Overview
The Application Control feature in cOS Stream allows IP rules to generate log messages which identify the type of application that is causing an IP rule set entry to trigger. A simple example of such an application might be the peer-to-peer file sharing protocol BitTorrent.
The current application control implementation provides an auditing function only and it is not possible to automatically block specific applications. However, it is possible to manually close specific flows based on the related application using the flow command.
Behavior on License Validity Expiry
Note that if the Upgrades Valid Until date in the firewall's license has passed, the application control subsystem will no longer scan traffic even if it has been enabled to do so. Application control will also not block any traffic.
Application Control Setup Steps
The following steps are required to set up application control:
1. Application control must be enabled globally for the configuration. By default, application control is enabled. If application control has been switched off and needs to be re-enabled, the command would be the following:
System:/>
set Settings AppControlSettings AppControlEnabled=Yes
2. Enable application control log message generation for a given IP rule entry in the main IP rule set. For example:
System:/>
cc RuleSet IPRuleSet main
System:/IPRuleSet/main>
set IPRule 1 AppControl=Yes
Note that the index number of the entry must be specified.
Application Control Signatures
The application control engine is driven using a database of application signatures. Each signature is a definition used by the engine to identify the application in a flow. The latest database update is integrated into each software release for cOS Stream. Each signature in the database corresponds to one type of application.
The complete application signature database is listed in a separate document titled Application Control Signatures. In this document, it can be seen that each signature has the following properties associated with it:
Name
This is a unique name for each signature and is used to identify individual applications. For example, bittorrent.
Family
This is a parent grouping to Name and collects together related signatures. For example, the signature BitTorrent belongs to the family called peer_to_peer. The signature called yahoo_groups belongs to the family forum.
A signature can belong to only one family.
Tag
There can be multiple Tag values for each signature and each provides alternative ways of grouping signatures which can be used in searches. For example, the signature called bittorrent has the Tag value of p2p_file_sharing associated with it.
Risk
The Risk value is a number between 1 and 5 which indicates the seriousness of the security risk posed by the application. A value of 1 is the lowest risk and 5 is the highest.
This grading of risk reflects the degree of danger which allowing the application's data traffic poses to protected resources. For example, some applications with a high risk might facilitate the transmission of malicious software.
Naming Conventions in the CLI and Signature Reference Guide
Application control names, for example for applications and tags, can have two different forms. One form is that used as the description in the signature reference guide that includes uppercase and spaces. The second form is all lowercase and spaces are replaced by underscore characters. This second form is used with the CLI. For example, bittorrent. In some isolated cases, the names can have different lengths. For example, the tag Software Update becomes updater in the CLI. The best approach to naming in the CLI is to use the tab completion feature for the correct name.
Browsing the Application Control Signature Database
In the CLI, the command appcontrol can be used to examine the database of application signatures. Without any parameters, this command shows a summary of all the signatures in the current database. Here is an example of the output for an example database version:
System:/>
appcontrol
Application control system information
Number of applications 3208
Number of families 32
Number of tags 40
Active Yes
License until 2025-11-22
Application library version 1.420.2
Application engine version 5.4.0-46
Application definition version 1.420.0-43
Application data version 1.420.0-43
Number of flows currently being analyzed 1
To display individual application signatures, use the -show-applications parameter. Without any other parameters, this will display the entire database in blocks of 20 entries. This is obviously a long list so other command parameters can be used to restrict the selection. For example, the -num parameter determines the number of signatures displayed by the command:
System:/>
appcontrol -show-applications -num=5
Name        Full Name
----------  ---------------------------
base        Base virtual protocol
unknown     Unknown virtual protocol
malformed   Malformed virtual protocol
incomplete  Incomplete virtual protocol
8021q       802.1Q Ethernet VLAN
Displaying Application Families
The -family parameter can be used to filter the signatures within a given family. The following incomplete command uses a tab character to display all the families:
System:/>
appcontrol -show-applications -family=<tab>
antivirus            file_server         network_management  telephony
application_service  file_transfer       network_service     terminal
audio_video          forum               peer_to_peer        thin_client
authentication       game                printer             tunneling
compression          instant_messaging   qosmos              unclassified
database             mail_protocols      routing             wap
encrypted            microsoft_office    security_service    web
erp                  middleware          standard            webmail
These families contain the individual signature definitions. For example, to view the signatures in the compression family, use the command:
System:/>
appcontrol -show-applications -family=compression
Name  Full Name
----  ----------------------------
ccp   Compression Control Protocol
comp  COMP
To view the details of signatures, the -verbose option can be used with the other criteria such as the -name option. For example, to display details of the comp application from the list above, the following command can be used:
System:/>
appcontrol -show-applications -name=comp -verbose
Listing applications with NamesFilter='comp'.
comp - COMP
COMP protocol is used for data compression over PPP.
Family: Compression
Risk Level: 1 - Very low risk
Tags: Network Layer Protocols
Revision: 18
The Risk Level indicates the degree of threat that this particular application poses. The Tag data (there can be multiple tags) provides more information about the data traffic related to the application. For example, the High Bandwidth tag indicates that the application has the ability to consume significant amounts of bandwidth.
In summary, it is possible to search the signature database by using any combination of the following filter parameters with the command appcontrol -show-applications:
Using Wildcards with Name
Only the -name parameter can accept the asterisk "*" character as a wildcard. For example:
System:/>
appcontrol -show-applications -name=n* -family=web -risk=HIGH
Name     Full Name
-------  ----------
netload  Netload.in
ngrok    ngrok
The following are guidelines for how the risk parameter for each application control signature should be viewed by the administrator:
Risk Level 5
Very high risk. This traffic should be blocked unless special circumstances or requirements exist. For example, PHP-, CGI-, HTTPS-proxies; known attack sites.
Risk Level 4
High risk. This traffic should be reviewed and a block or allow action taken. Site-to-site tunneling should be used where possible. For example, SSH, LDAP, RADIUS, Dropbox and similar.
Risk Level 3
Medium risk. Signatures with this risk level can affect network security, bandwidth usage and company integrity if care is not taken. For example, Facebook and other social networks, Google Analytics and similar aggregators, P2P/filesharing.
Risk Level 2
Moderate risk. Signatures with this risk level can affect network security and/or affect bandwidth usage. For example, video streaming sites, Java/Flash game sites.
Risk Level 1
Low risk. Signatures that could be candidates for blocking. Typically not a threat. For example, e-commerce sites, news portals.
Application Detected for a New Flow
A new flow is established and the current application for that flow is classified. Below is a typical example of such a log message where the application dns is detected:
APPCONTROL: prio=information id=00000 event=application_identified flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a flowfwd_srcip=192.168.10.20 flowfwd_srcport=54701 flowfwd_destip=192.168.5.120 flowfwd_destport=53 flowrev_recvif=if3 flowrev_recvzone=n/a flowrev_srcip=192.168.5.120 flowrev_srcport=53 flowrev_destip=192.168.10.20 flowrev_destport=54701 flowfwd_totpkts=4 flowfwd_totbytes=300 flowrev_totpkts=0 flowrev_totbytes=0 app_new=dns app_old=unclassified appfwd_totpkts=3 appfwd_totbytes=225 apprev_totpkts=0 apprev_totbytes=0 user=n/a userid=n/a action=none
Detected Application Changes for an Existing Flow
The application for an established flow changes. Below is a typical example of this type of log message where the dns application found in the previous log message changes to the dns_tunnel application which indicates an attempt at DNS tunneling:
APPCONTROL: prio=information id=00000 event=application_changed flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a flowfwd_srcip=192.168.10.20 flowfwd_srcport=22223 flowfwd_destip=192.168.5.120 flowfwd_destport=53 flowrev_recvif=if3 flowrev_recvzone=n/a flowrev_srcip=192.168.5.120 flowrev_srcport=53 flowrev_destip=192.168.10.20 flowrev_destport=22223 flowfwd_totpkts=4 flowfwd_totbytes=503 flowrev_totpkts=0 flowrev_totbytes=0 app_new=dns_tunnel app_old=dns appfwd_totpkts=3 appfwd_totbytes=279 apprev_totpkts=0 apprev_totbytes=0 user=n/a userid=n/a action=none
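The two log messages above are key=value records, so a small parser lets a SIEM or script watch for the application_identified to application_changed transition described here. The following is an added example, not code from cOS Stream or this document; the APPCONTROL lines are the ones shown above, and the WATCH_APPS set is an assumption made for the example.

```python
import re
from typing import Dict, List, Tuple

# The two APPCONTROL log messages shown in this section, used here as sample input.
SAMPLE_LOG = """\
APPCONTROL: prio=information id=00000 event=application_identified flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a flowfwd_srcip=192.168.10.20 flowfwd_srcport=54701 flowfwd_destip=192.168.5.120 flowfwd_destport=53 flowrev_recvif=if3 flowrev_recvzone=n/a flowrev_srcip=192.168.5.120 flowrev_srcport=53 flowrev_destip=192.168.10.20 flowrev_destport=54701 flowfwd_totpkts=4 flowfwd_totbytes=300 flowrev_totpkts=0 flowrev_totbytes=0 app_new=dns app_old=unclassified appfwd_totpkts=3 appfwd_totbytes=225 apprev_totpkts=0 apprev_totbytes=0 user=n/a userid=n/a action=none
APPCONTROL: prio=information id=00000 event=application_changed flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a flowfwd_srcip=192.168.10.20 flowfwd_srcport=22223 flowfwd_destip=192.168.5.120 flowfwd_destport=53 flowrev_recvif=if3 flowrev_recvzone=n/a flowrev_srcip=192.168.5.120 flowrev_srcport=53 flowrev_destip=192.168.10.20 flowrev_destport=22223 flowfwd_totpkts=4 flowfwd_totbytes=503 flowrev_totpkts=0 flowrev_totbytes=0 app_new=dns_tunnel app_old=dns appfwd_totpkts=3 appfwd_totbytes=279 apprev_totpkts=0 apprev_totbytes=0 user=n/a userid=n/a action=none
"""

# Every field after the "APPCONTROL:" prefix is key=value with no spaces in the value.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Applications whose appearance as app_new on an already classified flow should raise
# an alert. dns_tunnel is the case this section describes; the set itself is an
# assumption made for this example, not a list defined by cOS Stream.
WATCH_APPS = {"dns_tunnel"}

FlowKey = Tuple[str, str, str, str, str]


def parse_appcontrol(line: str) -> Dict[str, str]:
    """Parse one APPCONTROL log message into a dict of its key=value fields."""
    if not line.startswith("APPCONTROL:"):
        raise ValueError("not an APPCONTROL log message")
    return dict(KV_RE.findall(line))


def flow_key(rec: Dict[str, str]) -> FlowKey:
    """Identify a flow by its protocol and forward-direction 4-tuple."""
    return (rec["flow_proto"], rec["flowfwd_srcip"], rec["flowfwd_srcport"],
            rec["flowfwd_destip"], rec["flowfwd_destport"])


def suspicious_changes(log_text: str) -> List[Tuple[FlowKey, str, str]]:
    """Return (flow, app_old, app_new) for every application_changed event whose
    new classification is on the watch list; all other events are ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_appcontrol(line)
        if rec.get("event") == "application_changed" and rec.get("app_new") in WATCH_APPS:
            alerts.append((flow_key(rec), rec["app_old"], rec["app_new"]))
    return alerts


if __name__ == "__main__":
    for flow, old, new in suspicious_changes(SAMPLE_LOG):
        proto, sip, sport, dip, dport = flow
        print(f"{proto} {sip}:{sport} -> {dip}:{dport} reclassified {old} -> {new}")
```

An alert produced this way carries the forward 4-tuple, which is the information an administrator needs to locate the flow with flow -show -app and, if warranted, close it with flow -close -appfilter= as described later in this section.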
Displaying Flows with Application Information
By adding the -app option to the flow -show command, an extra column called App will appear in the output which shows the application classification for each flow. Below is an example which shows a single flow classified by application control as being DNS traffic:
System:/>
flow -show -app
        Source                          Dest
Proto   Iface    IP              Port   Iface  IP              Port
------  -------  --------------  -----  -----  --------------  -----
UDP     if1(0)   192.168.10.20   39415  if3    192.168.5.120   53

ID /
Timeout  App
-------  ------------------
126      dns
Here, the individual signature name appears in the App column.
If application control has not yet classified the flow, the text not_yet_classified will appear. If the flow cannot be classified, the text n/a will appear.
If the -verbose option is added to the above command, a path appears in the App column which reflects the internal hierarchy of the signature database:
System:/>
flow -show -app -verbose
        Source                          Dest
Proto   Iface    IP              Port   Iface  IP              Port
------  -------  --------------  -----  -----  --------------  -----
UDP     if1(0)   192.168.10.20   39415  if3    192.168.5.120   53

ID /
Timeout  App
-------  ------------------
126      ip.udp.dns
In addition, the -verbose option will also show the return part of a bi-directional flow.
To filter the applications displayed by the flow command, the -appfilter= option can be used. For example, to display DNS flows, the following command might be used:
System:/>
flow -show -app -appfilter=dns
The string specified with -appfilter cannot contain wildcards and cannot be a list. However, the -appfilter option works by searching for all flows that contain the specified text string anywhere in the full application path of the flow. An example application path is ip.udp.dns and the string .udp. would match this path (and all other UDP flows).
Closing Flows Based on the Application
The flow command with the -close and -appfilter options can be used to close all flows for a single application or a range of applications. For example, the following would close all flows that are currently classified as being bittorrent traffic:
System:/>
flow -close -appfilter=bittorrent
As described previously, the whole application path will be searched for the string specified in the -appfilter option. For example, the following would close all flows with application paths that contain the characters ".udp." anywhere (and consequently, all UDP flows):
System:/>
flow -close -appfilter=.udp.
Application control is a subscription service and the expiry date for the current subscription is specified by a line in the system license. The current status of the application control system can be viewed by using the command appcontrol with no parameters. Example output when the feature has not expired is shown earlier in this section. After expiry, the following will be seen:
System:/>
appcontrol
Application control is not allowed by the current license.
When the application control subscription expires, the following will happen:
A log message is generated at system startup or on reconfiguration to indicate subscription expiry.
A console warning message is generated at system startup or on reconfiguration for each entry in the main IP rule set that is configured to use application control.
No application control log messages are generated if a flow triggers an entry in the main IP rule set which has application control enabled. However, the rule set entry will function as normal.