Application Control

From Edge Threat Management Wiki - Arista


About Application Control

Application Control leverages the Network Application Visibility Library (NAVL) from Procera Networks [1] to perform deep packet inspection (DPI) and deep flow inspection (DFI) of network traffic. This allows the server to accurately identify thousands of today's common applications such as Social Networking, P2P, Instant Messaging, Video Streaming, File Sharing, Enterprise Applications, Web 2.0 and much more. For most common applications you can simply go to the list on the Applications tab, check Block for anything you want to stop, and Application Control will take care of the rest. If you need a higher degree of control you can use the Rules tab to create custom rules which target more complex traffic patterns.

How It Works

Application Control feeds each chunk of data to a classification engine as it passes through the application. The classification engine continues to analyze the traffic flow and keeps properties of the session, such as the Application property. Each time the classification of the Application property is updated, the Applications settings are checked to see if that application is allowed. If the application is configured to be blocked in the settings the data is blocked. If not, the process continues until the session reaches a fully classified state where the classification engine believes no more classification of the session is possible. At this point the Rules are evaluated and the session is ultimately blocked or passed based on the rules you've configured.


This section describes the different settings and configuration options available for Application Control.


The Status tab displays a summary of traffic and configuration information. The Traffic Statistics section displays the total number of sessions that have been scanned, along with the number of those sessions that were allowed, flagged, or blocked. The Application Statistics section shows you the total number of applications that can be detected by the application, along with the number of those protocols that will be flagged and/or blocked. Rules Statistics allows you to quickly see how many custom rules you have configured, as well as how many of those rules are active.


The Applications tab is the primary and preferred way for using Application Control to manage network traffic. Simply find the application you want to target, and use the block and flag checkboxes as appropriate. You can sort the list on any of the columns displayed, which should help in finding and managing the protocols you want to target. Simply check Block to stop these applications or Flag to allow them, silently filing them as violations in the Reports. Use the following definitions to set up the Applications tab for your organization:

  • Application: The unique identifier for the application.
  • Block: Enable this checkbox to block/reset sessions of this application. For TCP this will actively reset the connection. For UDP it will drop the packet and kill the session.
  • Tarpit: Enable this checkbox to block/tarpit sessions of this application. For TCP, this makes it appear to both the client and the server that the other party is receiving the data, but it is not responsive. It silently drops the data. For UDP, it is identical in behavior to block except the connection is kept open so the next packet will be dropped instead of recategorized as a new session.
  • Flag: Enable the checkbox to flag the traffic. It will be flagged as a violation in Reports.
  • Name: The standard name for the application.
  • Category: A fairly general and high level category for the application.
  • Productivity: Productivity is best thought of as an index value between 1 and 5 that rates the potential for each application to improve or increase the overall productivity of your network users, assuming of course that listening to music and playing online games is not in their job description. So, applications with a low Productivity index (e.g. MySpace, Hulu, Zynga Games) can be expected to have a negative impact on productivity. Items with a high value (e.g. Active Directory, Network File System) can generally be viewed as critical for maintaining or improving productivity.
  • Risk: Risk is another index value between 1 and 5 that rates the potential for each protocol or application to allow really nasty stuff onto your network. The higher the risk index, the greater the chance of letting in something that could be dangerous or destructive. So low risk items (e.g. Active Directory, Oracle, LDAP) are generally no cause for concern, while applications rated with a high risk (e.g. BitTorrent, Pando, Usenet) increase the possibility you'll find yourself spending long nights deleting pirated software and cleaning up viruses and other exploits that find their way into your infrastructure.
  • Description: Provides a more detailed description for each application in the list. In some cases the description is much larger than will fit within the grid column, so you can click on any description to see a pop-up window with the full text displayed.


If the traffic you need to manage can't be handled via the Applications tab you can create custom rules that will allow you to analyze and control traffic based on much more complex patterns and conditions. For each session, the rules are only evaluated once after the classification engine has completed analysis of the traffic. The rules are then evaluated in order until the first match is found, at which point the configured action will be performed. If there are no matches the session will be tagged as allowed, the traffic will flow unimpeded, and no further analysis of that traffic will occur.

IMPORTANT: These rules are evaluated when the classification engine has completed all analysis. This usually occurs after a few packets have passed. This is what makes the rules powerful: by the time they run, the engine has learned things about the session that are not known at session creation time, such as HTTP information or protocol/application information. If the full classification is not completed after 15 chunks of data, then the rules are evaluated given the current information.

If an application is blocked or tarpitted in the Applications tab, it will be blocked immediately when it is identified, before the engine has completed analysis. In this case, the rules will have NO EFFECT because the session is blocked before the rules are evaluated.

Application Control Rules provide a very powerful feature that can be used to control application usage. However, understanding how and when the rules are evaluated is essential in their usage.

Anatomy of a Rule

An Application Control Rule is a standard rule as documented in the Rules documentation. We'll use one of the default rule entries for Ultrasurf to help explain how Rules work. This is exactly the kind of traffic that the Rules engine was created to seek and destroy. For this particular rule, the objective is to block all traffic that: a) uses port 443, b) looks like valid HTTPS traffic, and c) doesn't use a valid SSL certificate. To accomplish this, we created four matchers:

  1. The first matcher makes sure the rule only looks at TCP traffic.
  2. The second causes the rule to only look at traffic with a destination port of 443.
  3. The third matcher is where the real magic starts. In this case, we created a Glob matcher that looks for the /SSL tag anywhere in the Application Control/ProtoChain. (Don't worry, we'll cover globs and chains below!)
  4. The fourth matcher is the frosting on the cake. We tell the rule to look at the Application Control/Detail parameter. This is where the server name from the SSL certificate will be located when an SSL encrypted session is detected. In this case we left the Value field empty, since we're looking for cases where there is no valid certificate.
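
The evaluation order described above (Applications tab checked on every classification update, rules run once at full classification or after 15 chunks, first match wins, default allow), modelled together with the Ultrasurf rule's four matchers. This is an added example, not Arista's code; the field names, the sample sessions, and the use of Python's fnmatch for glob matching are assumptions.

```python
from fnmatch import fnmatchcase

MAX_CHUNKS = 15  # from the page: rules run after 15 chunks even if not fully classified

# The default Ultrasurf rule described above, written as its four matchers.
ULTRASURF_RULE = {"action": "block", "matchers": [
    ("protocol", "TCP"),
    ("dst_port", 443),
    ("protochain", "*/SSL*"),  # glob matcher; fnmatch is a stand-in for the product's globs
    ("detail", ""),            # empty Detail: no server name was taken from a certificate
]}

def rule_matches(rule, session):
    """A rule matches only if every one of its matchers matches."""
    for field, want in rule["matchers"]:
        have = session.get(field, "")
        ok = fnmatchcase(have, want) if field == "protochain" else have == want
        if not ok:
            return False
    return True

def evaluate(meta, updates, blocked_apps, rules):
    """updates: one (application, protochain, detail, fully_classified) tuple per chunk."""
    session = dict(meta)
    for n, (app, chain, detail, done) in enumerate(updates, start=1):
        session.update(application=app, protochain=chain, detail=detail)
        # The Applications tab is checked on every classification update, before any rule.
        if app in blocked_apps:
            return ("block", f"applications tab, chunk {n}")
        # Rules run once: at full classification, or at the 15-chunk limit.
        if done or n >= MAX_CHUNKS:
            for i, rule in enumerate(rules):
                if rule_matches(rule, session):
                    return (rule["action"], f"rule {i}, chunk {n}")  # first match wins
            return ("allow", f"no rule matched, chunk {n}")
    # Modelling assumption: a session that ends early never reaches rule evaluation.
    return ("allow", "rules never evaluated")

# Constructed sample sessions (not captured traffic).
HTTPS = {"protocol": "TCP", "dst_port": 443}
NO_CERT = [("SSL", "/IP/TCP/SSL", "", True)]
WITH_CERT = [("SSL", "/IP/TCP/SSL", "", False),
             ("SSL", "/IP/TCP/SSL", "www.example.test", True)]
P2P = [("BITTORRE", "/IP/UDP/BITTORRE", "", True)]
ALLOW_P2P = {"action": "allow", "matchers": [("application", "BITTORRE")]}

if __name__ == "__main__":
    print(evaluate(HTTPS, NO_CERT, set(), [ULTRASURF_RULE]))
    print(evaluate(HTTPS, WITH_CERT, set(), [ULTRASURF_RULE]))
    print(evaluate({"protocol": "UDP", "dst_port": 6881}, P2P, {"BITTORRE"}, [ALLOW_P2P]))
```

In the WITH_CERT session the Detail field is still empty at the first chunk and only carries the server name once classification completes, which is why the rule is not evaluated earlier. The third call shows an Applications tab block taking effect before an allow rule is ever consulted.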

Application Detail

The Detail field will contain different types of information depending on the protocols detected during session classification. For matcher conditions other than those listed below, the Detail field will be empty.

| Matcher | Detail Contents | Example |
|---|---|---|
| Application: FBOOKAPP | The name of the Facebook Application that is being accessed. | wordswithfriends |
| Application: HTTP | The contents of the Content-Type header in the session data coming from the server. | image/jpg |
| ProtoChain: */SSL* | The server name extracted from the SSL certificate used to encrypt the session. | |


  • Allow: Allow the traffic.
  • Block: When this option is selected, traffic in both directions will be silently dropped, but the session will remain active.


The Reports tab provides a view of all reports and events for all traffic handled by Application Control.


This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further defined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained on the Current Data window on the right.

Pre-defined report queries:

The tables queried to render these reports:

Related Topics

Application Control Lite

Application Control FAQs

What's the difference between Application Control Lite and Application Control?

Application Control Lite runs simple regular expression signatures against the datastream. If a signature/regex matches the action is taken for that particular signature (log or block). Please do not go through the list of signatures and block what you "don't need"; these signatures are not exact matches and can have false positives.

Application Control classifies the attributes and metadata of packets to determine their type and operates on them once classified. False positives are very rare.

I'm already using the Firewall - isn't Application Control redundant?

The Firewall application works to block traffic by IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less than legitimate applications may use different ports, or malicious users may deliberately use unwanted services on obscure ports. Application Control scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.

When should I use block vs tarpit?

Generally you want to tarpit applications that are hard to block or may attempt to circumvent blocking. Block will reset TCP connections so the client knows immediately the session has been reset. Tarpit will acknowledge the receipt of the data but not send the data so it is silently dropped. For blocking web applications in a browser, block is usually better as tarpit will cause the browser to hang as it waits for data which can cause issues for the user. However, other applications that attempt to detect and circumvent blocking will detect being blocked and attempt alternative methods. For applications like these, tarpit is much more effective at actually stopping and/or interfering with the application.

Can sessions ever reach the fully classified state with confidence less than 100%?

Short-lived sessions often die before they become fully classified, so it is not uncommon to see sessions in the event log with confidence less than 100%. Rarely, the classification engine might have no idea what a session is and conclude that nothing more will be learned. In this case it will consider the session fully classified, but confidence will be less than 100%.

What are the application properties of a session?

The session properties are listed in the table below:

| Property | Description | Example 1 | Example 2 | Example 3 |
|---|---|---|---|---|
| Application | The name of the application creating the session, updated frequently until the session reaches a fully classified state. | GMAIL | BITTORRE | SSL |
| ProtoChain | The stack (or chain) of protocols being leveraged by this session to communicate, updated frequently until the session reaches a fully classified state. | /IP/TCP/HTTP/GMAIL | /IP/UDP/BITTORRE | /IP/TCP/SSL |
| Confidence | A percentage from 0% to 100% expressing the classification engine's confidence that it has correctly identified the Application and ProtoChain of the given session. Usually 0, 50, or 100. | 100 | 50 | 100 |
| Detail | A string that stores an application-specific parameter. This varies depending on the application. For HTTP this often stores the content type. For SSL it stores the site name in the cert, etc. | | | |

Is there a list of all applications that can be scanned for?

An exhaustive list of applications and their description is available here.

How can I allow an individual user to use a blocked application?

You will need to use the Policy Manager to setup a different policy/rack and configuration for that user's traffic.