
Zscaler TOR

Traffic

Prepared for ACME

©2020 Zscaler, Inc. All rights reserved.


Blocking TOR Browser

Overview
This document provides an overview of the Zscaler ZIA platform's capabilities for
detecting and blocking TOR browser traffic.

TOR Blocking Considerations


Because TOR is decentralized, anonymized, and supports multiple transports (including
obfuscating pluggable transports such as obfs4), it is difficult to block its traffic completely.

The Zscaler ZIA platform offers several mechanisms to disrupt TOR traffic and minimize TOR
client usage:

• P2P anonymizer protection under Advanced Threat Protection
o This allows Zscaler to block users from downloading the TOR client (already
enabled in the ACME environment)
• Firewall Control rule to block the TOR Network Application
o The Firewall Control Deep Packet Inspection (DPI) engine can enhance TOR traffic
detection and disrupt the connections (not enabled in the ACME environment)
• Block Untrusted and Revoked Certificates under SSL Inspection
o Many of the connections TOR establishes are to relays that present certificates
which fail validation (e.g. self-signed, no trusted issuer). Blocking untrusted and
revoked certificates prevents the SSL handshake from completing (enabled in the
ACME environment)
• “Caution” or “Block” the Miscellaneous and Unknown URL categories under URL
Filtering Policies
o Because TOR connects to relays by IP address or to hosts with no known
categorization, these destinations are classified as Miscellaneous or Unknown.
Configuring a “Caution” action for these URL categories breaks the flow and the
connections the TOR client is trying to establish (not utilized in the ACME
environment yet)
• Cloud IPS Control
o Zscaler IPS Control uses signatures capable of detecting TOR traffic even when it
uses obfuscation methods such as obfs4 (not utilized in the ACME environment yet)

ACME’s Configuration
As listed earlier, ACME is currently using 2 of the 5 methods to disrupt TOR traffic going via
the Zscaler ZIA platform:

• P2P anonymizer protection
• Block Untrusted and Revoked Certificates under SSL Inspection

In addition, the following three methods can be configured to further block TOR traffic
traversing the Zscaler cloud:

• Firewall Control rule to block the TOR Network Application
• “Caution” or “Block” the Miscellaneous and Unknown URL categories
• Cloud IPS Control

P2P Anonymizer Protection

P2P anonymizer refers to applications and methods used to obscure the destination and
content accessed by the user. The use of anonymizers may enable users to bypass policies
controlling which websites they may visit or which Internet resources they may access.

Choose to block the usage of Tor, a popular P2P anonymizer protocol. Zscaler then blocks
users from downloading the TOR client. Content downloaded through Tor is encrypted and
therefore cannot be inspected.

Procedure
To configure the Advanced Threat Protection policy:

1. Go to Policy > Advanced Threat Protection.


2. In the Advanced Threat Policy tab, set Tor to Block.

For detailed instructions, see Configuring the Advanced Threat Protection Policy.

Configure Firewall Control Rule to Block TOR Network Application

The Zscaler service provides firewall capabilities that allow granular control over your
organization’s outbound TCP, UDP, and ICMP traffic. The Firewall Control Deep Packet
Inspection (DPI) engine can enhance TOR traffic detection and disrupt the connections.

Select Tor under Network Applications and set the action to Block. For detailed instructions,
see Configuring the Firewall Filtering Control Policy.

Blocking Untrusted and Revoked Certificates


SSL inspection policies define which SSL traffic is scanned, based on the source and
destination of the traffic. These policies help you to:

• Simplify the deployment and ongoing operations of SSL inspection.
• Address compliance and operational environment requirements.
• Apply pre-defined special rules.

Many of the connections established by TOR are to relays whose certificates fail validation
(e.g. self-signed, no trusted issuer). Blocking untrusted and revoked certificates stops TOR
from completing a successful SSL handshake with them.

In the SSL Inspection policy:

1. Block untrusted server certificates, e.g. path validation failure, unknown issuer,
expired certificate, or common name mismatch.
2. Configure OCSP Revocation Check. Enabling this flag includes a certificate
revocation check in the untrusted server certificate validation. The service uses
OCSP (Online Certificate Status Protocol) to obtain the revocation status of a
certificate. If the OCSP check fails, the action is determined by the Untrusted Server
Certificates setting.

For detailed instructions, see Configuring SSL Inspection Policy.

Configure Caution/Block in Miscellaneous and Unknown URL Categories: Recommendations

The TOR browser encrypts its traffic and communicates directly with TOR relays (or bridges)
rather than with named websites, so its connections are typically logged as destined to an
unknown URL or to a URL in the form of an IP address. Zscaler classifies such traffic under
the Miscellaneous or Unknown URL categories.

An organization can use this fact to either caution or block this type of traffic using the
Zscaler URL Filtering policies. The result of a “Block” action on this traffic is self-explanatory.
The “Caution” action redirects the user to a “Caution” page that must be clicked through and
accepted before the request is forwarded to the origin URL. The TOR client expects a TOR
protocol handshake on that connection, not an HTML page, so this interruption breaks the
TOR browser session.

ACME currently is allowing the Miscellaneous URL categories as part of the “Internet_basic”
rule.

Enforcing the “Caution” or “Block” action can impact other, non-TOR traffic, so it is
recommended to:

• Review current and historic logs for traffic classified as Miscellaneous and Unknown
and identify business-related websites/applications that should be either
recategorized or exempted from the “Caution/Block” rule
• Prefer the “Caution” action, as it is less intrusive and still allows users to visit valid
websites that fall into the Miscellaneous or Unknown categories
• Roll out and test the “Caution” action gradually using the Users/Department/Location
criteria of the URL Filtering policies
Below you can find an article describing “Caution notification” in more detail:

https://help.zscaler.com/zia/configuring-caution-notification
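The log review recommended above, together with the untrusted-certificate behaviour described in the SSL inspection section, is illustrated by the following added example. It is not Zscaler code and does not use the ZIA NSS log format: the tab-separated records, the category labels “Miscellaneous” and “Unknown”, and the TLS status values are all constructed for the example. It splits the hits a Caution/Block rule on those categories would touch into TOR-like links (direct-to-IP TLS with a certificate that fails validation) and destinations that should be reviewed for recategorization or exemption before the rule is enforced.

```python
"""Impact review for a Caution/Block rule on Miscellaneous/Unknown URL categories.

Added example, not Zscaler's code. The record format is a constructed,
simplified tab-separated layout (url, category, TLS validation result, user);
real ZIA log feeds carry many more fields under different names.
"""
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed category labels standing in for ZIA's own category names.
TARGET_CATEGORIES = {"Miscellaneous", "Unknown"}

# Constructed sample records (not real ZIA output). Addresses are from
# documentation ranges; "untrusted" marks a server certificate that failed
# validation, as a TOR relay's self-signed certificate would.
SAMPLE_LOG = """\
https://203.0.113.42:9001/\tMiscellaneous\tuntrusted\talice@example.com
https://198.51.100.7:443/\tMiscellaneous\tuntrusted\talice@example.com
https://203.0.113.42:9001/\tMiscellaneous\tuntrusted\tbob@example.com
https://partner-portal.example.net/login\tUnknown\ttrusted\tcarol@example.com
https://partner-portal.example.net/api\tUnknown\ttrusted\tcarol@example.com
https://www.example.com/\tBusiness\ttrusted\tdave@example.com
https://192.0.2.10/status\tMiscellaneous\ttrusted\tdave@example.com
"""


def parse_records(text):
    """Parse the constructed tab-separated format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        url, category, tls, user = line.split("\t")
        records.append({
            "url": url,
            "category": category,
            "tls": tls,
            "user": user,
            # urlsplit strips IPv6 brackets, so hostname is comparable for both families
            "host": urlsplit(url).hostname or "",
        })
    return records


def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tor_like(record):
    """Heuristic for a TOR relay/bridge link: TLS straight to an IP address
    whose certificate fails validation. Legitimate internal tools that use
    IP addresses with valid certificates are not flagged."""
    return is_ip_literal(record["host"]) and record["tls"] == "untrusted"


def impact_report(records):
    """Split Miscellaneous/Unknown hits into likely-TOR links and destinations
    a human should review (candidates for recategorization or exemption)."""
    tor_hosts = defaultdict(set)
    review = defaultdict(lambda: {"hits": 0, "users": set()})
    for rec in records:
        if rec["category"] not in TARGET_CATEGORIES:
            continue  # a rule scoped to these categories never touches this hit
        if tor_like(rec):
            tor_hosts[rec["host"]].add(rec["user"])
        else:
            review[rec["host"]]["hits"] += 1
            review[rec["host"]]["users"].add(rec["user"])
    return {
        "tor_like": {h: sorted(u) for h, u in tor_hosts.items()},
        "review": {h: {"hits": v["hits"], "users": sorted(v["users"])}
                   for h, v in review.items()},
    }


if __name__ == "__main__":
    report = impact_report(parse_records(SAMPLE_LOG))
    print("Likely TOR links (rule will break these):")
    for host, users in report["tor_like"].items():
        print(f"  {host}: {', '.join(users)}")
    print("Review before enforcing (recategorize or exempt):")
    for host, info in report["review"].items():
        print(f"  {host}: {info['hits']} hits, users {', '.join(info['users'])}")
```

Running this against a real export means only replacing `parse_records` with a parser for the actual feed and mapping the category and certificate-validation fields; the split logic stays the same. Hosts listed under “review” with a legitimate business purpose are the ones to recategorize or carve out of the rule, and the rule can then be scoped to a pilot department or location as recommended above.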

Cloud IPS Control Recommendations

With IPS Control, you can use signature-based detection to control and protect your traffic
from intrusion over all ports and protocols.

The Zscaler service uses custom signatures built and updated by Zscaler's security research
team, as well as signatures from industry-leading vendors. Using these signatures, the
Zscaler service monitors your traffic in real time. As soon as the Intrusion Prevention
System (IPS) has examined the contents of your traffic and found a pattern match, it can
enforce your policies inline.

Zscaler has a built-in signature for TOR traffic and can detect it even when the TOR browser
is using an obfs4 obfuscated bridge.

By default, IPS control policy is set to Block/Drop traffic when a threat is detected.

For the configured rule to be enforced, IPS Control must be explicitly enabled on a per-location
basis.

As enabling IPS Control can have a potential impact on customer traffic, Zscaler
recommends the following:

• Configure the rule with the action “Allow” first, which lets packets pass through IPS
but still logs matching signatures. This type of rule allows a deploying customer to
understand the potential impact of enabling IPS. Example below:

• When ready to transition to the Block/Drop action, use the available rule criteria to
limit the scope of enforcement and its potential impact

• Enable IPS Control on selected locations only, based on company policy and
requirements

Additional information on IPS Control can be found here:

https://help.zscaler.com/zia/recommended-ips-control-policy
