About Application Control
Application Control leverages the Network Application Visibility Library (NAVL) from Procera Networks [1] to perform deep packet (DPI) and deep flow (DFI) inspection of network traffic. This allows the server to accurately identify thousands of today's common applications such as Social Networking, P2P, Instant Messaging, Video Streaming, File Sharing, Enterprise Applications, Web 2.0 and much more. For most common applications you can simply go the list on the Applications tab, check Block for anything you want to stop, then Application Control will take care of the rest. If you need a higher degree of control you can use the Rules tab to create custom rules which target more complex traffic patterns.
Settings
This section describes the different settings and configuration options available for Application Control.
Status
The Status tab displays a summary of traffic and configuration information. The Traffic Statistics section displays the total number of sessions that have been scanned, along with the number of those sessions that were allowed, flagged, or blocked. The Application Statistics section shows you the total number of applications that can be detected by the application, along with the number of those protocols that will be flagged and/or blocked. Rules Statistics allows you to quickly see how many custom rules you have configured, as well as how many of those rules are active.
Applications
The Applications tab is the primary and preferred way for using Application Control to manage network traffic. Simply find the application you want to target, and use the block and flag checkboxes as appropriate. You can sort the list on any of the columns displayed, which should help in finding and managing the protocols you want to target. Simply check Block to stop these applications or Flag to allow them, silently filing them as violations in the Reports. Use the following definitions to set up the Applications tab for your organization:
- Application: The unique identifier for the application.
- Block: Enable the checkbox to block the traffic. The session will be dropped if it is UDP and reset if it is TCP.
- Flag: Enable the checkbox to flag the traffic. It will be flagged as a violation in Reports.
- Tarpit: Enable the checkbox to tarpit the traffic. Tarpit is a special kind of blocking where the connection is kept open but the data is silently dropped. For TCP, this makes it appear to both the client and the server that the other party is receiving the data, but it is not responsive. For UDP, it is identical in behavior to block except the connection is kept open so the next packet will be dropped instead of recategorized as a new session.
- Name: The standard name for the application.
- Category: A fairly general and high level category for the application.
- Productivity: Productivity is best thought of as an index value between 1 and 5 that rates the potential for each application to improve or increase the overall productivity of your network users, assuming of course that listening to music and playing online games is not in their job description. So, applications with a low Productivity index (e.g. MySpace, Hulu, Zynga Games) can be expected to have a negative impact on productivity. Items with a high value (e.g. Active Directory, Network File System) can generally be viewed as critical for maintaining or improving productivity.
- Risk: Risk is another index value between 1 and 5 that rates the potential for each protocol or application to allow really nasty stuff onto your network. The higher the risk index, the greater the chance of letting in something that could be dangerous or destructive. So low risk items (e.g. Active Directory, Oracle, LDAP) are generally no cause for concern, while applications rated with a high risk (e.g. BitTorrent, Pando, Usenet) increase the possibility you'll find yourself spending long nights deleting pirated software and cleaning up viruses and other exploits that find their way into your infrastructure.
- Description: Provides a more detailed description for each application in the list. In some cases the description is much larger than will fit within the grid column, so you can click on any description to see a pop-up window with the full text displayed.
Rules
If the traffic you need to manage can't be handled via the Applications tab you can create custom rules that will allow you to analyze and control traffic based on much more complex patterns and conditions. For each session, the rules are only evaluated once after the classification engine has completed analysis of the traffic. The rules are then evaluated in order until the first match is found, at which point the configured action will be performed. If there are no matches the session will be tagged as allowed, the traffic will flow unimpeded, and no further analysis of that traffic will occur.
Important: These rules are evaluated once the classification engine has completed analysis. This usually occurs after a few packets have passed. This means the rules are useful because enough has been learned about the session that is not known at the session creation time to have powerful rules, such as HTTP information or protocol/application information. However, if the session does not reach a fully classified state or the session is reset/blocked before reaching a fully classified state, the rules are never evaluated (and thus have no effect.)
Anatomy of a Rule
An Application Control Rule is a standard rule as documented in the Rules documentation. We'll use one of the default rule entries for Ultrasurf to help explain how Rules work. This is exactly the kind of traffic that the Rules engine was created to seek and destroy. For this particular rule, the objective is to block all traffic that: a) uses port 443, b) looks like valid HTTPS traffic, and c) doesn't use a valid SSL certificate. To accomplish this, we created four matchers:
- The first matcher makes sure the rule only looks at TCP traffic.
- The second causes the rule to only look at traffic with a destination port of 443.
- The third matcher is where the real magic starts. In this case, we created Glob matcher that looks for the /SSL tag anywhere in the Application Control/ProtoChain. (Don't worry, we'll cover globs and chains below!)
- The fourth matcher is the frosting on the cake. We tell the rule to look at the Application Control/Detail parameter. This is where the server name from the SSL certificate will be located when an SSL encrypted session is detected. In this case we left the Value field empty, since we're looking for cases where there is no valid certificate.
Application Detail
The Detail field will contain different types of [#Is there a list of session properties? | information] depending on the protocols detected during session classification. For matcher conditions other than those listed below, the Detail field will be empty.
Matcher | Detail Contents | Example |
---|---|---|
Application: FBOOKAPP | The name of the Facebook Application that is being accessed. | wordswithfriends |
Application: HTTP | The contents of the Content-Type header in the session data coming from the server. | image/jpg |
ProtoChain: */SSL* | The server name extracted from the SSL certificate used to encrypt the session. | www.gmail.com |
Actions
- Allow: Allow the traffic.
