Application Control Lite
About Application Control Lite
Application Control Lite blocks and logs well-known protocols entering or leaving your protected network. Unwanted protocols might include Peer-to-Peer, such as Gnutella, or Instant Messaging, such as AIM. Application Control Lite uses signatures to identify unwanted protocols on all ports. Many protocols, such as Instant Messaging and Peer-to-Peer, are difficult to block with a traditional firewall because of their "port hopping" behavior. If clients are blocked when they try to connect through their default port, they will connect over port 80 or port 25, which cannot be blocked without blocking web and e-mail traffic. Application Control Lite can identify this hopping behavior and act upon the traffic, whereas a static port block will not.
This section reviews the different settings and configuration options available for Application Control Lite.
The Status tab will show you current information on signatures Available, Logged and Blocked.
The Signatures tab allows you to block or log traffic that uses a specific protocol. Application Control Lite lists most well-known protocols. You can also log such traffic and have it reported in Reports if, for example, you want to determine whether anyone within the network is using a particular protocol such as file sharing. Often system administrators know that their network is slow due to user activity, but don't know what type of network activity is slowing it down. If this applies to you, Untangle recommends that you first log all protocols, then review the Application Control Lite report to determine which protocols cause poor network performance. BitTorrent is frequently a culprit.
If you want to block a protocol, check Block; traffic will be blocked whenever the signature's regular expression matches it. Selecting Log allows the traffic to flow, but it will be logged as a violation in Reports. Please remember that these signatures are not exact matches and can have false positives, so please do not go through the list and block protocols you "don't need".
Use the following terms and definitions to understand the Event Log:
| Field | Description |
|---|---|
| Timestamp | The time the event took place. |
| Client | The IP address of the client that made the request. |
| Username | The username of the client that made the request, if available. |
| Protocol | The protocol associated with this event. |
| Blocked | True if the site was blocked, false if it was not. |
| Server | The IP address of the server that received the request. |
Application Control Lite FAQs
Is Application Control Lite based on an open source project?
Yes, Application Control Lite is based on L7-filter.
What's the difference between Application Control and Application Control Lite?
Application Control classifies the attributes and metadata of packets to determine their type and operates on them once classified. False positives are very rare.
Application Control Lite runs simple regular expression signatures against the datastream. If a signature matches the traffic, the chosen action is taken for that particular signature. These signatures are not exact matches and can have false positives.
I've already installed the Firewall. Isn't Application Control Lite redundant?
The Firewall application works to block traffic by IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less than legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports. Application Control Lite scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.
How do I add a protocol to Application Control Lite?
Application Control Lite provides numerous default protocols that you can block; however, if one isn't listed, you can add it. To add a protocol, you must provide Application Control Lite with the protocol's signature. To determine the signature, you must analyze the packets, and this process can be tricky. More information is available at the L7-filter site. Please be aware that not all protocols can be blocked because some protocol designers hide the signature (for example, Skype).
What happens if I set a protocol to block?
A few things could happen:
- It will block the protocol completely.
- It will only partially block the protocol (many multi-session protocols only have some sessions identified).
- It will block the protocol and block other things too (false positives).
- It will block the protocol and the application will adapt and use an alternative protocol to communicate.
Please be aware of these possible results and be sure to do some testing when using or adding specific rules.
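The testing recommended above can be done offline before a signature is set to Block. The following is an added example, not Untangle's or L7-filter's own code: it runs regular-expression signatures against the first bytes of a session without consulting the port, then scores each signature against labelled samples. The signature patterns, sample payloads and the `recommended_action` policy are constructed assumptions for illustration.

```python
import re

# Constructed, simplified signatures in the style of L7-filter patterns
# (assumption: these are NOT the patterns shipped with Application Control Lite).
SIGNATURES = {
    "bittorrent-strict": re.compile(rb"^\x13bittorrent protocol", re.I),
    "bittorrent-loose": re.compile(rb"bittorrent", re.I),
    "gnutella": re.compile(rb"^gnutella connect/[012]\.[0-9]\r\n", re.I),
}

# Constructed samples: (label, destination port, true protocol, first payload bytes).
SAMPLES = [
    ("bt-default", 6881, "bittorrent", b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("bt-hopped", 80, "bittorrent", b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("gnutella-hopped", 25, "gnutella", b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n"),
    ("web-article", 80, "http",
     b"GET /news/bittorrent-explained HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("plain-web", 80, "http", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

def classify(payload, signatures=SIGNATURES):
    """Return the names of all signatures matching the payload; the port is never used."""
    return sorted(name for name, rx in signatures.items() if rx.search(payload))

def evaluate(name, target, samples=SAMPLES):
    """Score one signature against labelled samples: hits, misses, false positives."""
    rx = SIGNATURES[name]
    result = {"hits": [], "missed": [], "false_positives": []}
    for label, _port, proto, payload in samples:
        matched = bool(rx.search(payload))
        if matched and proto == target:
            result["hits"].append(label)
        elif matched:
            result["false_positives"].append(label)
        elif proto == target:
            result["missed"].append(label)
    return result

def recommended_action(name, target):
    """Example policy: Block only if the samples show no collateral matches, else Log."""
    r = evaluate(name, target)
    return "block" if r["hits"] and not r["false_positives"] else "log"

if __name__ == "__main__":
    for sig, target in [("bittorrent-strict", "bittorrent"),
                        ("bittorrent-loose", "bittorrent"),
                        ("gnutella", "gnutella")]:
        print(sig, evaluate(sig, target), "->", recommended_action(sig, target))
```

The loose signature catches the same BitTorrent sessions as the strict one but also matches an ordinary web request that merely mentions the word, which is the kind of false positive that should keep a signature on Log rather than Block.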
I want to block a file sharing protocol for some of my users but not all. How can I do this with Application Control Lite?
Application Control Lite cannot, by itself, filter for some machines and not others. You can use Policy Manager to create a new rack, send specific users to the new rack, then configure Application Control Lite in that rack as you see fit for those users.