Block users from using Tor

Frank Hoeben
Level 1

The title says it all.

How do I block users from using the Tor network to bypass the firewall?

All I'm able to find is that Tor uses port 9001 (TCP) by default but switches to any other open port (80, 443, 25, 23, 22, etc.) when it's blocked.

Blocking those 'backup' ports is obviously not the right way, so I'm looking for inspect rules or any other way to classify and block Tor.

6 Replies

mirober2
Cisco Employee

Hi Frank,

I did a quick capture to look at the Tor client while it is connecting. It looks like it encrypts most of the connection traffic, so all your users would probably need to first connect through a proxy that could decrypt the connection and block it that way. Tor is designed to be very resilient, so I don't think you'll find a feasible way to block it at the firewall.

Hope that helps.

-Mike

I was afraid of that.

Plan B would be to tell the AV software to block the Tor executables by default, but files are easily renamed and versions change so file hashes are useless.

Plan C is making the use of firewall bypassing software an offense punishable by death.

Hello,

One alternative could be to tie down the inside interface access-list to a specific list of allowed ports. From what I understand of the working of Tor, it tries to relay through multiple hosts and for that, the relay servers set up certain ports. So, if you limit the inside network access to normal ports like 80/443, and 53, then the access will be limited to these ports. Now, you can configure HTTP inspection to limit Tor access on port 80 as well (you might take a performance hit when you configure HTTP inspection). This will limit the Tor users to use only port 443 for relay.

Hope this helps.

Regards,

NT

nawir
Level 1

My way to block Tor is this:

http://nbctcp.wordpress.com/2014/10/20/blocking-tor-browser-in-cisco-asa-5505/

Do you have all IP addresses of Tor servers?


Palo Alto firewalls can block Tor because they have protocol inspection.

If you check my link, there are around 6500 servers I need to copy-paste into the botnet blacklist.

I admit it's not an automatic way to block Tor, but at least it works. I already tested that.

If management has the budget, of course they can buy another device that is easier to manage.

It's just one alternative to block Tor.
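Added example (not from any post in this thread): a small Python script that turns a relay list like the one nawir describes into ASA object-group lines instead of hand-pasting thousands of entries, and checks observed connections against the same list. The relay addresses and log lines are constructed samples; the object-group name TOR_RELAYS and the ACL name INSIDE_IN are hypothetical.

```python
import ipaddress
# Constructed sample relay list; a real run would load the Tor project's
# published relay list (thousands of entries, as the thread notes) from a file.
SAMPLE_RELAY_LIST = """
203.0.113.10
203.0.113.10   # duplicate: must collapse to one entry
2001:db8::1
not-an-ip      # malformed line: skipped rather than aborting the import
192.0.2.0/24
"""
# Constructed connection-log lines in a simple 'proto src:port -> dst:port' form.
SAMPLE_CONN_LOG = ["TCP 10.0.0.5:51234 -> 203.0.113.10:443",
                   "TCP 10.0.0.6:51235 -> 93.184.216.34:443",
                   "TCP 10.0.0.7:51236 -> [2001:db8::1]:9001"]

def parse_relay_list(text):
    """De-duplicated ip_network objects; comments, blanks and junk are skipped."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            try:
                nets.add(ipaddress.ip_network(line, strict=False))
            except ValueError:
                pass
    return sorted(nets, key=lambda n: (n.version, n))

def asa_object_group(nets, name="TOR_RELAYS"):
    """ASA CLI lines (TOR_RELAYS and the deny ACL that references it are hypothetical)."""
    lines = [f"object-group network {name}"]
    for n in nets:
        if n.num_addresses == 1:
            lines.append(f" network-object host {n.network_address}")
        elif n.version == 4:
            lines.append(f" network-object {n.network_address} {n.netmask}")
        else:
            lines.append(f" network-object {n.with_prefixlen}")
    return lines

def is_tor_relay(ip, nets):
    """True if an observed address falls inside any listed host or prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)  # a v4/v6 version mismatch is just False

def flag_tor_connections(log_lines, nets):
    """(src, dst) pairs whose destination is on the list; handles '[v6]:port'."""
    ends = (tuple(p.split()[-1].rsplit(":", 1)[0].strip("[]") for p in l.split("->", 1))
            for l in log_lines if "->" in l)
    return [(s, d) for s, d in ends if is_tor_relay(d, nets)]
```

The generated group is meant to be referenced from a rule such as `access-list INSIDE_IN extended deny ip any object-group TOR_RELAYS`; regenerating it on a schedule is what keeps the list from going stale.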
