Hello, I've been asked by my security folks to look into blocking access to our SSL VPN if a user is coming through an anonymous proxy such as TOR. Does anybody know of a way to do this on SA series?
Equipment: SA-6500 8.0R7 (build 32691)
You can block access based on the user-agent string TOR is using. For example, as of Dec 2014 the user-agent string for TOR is Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
However, this does change a fair bit from what I understand, so it'll be difficult to keep track of the changes.
Interesting. If your organization manages the client endpoints I think that this could be managed at the endpoint through whitelisting / blacklisting.
Otherwise you may have some luck using Host Checker deny rules based on the ports, files or running process associated with Tor. Depending on how savvy your Tor users are, they may be able to circumvent these types of rules over time. I'd avoid relying on the user agent strings as these are pretty easy to change and fake.
Honestly, I think that this should be part of your information security team's responsibility and that they should figure out how to block Tor at the Firewall layer (assuming you have firewalls between your SA/MAG and the Internet). Maybe they could add the addresses of known Tor exit nodes to their Bogons lists or an explicit deny list.
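The exit-node deny list suggested in the last reply can also be used for detection by matching login source addresses against it. The following is an added example, not part of the original thread: the key=value log format, the field names and the sample addresses are constructed, and the list is assumed to hold one address per line or "ExitAddress <ip> ..." entries.

```python
import ipaddress
import re

# Constructed sample data: documentation-range addresses, not real exit nodes.
SAMPLE_EXIT_LIST = """\
# constructed exit list
ExitAddress 198.51.100.7 2014-12-03 09:00:00
203.0.113.44
2001:db8::1f
not-an-ip
"""

# Constructed log lines in a hypothetical key=value format (not the SA's own).
SAMPLE_LOG = [
    "2014-12-03T10:15:02Z event=login user=alice src=198.51.100.7",
    "2014-12-03T10:16:40Z event=login user=bob src=192.0.2.10",
    "2014-12-03T10:17:11Z event=login user=carol src=2001:DB8:0:0:0:0:0:1F",
    "2014-12-03T10:18:00Z event=login user=dave src=bogus",
]

SRC_RE = re.compile(r"\buser=(\S+)\s+src=(\S+)")

def to_ip(text):
    """Parse an IPv4/IPv6 address, returning None for anything malformed."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_exit_list(text):
    """Return the set of valid addresses; comments and bad entries are skipped."""
    exits = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        tagged = fields[0] == "ExitAddress" and len(fields) > 1
        ip = to_ip(fields[1] if tagged else fields[0])
        if ip is not None:
            exits.add(ip)
    return exits

def flag_logins(log_lines, exits):
    """Return (user, ip) for each login whose source address is on the list."""
    hits = []
    for line in log_lines:
        m = SRC_RE.search(line)
        ip = to_ip(m.group(2)) if m else None
        if ip is not None and ip in exits:
            hits.append((m.group(1), str(ip)))
    return hits
```

Addresses are compared as parsed objects rather than strings, so differently written forms of the same IPv6 address still match. The set of exit nodes changes over time, so the list has to be refreshed regularly for either blocking or detection to stay useful.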