This is critical advice for how to use Application Control Lite. This advice does not apply to Application Control (non-Lite).
Application Control Lite uses signatures (regular expressions, in fact) to detect protocols. It does this because many modern applications don't use fixed ports; they use ports they know are likely to be open, which makes detecting and blocking those protocols by port impossible.
Application Control Lite simply runs these regular-expression signatures against the data stream. If a signature matches, the action configured for that signature (log or block) is taken.
DO NOT UNDER ANY CIRCUMSTANCES just go through the list of signatures, say to yourself "well, I don't need this on my network", and then click block on every protocol you don't run or don't want on your network.
These signatures are not exact matches.
If you care about these protocols, click "log" only and then monitor the event log and reports. If you see that a user or machine is using a protocol you don't want on your network, you have several options. You can yell at, punish, or block that user from the internet. You can also check "block" on that protocol. If you do the latter, realize that one of four things will happen:
1) It will block the protocol (ideal)
2) It will only partially block the protocol (many multi-session protocols only have some sessions identified)
3) It will block the protocol and block other things too (false positives)
4) It will block the protocol and the application will adapt and use an alternative protocol to communicate.
Back to the original point: if you just click "block" on all sorts of things, you are likely to get a lot of #3 and a lot of issues.
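The following is an added example, not code from Application Control Lite or the L7-filter project, showing what "run a regex against the data stream, then log or block on a match" looks like in practice and why loose signatures bite. The signatures, the per-signature policy, the 2048-byte scan window and every sample flow are constructed for illustration (the "irc" pattern is deliberately sloppy in the way many community signatures are); none of them are the product's real patterns.

```python
import re

# Constructed, illustrative signatures in the L7-filter style: a regex applied
# case-insensitively to the first bytes of a connection. These are NOT the
# product's or the L7-filter project's real patterns, and "irc" is written
# loosely on purpose to show how a loose signature misbehaves.
SIGNATURES = {
    # HTTP request line followed somewhere in the headers by "Host:".
    "http": re.compile(rb"^(get|post|head) [ -~]* http/1\.[01]\r\n[\x09-\x0d -~]*host:", re.I),
    # BitTorrent-style tracker request carried over HTTP.
    "torrent-tracker": re.compile(rb"get /(announce|scrape)\?info_hash=", re.I),
    # FTP control channel: server banner, then USER/PASS from the client.
    "ftp": re.compile(rb"^220[\x09-\x0d -~]*\r\n(user|pass) ", re.I),
    # Far too loose "IRC" signature: any "nick <text>" line anywhere in the stream.
    "irc": re.compile(rb"nick [^\r\n]+\r\n", re.I),
}

# Hypothetical per-signature actions, as an administrator would tick them in the UI.
POLICY = {
    "http": "log",
    "torrent-tracker": "block",
    "ftp": "block",
    "irc": "block",
}

SCAN_BYTES = 2048  # assumption: only the first bytes of a flow are inspected


def classify(payload: bytes) -> list[str]:
    """Return the names of every signature that matches the start of the flow."""
    window = payload[:SCAN_BYTES]
    return [name for name, rx in SIGNATURES.items() if rx.search(window)]


def verdict(payload: bytes, policy: dict[str, str] = POLICY) -> tuple[str, list[str]]:
    """Apply the policy: any matching signature set to 'block' blocks the flow;
    otherwise a 'log' match is logged; otherwise the flow passes untouched."""
    matches = classify(payload)
    actions = {policy.get(m, "log") for m in matches}
    if "block" in actions:
        return "block", matches
    if "log" in actions:
        return "log", matches
    return "pass", matches


# Constructed sample flows: the opening bytes of each TCP connection, client and
# server sides interleaved the way a stream matcher sees them.
FLOWS = {
    "web-page": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "tracker": b"GET /announce?info_hash=%12%34&peer_id=abc HTTP/1.1\r\nHost: tracker.example\r\n\r\n",
    "ftp-control": b"220 ftp.example ready\r\nUSER alice\r\nPASS s3cret\r\n",
    # The FTP data connection: a PNG being transferred, no protocol chatter at all.
    "ftp-data": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x01\x00",
    # An SMTP session from a user who happens to be called Nick.
    "mail": (b"EHLO mail.example\r\nMAIL FROM:<nick@example.net>\r\n"
             b"RCPT TO:<bob@example.org>\r\nDATA\r\n"
             b"From: Nick Smith <nick@example.net>\r\nSubject: lunch\r\n\r\nhi\r\n.\r\n"),
}


def evaluate(flows=FLOWS, policy=POLICY) -> dict[str, tuple[str, list[str]]]:
    """Run every sample flow through the policy and return name -> (verdict, matches)."""
    return {name: verdict(data, policy) for name, data in flows.items()}


if __name__ == "__main__":
    for name, (action, matches) in evaluate().items():
        print(f"{name:12s} -> {action:5s} matched={matches}")
```

Running it shows three of the four outcomes from the list above: the tracker request is blocked (#1); the FTP control session is blocked but the FTP data connection, which carries no recognisable chatter, matches nothing and passes (#2, the multi-session case); and the SMTP session is blocked because the loose "irc" signature matches the "From: Nick Smith" header (#3, a false positive that would silently break mail for anyone called Nick). Outcome #4, the application switching to another protocol, cannot be shown statically. Setting "irc" to "log" instead of "block" turns that last flow into a logged event you can investigate before deciding anything, which is exactly the workflow recommended above.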
Application Control Lite is a tool to detect protocol usage and control it when necessary. It can be extremely powerful (and fun) if you know regular expressions and can use Wireshark; however, it is also extremely dangerous. Don't use it like a shotgun.
The Application Control Lite signatures are community maintained. Most come from the L7-filter project.
Many are known to have false positives and/or false negatives.