UTM: Blocking UltraSurf (up to U997) using DPI SSL and IPS Signatures (SW8182)

  • Title

    UTM: Blocking UltraSurf (up to U997) using DPI SSL and IPS Signatures
  • Resolution

    Article Applies To:

    Affected SonicWALL Security Appliance Platforms:

    Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500.
    Firmware: SonicOS Enhanced or higher
    Software Version: Up to UltraSurf 9.97
    Services: DPI-SSL and IPS.



    The UltraSurf protocol negotiates an SSL key exchange with no server certificate present, which is legal SSL. This gives the SonicWALL Intrusion Prevention Service (IPS) nothing to distinguish it from other legitimate SSL exchanges. The method outlined below is one of the methods to block UltraSurf.

    Intrusion Prevention Service (IPS):

    When a client and a server start the SSL/TLS handshake, the server usually sends its certificate to the client so that the client can verify the server's public key. This signature detects the case where the server omits its certificate. This type of traffic is used by some anti-censorship software, for example UltraSurf. Although SonicWALL IPS has signature IDs to detect UltraSurf, these signatures on their own aren't sufficient to block it. The following sections outline the method to block UltraSurf using DPI-SSL together with the IPS signature IDs.

    IPS Signatures:

    1. Signature Category: PROXY-ACCESS
        Signature Name: Non-SSL traffic over SSL port -- Traffic Anomaly Detection
        Signature ID: 6
        Priority: Low

    2. Signature Category: PROXY-ACCESS
        Signature Name: Potential Ultrasurf/Freegate -- Traffic 5
        Signature ID: 2532
        Priority: Low

    3. Signature Category: POLICY
        Signature Name: Potential Ultrasurf Traffic
        Signature ID: 150
        Priority: Low
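    The two traffic conditions the signatures above describe, "non-SSL traffic over the SSL port" and an SSL handshake in which the server never sends a Certificate message, can be checked directly on the server-to-client byte stream. The following is an added illustration, not SonicWALL code: it parses the TLS record and handshake headers (handshake content type 0x16; ServerHello, Certificate, ServerKeyExchange and ServerHelloDone message types 2, 11, 12 and 14) and runs the check over three constructed sample flights.

```python
import struct

HANDSHAKE = 0x16                       # TLS record content type for handshake
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14


def tls_record(content_type, body, version=b"\x03\x01"):
    """Wrap a payload in a TLS record header: type (1), version (2), length (2)."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def handshake_msg(msg_type, body):
    """Handshake message header: type (1 byte) + length (3 bytes) + body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def server_handshake_types(stream):
    """Return the handshake message types seen in a server->client stream,
    or None if the stream does not even start with a TLS handshake record."""
    if len(stream) < 5 or stream[0] != HANDSHAKE or stream[1] != 0x03:
        return None
    payload, pos = bytearray(), 0
    while pos + 5 <= len(stream):            # walk the records
        ctype = stream[pos]
        length = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        if ctype != HANDSHAKE:               # ChangeCipherSpec/app data: flight is over
            break
        payload += stream[pos + 5:pos + 5 + length]   # reassemble fragmented handshake
        pos += 5 + length
    types, p = [], 0
    while p + 4 <= len(payload):             # walk the handshake messages
        types.append(payload[p])
        p += 4 + int.from_bytes(payload[p + 1:p + 4], "big")
    return types


def classify(stream):
    """Map a server flight to the condition the IPS signatures above describe."""
    types = server_handshake_types(stream)
    if types is None:
        return "non-ssl-on-ssl-port"
    if SERVER_HELLO in types and SERVER_HELLO_DONE in types and CERTIFICATE not in types:
        return "ssl-without-server-certificate"
    return "normal"


# Constructed samples (not real captures): a minimal ServerHello body, then
# a normal flight, a certificate-less flight, and plaintext HTTP on port 443.
SERVER_HELLO_BODY = b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
NORMAL_FLIGHT = tls_record(HANDSHAKE, handshake_msg(SERVER_HELLO, SERVER_HELLO_BODY)
                           + handshake_msg(CERTIFICATE, b"\x00\x00\x00")
                           + handshake_msg(SERVER_HELLO_DONE, b""))
CERTLESS_FLIGHT = tls_record(HANDSHAKE, handshake_msg(SERVER_HELLO, SERVER_HELLO_BODY)
                             + handshake_msg(SERVER_KEY_EXCHANGE, b"\x00" * 8)
                             + handshake_msg(SERVER_HELLO_DONE, b""))
PLAINTEXT_ON_443 = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

    Only the server's first flight is inspected; once the record type changes to ChangeCipherSpec the check stops, which is why the appliance must see the handshake itself (hence the DPI-SSL dependency described in the steps below).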




    Step 1: Enabling the DPI-SSL service for the Intrusion Prevention engine.

    1. Log in to the SonicWALL Management Interface
    2. Click on DPI-SSL > Client SSL

    Client DPI-SSL: Used to inspect HTTPS traffic when clients on the SonicWALL security appliance's LAN access content located on the WAN.

    3. Under the General Settings section, check the options "Enable SSL Client Inspection" and
    "Intrusion Prevention".
    Click Apply to accept the settings.

    Max Concurrent DPI-SSL inspected connections:

    Hardware Model    Max Concurrent DPI-SSL inspected connections
    NSA 3500          250
    NSA 4500          350
    NSA 5000          1000
    NSA E5500         2000
    NSA E6500         4000
    NSA E7500         8000

    Alert: The internal diag.html page setting 'Allow SSL without proxy when connection limit exceeded', which is enabled by default, will allow UltraSurf through undetected once the Client DPI-SSL connection limit for the model (see the table above) is reached.

    Importing DPI-SSL certificate into browsers:

    In the Client DPI-SSL scenario, the SonicWALL UTM appliance typically does not own the certificates and private keys for the content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the SonicWALL certificate authority (CA) certificate, or a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.

    By default, DPI-SSL uses the Default SonicWALL DPI-SSL CA Certificate to re-sign traffic that has been inspected.

    For the re-signing certificate authority to re-sign certificates successfully, browsers must trust that certificate authority. This trust is established by importing the re-signing certificate into the browser's trusted CA list.

    Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.

    Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.

    Mac: Double-click the certificate file, select the Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

    Step 2: Enabling IPS signatures

    1: Log in to the SonicWALL Management Interface. Ensure IPS is enabled on the appropriate interface under the Network > Zones page.
    2: Go to the Security Services > Intrusion Prevention page and ensure that "Enable IPS" is selected under the IPS Global Settings section.

    3: Select PROXY-ACCESS from the Category menu and edit the Non-SSL traffic over SSL port signature (Signature ID 6), or enter 6 in the Lookup Signature ID field.
    4: In the drop-down menus for the Prevention and Detection settings, select Enable.

    Note: Repeat the above steps to configure Signature ID 150 and Signature ID 2532.

    5: Click OK to update the settings.


    UltraSurf will no longer succeed in contacting its server, and the following log message is displayed under the Log > View page.


  • Key Words


SonicWALL NSA Series
4500, 3500
SonicWALL E-Class NSA Series
E7500, E6500, E5500

Technical Solutions

Article History:
Created on: 6/21/2010
Last Update on: 5/13/2014
