
Application Control and Port dependencies

Hello,

I do not understand how XG's Application Control works in detail (under the hood). Is there any documentation somewhere?


I have to control and restrict some Traffic between LAN and Production due to written regulation of security.

e.g. for understanding

  • LAN->Production:
    • Allow Port 80 if it is HTTP 
    • Allow Port 25 if it is SMTP
    • Block all Traffic in all other cases

In this example we have to Block HTTP on Port 25.


How can I solve this with Sophos XG?

sincerely

Guenter



  • Hi, thanks for giving your insight.

    I understand your point of view. Nowadays there's even malware using DNS over HTTPS to communicate with C&C over port 443, making it look exactly like HTTPS traffic to the firewall, and at the same time making protocol enforcement useless; but in this case most discussions in the community about this are not entirely about security, but management.

    You can build many real L7 scenarios with XG, as the firewall backend allows such processes. But there are certain limitations like groups etc.

    Let's talk about L7 Policies;

    The problem here is not being able to create rules directly based on the application. It makes management a hell: you will always end up with dozens or hundreds of "Application Filters", and every time you need to make a simple change, such as denying Google Drive, you will see yourself editing a bunch of those filters, because there are multiple different filters being applied on different users and groups that need to be blocked.

    In the scenario above, if you could create an L7-aware rule, all you would have to do is create a new rule on top that blocks this application, and select the users/groups.

    And, well... Protocol enforcement doesn't work that well anymore since pretty much >80% of the traffic is TLS encrypted; also, since on v18 the new DPI engine is capable of identifying known apps on any port, I don't see it as an issue anymore.

    Thanks again!



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • It highly depends on the size of your setup / network and your goal. If you start to create multiple filters for multiple reasons, you will end up editing all of those rules (which you could shortcut by using the API or XML). But I understand the issue at hand. I am simply here to tell you what is possible "as of today". I know there are other vendors using different approaches.

    There are a few points to this story. You can split this topic into multiple domains, like security, management, control and enforcement. Also scaling is a huge point of it. With simple setups, it is quite easy to build a secure application filter. If you go into more complex scenarios, where you want to deny multiple apps for different reasons, it can get more complicated.

    Other issues will come up in the future. Let's call them "in-apps": something like Outlook in Chrome, Teams in Chrome etc. As such applications use the browser, you will see on application control products only "Chrome" as a user agent or application filter. There is more stuff on the to-do list to interact with the future.


  • Hi Prism,

    XG does enforce protocol validation, and I did a similar test to the one you mentioned above.

    I am not sure of the exact configuration of your setup, but I have done the following and am seeing protocol enforcement being imposed.

    a. Created App filter policy with only "HTTP allow" followed by "Deny All".

    b. Attached to firewall rule (have tried both as service "any" and "HTTP" only; there is no difference in result). Rule No #16

    c. Initiated SSH traffic over port 80; application classified as SSH, like yours, on port 80 and denied by app filter.

    d. Traffic on Port 80 got allowed when HTTP GET was used and classified as HTTP app.

    There might be some other issue in your setup which may require investigation if this is happening consistently.
    Regards,
    Alok
  • Hi ,

    Thanks a lot for your answer, but there are two problems with this.

    1) You will have to create hundreds of "Application Filters" to then apply over all firewall policies; this is not intuitive.

    2) If the traffic isn't known by the IPS engine, it will bypass the "Action" of the "App Filter". Here's an example:

    Here's the App Filter Policy I've used.

    Here it is showing it can block SSH running on TCP/80.

    And here's iperf3 traffic running on TCP/80 being allowed. Any application that isn't identifiable by the IPS engine can bypass this.

    The same applies for a firewall rule that only allows TCP/53 and UDP/53 for DNS: even if you create an Application Filter that only allows DNS traffic, you can still run a WireGuard VPN over UDP/53 and it will be allowed, since it's not known by the IPS engine.

    Thanks!



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall
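An added audit script, not from this thread or from Sophos, that checks the two behaviours described above (Alok's allow-HTTP-then-deny-all test and the unclassified/iperf3 and WireGuard-over-UDP/53 bypasses): it scans allowed flows and flags any whose application classification is not the protocol expected on that port. The log lines are constructed in a generic key=value style and are not the real XG log format; the port-to-protocol table is an assumed policy mirroring the original question.

```python
import re

# Assumed policy from the original question: which classification is expected
# on each restricted destination port (HTTP on 80, SMTP on 25, DNS on 53).
EXPECTED_APP = {80: {"HTTP"}, 25: {"SMTP"}, 53: {"DNS"}}

# Constructed sample log lines (NOT the real Sophos XG format). "app" is the
# engine's classification; "-" means the engine returned no known application.
SAMPLE_LOG = """\
action=allow dst_port=80 app=HTTP src=10.0.0.5 dst=10.1.0.9
action=deny dst_port=80 app=SSH src=10.0.0.5 dst=10.1.0.9
action=allow dst_port=80 app=- src=10.0.0.7 dst=10.1.0.9
action=allow dst_port=53 proto=udp app=- src=10.0.0.8 dst=10.1.0.53
action=allow dst_port=80 app=Shopify src=10.0.0.5 dst=10.1.0.9
action=allow dst_port=25 app=SMTP src=10.0.0.5 dst=10.1.0.25
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict."""
    return {k: v for k, v in KV.findall(line)}


def audit(log_text, expected=EXPECTED_APP):
    """Return allowed flows whose classification does not match the port's protocol.

    'unclassified': the engine saw no known app, so an app filter's deny-all never
    matched and the flow slipped through (the iperf3 / WireGuard case).
    'mismatch': a known app (e.g. Shopify) was allowed although the policy for that
    port names only the base protocol; worth reviewing how wide the rule has become.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "allow":
            continue  # denied flows are already handled as intended
        port = int(rec["dst_port"])
        if port not in expected:
            continue  # port not covered by the regulated policy
        app = rec.get("app", "-")
        if app == "-":
            findings.append(("unclassified", port, app, rec["src"]))
        elif app not in expected[port]:
            findings.append(("mismatch", port, app, rec["src"]))
    return findings


if __name__ == "__main__":
    for kind, port, app, src in audit(SAMPLE_LOG):
        print(f"{kind}: port {port} app={app} from {src}")
```

Feeding real firewall logs into audit() (after adapting parse_line to the actual field names) gives a regular compliance check that port-level allow rules are not carrying unclassified traffic.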

  • Hi ,

    There's also another issue. If the traffic has a known application classification on Sophos XG, even if it is HTTP traffic, the IPS engine will not identify it as HTTP traffic, but as its own application.

    Here's the Application Filter I've used, which allows only HTTP traffic.

    And here's the rule being applied only over TCP/80.

    Now here's what happens when I try to access an HTTP application over TCP/80, which should also be identified as HTTP, but as you can see it gets blocked because it didn't get identified as HTTP, but as "Baidu Website" and "Shopify". (Those are examples I used.)

    Thanks!

    EDIT: I didn't know this worked on XG. Cool.



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Yes, I agree this will allow unclassified traffic by IPS. 

  • It's very well expected that after protocol analysis (in this case HTTP), further traffic gets classified as a specific application, in this case "Baidu Website" and "Shopify".

    It should get allowed/denied based upon the final application classified and the policy that has been configured.

    Regards,
    Alok

  • Well, then protocol enforcement doesn't work at all on Sophos XG. The same applies if I allow only SSL/TLS (application) traffic on TCP/443: if the SSL/TLS traffic gets matched to a known application, it won't work.

    Good to know, Thanks.



    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall