How to Block Tor (The Onion Router)

How to Block Tor (The Onion Router)

286567
Created On 09/25/18 18:56 PM - Last Modified 11/05/21 21:50 PM


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 and above.
  • External Dynamic Lists.


Resolution


The Tor network (The Onion Router) disguises user identity by moving their data across different Tor servers, and encrypting that traffic so it isn't traced back to the user. Anyone who tries to trace would see traffic coming from random nodes on the Tor network, rather than the user's computer. 

 

The following configurations on the Palo Alto Networks Next-Generation firewall can block Tor application traffic on your network.

  1. Security Policy to Block Tor App-ID

  2. Use Application Filters

  3. Block Risky URL Categories 

  4. Deny Unknown Applications

  5. Blocking Untrusted Issues and Expired Certificates with a Decryption Profile

  6. Turn on SSL Decryption

  7. Source/Dest Based Control using External Dynamic List

Note: Blocking any evasive application like Tor needs a combination of different capabilities as outlined above. In many cases, just using a single capability is not enough. Use as many of these configurations as needed to properly block Tor.

 

1. Security Policy to Block Tor App-ID

Palo Alto Networks has created applications such as tor and tor2web to identify Tor connections. Like any other anonymizer, Tor uses different techniques to bypass your security. Just blocking tor and tor2web applications in the security policy is not enough.

 

Create a security policy to block the following applications to the internet:

  • tor
  • tor2web
  • ssh
  • ssh-tunnel
  • ike
  • ipsec-esp
  • http-proxy

Inside the WebGUI > Policy > Security, be sure to create a rule that denies access to the above list, and make sure that the "Service" is set to "Application Default".

Screen Shot 2017-09-19 at 12.25.12 PM.png

 

 

2. Use Application Filters

There are many avoidance applications out there that are being created as demand rises from users wanting to bypass restrictions. A good way to keep up with new applications is to use application filter and block applications based on behavior rather than manually adding each individual application to the security policy.

 

Application Filter dynamically groups applications based on the chosen category. More details on how to create application filters can be found in the PAN-OS Administration Guide (https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/create-an-application-filter) 

 

Using Application Filter,(Objects > Application Filters) we can create a new group (Name - VPN) of applications based on the category "networking" and subcategory "proxy". This filter will include applications such as psiphon, tor2web, your-freedom...etc 

Screen Shot 2017-09-19 at 10.38.14 AM.png

 

Next, inside Policies > Security, create a security policy to block applications that are subcategorized as proxy. Include the application filter "VPN" in the security policy and set the action to "Deny".

Screen Shot 2017-09-19 at 12.29.36 PM.png

 

Note: As a best practice, while white listing applications in your security policy, use "application-default" for the Service. The firewall compares the port used with the list of default ports for that application. If the port used is not a default port for the application, the firewall drops the session and logs the message "appid policy lookup deny"

 

3. Block Risky URL Categories 

Create URL Filtering profile that blocks access to web sites categorized as:

  • proxy-avoidance-and-anonymizers
  • malware
  • phishing
  • dynamic-dns
  • unknown
  • parked
  • phishing
  • questionable 

Associate the URL Filtering profile to security policy to enforce stricter control. Do this inside Objects > Security Profiles > URL Filtering. Find each category and block access to those categories above. 

Screen Shot 2017-09-19 at 11.13.14 AM.png

 

Note: Please follow the link: Create Best Practice Security Profiles for best practices when it comes to configuring security profiles.

 

4. Deny Unknown Applications

As a best practice, it is advised to block any applications that are categorized as unknown-tcp, unknown-udp and unknown-p2p in your network.

If there are applications that users need to access in the internet that gets identified by the firewall as unknown-tcp or unknown-udp and if there is a need to allow access to these applications, create a security policy that allows unknown-tcp or unknown-udp on specific ports used by that specific application.

 

For other traffic that gets identified as "unknown-tcp" or "unknown-udp" or "unknown-p2p", we will create a security policy that denies the traffic.

