The Ultrasurf software isn’t inherently a good thing, or a bad thing. Like many other tools, it all depends on how you use it.
According to Ultrasurf’s own website, it was originally created to help Internet users “find security and freedom online”. This is their way of saying that, by using this tool, you could go on the Internet, search for and read about things that someone didn’t want you to see, and not get caught doing it. Its intended purpose is to allow people to get past censorship in a context where people believe that the users are being denied a basic right. Some people agree, some people don’t. Some people voice the opinion that any kind of censorship or restriction of information to anybody is a bad idea and it infringes upon their basic human rights. These are generally noble and idealistic people that believe humanity is, at its heart, virtuous; that nobody has ulterior motives, and that there is nothing on the Internet that shouldn’t be available to everybody all of the time.
Wouldn’t it be nice if it were true?
The same tool used to circumvent the censorship of an oppressive environment can also be used to bypass the legitimate restrictions of a business environment. The specifics of what kind of content is blocked can vary as much as the justification for blocking it. It can be a school blocking adult content or a business blocking social media, but whether you agree with it or not, it boils down to a simple rule: the owners of the network get to decide what is allowed on the network.
Once you get into the business or organization environments, depending on who you ask, things are a little less black and white and the reasons for limited censorship and what is being censored is more varied, but it is something that SysAdmins are likely to come across and have to deal with. The reality is that if the policy of the organization that a system administrator works for states that certain sites or types of sites are not to be accessed, then it is up to the SysAdmin to do their best to make sure that it does not occur.
Products like Ultrasurf are designed to make that difficult. The people at Ultrasurf are good at what they do. They are constantly improving their product. However, the people at Fortinet are good at what they do as well.
Regardless of whatever well intended purpose Ultrasurf was created for, it is sometimes our job to neutralize it. Let’s look at how we can go about it.
One way in which FortiGates can prevent the use of Ultrasurf is by preventing its download in the first place. If an Antivirus profile is applied to a policy, it should prevent the downloading of the Ultrasurf executable file. The result should be an Alert page letting the person know that the Ultrasurf file is considered a virus.
This doesn’t stop people from downloading the software somewhere else and bringing it in on a USB drive but it does serve two purposes:
- It makes it more inconvenient to get the software on the computer.
- It lets the user know that this software shouldn’t be coming into this network.
If you happen to be in an environment that doesn’t allow USB drives and/or has a whitelist for all of the software allowed on your computers, you may be able to rest easy at this point, but most places aren’t quite as strict as that. In most cases, a determined person may get the software on their computer. We will continue with some more steps on the assumption that it is somewhere on your network.
Preventing Ultrasurf from being usable
These are the basic steps needed to block Ultrasurf from the Internet. One thing that should be mentioned up front is that the main ingredient to get it all to work is the Application Control feature. If your package does not include this, talk to Fortinet’s Customer Service department or your re-seller to see if you can get it.
We may come up with some cookbook recipes that are specific to firmware versions, but the following information should be enough to get someone reasonably comfortable with the firmware through the process.
Step #1 – Current Firmware
There are usually two versions of the firmware that are currently in development. You will need at least FortiOS 5.0 to block Ultrasurf. That is when the Full SSL Inspection mode was added that can properly scan for Ultrasurf traffic using SSL.
As improvements are made to the firmware, the capabilities of the IPS engine can improve and by extension the definitions that it can use. Currently, it appears the IPS engines from the initial appearances of the current firmware versions are handling Ultrasurf, but what is true today may not be true tomorrow. It is just one more reason to make sure that you are up-to-date with your firmware. Right now that means that whether you are running 5.0 or 5.2, make sure that you have your firmware’s latest update.
Step #2 – Current IPS definitions
Without the most up-to-date version of the signature to recognize Ultrasurf traffic, the likelihood of a recent version of Ultrasurf not being blocked from the Internet increases. Make sure that you have the very latest IPS update.
At the time of this writing, the IPS definition version number is 6.682 and is successfully blocking Ultrasurf release 15.0.2.
