Application Control

Introduction

About this Document

This document is a reference source for technical personnel, system administrators and network administrators who are looking to secure their network at the application level (layer 7 of the OSI model). This is also known as deep packet inspection, a form of computer network packet filtering that examines packet data and headers as they pass the AXS Guard appliance.

Examples used in this Guide

All setups and configuration examples in this guide are executed as an advanced administrator. Some options are not available if you log in as a full administrator or a user with lower access privileges.

As software development and documentation are ongoing processes, the screenshots shown in this guide may slightly deviate from the current user interface.

Application Control Concepts

Introduction

The application control system monitors the application layer (layer 7 of the OSI model) of the network. This is also known as Deep Packet Inspection (DPI), a form of computer network packet filtering that examines the data part of a packet as it passes the AXS Guard, searching for defined criteria, such as protocols or websites, to decide whether the packet may pass or needs to be blocked. The AXS Guard also collects and reports statistical information about all layer 7 traffic.

Traffic Matching

The application control system allows application-layer detection of protocols, regardless of the port being used. This means that it is possible to detect known protocols on non-standard ports, e.g. HTTP traffic on ports other than 80, and also the opposite, e.g. Skype traffic on port 80. The system will also detect and block access to certain file types, such as multimedia files (if enabled).
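
The port-independent matching described above, as an added illustration (not AXS Guard code): a classifier that looks at the first payload bytes of a flow instead of the destination port, so HTTP on a non-standard port or a non-HTTP protocol on port 80 is still recognized. The signatures, the `PORT_ASSUMPTION` table and the sample flows are constructed for this example and are not the appliance's detection rules.

```python
"""Port-independent protocol detection (added example, not AXS Guard code)."""
import re

# Request line of an HTTP/1.x request, e.g. "GET / HTTP/1.1\r\n"
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# What a port-only (layer 4) rule would assume for a few well-known ports (constructed)
PORT_ASSUMPTION = {80: "http", 443: "tls", 22: "ssh", 6881: "bittorrent"}


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes of a client-to-server payload (layer 7 view)."""
    if HTTP_REQUEST.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0x
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # BitTorrent handshake: length byte 19 followed by "BitTorrent protocol"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    return "unknown"


def inspect_flow(dst_port: int, payload: bytes) -> dict:
    """Compare the layer-4 (port) and layer-7 (payload) views of one flow."""
    by_port = PORT_ASSUMPTION.get(dst_port, "unknown")
    by_payload = classify_payload(payload)
    return {
        "port": dst_port,
        "by_port": by_port,
        "by_payload": by_payload,
        # A mismatch is exactly the case a port-based filter would get wrong
        "mismatch": by_payload != by_port,
    }


# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (8080, b"GET /api HTTP/1.1\r\nHost: intranet\r\n\r\n"),        # HTTP off port 80
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),   # P2P on port 80
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
]


def mismatches(flows=SAMPLE_FLOWS) -> list:
    """(port, detected protocol) for flows a port-only filter would misjudge."""
    results = [inspect_flow(port, payload) for port, payload in flows]
    return [(r["port"], r["by_payload"]) for r in results if r["mismatch"]]


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(inspect_flow(port, payload))
```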

Key Benefits

The key benefit of the application control system is that it can "understand" a vast number of applications and protocols (such as FTP, DNS, RDP or simple web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol or file is being abused in any harmful way.

It also allows administrators to swiftly block certain types of network traffic and files which are harder or impossible to block via the standard firewall (operating at layer 3 and 4 of the OSI model) and the proxy server. See the examples below.

Example 1: Layer 4 vs Layer 7 DoS Attack

A Layer 4 DoS attack is often referred to as a SYN flood. It works at the transport protocol (TCP) layer. A TCP connection is established in what is known as a 3-way handshake. The client sends a SYN packet, the server responds with a SYN ACK, and the client responds to that with an ACK. After the "three-way handshake" is complete, the TCP connection is considered established. It is at this point that applications begin sending data using a Layer 7 or application layer protocol, such as HTTP.

A Layer 7 DoS attack is a different beast and is more difficult to detect. A Layer 7 DoS attack is often perpetrated through the use of HTTP GET. This means that the 3-way TCP handshake has been completed, thus fooling devices and solutions which only examine layer 4 and TCP communications. The attacker's connection looks legitimate and is therefore passed on to the web or application server.

Example 2: Flash Player Vulnerabilities

Some versions of Adobe Flash Player allow remote attackers to execute arbitrary code via crafted .swf content or to perform DoS attacks. The impact is severe. In some cases there is a total information disclosure, resulting in all system files being revealed. These vulnerabilities also compromise the integrity of targeted systems. An attacker can also render systems completely unavailable.

Application Categories

The following application types can be blocked:

  • Social Media, e.g. Facebook

  • Remote Desktop, e.g. RDP and VNC

  • VPN, e.g. PPTP

  • P2P, e.g. Bittorrent

  • File Sharing, e.g. Dropbox

  • Messaging and VoIP, e.g. Skype, Viber

  • Multimedia, e.g. Spotify, YouTube, avi files

  • Others, e.g. Gmail, FTP

Situation in the Network Stack

The application control module monitors layer 7 traffic. Depending on the modules that are enabled on your appliance, you should consider the following:

  • Only traffic that is specifically allowed by the AXS Guard firewall and defined in the application control policies is verified.

  • Traffic which is not blocked by the application control module can still be blocked by the AXS Guard IPS (if the IPS feature is enabled on your system).

  • The application control module checks the payload of network packets and acts upon detection of patterns in these packets, which means that it checks established connections.

  • Clients which use the AXS Guard proxy to browse the Internet are subject to the application control policy assigned to the proxy server; computer, group-level and user-level application policies are not applied in this case.

Situation of Application Control in the Network Stack

Policy-based Management

Application Control Policies govern application access rights of users connected to your network, for example, whether a user may or may not access Facebook, Twitter, etc. There are 4 types of policies:

  • System-wide policies are authentication-independent and apply to all users, computers and other devices connected to the appliance. These policies must be as restrictive as possible to avoid possible abuses in your network.

  • Computer policies are authentication-independent and are associated with a given IP in your network, e.g. to allow a server to connect to the Internet to perform automatic updates. Computer policies should be used sparingly and only in cases where user authentication is not possible. Clients using the web access module (AXS Guard proxy server) are subject to the application control policy assigned under Web Access > General. Computer, group-level and user-level application policies are not applied in this case.

  • Group policies are authentication-dependent and affect the members of a group, e.g. whether or not the members of a given group are allowed to access Facebook.

  • User policies are authentication-dependent and affect a single user, e.g. to override a group, computer or system-wide policy: all members of a group have access to Facebook, except specific members of that group.

Policy-based Management

Important

  • Ideally, system-wide and computer-level policies should block all applications. Applications should only be allowed after successful authentication.
  • The system-wide policies also affect traffic to and from the AXS Guard appliance, except traffic to and from the administrator tool and SSH traffic, which are always allowed.
  • The system default configuration blocks all HTTPS traffic. This affects other AXS Guard services, such as VPN services.

Logging and Statistics

The AXS Guard application control system offers the option to log all dropped traffic. It also offers detailed traffic statistics per category through the use of simple filters.

Application Control Configuration

Configuration Overview

  1. Enable the Application Control feature under System > Feature Activation > Firewall.

  2. Configure your policies under Application Control > Policies and configure the logging options under Application Control > General.

  3. Assign the policies created in step 2 to the appropriate users, groups, computers, the proxy and the system (system-wide policy).

Feature Activation

  1. Log on to the AXS Guard appliance as explained in the System Administration guide.

  2. Go to System > Feature Activation.

  3. Expand the Firewall option and check "Do you use the AXS Guard Application Control Service?".

  4. Update your configuration.

    Application Control Feature Activation

Creating Application Control Policies

  1. Go to Application Control > Policies.

  2. Click on the + button (add new).

  3. Enter the parameters as explained in the table below and save your configuration.

    Creating a new Application Policy

Application Control Policy Settings
Option Description

Name

Enter a name for the application policy.

Description

A policy description (optional field).

Enabled

Uncheck to disable blocking (instead of removing the policy under Users & Groups > Users, Users & Groups > Groups, Computers or Application Control > General).

Add Application Control Protocols

Click to add one or multiple application protocols to the policy.

Assigning Application Control Policies

System-wide Assignment

Important

  • Ideally, system-wide and computer-level policies should block all applications. Applications should only be allowed after successful authentication.

  • The system-wide policies also affect traffic to and from the AXS Guard appliance, except traffic to and from the administrator tool and SSH traffic, which are always allowed.

  1. Go to Application Control > General.

  2. Add the desired application control policies.

  3. Update your configuration.

    Application Control General Configuration

Option Description

Log dropped packets

Check to log all dropped traffic under Application Control > Logs and System > Logs > Network Security.

Add Application Control Policy

Click to add one or several application control policies at the system level. Go to Application Control > Policies for an overview of policies configured on your system.

Computer-level Assignment

Important

Enforce user authentication where possible. Only allow applications that are absolutely necessary at the computer level.

  1. Go to Computers.

  2. Select the appropriate computer from the list.

  3. Select the Application Control tab.

  4. Select the appropriate option from the drop-down list (explained in the table below).

  5. Save your configuration.

    Computer-level Application Control Policy Configuration

Option Description

Use system application control policies

Use the system-wide policies, assigned under Application Control > General.

Add to system application control policies

Assign specific policies to this computer, in addition to the system-wide policies configured under Application Control > General.

Overrule system application control policies

Do not enforce the system-wide policies, but only the specified policies. Specific policies are enforced based on the computer’s IP address.

Group-level Assignment

Info

  • Group-level policies are only enforced if a member of the group successfully authenticates.

  • Separate policies can be configured to govern VPN traffic (remote access tab in the AXS Guard group), e.g. to block selected applications accessed via a PPTP connection.

  1. Go to Users & Groups > Groups.

  2. Select the appropriate group from the list.

  3. Select the Application Control tab.

  4. Select the desired option from the drop-down list (explained in the table below).

  5. Update your configuration.

    Group-level Application Control Policies

Option Description

Use computer/system application control policies

Enforce the system-wide policies, assigned under Application Control > General and the computer-level policies, if any.

Add to computer/system application control policies

Assign specific policies to this group, in addition to the system-wide policies configured under Application Control > General and computer-level policies, if any.

Overrule computer/system application control policies

Do not enforce the system-wide policies and computer-level policies, but only the specified policies. The specific policies will be enforced when a member of the group successfully authenticates.

User-level Assignment

Important

  • User-level policies are only enforced if the user successfully authenticates.

  • Separate policies can be configured to govern VPN traffic (remote access tab in the AXS Guard user profile), e.g. to block selected applications accessed via a PPTP connection.

  1. Go to Users & Groups > Users.

  2. Select the appropriate user from the list.

  3. Select the Application Control tab.

  4. Select the appropriate option from the drop-down list.

  5. Update your configuration.

    User-level Application Control Policy Configuration

Option Description

Use group application control policies

Only enforce the policies as configured for the user’s group.

Add to group application control policies

Enforce the policies as configured for the user’s group and the policies that are specified in the user profile.

Overrule group application control policies

Only policies configured at the user, computer and system levels are enforced. Group policies are not enforced.

Overrule Group / Computer / System Application Control Policies

Only the application control policies configured at the user level are enforced.
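
The precedence rules from the computer-, group- and user-level tables above and the proxy rule from the Policy-based Management section, as an added model (not AXS Guard code): each level's Use / Add to / Overrule option becomes a set operation on application names. The names `Mode`, `Level` and `effective_blocked` are invented for this example, and the reading of the user-level "Overrule group" option as "computer/system result plus the user's own policies" is an assumption.

```python
"""Model of application control policy precedence (added example, not AXS Guard code)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    USE = "use"                    # "Use ... application control policies"
    ADD = "add"                    # "Add to ... application control policies"
    OVERRULE = "overrule"          # "Overrule ... application control policies"
    OVERRULE_ALL = "overrule_all"  # user-level "Overrule Group / Computer / System"


@dataclass(frozen=True)
class Level:
    mode: Mode = Mode.USE
    blocked: frozenset = frozenset()   # applications blocked by this level's policies


def _apply(inherited: frozenset, level) -> frozenset:
    """Combine an inherited block set with one level's Use/Add/Overrule choice."""
    if level is None or level.mode is Mode.USE:
        return inherited
    if level.mode is Mode.ADD:
        return inherited | level.blocked
    return frozenset(level.blocked)    # OVERRULE: only this level's policies count


def effective_blocked(system, computer=None, group=None, user=None,
                      via_proxy=False, proxy=frozenset()) -> frozenset:
    """Applications blocked for one connection.

    `computer` applies by source IP without authentication; `group` and `user`
    apply only once the user has authenticated (pass None for unauthenticated).
    """
    if via_proxy:
        # Proxy clients get the Web Access policy only; other levels are skipped
        return frozenset(proxy)
    sys_comp = _apply(frozenset(system), computer)
    with_group = _apply(sys_comp, group)
    if user is None or user.mode is Mode.USE:
        return with_group
    if user.mode is Mode.ADD:
        return with_group | user.blocked
    if user.mode is Mode.OVERRULE:
        # Group policies dropped; assumed: computer/system result plus user policies
        return sys_comp | user.blocked
    return frozenset(user.blocked)     # OVERRULE_ALL: user-level policies only


# Constructed scenario: restrictive system policy, the computer adds Dropbox,
# the group replaces everything with a P2P-only block, one user adds Spotify
SYSTEM = frozenset({"Facebook", "Bittorrent", "Skype"})
COMPUTER = Level(Mode.ADD, frozenset({"Dropbox"}))
GROUP = Level(Mode.OVERRULE, frozenset({"Bittorrent"}))
USER = Level(Mode.ADD, frozenset({"Spotify"}))

if __name__ == "__main__":
    print("unauthenticated:", sorted(effective_blocked(SYSTEM, COMPUTER)))
    print("group member:   ", sorted(effective_blocked(SYSTEM, COMPUTER, GROUP)))
    print("specific user:  ", sorted(effective_blocked(SYSTEM, COMPUTER, GROUP, USER)))
```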

Web Access Application Control Policy

Info

Clients accessing the Internet via the AXS Guard proxy server are subject to the application control policy assigned under Web Access > General. Computer, group-level and user-level application policies are not applied in this case.

  1. Go to Web Access > Server.

  2. Select the application control policy or policies to be applied.

  3. Update your configuration.

    Assigning Application Control Policies to the AXS Guard Proxy

Fields and buttons Description

Add application control policy

Click to select and assign application control policies. Go to Application Control > Policies for an overview of policies on your system or to edit and configure application policies.

Policy

Shows the name of the assigned policy as defined under Application Control > Policies.

Blocked applications

A comma-separated list of applications which are blocked by the application control policy.

Disabling Application Control

There are several methods to disable application control, i.e. to allow traffic otherwise blocked by an application control policy.

  • Go to Application Control > Policies and disable the appropriate policies.

  • Leave the application control policies empty under Users & Groups, Computers or Web Access > General (whichever applies).

  • Assign an empty application control policy to a user, a group or the AXS Guard proxy.

Important

  • Ideally, system-wide and computer-level policies should block all applications. Applications should only be allowed after successful authentication.

  • The system-wide policies also affect traffic to and from the AXS Guard appliance, except traffic to and from the administrator tool and SSH traffic, which are always allowed.

Application Control Logging Options

  1. Go to Application Control > General.

  2. Check "Log dropped packets" to see all traffic dropped by the Application Control system.

  3. Update your configuration.

    Application Control General Configuration

Option Description

Log dropped packets

Check to log all dropped traffic under Application Control > Logs and System > Logs > Network Security.

Add Application Control Policy

Click to add one or several application control policies at the system level. Go to Application Control > Policies for an overview of policies configured on your system.

Logging, Statistics and Connection Tracking

Overview

In this section, we explain how to access the following information:

  • Application Control Logs: Information about traffic dropped by the application control system, e.g. blocked Facebook connection attempts.

  • Application Control Statistics: Graphical representation of all connection data.

  • Network Security Logs: A compilation of information related to traffic dropped by the AXS Guard firewall, IPS and application control system.

  • Connection Tracking: Information about active connections, such as the source and destination IP addresses, port number pairs, etc.

Application Control Logs

  1. Go to Application Control.

  2. Select "Logs".

  3. Click on the desired log file to open it.

    Application Control Logs

Field Description

Time

The time the entry was added to the application control log.

In

The network device that received the network traffic to be forwarded.

Out

The forwarding network device.

Protocol

The protocol used by the application, e.g. TCP, UDP.

Length

The length of exchanged packets in bytes.

Source IP

The IP of the host that initiated the connection.

Destination IP

The IP of the destination host.

Source Port

The source port used by the host which initiated the connection.

Destination Port

The port on the remote host.

Flags

Detected TCP flags.

Application

The application that was blocked. For an overview of applications, go to Application Control > General.

Comment

The action taken by the application control engine, e.g. FORWARD DROP.
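
Working with exported entries of the log described in the table above, as an added example (not AXS Guard code): the script parses one entry per line with the fields in the order of the table, counts drops per source host and application, and lists hosts that keep running into a blocked application, which usually points at a misconfigured client, unwanted software or a user who needs a policy exception. The tab-separated layout and the sample lines are constructed for this example; the page does not specify the appliance's export format.

```python
"""Summarizing application control log entries (added example, not AXS Guard code)."""
import csv
from collections import Counter
from io import StringIO

# Field order taken from the Application Control Logs table
FIELDS = ["time", "in", "out", "protocol", "length", "src_ip", "dst_ip",
          "src_port", "dst_port", "flags", "application", "comment"]

# Constructed sample entries (not real log data); tab-separated layout assumed
SAMPLE_LOG = """\
2024-03-01 09:12:01\teth1\teth0\tTCP\t60\t192.0.2.10\t203.0.113.5\t51234\t443\tS\tFacebook\tFORWARD DROP
2024-03-01 09:12:03\teth1\teth0\tTCP\t60\t192.0.2.10\t203.0.113.5\t51235\t443\tS\tFacebook\tFORWARD DROP
2024-03-01 09:12:09\teth1\teth0\tUDP\t132\t192.0.2.22\t198.51.100.7\t6881\t6881\t-\tBittorrent\tFORWARD DROP
2024-03-01 09:12:15\teth1\teth0\tTCP\t60\t192.0.2.10\t203.0.113.9\t51240\t80\tS\tFacebook\tFORWARD DROP
2024-03-01 09:13:40\teth1\teth0\tTCP\t60\t192.0.2.31\t198.51.100.2\t40002\t3389\tS\tRDP\tFORWARD DROP
"""


def parse_log(text: str) -> list:
    """Parse tab-separated entries into dicts keyed by the names in FIELDS."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS, delimiter="\t")
    # Rows with too few fields get None for "comment"; skip them as malformed
    return [row for row in reader if row["comment"]]


def drops_per_host_app(entries: list) -> Counter:
    """Number of dropped connections per (source IP, application) pair."""
    return Counter((e["src_ip"], e["application"]) for e in entries
                   if e["comment"].endswith("DROP"))


def noisy_hosts(entries: list, threshold: int = 3) -> list:
    """Source IPs with at least `threshold` dropped connections, sorted."""
    per_host = Counter(e["src_ip"] for e in entries if e["comment"].endswith("DROP"))
    return sorted(ip for ip, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (ip, app), n in drops_per_host_app(entries).most_common():
        print(f"{ip:<12} {app:<12} {n}")
    print("hosts to review:", noisy_hosts(entries))
```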

Statistics and Reporting

  1. Go to Statistics.

  2. Click on "Application Control".

    Application Control Statistics

Option Description

Application Traffic

  • Through: Network traffic that is forwarded by the appliance.

  • Towards: Network traffic arriving at the appliance.

  • From: Network traffic originating from the appliance.

Unit

The unit to be displayed in the application control statistics, i.e. bytes or packets.

Time interval

Select the appropriate time interval from the drop-down list.

Current Classification

Donut Chart

When the page is initially rendered, the donut chart is populated with data generated since the time the firewall was first started or the application control feature was activated. After 5 seconds, the donut chart will be automatically refreshed and only show current data. This will provide administrators with a live view of traffic passing through the appliance.

Detailed table view

This table contains the raw data shown in the donut chart. The first 5 seconds it will contain statistics that have been collected since the time the firewall was started or the application control feature was activated. After 5 seconds, the table will be refreshed and only show current statistics.

Historical Classification

The line chart allows you to view the evolution of application use over an extended period. The view consists of a detailed graph and an overview graph. You can change the range of the detailed view by using the selectors or by selecting an area in the graph. The range of the overview graph can be changed with the buttons below the chart.

By default, only unrecognized traffic is shown. This default behavior can be changed by checking the appropriate checkboxes in the table under the graph.

Network Security Logs

  1. Go to System > Logs > Network Security.

  2. Click on the desired log file to open it.

    Network Security Logs

Field Description

Time

The time at which the log entry was created.

Triggered by

The process that blocked the network traffic.

In

The network device on the receiving end of the connection.

Out

The forwarding network device.

Source IP

The IP of the sending host.

Source Port

The source port used by the sending host.

Destination IP

The IP of the receiving host.

Destination Port

The destination port on the receiving host.

Comment

The action taken by the application in the Triggered by field, e.g. INPUT DROP.

Connection Tracking (Flow Viewer)

About

The flow viewer allows you to consult active connections and use filters to extract information based on the:

  • Protocol

  • Source IP and port

  • Destination IP and port

  • Network device

  • Connections that are monitored by the application control system

Viewing Active Connections

  1. Go to Network > Tools.

  2. Select "Flow Viewer".

    Network Flow Viewer

  3. Click on an empty space in a row to view details about a connection.

    Connection Details

Support

If you encounter a problem

If you encounter a problem with AXS Guard, follow the steps below:

  1. Check the troubleshooting section of the feature-specific manual.

  2. Check the knowledge base on this site for information about special configurations.

  3. If no solution is available in any of the above sources, contact your AXS Guard vendor.

Contact Information

(+32) 15-504-400
support@axsguard.com