- Block: Block the traffic using the standard mechanism of resetting both sides of the connection.
- Tarpit: Block the traffic via the tarpit mechanism. When this option is selected, instead of resetting the connection, traffic in both directions will simply be dropped into the bit bucket, but the session will remain active. This can be particularly effective for blocking traffic in cases where the disconnect from a standard block causes the offending application to quickly attempt to reconnect, such as Facebook.
Event Log
Use the following terms and definitions to understand the Event Logs:
Event Log
Name | Description |
---|---|
Timestamp | The time the event took place. |
Username | The Active Directory name of the user associated with the session. |
Client IP | The client IP address of the traffic. |
Client Port | The client port of the traffic. |
Server IP | The server IP address of the traffic. |
Server Port | The server port of the traffic. |
Application | The name of the detected protocol or application. (e.g. DNS, HTTP, GOOGLE) |
ProtoChain | The full hierarchy of protocols that were detected. (e.g. /TCP/HTTP/FACEBOOK/FBOOKAPP) |
Blocked | Indicator for blocked traffic. |
Flagged | Indicator for flagged traffic. |
Confidence | The degree of confidence in the application or protocol classification. A value of 50 indicates the classification was determined based on source and destination address and port information only. A value of 100 indicates the classification was determined using deep packet and deep flow inspection. |
Detail | Additional classification details. This field will contain different information depending on the Application that was detected.
|
Rule Event Log
Name | Description |
---|---|
Timestamp | The time the event took place. |
Username | The Active Directory name of the user associated with the session. |
Client IP | The client IP address of the traffic. |
Client Port | The client port of the traffic. |
Server IP | The server IP address of the traffic. |
Server Port | The server port of the traffic. |
Application | The name of the detected protocol or application. (e.g. DNS, HTTP, GOOGLE) |
Rule ID | |
ProtoChain | The full hierarchy of protocols that were detected. (e.g. /TCP/HTTP/FACEBOOK/FBOOKAPP) |
Blocked | Indicator for blocked traffic. |
Flagged | Indicator for flagged traffic. |
Confidence | The degree of confidence in the application or protocol classification. A value of 50 indicates the classification was determined based on source and destination address and port information only. A value of 100 indicates the classification was determined using deep packet and deep flow inspection. |
Detail | Additional classification details. This field will contain different information depending on the Application that was detected.
|
Related Topics
Application Control FAQs
How does Application Control work?
Application Control feeds each chunk of data to a classification engine as it passes through Untangle. The classification engine continues to analyze the traffic flow and keeps properties of the session, such as the Application property. Each time the classification of the Applicationproperty is updated, the Applications settings are checked to see if that application is allowed. If the application is set is blocked the session is reset, blocked or tarpit depending on your settings. If not, the process continues until the session reaches a fully classified state where the classification engine believes no more classification of the session is possible. At this point the Rules are evaluated and the session is ultimately blocked or passed based on the rules you've configured.
What's the difference between Application Control Lite and Application Control?
Application Control Lite runs simple regular expression signatures against the datastream. If a signature/regex matches the action is taken for that particular signature (log or block). Please do not go through the list of signatures and block what you "don't need"; these signatures are not exact matches and can have false positives.
Application Control classifies the attributes and metadata of packets to determine their type and operates on them once classified. False positives are very rare.
I'm already using the Firewall - isn't Application Control redundant?
The Firewall application works to block traffic by IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less than legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports. Application Control scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.
Should I use Block or Tarpit?
The block action resets the connection immediately - this is quick, straight-forward and the application will immediately know it has been disconnected. Unfortunately many applications are written to be very tolerant towards disconnects and even try alternate connection methods if it detects its getting blocked. In these cases tarpit can be a better option as it will leave the connection open but silently discard the data, making it much harder for the application to know it has been disconnected. The downside of this method is that it may make any false positives harder to troubleshoot.
Can sessions ever reach the fully classified state with confidence less than 100%?
Short lived sessions often die before they become fully classified, so it is not uncommon to see session in the event log with confidence less than 100%. Rarely, the classification engine might have no idea what a session is and considered it fully classified as nothing more will be learned. In this case it will consider the session fully classified but confidence will be less than 100%.
Is there a list of session properties?
Yes, please have a look at the table below:
Property | Description | Example 1 | Example 2 | Example 3 |
---|---|---|---|---|
Application | The name of the application creating the session, updated frequently until the session reaches a fully classified state. | GMAIL | BITTORRE | SSL |
ProtoChain | The stack (or chain) of protocols being leveraged by this session to communicate, updated frequently until the session reaches a fully classified state. | /IP/TCP/HTTP/GMAIL | /IP/UDP/BITTORRE | /IP/TCP/SSL |
Confidence | This is a percentage from 0%-100% that the confidence that the classification engine has correctly identified the Application and ProtoChain of the given session. Usually is 0, 50, or 100. | 100 | 50 | 100 |
Detail | This is a string that stores an application specific parameter. This varies depending on the application. For HTTP this often stores the content type. For SSL it stores the site name in the cert. etc. | www.wellsfargo.com |
Is there a list of all applications that can be scanned for?
An exhaustive list of applications and their description is available here.