Application Control Best Practices

Note: You will need SSL Inspector installed, enabled, and configured with the root certificate deployed to get the most out of Application Control.

Application Control is an often-overlooked yet incredibly robust module that is relatively simple to configure. There are three tabs in Application Control: Status, Applications, Rules. The meat and potatoes of the Application Control settings lie in the Applications and Rules tabs. 

Rules Tab:

The Rules tab lets you create custom Application Control rules that govern application usage. It also ships with a set of default rules that are present but disabled; several of these are powerful and useful. We recommend reviewing them and enabling those appropriate for your network.

It is important to note that Rules do not supersede block or tarpit actions set in the Applications tab: if an application is blocked or tarpitted there, that verdict applies regardless of any Rule. For more details, please review this article: Why are my Application Control Rules not taking effect?

Default Rules:

[Screenshot: app_control.png]

  • Rule ID 100001 - 'Block all HTTPS (encrypted) YouTube traffic'
    Blocks HTTPS-encrypted traffic on port 443 that matches the YouTube application signature. Because the traffic is encrypted, this rule depends on SSL Inspector being installed and configured (see the note at the top of this article).
  • Rule ID 100002 - 'Block all TCP port 80 traffic that is not HTTP'
    Just as port 443 is associated with HTTPS, port 80 is most commonly associated with unencrypted HTTP web traffic. This rule blocks sessions on TCP port 80 whose traffic is classified as something other than HTTP. If nothing on your network requires port 80 for anything other than web-based HTTP traffic, we recommend enabling this rule; check for such exceptions before enabling it.

  • Rule ID 100003 - 'Block all TCP port 22 traffic that is not SSH'
    SSH provides encrypted command-line access to remote systems. It is a common protocol, and very few (if any) other legitimate applications use port 22 for anything other than SSH, so if SSH is in use on your network we recommend enabling this rule. (This rule only blocks non-SSH traffic on port 22; if you wish to block all SSH access, we recommend doing so via a Forward Filter Rule.)

  • Rule ID 100004 - 'Tarpit all traffic classified as "Proxy" applications'
    Tarpitting is ideal for 'proxy' and 'anonymizer' applications. These applications are designed to circumvent Application Control detection by dynamically changing port numbers and callouts. Setting anonymizer or proxy applications to tarpit will often prevent them from functioning on your network when the block action alone is not effectively stopping this traffic.
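As an added illustration (not code from the product or this article), the following Python models what 'port 80 traffic that is not HTTP' and 'port 22 traffic that is not SSH' mean in practice: the verdict is decided by what the first client bytes look like, not by the destination port alone. The HTTP, SSH and TLS fingerprints, the rule table and the sample sessions are all constructed for this example; the product's real classification signatures are not shown on this page.

```python
import re

# Constructed first-payload fingerprints (example only, not the product's signatures).
# HTTP/1.x request line (RFC 9112) or the HTTP/2 connection preface (RFC 9113).
_HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)
_HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def identify(payload: bytes) -> str:
    """Name the protocol the first client bytes of a TCP session look like."""
    if _HTTP_REQUEST.match(payload) or payload.startswith(_HTTP2_PREFACE):
        return "HTTP"
    # Both SSH peers start with an identification string "SSH-2.0-..." (RFC 4253).
    if payload.startswith(b"SSH-"):
        return "SSH"
    # A TLS ClientHello is a handshake record (type 0x16) with a 3.x record version.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "TLS"
    return "Unknown"


# Hypothetical rule table in the spirit of default rules 100002 and 100003:
# on these ports, only the named protocol is allowed.
EXPECTED_ON_PORT = {80: "HTTP", 22: "SSH"}


def evaluate(dst_port: int, first_payload: bytes) -> tuple:
    """Return ('block', reason) or ('pass', reason) for a new TCP session."""
    expected = EXPECTED_ON_PORT.get(dst_port)
    seen = identify(first_payload)
    if expected is not None and seen != expected:
        return ("block", f"{seen} on TCP port {dst_port} is not {expected}")
    return ("pass", f"{seen} on TCP port {dst_port}")


# Constructed sample sessions: (destination port, first client payload).
_TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16
SAMPLE_SESSIONS = {
    "plain http on 80": (80, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "tls tunnelled over 80": (80, _TLS_CLIENT_HELLO),
    "ssh on 22": (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "tls on 22": (22, _TLS_CLIENT_HELLO),
    "ssh on 2222": (2222, b"SSH-2.0-OpenSSH_9.6\r\n"),  # no rule for this port
}


def audit(sessions=SAMPLE_SESSIONS) -> dict:
    """Map each sample session name to the verdict the rule table gives it."""
    return {name: evaluate(port, payload)[0] for name, (port, payload) in sessions.items()}


if __name__ == "__main__":
    for name, (port, payload) in SAMPLE_SESSIONS.items():
        verdict, reason = evaluate(port, payload)
        print(f"{name:24s} -> {verdict:5s} ({reason})")
```

The model only looks at the first client payload of a session; a production classifier inspects more of the stream, and the YouTube rule on port 443 additionally needs SSL Inspector because the content is encrypted. The useful point for a practitioner is that these rules are protocol-mismatch rules: SSH on port 2222 is untouched, and TLS on port 80 is blocked even though it is "web-like" traffic.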

Tarpitting - What to do when Applications that are set to block are no longer being blocked:

[Screenshot: app_control_2.png]

Tarpitting is the process of deliberately delaying or dropping connections rather than rejecting them outright. For TCP, the connection is allowed to establish, but the data is silently dropped: both the client and the server believe the other party is receiving the data but is simply not responding, so the application waits rather than immediately failing and trying another port or method. For UDP, tarpit behaves identically to block except that the session is kept open, so the next packet in the flow is dropped as part of the same session instead of being classified as a new session. Because of this, tarpitting is sometimes a workaround when an application has changed its signature and its traffic is no longer being blocked.
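The difference between block and tarpit for UDP, as an added toy model that is not the product's code: a session table in which block forgets the session after dropping a datagram, so the next datagram is classified afresh, while tarpit keeps the session and its verdict. The "PROXY1" signature, the flow 5-tuple and the client's changed second handshake are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Hypothetical application signature: a datagram whose payload starts with this
# prefix is classified as the "Proxy" application. Constructed for the example;
# real signatures are far richer than a fixed prefix.
PROXY_SIGNATURE = b"PROXY1"


@dataclass
class Session:
    app: str
    action: str  # "pass", "block" or "tarpit"


@dataclass
class FlowTable:
    """Toy model of a firewall session table for UDP flows."""
    actions: dict = field(default_factory=dict)    # app name -> configured action
    sessions: dict = field(default_factory=dict)   # 5-tuple -> Session
    log: list = field(default_factory=list)

    def classify(self, payload: bytes) -> str:
        return "Proxy" if payload.startswith(PROXY_SIGNATURE) else "Unknown"

    def packet(self, flow: tuple, payload: bytes) -> str:
        """Process one datagram of a flow and return 'pass' or 'drop'."""
        session = self.sessions.get(flow)
        if session is None:
            # First datagram the table has seen for this 5-tuple: classify it.
            app = self.classify(payload)
            session = Session(app=app, action=self.actions.get(app, "pass"))
            self.sessions[flow] = session
            self.log.append(f"new session {flow[:2]}->{flow[2:4]} classified as {app}: {session.action}")
        if session.action == "pass":
            return "pass"
        if session.action == "block":
            # block: drop the datagram and forget the session, so the very next
            # datagram of this flow is treated as a new session and classified again.
            del self.sessions[flow]
            return "drop"
        # tarpit: drop the datagram but keep the session and its verdict, so
        # later datagrams of this flow are dropped without reclassification.
        return "drop"


def simulate(proxy_action: str) -> list:
    """Run a constructed evasive client against a table with the given action for Proxy."""
    table = FlowTable(actions={"Proxy": proxy_action})
    flow = ("10.0.0.5", 40000, "203.0.113.9", 8080, "udp")  # constructed 5-tuple
    # Constructed client behaviour: the first datagram carries the known signature;
    # after getting no reply the client re-sends its handshake in a changed format
    # that the signature no longer matches, then starts sending data.
    datagrams = [b"PROXY1 hello", b"\x00\x01 hello", b"\x00\x02 data"]
    return [table.packet(flow, d) for d in datagrams]


if __name__ == "__main__":
    print("block :", simulate("block"))    # ['drop', 'pass', 'pass']
    print("tarpit:", simulate("tarpit"))   # ['drop', 'drop', 'drop']
```

With the application set to block, only the first datagram is dropped; the retry no longer matches the signature, is classified as a new "Unknown" session, and passes. With tarpit the verdict is pinned to the flow, so the retry and everything after it is dropped, which is why tarpit is the fallback when a signature has stopped matching.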
