    - nu.nl
    - ibm.com
    - sophos.com

    (Also tested on an Android phone as well as on an iPhone, both successful)

    I'm interested to hear about your findings, success.

    Grtz, Peter-Paul

  • In reply to Peter-Paul Gras:

    Thank you,

    I followed your suggestions, but Tor is able to connect to the internet.

    Maybe I missed something: are the suggested changes all you did, or did you do something before (like application detection etc.)?

    Here are my rules:

    Honestly, I seriously doubt dropping some TCP/UDP ports is enough to stop Tor. It is designed to work around obstacles; you have to use application signatures etc.

    Best regards

    Sacha

  • In reply to Sacha Roland:

    Sorry, forgot to mention two things:
    1. I did alter the settings mentioned here for better application detection.

    2. I added something to my default web policy (Web -> Policies):

    Grtz, Peter-Paul

  • In reply to Sacha Roland:

    Hi,

    You have "any service" selected on your rules. As you have stated, TOR is designed to work around proxies and firewalls such as the XG.

    We have to make it harder for them to do so. As TOR is updated more frequently, we are only able to create signatures based on the files seen in the wild. The TOR user/dev community will not give us the file before they release it so that we can have signatures created beforehand.

    So in order to make it harder for TOR to be blocked, you have to limit ports outbound.  For DNS outbound, limit to port and DNS providers.

    There are a lot of posts on here about Psiphon being blocked.  Search for them to see what else has been done to limit that application.

    You should also increase the maximum amount of packets that get scanned before IPS makes a decision on what type of traffic it is.  You can do this by going to the "Console" and running command: set ips maxpkts 100

    Ensure that the following settings have been set on the web proxy:

    Block PUAs

    Enable pharming protection

    Block invalid certificates

    Block unrecognized protocols

    The above settings are in addition to limiting outbound ports/services and locking down any other rules with "any service" to a specific IP.

    Let us know how it goes.

    Thanks!

  • In reply to KingChris:

    Thank you for your in-depth information. But I didn't get what I'll have to do with my "any service" settings. I am not familiar enough with the general concept. What do I have to do specifically? (Is there a how-to?)

  • In reply to Sacha Roland:

    Hi,

    you replace "ANY Service" with specific services, e.g. https, http in the proxy rules, and SMTP/s, IMAP/s and POP/s in the mail rules with specific destinations.

    Where you can, change ANY destination to specific destinations, which I know is not practical for general internet access.

    Ian

  • In reply to rfcat_vk:

    Thank you. I got the concept now and narrowed down outbound connections to specific protocols and IPs. Now Tor Browser is blocked.

  • In reply to KingChris:

    It could be as easy as in any other firewall, where you can feed the firewall with a custom IP block list.

    Then you take one of the multiple lists available and that's all, TOR is completely blocked.

    https://www.dan.me.uk/tornodes

    https://check.torproject.org/torbulkexitlist

    The problem is that Sophos XG lacks features that are commonly available in other firewalls.

    It still can't even match what UTM is able to do. What a bad choice to pick Cyberoam over Astaro; 9 years later, Astaro UTM is still better.

  • In reply to l0rdraiden:

    I was celebrating too soon: in order to get Skype personal working with high quality, I had to open some ranges of UDP and TCP ports (Ports for Skype) because after one week of configuration attempts (How to free skype with SFOS) I couldn't get Skype calls working in combination with SSL decryption. For me, it seems that the XG is pretty useless if you have to block Tor Browser traffic in a reliable way while keeping Skype et al. functional: there's no way to skip SSL decryption based on application, nor is there a way to update Tor exit nodes from an external database/list on a regular basis as l0rdraiden suggested. I am frustrated having invested so much time in a hopeless endeavour. Am I missing something?

  • In reply to Sacha Roland:

    You could simply import the list of the TOR Exit IPs as a Host IP List and block them in the Firewall. That would be a static process.

    There could be an automated process in pulling those IPs and converting them into XG via XML API. Or you simply copy-paste them into Notepad, replace all /r /d with , and put them into the Webadmin.

  • In reply to Sacha Roland:

    Hi Sacha Roland,

    please advise which ports you used to provide Skype access. I would like to try and replicate your issue hopefully with a fix.

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    I found out that Skype isn't even capable of establishing calls with the following ports, services and exceptions enabled:

    And I made these exceptions (disabling https decryption etc.):

    skypeexceptions.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <Request>
      <Login>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </Login>
      <Set Operation="add">
        <WebFilterCategory transactionid="">
          <Name>Skype Exceptions</Name>
          <Classification>Productive</Classification>
          <ConfigureCategory>Local</ConfigureCategory>
          <QoSPolicy>None</QoSPolicy>
          <Description>Skype whitelist</Description>
          <OverrideDefaultDeniedMessage>Disable</OverrideDefaultDeniedMessage>
          <DomainList>
            <Domain>conn.skype.com</Domain>
            <Domain>api.skype.com</Domain>
            <Domain>pipe.skype.com</Domain>
            <Domain>messenger.live.com</Domain>
            <Domain>download.skype.com</Domain>
            <Domain>metrics.skype.com</Domain>
            <Domain>www.skypeassets.com</Domain>
            <Domain>static.skypeassets.com</Domain>
            <Domain>registrar-rr.prod.registrar.skype.com</Domain>
            <Domain>config.edge.skype.com</Domain>
            <Domain>prod.registrar.skype.com</Domain>
            <Domain>location.live.net</Domain>
            <Domain>vo.msecnd.net</Domain>
            <Domain>www.auslogics.com</Domain>
            <Domain>wns.windows.com</Domain>
            <Domain>ocsp.msocsp.com</Domain>
            <Domain>vassg142.ocsp.omniroot.com</Domain>
            <Domain>amsg.skype.com</Domain>
            <Domain>adc.trouter.io</Domain>
            <Domain>gfx.login.live.com</Domain>
            <Domain>msagfx.live.com</Domain>
            <Domain>clientconfig.passport.net</Domain>
            <Domain>msagfx.live-int.com</Domain>
            <Domain>auth.gfx-int.ms</Domain>
            <Domain>gfx.login.live-int.com</Domain>
            <Domain>clientconfig.passport-int.net</Domain>
            <Domain>auth.gfx.ms</Domain>
            <Domain>login.live.com</Domain>
            <Domain>ec2-52-6-101-221.compute-1.amazonaws.com</Domain>
            <Domain>microsoftonline.com</Domain>
            <Domain>microsoftonline-p.com</Domain>
            <Domain>onmicrosoft.com</Domain>
            <Domain>sharepoint.com</Domain>
            <Domain>outlook.com</Domain>
            <Domain>lync.com</Domain>
            <Domain>verisign.com</Domain>
            <Domain>verisign.net</Domain>
            <Domain>public-trust.com</Domain>
            <Domain>sa.symcb.com</Domain>
            <Domain>live.com</Domain>
            <Domain>skype.net</Domain>
            <Domain>skype.com</Domain>
            <Domain>dc.trouter.io</Domain>
            <Domain>config.skype.com</Domain>
            <Domain>consumer.entitlement.skype.com</Domain>
            <Domain>skypeassets.com</Domain>
            <Domain>nexus.officeapps.live.com</Domain>
            <Domain>my.sharepoint.com</Domain>
            <Domain>skydrive.wns.windows.com</Domain>
          </DomainList>
        </WebFilterCategory>
      </Set>
    </Request>

    Also, I additionally made a firewall rule with the above URLs as allowed destination networks and disabled decrypt https & scan.

    But no success: Skype can't establish calls, and Tor Browser (version 9.0.9/macos) is still capable of connecting to the internet. The only way to disable Tor Browser right now is to disallow UDP completely. And for the sake of clarity: I made these settings at the very beginning: Application filter recommended settings for better application detection.

    I am curious.

  • In reply to rfcat_vk:

    Concerning the import of Tor Exit Nodes: unfortunately, it is not possible to import all exit nodes via API into a Host IP List, because the number of entries is limited:

    <Status code="522">Maximum limit reached for entity.</Status>

  • In reply to Sacha Roland:

    Don't waste your time; it has to be loaded manually and it has a limit of 1000 or so, which makes it basically useless for any CTI purpose.

    Even Snort could handle this and block a given IP list, but it is simply not implemented in Sophos from the interface, so you cannot load a custom list into Snort.

  • In reply to Sacha Roland:

    You have a cap of 1000 IPs per list. Therefore you would have to split this list into two lists and use them in one firewall rule.

    The update can be used on the object, without touching the firewall object. 

    You can actually use this process:

    Load the current List from the website.

    Split the List into two objects, or make three, to be sure. 

    Split the List in your Cache by 2 or 3 and update each Object in XG with their own List.

    Repeat this every day with a script and cron, and that's it.
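The procedure above (fetch the exit list, split it so no Host IP List exceeds the 1000-entry cap that produced the `Maximum limit reached for entity` error earlier in the thread, then push each chunk as its own object over the XML API) as an added example; this is not code from the thread or from Sophos. It follows the same Request/Login/Set envelope as the skypeexceptions.xml posted above, but the `IPHost` element names (`IPFamily`, `HostType` = `IPList`, `ListOfIPAddresses`) are assumed from the XG XML API and should be verified against your firmware's API reference. The sample list is constructed from documentation ranges (TEST-NET-2/3) and includes blank, comment, duplicate and malformed lines to show they are dropped; the real list URLs named in the thread are used only in the optional `__main__` path.

```python
"""Split a Tor exit-node list into XG-sized Host IP Lists and build the
XML API request that updates them (added example; element names assumed)."""
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample standing in for https://check.torproject.org/torbulkexitlist
# (one address per line). Contains a duplicate, a comment, a blank line, junk
# and an IPv6 address so the parser's filtering is visible.
SAMPLE_EXIT_LIST = "\n".join(
    [f"203.0.113.{i}" for i in range(1, 255)]      # TEST-NET-3, constructed
    + [f"198.51.100.{i}" for i in range(1, 255)]   # TEST-NET-2, constructed
    + ["203.0.113.7", "# comment line", "", "not-an-ip", "2001:db8::1"]
)

MAX_PER_LIST = 1000  # cap per Host IP List reported in the thread


def parse_exit_list(text: str) -> List[str]:
    """Return the unique, valid IPv4 addresses in first-seen order.
    Blank lines, comments and unparsable entries are skipped; IPv6 is skipped
    because this example builds IPv4 lists only."""
    seen, result = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue                     # junk line, never reaches the firewall
        if ip.version != 4 or str(ip) in seen:
            continue
        seen.add(str(ip))
        result.append(str(ip))
    return result


def split_into_lists(ips: List[str], max_per_list: int = MAX_PER_LIST) -> List[List[str]]:
    """Chunk the addresses so no single Host IP List exceeds the cap."""
    if max_per_list < 1:
        raise ValueError("max_per_list must be positive")
    return [ips[i:i + max_per_list] for i in range(0, len(ips), max_per_list)]


def build_iphost_request(username: str, password: str, base_name: str,
                         chunks: List[List[str]], operation: str = "update") -> str:
    """Build one XML API request that sets every chunk as its own IPHost list
    object named <base_name>-1, <base_name>-2, ...  Use operation="add" the
    first time and "update" on the daily run. Building with ElementTree keeps
    credentials and names correctly escaped."""
    if operation not in ("add", "update"):
        raise ValueError("operation must be 'add' or 'update'")
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "UserName").text = username
    ET.SubElement(login, "Password").text = password
    set_el = ET.SubElement(req, "Set", Operation=operation)
    for idx, chunk in enumerate(chunks, start=1):
        # IPHost element layout assumed from the XG XML API (verify per firmware)
        host = ET.SubElement(set_el, "IPHost", transactionid="")
        ET.SubElement(host, "Name").text = f"{base_name}-{idx}"
        ET.SubElement(host, "IPFamily").text = "IPv4"
        ET.SubElement(host, "HostType").text = "IPList"
        ET.SubElement(host, "ListOfIPAddresses").text = ",".join(chunk)
    return ET.tostring(req, encoding="unicode")


def fetch_exit_list(url: str, timeout: int = 30) -> str:
    """Download the current list; only used from the __main__ path."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Daily cron run: fetch, split, print the request body to send to
    # https://<firewall>:4444/webconsole/APIController?reqxml=... (assumed endpoint).
    text = fetch_exit_list("https://check.torproject.org/torbulkexitlist")
    chunks = split_into_lists(parse_exit_list(text))
    print(f"{sum(map(len, chunks))} addresses in {len(chunks)} list objects")
    print(build_iphost_request("apiuser", "PLACEHOLDER_PASSWORD", "tor-exit", chunks))
```

Size the firewall rule to reference every `tor-exit-N` object (three objects leaves headroom, as the post suggests); if a run ever produces more chunks than the rule references, the extra addresses would silently go unblocked, so check `len(chunks)` against the number of objects in the rule.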