Tor is a popular anonymity network that allows users to circumvent network security\surveillance. It uses a layered approach to SSL encryption, which cannot be decrypted by the ProxySG, however the traffic can be blocked if passed through the ProxySG.
Blocking Tor requires a multi-layered approach to security. The ProxySG alone cannot prevent Tor traffic if other paths to the Tor network exist. However if the ProxySG is effectively placed inline on the network, it can transparently block intercepted Tor traffic based on the untrusted certificates used by the Tor nodes. Combined with local endpoint security and network firewalls, Tor can be prevented from accessing its network.
There are two effective ways to block Tor on the ProxySG. Each has its own advantages and disadvantages, depending on the network topology you have deployed. Here is an overview of the Tor network and recommended methods to manage it on your network.
Note: an SSL license is required to effectively block Tor.
Tor runs as an executable on a variety of platforms, including Microsoft Windows, MacOS, and Android. The application works by running a local SOCKS service that applications can connect to. The SOCKS traffic is then sent encrypted through the Tor network. Microsoft Windows defaults to listening on port 9050, however other platforms are able to select dynamic ports at random to listen on.
On initial install, Tor connects to eight hard-coded directory servers to obtain a list of known Tor nodes. This connection occurs over ports 9001, 5001, 8080, 80, and 443. Blocking the eight addresses is not effective since Tor also maintains bridge nodes - nodes which do not exist in the public directory and can be used to download other node locations. Users can configure Tor to use these bridge nodes which can be obtained from Tor (https://bridges.torproject.org), or even via email. Blocking these root directory servers gives the appearance of blocking Tor —but advanced users will still be able to access the network through advanced Tor configuration.
Should the firewall block all attempts to connect to the Tor network, Tor will default to ports 80 and 443. However, it will still communicate using encryption with untrusted certificates, so protocol-aware devices (such as the ProxySG) can interrupt this.
This is the most restrictive method. It involves blocking all ports outbound on the firewall, allowing only common services such as HTTP\HTTPS. If your firewall does not perform packet inspection, Tor can simply tunnel requests through these ports, so only allowing the ProxySG access to the Internet will prevent this. Tor will no longer have direct access to the network.
It is possible to configure Tor with proxy settings in such cases, which attempts to bypass strict firewalls. To address this, the ProxySG will need to be configured as follows:
This method is similar to the first. The ProxySG simply acts as a firewall. In order to block Tor effectively, you'll need to intercept the Default service, as Tor uses a wide range of ports when attempting to connect.
In this state, Tor will be unable to connect due to the ProxySG terminating connections that present untrusted certificates.
The meek-plugins is made up of meek-amazon, meek-azure and meek-google. When 'Detect Protocol' is enabled on Proxy SG but without a SSL intercept layer applied, the Tor browser will be able to establish a VPN connection to one of the many Tor Anonymous Proxy which would allow for unrestricted internet access because the Proxy SG would not be able to inspect the traffic
The meek-plugin can establish a VPN connection by using a valid CA certs from amazon "*.awsstatic.com", azure "*.vo.msecnd.net via ajax.aspnetcdn.com" and google "www.google.com". ProxySG won't drop the SSL traffic as it has a valid CA certs(amazon, azure or google). In order to prevent the Tor browser from establishing a VPN connection to Tor anonymous Proxy, SSL intercept layer is a must as this will allow ProxySG to intercept the SSL traffic with ProxySG SSL keyring CA certificates. The Tor browser doesn't trust the cert and hence the VPN will break.
Details on meek-plugins - http://www.icir.org/vern/papers/meek-PETS-2015.pdf
If you wish to monitor connection attempts to Tor, create a new service as follows:
Since Tor almost always attempts to connect using port 9001 first, you can then use policy to monitor connections to this service for logging purposes. Blue Coat Web Filter can also be used to block the Proxy Avoidance category. This will prevent connections to some Tor nodes, and also the Tor download from the official website.