Application filtering ensures that the users of your network cannot access unwanted applications, which could be, for example, Facebook, Xing, and others. The filtering process evaluates application names and reputation scores and blocks access accordingly. Filtering can also be applied to individual functions of applications.
The following elements are involved in this process:
- Filtering rules that control the process
- Application lists that are used by rules to block applications
- Application system lists that are updated in intervals
Update status and statistics of the application filtering process are shown on the dashboard.
Rules for application filtering
The rules that control application filtering are usually contained in one rule set. They block access to applications and individual functions of applications using the following two methods:
- Block applications and individual functions that are on a list
- Block applications that are assigned a particular risk level
To block applications and individual functions according to a list, the Application.Name property is used.
The value of this property is the name of an application, or of an individual function of an application, that appears in a request sent by a user who wants to access it. If this name is on a blocking list, access is blocked, as in the following example rule.
|Block applications according to list|
|Application.Name is in list Unwanted Applications||–> Block<Application Blocked>|
To block applications according to their risk levels, properties such as Application.IsMediumRisk or Application.IsHighRisk are used, which have true or false as their values.
Risk evaluation is based on the reputation score for an application that is assigned to it by the Global Threat Intelligence system. If the risk for allowing access to an application is considered to be high, it means it has a bad reputation.
If an application reaches or exceeds this level, access to it is blocked, as in the following example rule.
|Block high-risk applications|
|Application.IsMediumRisk equals true OR Application.IsHighRisk equals true||–> Block<Application Blocked>|
Both methods rely on the application system lists. Only applications and application functions that are on these lists can appear on a list that is used by an application filtering rule.
The risk levels for applications and application functions are also those that are shown on the application system lists.
For logging purposes, there are the Application.ToString and Application.Reputation properties, which are the name of a requested application converted into a string and a numerical value for its reputation score, respectively.
You can use these properties in rules that record information in log file entries.
Application filtering is not performed by default on an appliance. However, you can import the Application Control rule set from the library.
You can then review the rules in this rule set, modify or delete them, and also create your own rules.
Blocking lists are used by rules to block access to applications that are requested by users. The rules in the library rule set include lists that are already filled with several application names.
You can add application names to a list from the library rule set or remove them and also create your own lists. If you add application names, you must take them from the application system list.
In the same way, you can create and edit lists with names of application functions.
Application system lists
The applications and application functions that can be blocked by application filtering rules appear on lists, which are provided by the appliance system and updated in intervals.
You can view these lists by expanding the Application Name folder under System Lists on the lists tree of the Lists tab. This folder contains a number of subfolders for different types of applications, for example, File Sharing or Instant Messaging.
A subfolder contains a list of applications, providing the following information for each of them:
- Application name (or application name with application function)
- Risk level
- Description of the application (or application function)
A function of an application appears in parentheses after the application name, for example, Orkut(Orkut Chat). If you include an application function in the list of a blocking rule, only this function is blocked, not the complete application.
The following is an example of an entry for an application in a system list:
MessengerFX | Risk: Minimal: A web-based instant messaging service
The next example shows an entry for an application function:
Orkut(Orkut Chat) | Risk: High: Allows users to send instant messages.
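The entry format above and the two blocking rules can be modeled offline to check what a blocking list will and will not catch. The following Python sketch is an added example, not the appliance's rule engine. The function names, the Example* entries, exact-name matching, and the treatment of names missing from the system list are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

# Entry layout as shown on the page: "Name(Function) | Risk: Level: Description"
ENTRY_RE = re.compile(r"^(?P<app>[^(|]+?)(?:\((?P<func>[^)]+)\))?\s*\|"
                      r"\s*Risk:\s*(?P<risk>\w+):\s*(?P<desc>.*)$")

class Entry(NamedTuple):
    name: str                # value compared against Application.Name
    function: Optional[str]  # set when the entry is an application function
    risk: str
    description: str

def parse_entry(line):
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a system list entry: {line!r}")
    app, func = m["app"].strip(), m["func"]
    name = f"{app}({func})" if func else app
    return Entry(name, func, m["risk"], m["desc"].strip())

def load_system_list(lines):
    return {e.name: e for e in map(parse_entry, lines)}

def build_block_list(names, system):
    # Names on a blocking list must be taken from the application system list.
    unknown = sorted(set(names) - set(system))
    if unknown:
        raise ValueError(f"not on the system list: {unknown}")
    return set(names)

def matching_rule(application_name, system, block_list):
    """Return the name of the first rule that blocks the request, or None."""
    entry = system.get(application_name)
    if entry is None:
        return None  # assumption: a name not on a system list matches neither rule
    if entry.name in block_list:  # exact match: a function entry blocks only that function
        return "Block applications according to list"
    if entry.risk in ("Medium", "High"):  # IsMediumRisk OR IsHighRisk
        return "Block high-risk applications"
    return None

# First two lines are the page's examples; the Example* entries are constructed.
SYSTEM_LIST = load_system_list([
    "MessengerFX | Risk: Minimal: A web-based instant messaging service",
    "Orkut(Orkut Chat) | Risk: High: Allows users to send instant messages.",
    "ExampleChat | Risk: Minimal: Constructed application entry",
    "ExampleChat(File Transfer) | Risk: Minimal: Constructed function entry",
    "ExampleShare | Risk: Medium: Constructed file-sharing entry",
])
UNWANTED = build_block_list(["ExampleChat(File Transfer)"], SYSTEM_LIST)
```

With this list, `matching_rule("ExampleChat(File Transfer)", SYSTEM_LIST, UNWANTED)` is caught by the list rule while `"ExampleChat"` itself passes, which is the function-only behavior described above.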
Application filtering information on the dashboard
The dashboard provides the following information on application filtering:
- Update status of the application list
- Statistics on applications and application functions that have actually been blocked