-1

I'm trying to block this, since I've already blocked ports 80 and 8080 in my firewall; still, the users are able to access the web.

Tom Newton
shamas

3 Answers

1

Wire cutters. :)

Really. Your users are clearly savvy enough to figure out ways to get around whatever measures you put in place. This will end in an arms race that will either completely compromise any security you put in place, or end in a bloody mutiny. If the "no web access" rule is a hard and fast policy, you might consider having people fired - or other disciplinary action - for trying to access the web.

On the other hand, I assume that since you don't want your users browsing the web at all, your internet access is therefore purely for contacting a specific site for a specific reason, right? Try blocking everything but access to certain IP addresses, like your mail server and VPN to head office or whatever. Then people will have to make a case for getting access to certain resources.

Mind you, that just means that people will have to get outside help to get internet access - i.e., a wireless USB stick from their cell phone provider that will probably introduce internet access into your office in ways you REALLY don't want. See paragraph two, including but not limited to the bloody mutiny.

Ernie
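The "block everything but certain IP addresses" approach from the answer above, as an added example that is not part of any answer on this page. It assumes a plain Linux gateway filtering with iptables; the interface names, the documentation-range addresses and the ports are constructed placeholders.

```shell
#!/bin/sh
# Added example: print a default-deny egress ruleset for review.
# Nothing is applied here; the output is a list of iptables commands.

LAN_IF="eth1"   # assumed LAN-facing interface
WAN_IF="eth0"   # assumed internet-facing interface

# Constructed allowlist: destination, protocol, port, then a free-text purpose.
ALLOWLIST='
203.0.113.10 tcp 25     # mail server (SMTP)
203.0.113.10 tcp 993    # mail server (IMAPS)
198.51.100.5 udp 1194   # VPN to head office
'

emit_egress_rules() {
    # Default policy first, so anything not matched below is dropped.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were allowed out may come back in.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$ALLOWLIST" | while read -r dst proto port rest; do
        # Skip blank lines and comment-only lines.
        case "$dst" in ''|'#'*) continue ;; esac
        # Refuse malformed entries instead of emitting a broken rule.
        case "$proto" in tcp|udp) ;; *) echo "skipping bad entry: $dst" >&2; continue ;; esac
        case "$port" in ''|*[!0-9]*) echo "skipping bad entry: $dst" >&2; continue ;; esac
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -d $dst -p $proto --dport $port -j ACCEPT"
    done
    # Log denied attempts (rate-limited) so repeated bypass attempts are visible.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m limit --limit 6/min -j LOG --log-prefix 'EGRESS-DENY: '"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP"
}

emit_egress_rules
```

With the default policy set to DROP, ports 80, 8080 and 443 need no rules of their own: any destination not on the list is dropped and logged.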
1

I agree with Ernie.

I already held a briefing in my office and showed them what will happen if they bypass/abuse the network connection. They should know who's the boss when connecting to the network: it is us (IT/Network admin).

So far:

1. I installed anti-ultrasurf on all client PCs and set their user accounts as normal users.
2. Enforced that non-company PCs/laptops cannot join the company network.

Tried Untangle, but it is not free (application control).

0

Generally, you're going to have to use proxies to defeat ultrasurf. I'd start by blocking port 443 though, that might help.

It would be useful to know your situation - when we know what you want to allow, it's easier to work out blocking schemes. If these users don't need anything on an external network, for example, you might just remove their default gateway!

Also worth knowing if your firewall is Smoothwall Express (the free one) or the commercial UTM software - if the latter, Smoothwall support will undoubtedly lend a hand (bias warning: I work for Smoothwall UK).

Tom Newton