Application Firewall Configuration Examples

Transcription

1 SonicOS Application Firewall Configuration Examples This technote describes practical usage examples with the SonicOS Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0. The Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0 and higher releases provides network administrators deep visibility of the various types of network traffic traversing the firewall, and provides a powerful tool for granularly controlling it. 1 The specific AF practical examples presented in this document are: Fingerprint - Prevent a document that contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network. Bandwidth Throttling on a global basis Detect and apply bandwidth throttling to streaming media on a global basis (all users). Bandwidth management on per group basis Detect and apply individualized bandwidth management (throttling & guarantees) to streaming media on a per group basis. Forbidden file type - Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded. Disallowing all unnecessary commands - Enhance the security of public facing FTP servers by disallowing all unnecessary commands. Disallowing HTTP POST method - Enhance the security of public facing read-only HTTP servers by disallowing HTTP POST method. Block web browsers/applications - Block the usage of all non-sanctioned web browsers/applications on the network. AF Objects, Applicable Policy Types and Usage Example Table- Provides a matrix of Application Firewall Objects, Applicable Policy Types and Usage Examples and their relationships. At the end of this document you ll find and an object and usage matrix that will summarize the AF components. 1 The examples and screenshots in this document are shown using SonicOS Enhanced 5.0 running on an E-CLASS NSA. These examples are applicable to SonicOS Enhanced 4.0 running on SonicWALL PRO Series.

2 Fingerprint To prevent documents which contain a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network, perform the following steps: SonicWALL_Logo.gif 1. Create a new Word Document and name it ApplicationFirewall_Test.doc. 2. Create a custom Watermark using the SonicWALL_Logo.gif file embedded above in this document (Specific steps will vary based on MS Office version). Save the document. 3. Run the XVI32 hex-editor tool. You can download it here: Navigate to the SonicWALL_Logo.gif file and open it. 4. Select Edit>Block <n> chars then select the decimal option then type 50 in the space provided, this will mark the first 50 characters in the file which is sufficient to generate a unique thumbprint for use in a Custom Application Object. It should look like the following screenshot. 5. Select Edit>Clipboard>Copy as hex string. 6. Open Notepad then paste the string you just copied into it. It should look like the following screenshot. 2

3 7. Next select Edit > Replace and in the dialog box that opens under Find What press the space bar once then click Replace All. This intermediary step is necessary to remove all the spaces from the Hex string. It should now look like the following screenshot. 8. Select Edit > Select All then Edit > Copy. 9. In the SonicWALL GUI navigate to Application Firewall > Application Objects then click Add New Object. Create an Application Object like the one shown below: 3

4 10. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot. 4

5 11. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. Testing To test this policy attempt to the AppFirewall_Test.doc you created. You should see an Alert similar to the one below in the log: 5

6 Bandwidth Throttling on a Global Basis To detect and apply bandwidth throttling to streaming media on a global basis (all users), perform the following steps: 1. Open Internet Explorer and go to the following site: 2. Open Wireshark Network Analyzer and start a capture. You can download a copy of Wireshark here: 3. Click where it says: 4. Once you hear audio stop the capture and close the streaming radio player. 5. In Wireshark select Edit > Find Packet select By: String and Search in Packet Details. In filter type: Content-Type: application/sdp then click Find. See screenshot below: 6

7 6. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the server will be sending a MIME Content-Type of application/sdp (RTSP). Application Firewall can dynamically detect any MIME type and perform the prescribed action. In this case we will throttle the bandwidth. Note: Although the example here is for just one MIME type you can use a similar procedure to identify MIME types for other types of media and data transferred over HTTP. The IANA maintains a database of all registered MIME types here: 7. Navigate to Application Firewall > Application Objects and create and object like the one in the following screenshot. 7

8 8. Navigate to Application Firewall > Actions and create and action like the one shown in the following screenshot. Note: In order to complete this step Bandwidth Management must be enabled on the firewall. Please refer to the SonicOS Enhanced Administrator s Guide for detailed steps on how to do this. You can download the guide here: 8

9 9. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. 9

10 Testing To test this policy repeat steps 1 & 3 again to listen to the streaming radio. You should see alerts similar to the ones shown below in the log. To verify the effectiveness of AF bandwidth management, try adjusting the Maximum Bandwidth value in the Bandwidth - Throttle action to larger and smaller values. You should hear a marked improvement/degradation in the audio quality demonstrating that that the bandwidth throttling is working as expected. Note: The application object we created in step 7 contains MIME types for other streaming media sites such as and Feel free to try these out as well. 10

