Determining which applications to block on your network
Note: You will need SSL Inspector installed, enabled, and configured with the root certificate deployed to all client devices to get the most from Application Control.
The Applications tab in Application Control may seem daunting at first glance, but here are some tips for determining which applications to block on your network.
Sorting by Risk or Productivity:
- Productivity: Productivity is best thought of as an index value between 1 and 5 that rates the potential for each application to improve or increase the overall productivity of your network users. Applications with a low Productivity index (e.g. MySpace, Hulu, Zynga Games) can be expected to have a negative impact on productivity. Items with a high value (e.g. Active Directory, Network File System) can generally be viewed as critical for maintaining or improving productivity.
- Risk: Risk is another index value between 1 and 5 that rates the potential for each protocol or application to allow really nasty stuff onto your network. The higher the risk index, the greater the chance of letting in something that could be dangerous or destructive. So low risk items (e.g. Active Directory, Oracle, LDAP) are generally no cause for concern, while applications rated with a high risk (e.g. BitTorrent, Pando, Usenet) increase the possibility you'll find yourself spending long nights deleting pirated software and cleaning up viruses and other exploits that find their way into your infrastructure.
Sorting by Application Categories:
Applications all reside within categories. Sorting this page by category allows you to view all of the signatures in that category and enable some quick blocks. It's up to you to determine what you consider acceptable traffic on your network. Each one has valid and legitimate uses that can also be used for nefarious purposes. Here is a breakdown of what some of these categories entail and why you may want to explore blocking some of the applications they contain:
- Proxy - Today, most proxies are web proxies, facilitating access to content on the World Wide Web and providing anonymity. Often users will connect to a proxy site or use a proxy application to circumvent web filtering and/or obfuscate their web history.
- File Transfer - Torrents, Torrentz, P2P file sharing. File transfer is a generic term for transmitting files over a computer network such as the Internet, and there are numerous protocols and applications for doing so. Many file sharing applications are used to transmit pirated, illegal, or not-safe-for-work/school material.
- Remote Access - Plenty of users work from home and access company resources while away from the office; however, the same mechanisms that provide that functionality for legitimate reasons can also be used to gain illegitimate access. Remote control software should be limited to a few approved applications on your network, with access restricted. Block any of these applications that you are not actively using on your network.
- Network Monitoring - As with remote access applications, you should be aware of which network monitoring applications are used and approved on your network. The existence of unapproved network monitoring software may indicate that someone unauthorized is gathering data about your network. Block any network monitoring software that is not approved or known.
- VPN Tunneling - A virtual private network (VPN) extends a private network across a public network or internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. VPNs can provide functionality, security and/or network management benefits to the user but they can also lead to new issues, and some VPN services, especially "free" ones, can actually violate their users' privacy by logging their usage and making it available without their consent, or make money by selling the user's bandwidth to other users. Block any unknown and unapproved VPN services being utilized on your network.
- Messaging - Instant messaging, chats, online texting, etc. These programs keep people in the loop but many of them also come with risks of viruses in attachments, phishing and social engineering, and of course loss of productivity. Keep your users connected but block all other chat/messaging programs.
- Social Networking - While increasingly used in business settings to collaborate and communicate, social networking sites can be used as a threat vector that could potentially cause a breach on your network. If some of your users do require access to these sites, create a separate policy in Policy Manager that allows them access while blocking it for everyone else.
- Mail - Some well-known mail protocols are included in this section so that antiquated ones such as POP and IMAP can be blocked easily. You can also block applications like EXCHANGE, GMAIL, and even Outlook.
- Networking - These are legitimate (current and some legacy) applications/protocols with valid purposes on enterprise and SOHO networks. Many of these applications have very specific purposes; for this category, flagging rather than blocking is often the most useful first step, since it shows you what is actually being used on your network.
- Games - There are multiple reasons to block games. Productivity is usually the primary reason; however, there are also significant social engineering risks, and many online games are havens for malware distribution. (Web/browser-based games can be blocked by the Web Filter > Block Categories > Games category.)
- Streaming Media - Online video and radio. Most commonly blocked due to productivity and bandwidth saturation issues.
- Collaboration - Remote meeting and team project collaboration applications. If not properly monitored they can be utilized to facilitate unwanted communications and even file transfers.
- Web Services - A mix of many different web-based applications that don't fall into any of the previous categories.
Flagging and Reporting:
Enabling the flag on an Application Control signature ensures that whenever that application's traffic is encountered on the network, it is recorded in the reporting. Some signatures are flagged by default, but most are not, to reduce the volume of event logging on the appliance. To view the flagged traffic in Application Control, navigate to Reports > Application Control > 'Flagged Sessions'.
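The category guidance above and the block-versus-flag distinction can be written down as a reviewable rule set before touching the Applications tab. The following is an added example, not part of this page or of the product; the Signature fields, the signature rows, their index values and category placements are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    category: str      # Application Control category, as on the Applications tab
    risk: int          # 1 (low) to 5 (high)
    productivity: int  # 1 (low) to 5 (high)

# Categories the page says to restrict to an approved set: block anything else.
APPROVED_ONLY = {"Remote Access", "Network Monitoring", "VPN Tunneling", "Messaging"}
# Legitimate infrastructure protocols: flag them first to learn what is in use.
FLAG_TO_DISCOVER = {"Networking"}

def decide(sig, approved):
    """Return 'allow', 'flag' or 'block' for one signature."""
    if sig.name in approved:
        return "allow"
    if sig.category in APPROVED_ONLY:
        return "block"
    if sig.category in FLAG_TO_DISCOVER:
        return "flag"
    # Otherwise fall back to the two indices: high risk or low
    # productivity is the page's stated reason to block.
    if sig.risk >= 4 or sig.productivity <= 2:
        return "block"
    return "allow"

def triage(sigs, approved):
    """Map every signature name to its recommended action."""
    return {s.name: decide(s, approved) for s in sigs}

# Constructed sample rows; index values and categories are illustrative only.
SAMPLE = [
    Signature("BitTorrent", "File Transfer", risk=5, productivity=1),
    Signature("MySpace", "Social Networking", risk=3, productivity=1),
    Signature("Active Directory", "Networking", risk=1, productivity=5),
    Signature("Oracle", "Networking", risk=1, productivity=4),
    Signature("remote-tool-approved", "Remote Access", risk=3, productivity=3),    # hypothetical name
    Signature("remote-tool-unapproved", "Remote Access", risk=3, productivity=3),  # hypothetical name
    Signature("free-vpn-service", "VPN Tunneling", risk=4, productivity=2),        # hypothetical name
]

# Names your organization has explicitly approved (hypothetical).
APPROVED = {"remote-tool-approved"}

if __name__ == "__main__":
    for name, action in sorted(triage(SAMPLE, APPROVED).items()):
        print(f"{action:5s}  {name}")
```

Anything the rule set marks as "flag" should be reviewed under Reports > Application Control > 'Flagged Sessions' before deciding whether to promote it to a block.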