To get the update, use the CLI to run the command:
or if you want to update both IPS and antivirus, run the command:
While you should manually verify what your IPS update version is periodically just to be sure, you can also set up your FortiGate to automatically update the IPS definitions on a regular schedule.
Step #3 – Application Control list
Now that you have the latest signatures, it’s time to put them to use. Create a new Application Control profile or edit an existing one to include the appropriate signatures.
To target Ultrasurf, add these signatures to the security profile:
If you want to include all proxy applications, you can choose the Proxy category.
Step #4 – SSL inspection
Proxy applications can use SSL and port 443, or any other port they want, to communicate with the associated servers so that they can, in effect, use the security of the system against itself. The Ultrasurf protocol mimics legitimate SSL handshake behaviour and can produce false positives if the actual session is not inspected.
Make sure that Full SSL inspection is in effect on the firewall policies or if you prefer the term, Deep Inspection. This is normally set in the configuration window found at Policy & Objects > Policy > SSL/SSH Inspection. The location may change in various firmware versions but you should be able to find it.
Step #5 – Apply Application Control profile to firewall policies
Make sure that your firewall policies are using the Application profile that targets Ultrasurf. It makes no sense to go to all the trouble of building the profile if you’re not going to use it. If you are going to have some policies for special situations that are not going to block Ultrasurf, make sure that those policies are specific enough and in the correct sequence so that only the intended computers match the policy.
Step #6 DNS queries
One of the things that the signatures do is to detect DNS queries to the Ultrasurf servers. This means that the Application control profile has to be between the computers and the DNS servers. If you happen to be running internal DNS servers, this can sometimes be a little tricky. If they are on a separate subnet like a DMZ it is easier to make sure that you can apply the security profile to the traffic but if the DNS server is on the same subnet as the computer, you may have to verify that the DNS addresses of the Ultrasurf servers are not cached on the DNS server.
If you have a computer that has been running Ultrasurf, it may have cache one or more of the Ultrasurf server IP addresses. You can clean this up by deleting the following:
- Temp folder “utmp” in the Ultrasurf folder
- Ultrasurf temporary files in
"C:\Documents and Settings\<your windows account>\Local Settings\Temp"
- In Windows 7 systems, the files may be located in “
C:\users\<your windows account>\Appdata\Local\Temp\“
The temp file names are random. If you don’t know which are Ultrasurf temp files, it is advisable to delete all files in the folder.
Note: In fact, this step may be considered optional due to Ultrasurf automatically clearing the cache after about 24 to 48 hours. When testing to see if everything is working you probably want to manually delete the files so that you don’t have to wait that long for the results.
Step # 7 – Kill Ultrasurf
Admit it. You liked the heading of this step. What it means is to kill the Ultrasurf process on computers running Ultrasurf. You may not be able to get them all, but you should definitely make sure you kill the process on the computer you are using to test with. You could wait until a normal reboot, but some users leave their computers on for long periods of time.
Step #8 – Flush the DNS
Make sure that there are no cached references to Ultrasurf servers by flushing the DNS cache of the computers where Ultrasurf may have been used. Use the command:
Step #9 – Test
If you don’t test, how will you know for your own peace of mind that it is actually working? To test to make sure that the procedure is working
The ongoing struggle between Fortinet and Ultrasurf and other proxy services
In this area, the goals of Ultrasurf (and similar applications) and Fortinet are mutually opposed. Ultrasoft is developing software to bypass technology that limits a users ability to go to any website, while the IPS team at Fortinet is working on technology that is intended to block users from going to certain sites. Any time you have a struggle like this with smart people on both sides, there are going to be times when one side temporarily pulls into the lead. Because Fortinet is in the position where it has to react to a new tactic employed by Ultrasurf, there is likely to be times when Ultrasurf will successfully bypass the protection of a FortiGate. This is usually short lived, because as soon as Fortinet is aware of the change in status, work begins on correcting the situation. For this reason, maintenance is the key.
Make sure that:
- Your firmware is current
- Your IPS definitions are up to date
- You perform periodic tests
If the status changes inform Fortinet. One point of contact to let Fortinet know that there is a change in the effectiveness of the IPS definitions is to email email@example.com.