Application Control Lite FAQs

From Edge Threat Management Wiki - Arista
Revision as of 16:52, 19 April 2016 by Dmorris (talk | contribs)

What's the difference between Application Control and Application Control Lite?

Application Control is based on a commercial third-party application identification engine. It supports many more applications, is more accurate and faster, and is better maintained. False positives are very rare.

Application Control Lite runs simple regular expression signatures against the datastream. If a signature matches the traffic, the chosen action is taken for that particular signature. These signatures are not exact matches and can have false positives.

I've already installed the Firewall. Isn't Application Control Lite redundant?

The Firewall application blocks traffic by IP address and/or port. For well-behaved applications (such as legitimate web and email servers) the port can be used to identify the protocol. Less-than-legitimate applications may use different ports, or malicious users may deliberately run unwanted services on obscure ports. Application Control Lite scans all traffic, looking for a match even if the traffic was not transported across the expected port for that protocol.

How do I add a protocol to Application Control Lite?

To add a protocol, you must provide Application Control Lite with the protocol's signature. To determine the signature, you must analyze the packets, and this process can be tricky. More information is available at the L-7 Filter site. Please be aware that not all protocols can be blocked, because some protocol designers detect and avoid blocking by using encryption (for example, Skype).

What happens if I set a protocol to block?

A few things could happen:

  • It will not detect anything.
  • It will block the protocol completely.
  • It will only partially block the protocol (many multi-session protocols only have some sessions identified).
  • It will block the protocol and block other things too (false positives).
  • It will block the protocol and the application will adapt and use an alternative protocol to communicate.

Please be aware of these possible results and be sure to do some testing when using or adding specific rules.
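One way to do that testing is to score a signature against labelled sample traffic before setting it to block. The following is an added example, not Application Control Lite's own code: the two signatures, the port table and the sessions are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed, simplified signatures for illustration only.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n"),
    "ftp": re.compile(rb"^220[ -]"),  # loose: SMTP servers greet with 220 too
}
WELL_KNOWN_PORTS = {80: "http", 21: "ftp", 25: "smtp"}

# Constructed sessions: (true protocol, destination port, first bytes of stream)
SESSIONS = [
    ("http", 80, b"GET / HTTP/1.1\r\nHost: a.example\r\n\r\n"),
    ("http", 8081, b"GET /x HTTP/1.1\r\nHost: b.example\r\n\r\n"),
    ("http", 443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),  # encrypted, opaque to a regex
    ("ftp", 21, b"220 files.example FTP ready\r\n"),
    ("ftp", 2121, b"220-Welcome\r\n220 ready\r\n"),
    ("smtp", 25, b"220 mail.example ESMTP\r\n"),
]

def classify_by_port(port):
    """What a port-only rule would assume the protocol is."""
    return WELL_KNOWN_PORTS.get(port)

def classify_by_signature(payload):
    """Return the name of every signature that matches the stream prefix."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def evaluate(protocol, sessions=SESSIONS):
    """Score one signature against labelled traffic."""
    result = {"detected": 0, "missed": 0, "false_positives": 0,
              "missed_by_port_rule": 0}
    for truth, port, payload in sessions:
        matched = protocol in classify_by_signature(payload)
        if truth == protocol:
            result["detected" if matched else "missed"] += 1
            # Signature caught it, but a port-based rule would not have.
            if matched and classify_by_port(port) != protocol:
                result["missed_by_port_rule"] += 1
        elif matched:
            # Signature fired on traffic that is a different protocol.
            result["false_positives"] += 1
    return result

if __name__ == "__main__":
    for proto in SIGNATURES:
        print(proto, evaluate(proto))
```

With this sample set, the `http` signature shows partial detection (the encrypted session is missed), and the `ftp` signature shows a false positive on the SMTP greeting.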

I want to block a file sharing protocol for some of my users but not all. How can I do this with Application Control Lite?

By itself, Application Control Lite cannot filter for some machines and not others. Instead, use Policy Manager to create a new rack, send the specific users to the new rack, then configure Application Control Lite in that rack as you see fit for those users.