Referencing Applications and Application Groups in Security Policies
After years of development, the Internet has reached every aspect of public work and life. The services carried on the Internet have changed profoundly, and a wide variety of applications now make up the bulk of Internet traffic. The biggest challenge for network administrators is to identify and control these applications effectively.
As described in the previous chapter, firewalls can identify common application protocols through services and service groups. Service identification, however, relies on port numbers, so it can only distinguish basic protocols such as FTP and HTTP. A large number of applications are carried over HTTP (or over another well-known port), and service identification alone cannot tell them apart, which is not sufficient for application management and control.
Service Awareness (SA) Technology
Firewalls use SA technology to identify applications accurately. Whereas traditional protocol identification checks only the 5-tuple of a packet and therefore cannot identify applications, SA goes a step further and inspects the application-layer data. The traffic of each application carries its own signatures, which may be specific commands or bit sequences; together these signatures form the "fingerprint" of the application. Once the fingerprints that uniquely identify applications have been abstracted into a fingerprint database, traffic can be compared against that database. A fingerprint is only as reliable as its specificity: a signature that matches a loose substring also matches look-alike traffic, so signatures are written against well-defined protocol fields.
The Huawei Security Competence Center has used SA technology to analyze and extract the traffic signatures of a large number of Internet applications and has built a signature database of more than 6000 applications, classified into five categories and 57 sub-categories. You can visit the Huawei Security Competence Center website and query the current application identification capability in the application encyclopedia. In the application encyclopedia, you can filter applications by category, sub-category, label, data transmission mode, and risk level, or enter an application name to search for it. For each application, the signature database also provides multi-dimensional description information to help you formulate targeted management and control policies.
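The following is an added example, not Huawei's code and not its signature format, that shows the fingerprint idea from the two paragraphs above in Python. It keeps a constructed signature database with three base protocols (matched against raw application-layer bytes) and two upper-layer applications (matched against fields extracted by the base protocol's parser), and compares the result with a plain port table. All patterns, host names, port numbers and payloads are constructed for illustration.

```python
import re

# Constructed, illustrative signature database. These patterns are NOT Huawei's
# signatures; they only show how a fingerprint database can be organised:
# base-protocol signatures match raw application-layer bytes, upper-layer
# signatures match fields extracted by the dependent (base) protocol's parser.
BASE_SIGNATURES = {
    "HTTP": re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "FTP":  re.compile(rb"^(220[ -][^\r\n]*FTP[^\r\n]*|USER \S+)\r\n", re.IGNORECASE),
    "SMTP": re.compile(rb"^(220[ -][^\r\n]*E?SMTP[^\r\n]*|EHLO \S+)\r\n", re.IGNORECASE),
}

# Upper-layer application -> (dependent protocol, field name, pattern over that field).
# Anchoring with `$` matters: a loose substring would also match look-alike hosts.
UPPER_SIGNATURES = {
    "Dropbox": ("HTTP", "host", re.compile(r"(^|\.)dropbox\.com$", re.IGNORECASE)),
    "Baidu_NetDisk": ("HTTP", "host", re.compile(r"(^|\.)pan\.baidu\.com$", re.IGNORECASE)),
}

# What service (port-based) identification knows.
PORT_TABLE = {21: "FTP", 25: "SMTP", 80: "HTTP"}


def http_fields(payload: bytes) -> dict:
    """Parse the header block of an HTTP/1.x request into lower-cased field names."""
    head = payload.partition(b"\r\n\r\n")[0]
    fields = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            fields[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return fields


FIELD_EXTRACTORS = {"HTTP": http_fields}


def identify_by_port(dst_port: int) -> str:
    return PORT_TABLE.get(dst_port, "unknown")


def identify_by_signature(payload: bytes) -> list:
    """Return the identification chain, dependent protocol first, e.g. ['HTTP', 'Dropbox']."""
    base = next((n for n, p in BASE_SIGNATURES.items() if p.match(payload)), None)
    if base is None:
        return ["unknown"]
    chain = [base]
    fields = FIELD_EXTRACTORS.get(base, lambda _: {})(payload)
    for app, (dep, fname, pattern) in UPPER_SIGNATURES.items():
        if dep == base and fname in fields and pattern.search(fields[fname]):
            chain.append(app)
            break
    return chain


def classify(dst_port: int, payload: bytes) -> dict:
    """Side-by-side result of service (port) identification and SA identification."""
    return {"service": identify_by_port(dst_port), "application": identify_by_signature(payload)}


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "dropbox_on_8080": (8080, b"GET /2/files/list_folder HTTP/1.1\r\nHost: api.dropbox.com\r\n"
                              b"User-Agent: example\r\n\r\n"),
    "lookalike_host": (80, b"GET / HTTP/1.1\r\nHost: dropbox.com.evil.example\r\n\r\n"),
    "ftp_banner": (21, b"220 (vsFTPd 3.0.3)\r\n"),
    "tls_hello_fragment": (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
}

if __name__ == "__main__":
    for name, (port, payload) in SAMPLES.items():
        print(f"{name:20s} {classify(port, payload)}")
```

The first sample is the page's point in miniature: HTTP on a non-standard port is "unknown" to port-based identification but is identified as HTTP and then Dropbox by the signatures. The second sample shows why the host pattern is anchored: a look-alike host name is still identified as HTTP but not as Dropbox.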
Pre-defined Applications and Application Groups
After the application signature database is loaded onto a firewall, the applications it contains become the firewall's pre-defined applications. New applications keep emerging on the Internet and the signatures of existing applications change, so the signature database must be upgraded periodically to keep identification accurate.
An application group is a set of applications and simplifies management: you create an application group for applications that share the same access policy and then reference the group in a security policy. For example, to create a NetDisk application group, you can add applications from the list or from the tree structure.
1. Adding an application based on the list
The displayed page is similar to the application page. You can filter applications by category, subcategory, label, data transmission mode, and risk level, or enter an application name for fuzzy search.
2. Adding an application based on the tree structure
The tree structure is a newer way of organizing applications. You can select applications from the tree of application categories and sub-categories, or filter by Label/Software and then use fuzzy search.
Referencing a Group of Applications in a Security Policy
Referencing a group of applications in a security policy is a common operation. You can select applications based on the application category, subcategory, label, software, and user-defined application group. The operation page and operation method are similar to those of adding applications to an application group based on the tree structure. The only difference is that you can directly select a created application group in a security policy.
Referencing a Single Application in a Security Policy
When referencing a single application in a security policy, you need to consider the dependent and associated applications of the application.
Dependent applications are the underlying applications of an application; conversely, the application is the upper-layer application of its dependents. During application identification, the firewall identifies the dependent applications first and then the upper-layer application. During the security policy check, the firewall first searches for policies that match the dependent applications. Only if the policy matched by the dependent applications has the action permit does the firewall go on to identify the upper-layer application and search for its policies. Therefore, when the traffic of an application is to be permitted, the traffic of its dependent applications must be permitted as well; a deny policy that matches a dependent application blocks the upper-layer application regardless of any later permit policy for it.
Associated applications are applications that have an association relationship with the application; typically they are several similar applications developed by the same company and have similar traffic signatures. To block an application completely, you also need to block its associated applications in the security policy; otherwise traffic of the blocked application may be identified as an associated application and pass.
When a single application is referenced in a security policy, its dependent and associated applications need to be configured at the same time, as shown in Table 3-4. Pay attention to the prompts provided by the firewall.
| Action of the Security Policy | Single Application Specified as the Matching Condition | Single Application Specified as the Matching Condition plus a Content Security Profile |
|---|---|---|
| Permit | Dependent applications do not need to be configured. If no upper-layer application is identified, the traffic is permitted by default. | If the application has dependent applications, the firewall prompts you to configure them. For example, the dependent applications of Dropbox are HTTP, HTTPS, and SSL; when access to Dropbox is allowed and content security checks are applied to that access, these dependent applications must be configured. |
| Deny | If the application has associated applications, the firewall prompts you to configure them. For example, GoogleTalk_VoIP is associated with GoogleTalk_IM; to block GoogleTalk_VoIP, you must also configure GoogleTalk_IM. | N/A |
The following example allows access to Dropbox while performing antivirus checking and file filtering, and shows the prompt and configuration page of the firewall. In the security policy, set Application to Dropbox, Action to Permit, and both Antivirus and File Blocking to default. When the configuration is committed, the firewall verifies it and prompts you to select the dependent applications.
Click Configure in the prompt. The dependent applications of Dropbox are HTTP, HTTPS, and SSL, as shown in Figure 3-8. Select all of them; the security policy configuration can then be committed successfully.
Pending Policy
After an application is referenced in a security policy, traffic must be sent to the content security engine for application identification. The firewall needs several packets before it can identify an application, so until identification is complete it cannot determine which security policy matches; this is the policy pending state. The firewall matches the first packet against the conditions of the security policy other than the application (mainly the 5-tuple), temporarily permits the traffic, and creates a session whose application field is empty. After identification completes, the firewall matches the traffic against the security policies again and updates the session. One consequence worth keeping in mind: because the initial packets are forwarded before identification completes, a deny policy whose only distinguishing condition is the application takes effect only from the point at which the application has been identified.
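The following is an added example, not the firewall's own code or data structures, that models in Python three points from this section: the dependent-first policy search described under "Referencing a Single Application in a Security Policy", the configuration prompts of Table 3-4, and the policy pending state. The dependency and association data (Dropbox over HTTP, HTTPS and SSL; GoogleTalk_VoIP with GoogleTalk_IM) come from the text; the rule format, addresses, rule names and the identification chains fed to `identified()` are constructed. One modelling assumption is made explicit: a layer of the chain for which no rule matches is skipped rather than denied, which is how a single-application permit can work without its dependents being configured, while a deny on a dependent still ends the search.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Dependency data taken from the text: Dropbox depends on HTTP, HTTPS and SSL;
# GoogleTalk_VoIP is associated with GoogleTalk_IM. The rule and session
# structures below are a constructed illustration, not the firewall's own.
DEPENDENTS = {"Dropbox": ["HTTP", "HTTPS", "SSL"]}
ASSOCIATED = {"GoogleTalk_VoIP": ["GoogleTalk_IM"]}
ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # source address condition (CIDR)
    dst_port: Optional[int] = None    # None means any destination port
    apps: tuple = (ANY,)              # application condition
    profile: Optional[str] = None     # content security profile, e.g. "default"

    def matches_tuple(self, src_ip, dst_port):
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == dst_port))

    def matches_app(self, app):
        return ANY in self.apps or app in self.apps


@dataclass
class Session:
    key: tuple
    action: str
    app: Optional[str] = None         # empty until identification completes
    pending: bool = True


def lint(rules):
    """Reproduce the prompts of Table 3-4: permit + profile needs the dependent
    applications, deny needs the associated applications."""
    warnings = []
    for r in rules:
        for app in r.apps:
            if r.action == "permit" and r.profile:
                missing = [d for d in DEPENDENTS.get(app, []) if d not in r.apps]
                if missing:
                    warnings.append((r.name, "dependent", tuple(missing)))
            if r.action == "deny":
                missing = [a for a in ASSOCIATED.get(app, []) if a not in r.apps]
                if missing:
                    warnings.append((r.name, "associated", tuple(missing)))
    return warnings


class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules, self.default, self.sessions = list(rules), default, {}

    def _lookup(self, src_ip, dst_port, app):
        for r in self.rules:                       # first match wins
            if r.matches_tuple(src_ip, dst_port) and r.matches_app(app):
                return r
        return None

    def first_packet(self, src_ip, dst_port):
        """Policy pending: only the non-application conditions are matched."""
        key = (src_ip, dst_port)
        if not any(r.matches_tuple(src_ip, dst_port) for r in self.rules):
            return self.default                    # no rule could ever match: no session
        self.sessions[key] = Session(key, "permit")   # temporary permit, app empty
        return "permit"

    def identified(self, src_ip, dst_port, chain):
        """Re-match once the SA engine reports the chain (dependents first)."""
        sess = self.sessions.get((src_ip, dst_port))
        if sess is None:
            return self.default
        decision = self.default
        for app in chain:                          # e.g. ["HTTP", "Dropbox"]
            rule = self._lookup(src_ip, dst_port, app)
            if rule is None:
                continue                           # no rule for this layer: try the next
            decision = rule.action
            if decision == "deny":
                break                              # a denied dependent ends the search
        sess.app, sess.pending, sess.action = chain[-1], False, decision
        return decision


# Constructed rule sets (hypothetical addresses and names).
RULES = [
    Rule("guest_no_http", "deny", src="10.2.0.0/16", apps=("HTTP",)),
    Rule("allow_dropbox", "permit", src="10.0.0.0/8", apps=("Dropbox",)),
]
RULES_WITH_PROFILE = [
    Rule("allow_dropbox_av", "permit", src="10.0.0.0/8", apps=("Dropbox",), profile="default"),
    Rule("block_voip", "deny", apps=("GoogleTalk_VoIP",)),
]
```

With `RULES`, a host in 10.2.0.0/16 opening Dropbox is first permitted while pending, then denied once the chain `["HTTP", "Dropbox"]` is reported, because the HTTP layer hits `guest_no_http` before the Dropbox permit is ever consulted; a host elsewhere in 10.0.0.0/8 is permitted even though no rule mentions HTTP. `lint(RULES_WITH_PROFILE)` produces the two prompts of Table 3-4: the permit-with-profile rule lacks HTTP, HTTPS and SSL, and the deny rule lacks GoogleTalk_IM.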