Support Forum
Victor
New Contributor III

Ultrareach

Has anyone dealt with ultrareach? The application is very small; can be renamed; and seems to be able to set up a proxy on IE, even with the group policy greying out that option. The application seems to create a proxy server on the local machine tied to the loopback address. Then it issues a rash of DNS queries, some to valid sites and others to their proxy clients. The app then establishes up to three https connections, launches the web browser & you are off to the races. It is meant to provide uncensored access for people in totalitarian countries but provides our students with another end run around the fortigate. Any suggestions would be greatly appreciated. Victor
FortiRack_Eric
New Contributor III

Have you tried to enable webfiltering and the category proxy avoidance?

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Victor
New Contributor III

Yes I have Eric. The problem is that it uses https and seems to set up a p2p proxy network. The product is called Ultrasurf. You can also look at my post below this explaining the shortcomings of https web filtering. I actually talked to the developer last night. His name is Alan Huang & he is a U of T grad now living in San Jose. The project is/was funded by the US Congress and is a technology aimed at enabling citizens in less democratic countries to get past their countries' firewalls/filtering systems. (Undoubtedly sold to them by American companies.) In an email & on the phone, I pointed out that the US government also had mandated web filtering to protect students from the unsavoury aspects of the internet and that it was proving quite popular with students. This was not the target audience for which the US Congress had intended. I asked if there could be a way of blacklisting legitimate sites (such as school boards) from accessing the service but he felt that it would compromise his service. I asked that he at least respond to my email, stating this reply. Perhaps there are some educational customers in the States who could approach their congressmen and point out the shortcomings of this project. Maybe they can provide additional funds so that Alan could research a way of addressing the collateral damage that this federally funded project is having. To Alan's credit, he has created a very compact program, that can be renamed, has very little network footprint other than the burst of DNS requests to legitimate sites & p2p hosts, and quite easily sets up a proxy to the loopback address despite a group policy that is supposed to lock that option down. Commenting on our imaging team's efforts & my scanning efforts, he chuckled, "Good luck. The Chinese are spending millions trying to crack this program."
FortiRack_Eric
New Contributor III

There's also another approach, which is more secure from a security standpoint. I know for a fact that a couple of banks in the Netherlands are enforcing it. Disallow all https traffic and whitelist selected/approved https sites. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Not applicable

We have the same issue. Students have picked up on this application and they are easily circumventing the filters. Blocking all HTTPS & whitelisting valid sites is something we are considering, however it's a rather large undertaking. From trace files I do see the same activity. A burst of DNS queries followed by an HTTPS proxy setup. We are looking at perhaps creating an IPS rule surrounding this behaviour (sorry we don't use the native IPS feature in Fortinet). Another similar app we've seen is called globalpass, but ultrareach is easier and more effective as Victor indicated. If anyone else has ideas on this please share them. Rick
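The behaviour Victor and Rick both describe (a burst of DNS queries for many distinct names from one host, followed shortly by several HTTPS connections to distinct addresses) can be turned into a log-side detection heuristic, which is what an IPS or SIEM rule for this would essentially encode. The following Python script is an added example and is not code from any poster, from Fortinet, or from 8e6; the record format, field names (`ts`, `src`, `type`, `qname`, `dst`, `dport`), the thresholds and all sample values are assumptions constructed for the example, not any vendor's log schema.

```python
"""Heuristic: flag a source host that queries many distinct DNS names in a short
window and then opens several HTTPS connections to distinct destinations.

Log records are simplified dicts; the schema and thresholds are assumptions made
for this example. All hosts, names and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_dns_burst(dns_events, window_s, threshold):
    """dns_events: sorted list of (ts, qname) for one host.
    Return the timestamp at which `threshold` distinct names were first reached
    inside any window of `window_s` seconds, or None if no such burst exists."""
    window = timedelta(seconds=window_s)
    for i in range(len(dns_events)):
        start = dns_events[i][0]
        names = set()
        for ts, qname in dns_events[i:]:
            if ts - start > window:
                break
            names.add(qname)
            if len(names) >= threshold:
                return ts
    return None


def detect_burst_then_https(records, dns_window_s=10, dns_threshold=8,
                            https_window_s=60, https_threshold=3):
    """Return {src: details} for hosts matching DNS burst -> HTTPS fan-out."""
    by_src = defaultdict(lambda: {"dns": [], "https": []})
    for r in records:
        ts = parse_ts(r["ts"])
        if r["type"] == "dns":
            by_src[r["src"]]["dns"].append((ts, r["qname"]))
        elif r["type"] == "tcp" and r.get("dport") == 443:
            by_src[r["src"]]["https"].append((ts, r["dst"]))

    alerts = {}
    for src, ev in by_src.items():
        burst_end = find_dns_burst(sorted(ev["dns"]), dns_window_s, dns_threshold)
        if burst_end is None:
            continue
        deadline = burst_end + timedelta(seconds=https_window_s)
        # Count distinct HTTPS destinations reached shortly after the burst.
        dsts = {dst for ts, dst in ev["https"] if burst_end <= ts <= deadline}
        if len(dsts) >= https_threshold:
            alerts[src] = {"burst_end": burst_end.isoformat(),
                           "https_dsts": sorted(dsts)}
    return alerts


def _rec(ts, src, kind, **fields):
    return {"ts": ts, "src": src, "type": kind, **fields}


# Constructed sample log. Host 10.1.5.23 shows the suspicious sequence; the burst
# deliberately mixes ordinary-looking names with random-looking ones.
_burst_names = ["www.example-bank.com", "mail.example.net", "cdn.example.org",
                "a1b2c3.example-p2p.net", "x9y8z7.example-p2p.net",
                "news.example.com", "q4w5e6.example-p2p.net", "shop.example.com",
                "r7t8y9.example-p2p.net", "wiki.example.org"]
SAMPLE_LOG = [_rec(f"2008-03-10 09:00:{i:02d}", "10.1.5.23", "dns", qname=n)
              for i, n in enumerate(_burst_names)]
SAMPLE_LOG += [
    _rec("2008-03-10 09:00:12", "10.1.5.23", "tcp", dst="203.0.113.10", dport=443),
    _rec("2008-03-10 09:00:13", "10.1.5.23", "tcp", dst="203.0.113.22", dport=443),
    _rec("2008-03-10 09:00:14", "10.1.5.23", "tcp", dst="203.0.113.10", dport=443),
    _rec("2008-03-10 09:00:15", "10.1.5.23", "tcp", dst="198.51.100.7", dport=443),
    # Host 10.1.5.40: ordinary browsing, no burst.
    _rec("2008-03-10 09:00:03", "10.1.5.40", "dns", qname="www.example.com"),
    _rec("2008-03-10 09:00:20", "10.1.5.40", "dns", qname="mail.example.net"),
    _rec("2008-03-10 09:00:21", "10.1.5.40", "tcp", dst="203.0.113.5", dport=443),
]
# Host 10.1.5.51: a DNS burst but only one HTTPS destination afterwards.
SAMPLE_LOG += [_rec(f"2008-03-10 09:02:{i:02d}", "10.1.5.51", "dns", qname=n)
               for i, n in enumerate(_burst_names[:9])]
SAMPLE_LOG.append(_rec("2008-03-10 09:02:10", "10.1.5.51", "tcp",
                       dst="203.0.113.40", dport=443))

if __name__ == "__main__":
    for src, info in detect_burst_then_https(SAMPLE_LOG).items():
        print(f"ALERT {src}: burst ended {info['burst_end']}, "
              f"HTTPS to {', '.join(info['https_dsts'])}")
```

Run as-is it reports only 10.1.5.23. The point of requiring both halves of the sequence is that a DNS burst on its own is not unusual (a single page load can trigger one), so the thresholds need tuning against the site's normal traffic, and a match is better treated as an alert to investigate than as an automatic block, given that some of the queried names are legitimate sites.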
rwpatterson
Valued Contributor III

Is there any clue in the DNS queries, i.e. domain names? You could spoof the domains they query at the server level. (point ultrareach.com to 127.0.0.1)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Victor
New Contributor III

Sorry for the delay. I have been busy on other projects. The burst of DNS queries seems to be hard-coded into the app but changes with each machine it is run on. Some of the DNS queries go to legit sites though. A tech at Fortinet was able to kill the program by blocking the url on the first DNS request but it changes with each install (I suspect the program uses the computer hardware as a randomizer). Besides, some of those sites are legit (e.g. banking sites, etc.). On top of that, we have 20k computers. Since the program keeps trying until it is shut down you could imagine the self-inflicted denial of service that you might create. The issue has been registered as bug (#65699) and if I do not hear from Fortinet in the next week, I will formally ask for a status report. Victor
rwpatterson
Valued Contributor III

What a diabolical little bugger...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Victor
New Contributor III

Diabolical bugger. I couldn't have described it better. As promised, I contacted Fortinet and was told that the developers have slated a fix - not for MR6 - but probably for MR7. In the meantime I have been following posts on Ultrasurf by googling it and have found some interesting reading at another filtering company called 8e6. This company states that it can successfully block Ultrasurf. I am by no means urging that people switch products, but their posts on "proxies, spam & botnets" were very informative. Of particular interest was their link to a Microsoft research paper on how to determine dynamically assigned internet addresses & how it correlated to the majority of spam received by Hotmail. From a client perspective, the information presented laid out the complexities of modern-day filtering. Victor
Not applicable

Thank you Victor for the followup. Bit disappointing to see that a possible fix won't be addressed until MR7. Given the fact that this utility completely bypasses the Fortigate appliance I would have hoped for a quicker resolve. Another idea we are tossing around is the possibility of authenticating all HTTPS sites. Disruptive yes but an option. Rick