3.7. Application Control
IP rules or IP policies can be set up so they apply only to traffic related to specific applications. An
example of an application that might require this kind of administrator control is traffic related to
BitTorrent. Applying IP rules or IP policies based on the application type is known in
NetDefendOS as Application Control.
The application control subsystem is driven using a database of application signatures. Each
signature corresponding to one type of application. The entire signature database is listed in the
separate document entitled NetDefendOS Application Control Signatures.
Application control is a subscription based feature and a subscription must have been purchased
for application control to function. See Appendix A, Subscribing to Updates for more details about
this.
Enabling Application Control
Application Control can be enabled in two ways:
• Specifying applications directly with an IP Rule or IP Policy object.
This is the basic way of either allowing or denying the data flows associated with a given
application. This is often used when testing application control since it is simple but does not
provide much flexibility.
• Associating an Application Rule Set with an IP Rule or IP Policy object.
This is the recommended method of using application control and provides more flexible
ways to handle the data flows associated with applications. An Application Rule Set is first
created which defines how an application is to be handled, then one or more Application Rule
objects are added to it. The entire rule set is then associated with an IP rule or IP policy object
These two methods of configuring application control are examined next.
Associating Directly with IP Rules or IP Policies
IP rules that use application control are created in the following way:
• Create an IP rule or IP policy with a set of filter parameters to identify connections.
• Use an Action of Allow or NAT.
• Enable application control, select the option to use manual configuration and add the
applications that are to be allowed or denied.
If the Deny option is selected but no applications are selected then everything is allowed. If
the Allow option is selected but no applications are selected then nothing will be allowed.
Example 3.39. Specifying an Application Control Policy
This example creates an IP rule to deny connections originating from the lan network which
match the *_groups signature filter. These will include access to sites such as yahoo_groups and
google_groups.
Command-Line Interface
Chapter 3: Fundamentals
253
To Next Page
Loading...
