Last week @kiwi and I attended the Fuel user group Spark User Summit event in London, where we talked to several professionals about their deployments, fielded some questions and even gave a presentation on some best practices.
One question I was asked by several people boils down to this: how can I reliably build a group of applications I want to allow, without knowing in advance which applications my users may need?
Beyond the most basic applications of DNS, web browsing and SSL, today's environment of dynamic 'applications' rather than static web pages leaves an administrator with a complex landscape of options to navigate, and a wrong choice can turn out to be a landmine.
An approach I find myself recommending regularly, and one that a lot of administrators are not aware of or have not explored thoroughly, is Application Filters.
An application filter lets an administrator create a group of applications that share certain attributes (category, subcategory, technology, risk and behavioural characteristics such as 'prone to misuse') without needing to know each application by name. This works for the admin in both a permissive and a restrictive direction: all the 'bad' behaviour the admin deems unacceptable on the network can be captured in a filter used by a 'deny' security policy, while the 'good' applications can be captured in a filter used by an 'allow' policy.
Because an application filter is evaluated against the application database rather than being a fixed list of names, it is updated automatically every time a dynamic updates package is installed. Any new application is enforced by the security policy immediately, without anyone needing to investigate which brand-new applications are getting blocked and causing phone calls from users who can no longer work ('the firewall is blocking everything').
Or worse: which new and exciting 'bad' applications are being allowed through because they are not included in a static group of blocked applications? Keep in mind that this cuts both ways: a permissive filter will just as readily admit a newly released application that matches its criteria, so it is worth checking what a dynamic update has added to an 'allow' filter.
So how does it work?
First, you need to create a baseline of what 'type' of applications is acceptable. Depending on your organization, this can vary wildly: a school may need to be very permissive and block only the very worst, while a government organization whose main base of operations is in a bunker inside a mountain will need to be extremely strict about what is allowed out. A hospital and a run-of-the-mill office environment will each have their own 'type' of network traffic and applications as well.
Once you've decided how to proceed, tailoring the application filter will be easier than you might think:
When you hear 'peer-to-peer' you will probably think of BitTorrent, but many legitimate applications also use peer-to-peer functionality to optimize network performance, including a number of voice and video applications (Asterisk, FaceTime, TeamSpeak and Skype, to name a few). That is why each application also carries a risk factor from 1 (lowest) to 5 (highest). The risk factor lets you create a permissive application filter that admits only low-risk applications, or a restrictive one that catches the high-risk peer-to-peer apps:
Want to prevent users from using proxy or proxy-bypass applications to reach restricted content? Select the proxy subcategory together with the prone-to-misuse characteristic:
You can allow anything that is collaboration, general-internet or media, has a risk factor of 1 through 3 and is browser-based, but is NOT gaming or video streaming, by selecting all the desirable subcategories. The subcategory selection also determines which 'child' applications of a parent application end up in the filter:
With my chosen set of subcategories, only 4 out of the 11 Facebook applications are allowed (saving me the work of splitting them out manually).
My application filter only allows 4 Facebook applications
The full set of Facebook applications, all of which would be allowed if you simply picked 'facebook' in your security policy:
The original set of Facebook applications
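To make the mechanism concrete, here is a small model of how an application filter selects applications and how it feeds a deny-then-allow rulebase. This is an added example, not PAN-OS code or anything from the original post: the App-ID catalogue, its attribute values (categories, subcategories, risk numbers, characteristics), the `newproxy-tool` entry and the rule names are all constructed for illustration. It covers both the permissive/restrictive filter idea and the Facebook child-application case described above.

```python
"""Model of how an application filter selects App-IDs and drives a rulebase.

Added example, not PAN-OS code. The catalogue, attribute values and rule
names are constructed; on a real firewall the catalogue comes from the
installed dynamic updates package, which is why filters update on their own.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class App:
    """One App-ID with the attributes an application filter can match on."""
    name: str
    category: str
    subcategory: str
    technology: str
    risk: int                                    # 1 (lowest) .. 5 (highest)
    characteristics: FrozenSet[str] = frozenset()
    parent: Optional[str] = None                 # e.g. "facebook" for its child apps


@dataclass
class AppFilter:
    """Each attribute set is a constraint; an empty set means 'any value'.
    Values within one attribute are OR'ed, the attributes are AND'ed, and
    every selected characteristic must be present on the app."""
    category: Set[str] = field(default_factory=set)
    subcategory: Set[str] = field(default_factory=set)
    technology: Set[str] = field(default_factory=set)
    risk: Set[int] = field(default_factory=set)
    characteristics: Set[str] = field(default_factory=set)

    def matches(self, app: App) -> bool:
        return (
            (not self.category or app.category in self.category)
            and (not self.subcategory or app.subcategory in self.subcategory)
            and (not self.technology or app.technology in self.technology)
            and (not self.risk or app.risk in self.risk)
            and self.characteristics <= app.characteristics
        )

    def members(self, catalogue: List[App]) -> List[str]:
        """Membership is recomputed from the catalogue each time, so a content
        update changes it without an administrator touching the filter."""
        return sorted(a.name for a in catalogue if self.matches(a))


# Constructed catalogue: names resemble real App-IDs, but the attribute values
# are illustrative and are not Palo Alto Networks' actual metadata.
CATALOGUE: List[App] = [
    App("facebook-base",    "collaboration",    "social-networking", "browser-based", 3, parent="facebook"),
    App("facebook-chat",    "collaboration",    "instant-messaging", "browser-based", 3, parent="facebook"),
    App("facebook-posting", "collaboration",    "social-networking", "browser-based", 3, parent="facebook"),
    App("facebook-apps",    "collaboration",    "social-networking", "browser-based", 4, parent="facebook"),
    App("facebook-games",   "media",            "gaming",            "browser-based", 3, parent="facebook"),
    App("facebook-video",   "media",            "video-streaming",   "browser-based", 3, parent="facebook"),
    App("facebook-file-sharing", "general-internet", "file-sharing", "browser-based", 4,
        frozenset({"transfers-files"}), "facebook"),
    App("web-browsing",     "general-internet", "internet-utility",  "browser-based", 3),
    App("skype",            "collaboration",    "voip-video",        "peer-to-peer",  3),
    App("bittorrent",       "general-internet", "file-sharing",      "peer-to-peer",  5,
        frozenset({"prone-to-misuse", "evasive", "transfers-files"})),
    App("ultrasurf",        "networking",       "proxy",             "client-server", 5,
        frozenset({"prone-to-misuse", "evasive", "tunnels-other-apps"})),
]

# 'Allow' filter from the post: collaboration / general-internet / media, risk 1-3,
# browser-based, and only the desirable subcategories (gaming and video streaming
# deliberately left out of the list).
ALLOWED_BROWSER_APPS = AppFilter(
    category={"collaboration", "general-internet", "media"},
    subcategory={"social-networking", "instant-messaging", "internet-utility",
                 "email", "photo-video", "file-sharing"},
    technology={"browser-based"},
    risk={1, 2, 3},
)

# 'Deny' filter from the post: proxy subcategory plus the prone-to-misuse characteristic.
PROXY_BYPASS_APPS = AppFilter(subcategory={"proxy"}, characteristics={"prone-to-misuse"})

# Rulebase in evaluation order: deny the 'bad behaviour' filter first, allow the
# 'good' filter second, and fall through to an implicit deny for everything else.
RULEBASE = [("block-proxy-bypass", "deny", PROXY_BYPASS_APPS),
            ("allow-browser-apps", "allow", ALLOWED_BROWSER_APPS)]


def allowed_children_of(parent: str, flt: AppFilter, catalogue: List[App]) -> List[str]:
    """Child App-IDs of `parent` that the filter admits (the post's Facebook case)."""
    return sorted(a.name for a in catalogue if a.parent == parent and flt.matches(a))


def verdict(app_name: str, catalogue: List[App] = CATALOGUE) -> str:
    """First matching rule wins; no match means the implicit deny applies."""
    app = next(a for a in catalogue if a.name == app_name)
    for _name, action, flt in RULEBASE:
        if flt.matches(app):
            return action
    return "deny"


def after_content_update(catalogue: List[App]) -> List[App]:
    """Simulate a dynamic update shipping a brand-new App-ID. 'newproxy-tool' is a
    hypothetical name; no filter is edited, yet the deny rule catches it."""
    return catalogue + [App("newproxy-tool", "networking", "proxy", "client-server", 4,
                            frozenset({"prone-to-misuse", "tunnels-other-apps"}))]


if __name__ == "__main__":
    print("allowed:", ALLOWED_BROWSER_APPS.members(CATALOGUE))
    print("facebook children allowed:", allowed_children_of("facebook", ALLOWED_BROWSER_APPS, CATALOGUE))
    updated = after_content_update(CATALOGUE)
    print("denied after update:", PROXY_BYPASS_APPS.members(updated))
    for name in ("facebook-chat", "facebook-games", "ultrasurf", "newproxy-tool"):
        print(name, "->", verdict(name, updated))
```

Running it shows three of the seven constructed Facebook child apps passing the 'allow' filter (the risk-4, gaming and video-streaming children drop out), the proxy tool caught by the 'deny' filter, and the hypothetical application added by the simulated content update being denied without any change to either filter. Note that the same automatic behaviour applies to the 'allow' filter: an app matching its criteria would be admitted on the next update, which is the reason to review new App-IDs after installing one.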
As always, I hope this information helps you make your environment safer and more efficient! Feel free to post any questions or remarks below!