 

Make sure you create this rule inside of Policies > Security, to look like below.

Screen Shot 2017-09-19 at 12.44.05 PM.png

  

5. Blocking Untrusted Issues and Expired Certificates with a Decryption Profile

This can be achieved without having to actually decrypt traffic and can be quite effective in blocking Tor. We reccommend customers use a "decryption profile" as shown below as part of a no-decrypt rule to limit Tor from connecting. 

 

To do this, go into Objects > Decryption Profile. If you do not already have a no-decrypt rule, please add it with the "Add" button. Inside the "No Decryption" tab, make sure the 2 options are selected.

Screen Shot 2017-09-19 at 11.03.33 AM.png

 

Then inside Policies > Decryption and again, if you do not have a No Decryption rule, please add it with the "Add" button, and then inside of that rule, in the Options tab, 

2017-09-22_no-decrypt.png

 

Once done, you should see the Decryption Profile name listed in the rules.

Screen Shot 2017-09-19 at 11.05.53 AM.png

 

 

6. Turn on SSL Decryption

If, despite implementing all the controls suggested above, Tor can still connect, then we reccommend turning on SSL decryption for this traffic, which will help blocking Tor.

 

Create a decryption profile iniside Objects > Decryption Profile. Click "Add" at the bottom and give it a name. I used "decrypt". Be sure to select any options for Server Certificate Verification and Unsupported Mode Checks.

Screen Shot 2017-09-19 at 1.03.51 PM.png

 

Then be sure to go into Policies > Decryption and associate the decrypt profile to a decrypt policy. Do this inside the "Options" tab inside the Decryption Policy Rule. 

Screen Shot 2017-09-19 at 1.04.20 PM.png

 

For more information on setting up SSL Decryption, please see:

How to Implement and Test SSL Decryption

 

7. Source/Dest Based Control using External Dynamic List

In addition to precautions taken in previous steps to prevent tor traffic, we can use the external dynamic list feature to block connectivity from the Tor application to Tor nodes. This will block based on the destination IP address matching a security policy that has an EDL configured in it.

Note: The documented List in the diagram below https://panwdbl.appspot.com/lists/ettor.txt  and https://check.torproject.org/torbulkexitlist are currently not available. So one cannot use it as the source of EDL. Instead, one can use the other available exit node list such as https://www.bigdatacloud.com/insights/tor-exit-nodes or   https://raw.githubusercontent.com/jtschichold/panwdbl-actions/tor/exit-nodes.txt. Note that these lists/sites are not verified by Palo Alto Networks.

  • Please refer to the PAN-OS administration guide to create External Dynamic List.
  • Newer content update of Palo Alto (Dynamic Updates 8435 from 7/7/21) supports Built-In External Dynamic Lists. This list can be used in the EDL configuration to block unwanted traffic.

To set the External Dynamic List, go into Objects > External Dynamic Lists and create a new list with "Add". Give it a name - Tor. Be sure to put the URL inside of the source field.

Screen Shot 2017-09-19 at 10.24.35 AM.png

 

Then inside of Policies > Security, create a new rule (Add) for the new EDL (External Dynamic List). 

Screen Shot 2017-09-19 at 10.28.09 AM.png

 

Inside of the Destination tab, be sure to use the EDL you just created "Tor".

Screen Shot 2017-09-19 at 10.28.20 AM.png

  

 Blocking any evasive application like Tor needs a combination of different capabilities as outlined above. In many cases, just using a single capability is not enough. 
 


Additional Information


Applications and Threats Content Release Notes
Version 8435

...
(7/7/21) Threat Prevention subscriptions for firewalls running PAN-OS 9.0 and later releases now include a built-in external dynamic list (EDL) that you can use to block Tor exit nodes. The entries in the list include IP addresses supplied by multiple providers and that Palo Alto Networks threat intelligence data verified as active 
...



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language