How to use Application Control Lite


  • How to use Application Control Lite

    This is critical advice for how to use Application Control Lite. This advice does not apply to Application Control (non-Lite).

    Application Control Lite uses signatures (regular expressions, actually) to detect protocols. It does this because many modern applications don't use specific ports; they use ports that they know are likely to be open, making detecting and blocking protocols by port impossible.

    Application Control Lite just runs simple regular expression signatures against the datastream. If a signature/regex matches, the action is taken for that particular signature (log or block).

    DO NOT UNDER ANY CIRCUMSTANCES just go through the list of signatures and say to yourself "well, I don't need this on my network" and then proceed to click block on all the protocols you don't run or want on your network.
    These signatures are not exact matches.

    If you care about these protocols, click "log" only and then monitor the event log and reports. If you see you have an issue with a user/machine using a protocol you don't want on your network, you can do one of several things. You can yell/punish/block that user from the internet. You can also check "block" on that protocol. If you do the latter, realize that one of four things will happen:

    1) It will block the protocol (ideal)
    2) It will only partially block the protocol (many multi-session protocols only have some sessions identified)
    3) It will block the protocol and block other things too (false positives)
    4) It will block the protocol and the application will adapt and use an alternative protocol to communicate.

    Back to the original point, if you just click "block" on all sorts of things you are likely to get a lot of #3 and likely to have a lot of issues.

    Application Control Lite is a tool to detect protocol usage and control it when necessary. It can be extremely powerful and fun if you know regular expressions and can use wireshark, however it is also extremely dangerous. Don't use it like a shotgun.

    The Application Control Lite signatures are community maintained. Most come from the L7-filter project.
    Many are known to have false positives and/or false negatives.
    Last edited by dmorris; 05-30-2012, 09:22 AM.
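    The matching described in the post above, as an added example that is not part of dmorris's post and not Untangle or L7-filter code: a small Python model of an L7-filter-style classifier. The signatures, the flows and the 2048-byte inspection window are all constructed for illustration (the regexes are deliberately loose and are not the project's real patterns). Run on the sample flows it reproduces outcome 1 (a real BitTorrent handshake is blocked), outcome 2 (the FTP control channel is blocked but the data connection is not recognised) and outcome 3 (an ordinary web request containing the word "announce" is blocked as BitTorrent), and it shows the log-only pass the post recommends before anyone clicks "block".

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    action: str          # "log" or "block"


@dataclass
class Flow:
    src: str
    dst_port: int
    payload: bytes       # opening bytes of the connection's data stream


# Constructed signatures in the L7-filter style: loose regexes over raw bytes.
# They are illustrative only, not the project's real patterns. Order matters:
# the first signature that matches wins, exactly like a naive classifier.
SIGNATURES = [
    # Loose on purpose: "announce" and "info_hash" also occur in ordinary web traffic.
    Signature("bittorrent", re.compile(rb"\x13bittorrent protocol|announce|info_hash", re.I), "block"),
    # Only the FTP control channel carries a "220 ... ftp" greeting; the data
    # connection of the same transfer is raw file bytes and looks like nothing.
    Signature("ftp", re.compile(rb"^220[\x09-\x0d -~]*ftp", re.I), "block"),
    Signature("http", re.compile(rb"^(get|post|head) [^ ]+ http/1\.[01]", re.I), "log"),
]

INSPECT_BYTES = 2048   # constructed: only the start of each connection is examined


def classify(flow, signatures=SIGNATURES):
    """Return the first signature whose regex matches the inspected bytes, or None."""
    data = flow.payload[:INSPECT_BYTES]
    for sig in signatures:
        if sig.pattern.search(data):
            return sig
    return None


def run(flows, signatures=SIGNATURES):
    """Apply each matching signature's action; return (event log, blocked flows)."""
    events, blocked = [], []
    for flow in flows:
        sig = classify(flow, signatures)
        if sig is None:
            continue
        events.append((flow.src, flow.dst_port, sig.name, sig.action))
        if sig.action == "block":
            blocked.append(flow)
    return events, blocked


def log_only(signatures=SIGNATURES):
    """The recommended first step: the same signatures with every action set to 'log'."""
    return [Signature(s.name, s.pattern, "log") for s in signatures]


def hits_per_source(events):
    """Summarise the event log per (source, protocol), as you would review it before blocking."""
    return Counter((src, name) for src, _port, name, _action in events)


# Constructed sample flows.
FLOWS = [
    Flow("10.0.0.5", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Ordinary web request whose path happens to contain the word "announce".
    Flow("10.0.0.7", 80, b"GET /news/announce-2012.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow("10.0.0.9", 21, b"220 ProFTPD ftp server ready\r\n"),
    # FTP data connection for the same transfer: no greeting, just file bytes.
    Flow("10.0.0.9", 20, b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
    Flow("10.0.0.11", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
]

if __name__ == "__main__":
    events, blocked = run(FLOWS)
    for e in events:
        print("event:", e)
    print("blocked sources:", [f.src for f in blocked])       # 10.0.0.7 is the false positive
    print("ftp data channel classified as:", classify(FLOWS[3]))  # None: slipped through
    print("log-only review:", hits_per_source(run(FLOWS, log_only())[0]))
```

    With the block actions in place, 10.0.0.7's plain web request is dropped alongside the real BitTorrent handshake, and 10.0.0.9's file transfer is only half stopped. Running the same signatures through `log_only()` first produces the per-source counts without breaking anything, which is the point the post makes about clicking "log" before "block".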

  • #2
    Hear hear! I'd like to see a page like this set up for each module/app and set it to show the first time a particular user views that app.

    I like these instructions. I'd also like to explicitly add something that I hope is already obvious: running a bunch of regular expressions on a live data stream is potentially VERY performance intensive. Logging or blocking too many protocols you don't need can literally bring down your server, and if it doesn't bring down your server it will add latency to each packet. As an example of the latter situation, you may find that your server still handles plenty of data, but your video conferencing users are suddenly complaining of lag/performance issues, because the packets take too much time to evaluate as they move through your server.

    Personally, I have one rack named "LogEverything" that does have every single option checked, but at present no traffic passes through that rack. Every once in a while I'll set a rule to move my machine IP or maybe even a student's IP to that rack to troubleshoot some issue, but in this case I'm only evaluating one person's traffic. Even this much can make a noticeable impact on my server's load.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5.2 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty