Application Control FAQs

From Edge Threat Management Wiki - Arista

What's the difference between Application Control Lite and Application Control?

Application Control Lite runs simple regular expression signatures against the datastream. If a signature/regex matches, the action configured for that particular signature (log or block) is taken. Please do not go through the list of signatures and block what you "don't need"; these signatures are not exact matches and can have false positives.

Application Control classifies the attributes and metadata of packets to determine their type and operates on them once classified. False positives are very rare.

I'm already using the Firewall - isn't Application Control redundant?

The Firewall application works to block traffic by IP addresses and/or ports. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less-than-legitimate applications may use different ports, or malicious users may deliberately run unwanted services on obscure ports. Application Control scans all traffic, looking for a match even if traffic was not transported across the expected port for that protocol.

When should I use block vs tarpit?

Generally you want to tarpit applications that are hard to block or may attempt to circumvent blocking. Block will reset TCP connections so the client knows immediately the session has been reset. Tarpit will acknowledge the receipt of the data but not send the data so it is silently dropped. For blocking web applications in a browser, block is usually better as tarpit will cause the browser to hang as it waits for data which can cause issues for the user. However, other applications that attempt to detect and circumvent blocking will detect being blocked and attempt alternative methods. For applications like these, tarpit is much more effective at actually stopping and/or interfering with the application.
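The difference between the two actions described above can be seen on a loopback connection. The following is an added example written for this FAQ, not code from the Arista/Edge Threat Management product: a tiny local server accepts one connection and then either "blocks" (closes with SO_LINGER set to zero, so the kernel sends a TCP RST instead of a FIN) or "tarpits" (reads the client's data, which the kernel acknowledges, and never replies). The client observes the two behaviours the FAQ describes: an immediate connection reset versus a hang until its own timeout fires. Function and variable names are the example's own.

```python
import socket
import struct
import threading
import time


def _serve_once(mode, ready, port_holder):
    """Accept one TCP connection on 127.0.0.1 and apply `mode` ("block" or "tarpit")."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port_holder.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    conn.settimeout(5)
    conn.recv(1024)                     # the client's data is ACKed by the kernel here
    if mode == "block":
        # SO_LINGER with a zero timeout makes close() send RST rather than FIN,
        # so the client learns immediately that the session was torn down.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
    else:
        # Tarpit: data was acknowledged but nothing is ever sent back.
        time.sleep(3)
        conn.close()
    srv.close()


def client_outcome(mode, timeout=1.0):
    """Connect to a one-shot server in `mode`, send a request and report what the client sees."""
    ready = threading.Event()
    port = []
    threading.Thread(target=_serve_once, args=(mode, ready, port), daemon=True).start()
    ready.wait()
    client = socket.create_connection(("127.0.0.1", port[0]))
    client.settimeout(timeout)
    client.sendall(b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n")  # constructed request
    try:
        data = client.recv(1024)
        return "data" if data else "closed"
    except ConnectionResetError:
        return "reset"       # block: RST arrived, the client fails fast
    except socket.timeout:
        return "timeout"     # tarpit: the client hangs waiting for a reply
    finally:
        client.close()


if __name__ == "__main__":
    for action in ("block", "tarpit"):
        print(f"{action:7s} -> client saw: {client_outcome(action)}")
```

The "timeout" outcome is exactly why tarpit is a poor fit for browser traffic: the browser sits waiting for data until its own timer expires, while an application that probes for blocking sees no reset to react to.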

Can sessions ever reach the fully classified state with confidence less than 100%?

Short-lived sessions often die before they become fully classified, so it is not uncommon to see sessions in the event log with confidence less than 100%. Rarely, the classification engine might have no idea what a session is and consider it fully classified because nothing more will be learned. In this case it will consider the session fully classified, but confidence will be less than 100%.

What are the application properties of a session?

Please have a look at the table below:

Property: Application
Description: The name of the application creating the session, updated frequently until the session reaches a fully classified state.
Examples: GMAIL, BITTORRE, SSL

Property: ProtoChain
Description: The stack (or chain) of protocols being leveraged by this session to communicate, updated frequently until the session reaches a fully classified state.
Examples: /IP/TCP/HTTP/GMAIL, /IP/UDP/BITTORRE, /IP/TCP/SSL

Property: Confidence
Description: A percentage from 0% to 100% expressing how confident the classification engine is that it has correctly identified the Application and ProtoChain of the given session. Usually 0, 50, or 100.
Examples: 100, 50, 100

Property: Detail
Description: A string that stores an application-specific parameter. This varies depending on the application. For HTTP this often stores the content type. For SSL it stores the site name in the certificate, etc.
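The following is an added example, not code from the product, that ties together several answers above: why a substring regex (the Lite approach) produces false positives where attribute-based classification does not, why classification does not depend on the destination port, and how a session carries the Application, ProtoChain, Confidence and Detail properties and can die before it is fully classified. The sample payloads are constructed (the BitTorrent handshake layout and the TLS record header are public protocol structure, not captured traffic), the naive "torrent" signature is hypothetical, and the toy classifier is the example's own, not the real classification engine.

```python
import re
from dataclasses import dataclass

# Constructed first-bytes of three client-to-server TCP sessions, plus one that died early.
HTTP_GET = b"GET /blog/how-torrent-clients-work HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BT_HANDSHAKE = b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"\x22" * 20  # 68 bytes
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # record hdr + handshake type 1
SHORT_SESSION = b"\x16\x03"  # session ended after two bytes

# Lite-style: a substring regex run over the datastream (hypothetical, deliberately naive).
LITE_SIGNATURES = {"BITTORRE": re.compile(rb"torrent", re.IGNORECASE)}


def lite_match(payload):
    """Return the first signature name whose regex matches anywhere in the stream, else None."""
    for name, rx in LITE_SIGNATURES.items():
        if rx.search(payload):
            return name
    return None


@dataclass
class Session:
    dst_port: int
    payload: bytes
    application: str = "UNKNOWN"
    proto_chain: str = "/IP/TCP"
    confidence: int = 0
    detail: str = ""
    fully_classified: bool = False


def classify(session):
    """Attribute-based classification: inspect structure at fixed offsets, ignore dst_port."""
    p = session.payload
    # BitTorrent handshake: pstrlen byte 0x13, then the 19-byte pstr, 68 bytes in total.
    if len(p) >= 20 and p[0] == 0x13 and p[1:20] == b"BitTorrent protocol":
        session.application = "BITTORRE"
        session.proto_chain = "/IP/TCP/BITTORRE"
        session.fully_classified = len(p) >= 68
        session.confidence = 100 if session.fully_classified else 50
        return session
    # HTTP request line: METHOD SP target SP HTTP/x.y CRLF
    if re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/\d\.\d\r\n", p):
        session.application = "HTTP"
        session.proto_chain = "/IP/TCP/HTTP"
        session.confidence = 100
        session.fully_classified = True
        host = re.search(rb"\r\nHost: ([^\r\n]+)", p)
        session.detail = host.group(1).decode() if host else ""
        return session
    # TLS: record type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        session.application = "SSL"
        session.proto_chain = "/IP/TCP/SSL"
        session.confidence = 100
        session.fully_classified = True
        return session
    if len(p) >= 1 and p[0] == 0x16 and len(p) < 6:
        # Looks like the start of a TLS record, but the session died: partial evidence only.
        session.application = "SSL"
        session.proto_chain = "/IP/TCP/SSL"
        session.confidence = 50
        return session
    return session


if __name__ == "__main__":
    print("Lite regex on an HTTP page about torrents:", lite_match(HTTP_GET))
    for port, payload in ((80, HTTP_GET), (8080, BT_HANDSHAKE), (443, TLS_CLIENT_HELLO), (443, SHORT_SESSION)):
        s = classify(Session(port, payload))
        print(port, s.application, s.proto_chain, s.confidence, s.fully_classified, s.detail)
```

The regex fires on an ordinary web page whose URL merely contains the word "torrent", while the structural check only accepts the real handshake layout; the BitTorrent session on port 8080 is still recognised because the port is never consulted; and the two-byte session ends up logged with 50% confidence, as the answer on short-lived sessions describes.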

Is there a list of all applications that can be scanned for?

An exhaustive list of applications and their description is available here.

How can I allow an individual user to use a blocked application?

You will need to use the Policy Manager to set up a different policy/rack and configuration for that user's traffic.