07-27-2011, 11:27 AM   #1
dmorris (Untangle Junkie)
How to use Protocol Control

I thought this thread already existed, but I can't find it, so I'm making a new one and making it sticky.

Protocol Control uses signatures to detect protocols. It does this because many modern applications don't use specific ports; they use ports that they know are likely to be open, making detecting and blocking protocols by port impossible.

Protocol Control just runs simple regular expression signatures against the datastream.
If a signature matches, the action is taken for that particular signature (log or block).

DO NOT UNDER ANY CIRCUMSTANCES just go through the list of signatures and say to yourself "well, I don't need this on my network so I'll just click block" and then proceed to click block on all the protocols you don't run or want on your network.
These signatures are not exact matches.

If you care about these protocols, click "log" only and then monitor the event log and reports. If you see you have an issue with a user/machine using a protocol you don't want on your network, you can do one of several things. You can yell/punish/block that user from the internet. You can also check "block" on that protocol. If you do the latter, realize that one of four things will happen:

1) It will block the protocol (ideal)
2) It will only partially block the protocol (many multi-session protocols only have some sessions identified)
3) It will block the protocol and block other things too (false positives)
4) It will block the protocol and the application will adapt and use an alternative protocol to communicate.

Back to the original point, if you just click "block" on all sorts of things you are likely to get a lot of #3 and likely to have a lot of issues.

Protocol Control is a tool to detect protocol usage and control it when necessary. Don't use it like a shotgun.
__________________
Attention: Support and help on the Untangle Forums is provided by
volunteers and community members like yourself.
If you need Untangle support please call or email support@untangle.com
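
The log-first workflow described in the post above, as an added example that is not part of the original post and is not Untangle's code: it runs two regular-expression signatures over sample sessions in log-only mode and reports which of the listed outcomes each would produce if switched to block. The signature names, patterns and sessions are all constructed for illustration.

```python
import re
from collections import Counter

# Hypothetical signatures, constructed for this example (not Untangle's own).
SIGNATURES = {
    "p2p-y": re.compile(rb"^\x13p2p-y handshake"),       # tight: fixed header
    "chat-x": re.compile(rb"^(helo|hello) \S+", re.I),   # loose: generic greeting
}

# Constructed sessions: (protocol actually in use, first bytes of the stream).
SESSIONS = [
    ("p2p-y", b"\x13p2p-y handshake\x00\x01"),
    ("p2p-y", b"\x00\x00\x40\x07\x9a\x11"),    # data session, no handshake
    ("chat-x", b"HELLO alice\r\n"),
    ("smtp", b"HELO mail.example.com\r\n"),    # unrelated protocol
    ("http", b"GET / HTTP/1.1\r\n"),
]

def classify(payload):
    """Return the name of the first signature matching the stream, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(payload):
            return name
    return None

def evaluate(sessions):
    """Log-only pass: count what each signature would do if set to block."""
    stats = {name: Counter() for name in SIGNATURES}
    for actual, payload in sessions:
        matched = classify(payload)
        if matched is not None:
            kind = "true_hit" if matched == actual else "false_positive"
            stats[matched][kind] += 1
        if actual in SIGNATURES and matched != actual:
            stats[actual]["missed"] += 1   # session of the protocol not identified
    return stats

def block_outcome(counts):
    """Map log-mode counts to outcomes 1-3 listed in the post."""
    if counts["false_positive"]:
        return "blocks other things too"
    if counts["missed"]:
        return "partially blocks"
    return "blocks the protocol"

if __name__ == "__main__":
    for name, counts in evaluate(SESSIONS).items():
        print(name, dict(counts), "->", block_outcome(counts))
```
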
07-27-2011, 12:19 PM   #2
sky-knight (Untangle Ninja)

I see you are getting these calls too? Between protocol control issues and the intrusion prevention module coming alive all over the place, all sorts of fun things are happening.

I do want to back Dirk up on each of his points. This explanation is accurate and complete. The Protocol Control module is a powerful tool, but used inappropriately it will result in hard-to-troubleshoot issues cropping up in random places. You will turn your hair grey, you will rip it out of your head, and only when you're an odd form of bloody bald will the answer land in your lap.

Take it from someone who learned this lesson the hard way.
__________________
Rob Sandling, BS:SWE, MCP
Intouch Technology
Phone: 480-272-9889
rob@intouchtechllc.com

UntangleAppliances.com
Phone: 866-794-8879