Application Control FAQ
Table of Contents
Click an item to jump directly to that question.
- What's the difference between Application Control Lite and Application Control?
- Is there a list of all applications that can be scanned for?
- Can sessions ever reach the fully classified state with confidence less than 100%?
- Should I use block or tarpit?
- I'm already using the Firewall - isn't Application Control redundant?
- How does Application Control work?
1. What's the difference between Application Control Lite and Application Control?
Application Control Lite runs simple regular expression signatures against the datastream. If a signature/regex matches the action is taken for that particular signature (log or block). Please do not go through the list of signatures and block what you "don't need"; these signatures are not exact matches and can have false positives.
Application Control classifies the attributes and metadata of packets to determine their type and operates on them once classified. False positives are very rare.
2. Is there a list of all applications that can be scanned for?
An exhaustive list of applications and their descriptions is available here.
3. Can sessions ever reach the fully classified state with confidence less than 100%?
Short-lived sessions often die before they become fully classified, so it is not uncommon to see session in the event log with confidence less than 100%. Rarely, the classification engine might have no idea what a session is and considered it fully classified as nothing more will be learned. In this case it will consider the session fully classified but confidence will be less than 100%.
4. Should I use block or tarpit?
The block action resets the connection immediately - this is quick, straight-forward and the application will immediately know it has been disconnected. Unfortunately, many applications are written to be very tolerant towards disconnects and even try alternate connection methods if it detects it's getting blocked. In these cases tarpit can be a better option as it will leave the connection open but silently discard the data, making it much harder for the application to know it has been disconnected. The downside of this method is that it may make any false positives harder to troubleshoot.
5. I'm already using the Firewall - isn't Application Control redundant?
The Firewall application works to block traffic by IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less-than-legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports. Application Control scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.
6. How does Application Control work?
Application Control feeds each chunk of data to a classification engine as it passes through NG Firewall. The classification engine continues to analyze the traffic flow and keeps properties of the session, such as the Application property. Each time the classification of the Application property is updated, the Applications settings are checked to see if that application is allowed. If the application property has an action type (block or tarpit), that action is taken. If not, the process continues until the session reaches a fully-classified state where the classification engine believes no more classification of the session is possible. At this point the Rules are evaluated and the session is ultimately blocked or passed based on the rules you've configured.
Please sign in to leave a comment.