
8e6 Proxy Protection

Overview

The 8e6 R3000 web filter uses multiple mechanisms to identify and block web-based proxies.

The current list of proxy engines identified and blocked by the R3000 is published at R3000 Proxy Detection. Keep in mind that this list changes on a regular basis.



Required R3000 Configuration

The following configuration must be in place to obtain the maximum protection available from 8e6 today.
  1. The latest R3000 software release should be installed. 8e6 often bundles new proxy pattern definitions into software releases.

  2. Block the Web-based Proxies/Anonymizer category in the Rule used for the PROFILE. Alternatively, you can add this category to the Minimum Filtering Level (R3000 GUI://Group tab/Global Group/Minimum Filtering Level). Note: the Web-based Proxies/Anonymizer category is located in the "Security" category group (most customers block the entire "Security" category group).

  3. "HTTPS Filtering" option set to MEDIUM. This is the factory default and the recommended setting. See screenshot #1 below.

  4. Firewall rules to allow the R3000 outbound https/443 to ALL. This is required for HTTPS Filtering to work correctly at the Medium and High settings.

  5. "Forward lookup to validate qualified DNS" option enabled. This option validates that the CN value of the SSL certificate presented by an SSL-enabled web server is present in public DNS. Keep in mind that this feature will terminate SSL sessions (TCP_RST) where the destination web server's certificate CN value is not published in public DNS.

  6. "Pattern Blocking" option enabled. This feature enables the R3000 "detection engine" to identify and optionally block IM, P2P, and web-based proxy traffic. This does NOT mean that IM and P2P traffic are immediately blocked; the option must be enabled so that filter policy can selectively allow end-users the use of various IM and P2P communication (see the "Bandwidth" and "Internet Communication" category groups). This also enables "proxy pattern blocking", which looks for HTTP traffic matching URL patterns. "Proxy pattern blocking" is used in conjunction with the specific URLs listed in the "Web-based Proxies/Anonymizers" category.

  7. "Range to Detect" must have the correct value. The key point: the 8e6 R3000 "Pattern Blocking" engine requires that the R3000 only "see" outbound traffic, and the "Range to Detect" preference is used to enforce this. The monitored subnet must be in (a) source include and (b) destination exclude. Please see 8e6 Setup Highlights.

  8. UltraSurf block recommendations from 8e6 Labs. See article # 283444 on the 8e6 Knowledge Base (or just search for "Ultrasurf"). The knowledge base article provides background details on the UltraSurf proxy engine (actively developed by Chinese dissidents to circumvent the Global Shield content firewall managed by the Chinese Government) and lists recommendations in the PDF "tech note" attached to the article.

Summary of the 8e6 Labs recommendations to permanently block UltraSurf (in addition to the 8e6 R3000 filter configuration detailed above). Please read the tech note on the 8e6 KB for expanded details.

  • Outbound firewall rules should allow ONLY internal DNS servers to talk DNS (udp/tcp/53) to the Internet. No workstation on the network should ever need to talk to a public DNS server. Check HERE for public DNS servers to use in testing.

  • Block access to 'docs.google.com'. UltraSurf posts server information in a public Google doc and communicates with this doc via SSL/https. Note: this comes down to a business-level discussion about the organization's priorities (i.e. the motivating factor should not be a few ad-hoc users who want to use it for convenience). Google Apps is a great platform, but it requires full organizational buy-in and support.

  • Delete UltraSurf files cached on the local workstation. Once UltraSurf has successfully launched on a workstation, various information is cached locally. Open "%TEMP%" in the location bar of Windows Explorer. With the UltraSurf application NOT running, delete everything in the %TEMP% location. The value is set via "System Properties / Advanced tab / Environment Variables" of My Computer (WinXP). The typical path is "c:/Documents and Settings/<username>/Local Settings/Temp". Typically this is accomplished via Domain Administration, GPO, and scripts.
    See screenshot #2 below for a folder example.
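Step 5 above describes a check that can be reproduced outside the appliance. The following is an added example, not 8e6 code: it pulls the CN and DNS SANs from a server certificate and forward-resolves them, reporting the same ALLOW/RESET decision the "Forward lookup to validate qualified DNS" option makes, which helps predict which legitimate sites the option will reset. The `Resolver` injection point is an assumption of this example so the decision logic can be exercised offline against a constructed DNS table.

```python
import socket
import ssl
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]  # name -> addresses; empty set means "not in DNS"


def cert_names(cert: dict) -> List[str]:
    """Subject CN plus DNS SANs from an ssl.getpeercert()-style dict, deduplicated."""
    names: List[str] = []
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(names))


def system_resolver(name: str) -> Set[str]:
    """Forward-resolve with the system resolver; empty set on NXDOMAIN/failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 443)}
    except socket.gaierror:
        return set()


def validate_qualified_dns(cert: dict, peer_ip: str, resolve: Resolver = system_resolver) -> dict:
    """Emulate the filter's decision for one TLS session: ALLOW if at least one
    certificate name forward-resolves in DNS, otherwise RESET (the appliance sends a
    TCP_RST). Wildcard names cannot be looked up and are skipped. 'resolves_to_peer'
    is extra diagnostics: names whose records include the address actually connected to."""
    names = cert_names(cert)
    resolved: Dict[str, Set[str]] = {n: resolve(n) for n in names if "*" not in n}
    in_dns = [n for n, ips in resolved.items() if ips]
    return {
        "names": names,
        "in_public_dns": in_dns,
        "resolves_to_peer": [n for n, ips in resolved.items() if peer_ip in ips],
        "verdict": "ALLOW" if in_dns else "RESET",
    }


def check_site(host: str, port: int = 443) -> dict:
    """Live check: fetch the server certificate and validate it against the peer IP.
    Hostname matching is off on purpose (the filter only asks whether the certificate
    names exist in DNS); chain verification stays on, since getpeercert() returns {} otherwise."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validate_qualified_dns(tls.getpeercert(), tls.getpeername()[0])
```

Run `check_site("some.internal.host")` against servers you operate before enabling the option; any result with verdict RESET is a site whose sessions the appliance will tear down.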




Screenshot #1: R3000 Filter Properties
