Tor is a popular anonymity network that allows users to circumvent network security\surveillance. It uses a layered approach to SSL encryption, which cannot be decrypted by the ProxySG, however the traffic can be blocked if passed through the ProxySG.

Blocking Tor requires a multi-layered approach to security. The ProxySG alone cannot prevent Tor traffic if other paths to the Tor network exist. However if the ProxySG is effectively placed inline on the network, it can transparently block intercepted Tor traffic based on the untrusted certificates used by the Tor nodes. Combined with local endpoint security and network firewalls, Tor can be prevented from accessing its network.

There are two effective ways to block Tor on the ProxySG. Each has its own advantages and disadvantages, depending on the network topology you have deployed. Here is an overview of the Tor network and recommended methods to manage it on your network.

Note: an SSL license is required to effectively block Tor.

Tor Application Overview

Tor runs as an executable on a variety of platforms, including Microsoft Windows, MacOS, and Android. The application works by running a local SOCKS service that applications can connect to. The SOCKS traffic is then sent encrypted through the Tor network. Microsoft Windows defaults to listening on port 9050, however other platforms are able to select dynamic ports at random to listen on.

On initial install, Tor connects to eight hard-coded directory servers to obtain a list of known Tor nodes. This connection occurs over ports 9001, 5001, 8080, 80, and 443. Blocking the eight addresses is not effective since Tor also maintains bridge nodes - nodes which do not exist in the public directory and can be used to download other node locations. Users can configure Tor to use these bridge nodes which can be obtained from Tor (https://bridges.torproject.org), or even via email. Blocking these root directory servers gives the appearance of blocking Tor —but advanced users will still be able to access the network through advanced Tor configuration.

Should the firewall block all attempts to connect to the Tor network, Tor will default to ports 80 and 443. However, it will still communicate using encryption with untrusted certificates, so protocol-aware devices (such as the ProxySG) can interrupt this.

Method One: Force Explicit Proxy

This is the most restrictive method. It involves blocking all ports outbound on the firewall, allowing only common services such as HTTP\HTTPS. If your firewall does not perform packet inspection, Tor can simply tunnel requests through these ports, so only allowing the ProxySG access to the Internet will prevent this. Tor will no longer have direct access to the network.

It is possible to configure Tor with proxy settings in such cases, which attempts to bypass strict firewalls. To address this, the ProxySG will need to be configured as follows:

1. Ensure you have Detect Protocol enabled. This is required to ensure that the ProxySG can detect the top SSL layer between the client and the Tor nodes.
2. Ensure you do not allow untrusted certificate issuers. Tor nodes do not use signed certificates, and by default, the ProxySG will block SSL requests presenting untrusted certificates. Tor will not be able to connect to any node in this state.

Notes:

• The certificate categories of Tor nodes will vary. The most popular are Proxy Avoidance, Computers/Internet and None.
• The hostnames contained in the Tor node certificates will be random, usually a combination of letters and numbers.
• Legitimate sites may also be distrupted, for example. sites which have self-signed certificates. These can be allowed using policy.

Method Two: Transparently Inline Proxy

This method is similar to the first. The ProxySG simply acts as a firewall. In order to block Tor effectively, you'll need to intercept the Default service, as Tor uses a wide range of ports when attempting to connect.

1. Set the Default Action to Intercept. Enable Detect Protocol for this service.
2. Tor may attempt to use ports already defined on the ProxySG as a Bypass service, for example, Other SSL or POP3. You either need to delete these services, therefore allowing the Default service to match. Or intercept them with Detect Protocol enabled.
3. If you find Tor still able to connect, check the Bypassed Connections tab within Statistics > Sessions > Active Sessions to see if the connection matched a predefined service.

In this state, Tor will be unable to connect due to the ProxySG terminating connections that present untrusted certificates.

Tor meek-plugins:

The meek-plugins is made up of meek-amazon, meek-azure and meek-google. When 'Detect Protocol' is enabled on Proxy SG but without a SSL intercept layer applied, the Tor browser will be able to establish a VPN connection to one of the many Tor Anonymous Proxy which would allow for unrestricted internet access because the Proxy SG would not be able to inspect the traffic

The meek-plugin can establish a VPN connection by using a valid CA certs from amazon "*.awsstatic.com", azure "*.vo.msecnd.net via ajax.aspnetcdn.com" and google "www.google.com". ProxySG won't drop the SSL traffic as it has a valid CA certs(amazon, azure or google). In order to prevent the Tor browser from establishing a VPN connection to Tor anonymous Proxy, SSL intercept layer is a must as this will allow ProxySG to intercept the SSL traffic with ProxySG SSL keyring CA certificates. The Tor browser doesn't trust the cert and hence the VPN will break.

Details on meek-plugins - http://www.icir.org/vern/papers/meek-PETS-2015.pdf
​

Further Information

If you wish to monitor connection attempts to Tor, create a new service as follows:

Since Tor almost always attempts to connect using port 9001 first, you can then use policy to monitor connections to this service for logging purposes. Blue Coat Web Filter can also be used to block the Proxy Avoidance category. This will prevent connections to some Tor nodes, and also the Tor download from the official website.