Application Control FAQs

From Edge Threat Management Wiki - Arista
Revision as of 22:04, 2 March 2015 by Dmorris (talk | contribs)

What's the difference between Application Control Lite and Application Control?

Application Control Lite runs simple regular expression signatures against the data stream. If a signature/regex matches, the action configured for that particular signature (log or block) is taken. Please do not go through the list of signatures and block everything you "don't need": these signatures are not exact matches and can produce false positives.

Application Control classifies sessions from the attributes and metadata of their packets to determine the application and protocol in use, and acts on them once they are classified. False positives are very rare.

I'm already using the Firewall - isn't Application Control redundant?

The Firewall application blocks traffic by IP address and/or port. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less legitimate applications may use different ports, and malicious users may deliberately run unwanted services on obscure ports. Application Control scans all traffic, looking for a match even if the traffic was not carried on the expected port for that protocol.

Should I use Block or Tarpit?

The block action resets the connection immediately. This is quick and straightforward, and the application will immediately know it has been disconnected. Unfortunately many applications are written to be very tolerant of disconnects and will even try alternate connection methods if they detect they are being blocked. In these cases tarpit can be a better option: it leaves the connection open but silently discards the data, making it much harder for the application to know it has been blocked. The downside of this method is that it can make any false positives harder to troubleshoot, because the affected connection simply hangs instead of failing.

Can sessions ever reach the fully classified state with confidence less than 100%?

Short-lived sessions often end before they become fully classified, so it is not uncommon to see sessions in the event log with confidence less than 100%. Rarely, the classification engine has no idea what a session is and, because nothing more will be learned from it, considers it fully classified anyway. In this case the session is marked fully classified but its confidence is less than 100%.

Is there a list of session properties?

Yes, please have a look at the table below:

Property: Application
  Description: The name of the application creating the session, updated frequently until the session reaches the fully classified state.
  Examples: GMAIL, BITTORRE, SSL

Property: ProtoChain
  Description: The stack (or chain) of protocols this session uses to communicate, updated frequently until the session reaches the fully classified state.
  Examples: /IP/TCP/HTTP/GMAIL, /IP/UDP/BITTORRE, /IP/TCP/SSL

Property: Confidence
  Description: A percentage from 0% to 100% expressing how confident the classification engine is that it has correctly identified the Application and ProtoChain of the session. Usually 0, 50 or 100.
  Examples: 100, 50, 100

Property: Detail
  Description: A string holding an application-specific parameter; what it contains varies by application. For HTTP this is often the content type; for SSL it is the site name in the certificate.
  Examples: (application-specific)
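The following is an added illustration, not Untangle/Arista code, tying together the three points above: a port-only lookup (what the Firewall application can see), Lite-style regex signatures run over the raw stream (and the false positive they can produce), and a content-based classifier that fills in the Application, ProtoChain, Confidence and Detail properties from the table, including a short-lived session that stops at 50% and an unrecognised session that is marked fully classified with confidence below 100%. The signatures, port mapping, confidence thresholds and sample payloads are all constructed for the example and are not the product's real signature list or engine logic.

```python
"""Added illustration (not Untangle code): port-based lookup, Lite-style regex
signatures, and content-based classification filling in the Application,
ProtoChain, Confidence and Detail session properties. Sample payloads are
constructed inline; names, mappings and thresholds are assumptions."""
import re
import struct
from dataclasses import dataclass

# Hypothetical Lite-style signatures: plain regexes searched anywhere in the stream.
LITE_SIGNATURES = {
    "BITTORRE": re.compile(rb"BitTorrent protocol"),
    "HTTP": re.compile(rb"HTTP/1\.[01]"),
}

# What a port-only firewall rule can "know" about a session (assumed mapping).
WELL_KNOWN_PORTS = {("TCP", 80): "HTTP", ("TCP", 443): "SSL", ("TCP", 25): "SMTP"}


@dataclass
class Session:
    proto: str                  # transport protocol, "TCP" or "UDP"
    port: int                   # server port
    payload: bytes              # bytes seen so far on the session
    application: str = "UNKNOWN"
    protochain: str = ""
    confidence: int = 0         # 0, 50 or 100, as on this page
    detail: str = ""
    fully_classified: bool = False


def port_lookup(s: Session) -> str:
    """Port-based identification: right for well-behaved services, blind otherwise."""
    return WELL_KNOWN_PORTS.get((s.proto, s.port), "UNKNOWN")


def lite_match(payload: bytes) -> list:
    """Application Control Lite style: every signature whose regex occurs anywhere."""
    return sorted(name for name, rx in LITE_SIGNATURES.items() if rx.search(payload))


def build_client_hello(hostname: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (test data)."""
    name_list = b"\x00" + struct.pack(">H", len(hostname)) + hostname  # type 0 = host_name
    sni = struct.pack(">H", len(name_list)) + name_list
    ext = struct.pack(">HH", 0, len(sni)) + sni                        # extension 0 = SNI
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + b"\x00\x02\x13\x01"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def sni_from_client_hello(data: bytes):
    """SNI host name from a complete ClientHello; "" if none, None if truncated/not a ClientHello."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        p += 1 + data[p]                                    # session id
        p += 2 + struct.unpack(">H", data[p:p + 2])[0]      # cipher suites
        p += 1 + data[p]                                    # compression methods
        end = p + 2 + struct.unpack(">H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", data[p:p + 4])
            p += 4
            if etype == 0:                                  # list len(2), type(1), len(2), name
                n = struct.unpack(">H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + n].decode("ascii")
            p += elen
        return ""
    except (IndexError, struct.error):
        return None


def classify(s: Session) -> Session:
    """Content-based classification; confidence rises as more of the session is seen."""
    s.protochain = f"/IP/{s.proto}"
    d = s.payload
    if d.startswith(b"\x13BitTorrent protocol"):           # BitTorrent peer handshake
        s.application, s.confidence, s.fully_classified = "BITTORRE", 100, True
    elif len(d) >= 2 and d[0] == 0x16 and d[1] == 0x03:    # TLS handshake record
        s.application = "SSL"
        sni = sni_from_client_hello(d)
        if sni is None:                                     # record seen, ClientHello incomplete
            s.confidence = 50
        else:
            s.confidence, s.fully_classified, s.detail = 100, True, sni
    elif re.match(rb"(?:(?:GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]|HTTP/1\.[01] \d{3} )", d):
        s.application = "HTTP"
        head, sep, _ = d.partition(b"\r\n\r\n")
        if sep:                                             # all headers present
            m = re.search(rb"\r\nContent-Type: ([^\r\n]+)", head, re.I)
            s.detail = m.group(1).decode("ascii") if m else ""
            s.confidence, s.fully_classified = 100, True
        else:
            s.confidence = 50
    elif len(d) >= 64:
        s.fully_classified = True   # enough seen to know nothing more will be learned; confidence stays low
    if s.application != "UNKNOWN":
        s.protochain += "/" + s.application
    return s


# Constructed sample sessions (not captured traffic).
SAMPLES = {
    "http_on_8080": Session("TCP", 8080, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    "bt_on_443": Session("TCP", 443, b"\x13BitTorrent protocol" + bytes(8) + b"I" * 20 + b"P" * 20),
    "tls_on_8443": Session("TCP", 8443, build_client_hello(b"mail.google.com")),
    "page_about_bt": Session("TCP", 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                                        b"<p>The BitTorrent protocol uses port 6881.</p>"),
    "died_early": Session("TCP", 443, b"\x16\x03\x01\x02"),
    "unknown_udp": Session("UDP", 51413, bytes(range(64))),
}

if __name__ == "__main__":
    for name, s in SAMPLES.items():
        classify(s)
        print(f"{name:14} port={port_lookup(s):7} lite={lite_match(s.payload)} app={s.application} "
              f"chain={s.protochain} conf={s.confidence} detail={s.detail!r} final={s.fully_classified}")
```

Running it shows why the page warns against blocking Lite signatures wholesale: the web page that merely mentions the BitTorrent protocol trips the BITTORRE regex, while the content-based classifier reports it as /IP/TCP/HTTP with Detail "text/html". It also shows HTTP on 8080 and BitTorrent on 443, which the port lookup mislabels as UNKNOWN and SSL, and a TLS session whose Detail is the SNI host name rather than the certificate name the real product records.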

Is there a list of all applications that can be scanned for?

An exhaustive list of applications and their description is available here.

How can I allow an individual user to use a blocked/tarpitted application?

You will need to use the Policy Manager to set up a different policy/rack, with its own Application Control configuration, for that user's traffic.