Application Control Lite
From UntangleWiki
About Application Control Lite
Application Control Lite uses an open-source tool, L7-filter. Application Control Lite blocks and logs well-known protocols from entering or leaving your protected network. Unwanted protocols might include Peer-to-Peer (P2P), such as BitTorrent, and Instant Messaging, such as AOL Instant Messenger. You might also want to block users from playing some video games and from streaming media.
Application Control Lite blocks unwanted protocols on any port. However, you must specify which protocols that you want Application Control Lite to block and log. By default Application Control Lite does not block any protocols; it simply logs Instant Messaging protocols.
Application Control Lite uses signatures to identify unwanted protocols on all ports. Many protocols, such as Instant Messaging and Peer-to-Peer, are difficult to block with a traditional firewall because of their "port hopping" behavior. If clients are blocked after trying to connect through their default port, they will connect over port 80 or port 25. Port 80 and port 25 cannot be blocked without blocking Web and e-mail traffic. Application Control Lite can identify this hopping behavior, and log and block the connections.
If Application Control Lite does not support a protocol that you want to block, you can use the Untangle Server's user interface to create custom new rules to block unsupported protocols. However, not all protocols can be blocked because some protocol designers hide the protocol's signature (for example, Skype).
Settings
This section reviews the different settings and configuration options available for Application Control Lite.
Protocol List
You can choose to block traffic that uses a specific protocol from either entering or leaving your protected network. Application Control Lite lists most well-known protocols. You can also log such traffic in the Application Control Lite Event Log and have it reported in Reports if, for example, you want to determine if anyone within the network is using a particular protocol such as file sharing.
Often System Administrators know that their network is slow due to user activity, but don't know what type of network activity is slowing down their network. If this applies to you, Untangle recommends that you first log all protocols, then review the Application Control Lite report to determine which protocols cause poor network performance. BitTorrent is frequently the culprit.
Caution: As with most Untangle Server software products, you can create your own Application Control Lite entries. However, configuring regular expressions to match Internet protocols is an advanced topic. If you create a new entry set to Block and your expression contains errors, legitimate traffic will be blocked.
To block or log a protocol:
- From Application Control Lite, click the Show Settings button.
- Click the Protocol List tab.
- Select the row that corresponds to the protocol that you want to block, and select either the block checkbox, log checkbox or both.
- Click either the OK or Apply button.
Event Log
Use the following terms and definitions to understand the Application Control Lite Event Log:
- timestamp: The time the event took place.
- action: The action that was taken on the traffic. Valid values are block and pass.
- client: The client IP address of the traffic.
- request: The protocol of the traffic.
- reason for action: The rule that was applied to the traffic.
- server: The intended server IP address of the traffic.
Related Topics
Application Control Lite FAQs
How do I use Application Control Lite?
Application Control Lite runs simple regular expression signatures against the datastream. If a signature/regex matches, the action configured for that particular signature (log or block) is taken. Please do not go through the list of signatures and block what you "don't need"; these signatures are not exact matches and can have false positives.
What happens if I set a protocol to block?
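To make the two points above concrete (signatures matched on the datastream regardless of port, and loose signatures producing false positives), here is an added Python illustration that is not part of the wiki page or of L7-filter's own code. The signatures, IP addresses and session bytes are constructed for the example; only the BitTorrent handshake prefix (the byte 0x13 followed by "BitTorrent protocol") reflects the real protocol.

```python
import re

# Constructed signatures in the L7-filter style: a regex run over the first bytes
# of a session's application data, independent of the TCP/UDP port. These are
# illustrative and are not the signatures that ship with Application Control Lite.
SIGNATURES = [
    # BitTorrent peer handshake: byte 0x13 followed by "BitTorrent protocol".
    {"name": "bittorrent", "regex": rb"^\x13bittorrent protocol", "action": "block"},
    # Deliberately loose "IM" signature: fires on any payload containing "msg",
    # which also matches ordinary HTTP requests (a false positive).
    {"name": "loose-im", "regex": rb"msg", "action": "log"},
]

COMPILED = [(s["name"], re.compile(s["regex"], re.IGNORECASE | re.DOTALL), s["action"])
            for s in SIGNATURES]


def classify(payload: bytes, max_bytes: int = 2048):
    """Return (request, action) for the first signature matching the session's
    leading application bytes, or ("unknown", "pass") if none matches."""
    head = payload[:max_bytes]
    for name, rx, action in COMPILED:
        if rx.search(head):
            return name, action
    return "unknown", "pass"


# Constructed sample sessions: (client, server, destination port, first bytes of data).
SESSIONS = [
    ("10.0.0.5", "203.0.113.9", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    # Port hopping: the same handshake sent to port 80, which a port-based rule would pass.
    ("10.0.0.5", "203.0.113.9", 80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    ("10.0.0.7", "198.51.100.2", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # False positive: a plain web request whose query string happens to contain "msg".
    ("10.0.0.7", "198.51.100.2", 80, b"GET /inbox?msg=42 HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def event_log(sessions):
    """Build Event Log style rows (client, server, request, action) for each session."""
    rows = []
    for client, server, port, data in sessions:
        request, action = classify(data)
        rows.append({"client": client, "server": server, "port": port,
                     "request": request, "action": action})
    return rows


if __name__ == "__main__":
    for row in event_log(SESSIONS):
        print(row)
```

Running it shows the handshake classified as bittorrent on both port 6881 and port 80, and the harmless /inbox request logged as loose-im, which is why the FAQ warns against blocking signatures wholesale.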
A few things could happen:
- It will block the protocol completely
- It will only partially block the protocol (many multi-session protocols only have some sessions identified)
- It will block the protocol and block other things too (false positives)
- It will block the protocol and the application will adapt and use an alternative protocol to communicate
Please be aware of these results and be sure to do some testing when using or adding specific rules.
How do I add a protocol to Application Control Lite?
Application Control Lite provides numerous default protocols that you can block, but if you want to block a protocol that Application Control Lite doesn't list, you must add that protocol. To add a protocol you must provide Application Control Lite the protocol's signature. To determine the signature, you must analyze the packets, and this process can be tricky. Contact Untangle Technical Support to request the signature.
I've already installed the Firewall. Isn't Application Control Lite redundant?
The Firewall application works to block traffic for IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. However, less legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports.
Application Control Lite scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.
I want to block a file sharing protocol for some of my users but not all. How can I do this with Application Control Lite?
Application Control Lite cannot by itself filter for some machines and not others. However, you can create new Policies and Virtual Racks (see Policy Management) to partition your users so that some pass through an Application Control Lite instance with the file sharing protocol blocked and others do not.