11 Bandwidth Management on a per Group Basis To detect and apply individualized bandwidth management (throttling & guarantees) to streaming media on a per group basis, perform the following steps: This example builds on the previous one by demonstrating how AF policies can be configured so that they only apply to the specified included user groups or conversely; so they apply to everyone except for excluded groups. This example also serves to demonstrate how AF can leverage the firewalls LDAP integration capabilities along with Single Sign On (SSO). Descriptions of the various authentication components are used in these examples and corresponding screenshots. Prerequisites: This example assumes you have already enabled and properly configured LDAP authentication and SSO on the firewall and the workstation you will use to test from is a member of the domain. You will also need SonicWALL CFS enabled on the LAN zone so that SSO authentication will occur. Please refer to the SonicOS Enhanced Administrator s Guide for detailed steps on how to do these tasks. You can download the guide here: User Login Settings 11

12 LDAP Schema (Microsoft AD) 12

13 Domain Name (sonicwall-central.com) 13

14 Validation of LDAP authentication functionality and group assignment 14

15 LDAP Groups imported into firewall Local Groups (snwl-managers & snwl-sales) Validation of SSO functionality Login to test workstation twice; once as user who is a member of the snwl-managers and of the snwl-sales group. Open a new browser each time. The screenshot below shows that both users were authenticated by SSO and the bubble is showing that user Paul is a member of the user group snwl-managers. User Syya is a member of the snwl-sales group. 15

16 1. Navigate to Application Firewall > Actions and create a new action, like the one shown in the following screenshot. 16

17 2. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. 17

18 3. Edit the policy you created in the previous step so that it includes the snwl-sales group and excludes the snwl-managers group. Refer to the following screenshot. 18

19 Testing To test this policy login as a member of the snwl-managers group go to and watch any video. Notice the quality. Next login as a member of the snwl-sales group and repeat the exercise. You should see a marked degradation in the video quality. The corresponding log messages are shown in the following screenshot. Notice the two different policies being invoked; one for manager use that guarantees bandwidth and the other that throttles it. Because the application object we created in the previous step included the MIME type for.exe file transfers (application/octect-stream) another good test you can perform to quantify the effectiveness of AF is to download the Wireshark application we used in the first step: When logged in as a member of the snwl-managers group you should increase in throughput as opposed to when logged in as a member of snwl-sales. 19

20 Forbidden File Types To prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded, perform the following steps: 1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown below: 2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot. 20

21 3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. 21

22 Testing To test this policy open a web browser and try and download any of the file types specified in the Application Object (exe, vbs, scr). Below are a few URL s you can try: You will see an alert similar to the one shown in the following screenshot in the log. 22

23 Disallowing All Unnecessary Commands To enhance the security of public facing FTP servers by disallowing all unnecessary commands, perform the following steps: 1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown in the following screenshot. 2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot. 23

24 3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. Testing To test this policy you will need to setup an FTP server inside your firewall and create the appropriate security policy to allow external access. Afterwards issue one of the forbidden commands. You will see an alert similar to the one shown below in the log. 24

25 If you don t have access to an FTP server but would like to see this policy in action, go to ftp.sonicwallcentral.com and attempt to execute one of the forbidden FTP commands. Disallowing HTTP POST Method To enhance the security of public facing read-only HTTP servers by disallowing HTTP POST method, perform the following steps: 1. Using Notepad, create a new document called Post.htm that contains the HTML code below and save it to your desktop: <FORM action=" method="post"> <p>please enter your name: <input type="text" name="fullname"></p> <input type="submit" value="submit"> <INPUT type="reset"> 2. Open Wireshark Network Analyzer and start a capture. Open the form you just created type in your name and click Submit. Stop the capture. 3. Using Wiresharks s Edit> Find Packet function, search for the string POST. See the following screenshot for details. 25

26 4. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and is comprised of the first four bytes (504f5354) of the TCP payload (HTTP application layer). We will use that information to create a custom application firewall object that detects the HTTP POST method in the following step. 5. In the SonicWALL GUI navigate to Application Firewall > Application Objects then click Add New Object. Create an Application Object like the one shown in the following screenshot. Notice that in this particular application object we are using the Enable Settings feature which allows you to create objects that look for a match in a specific part of the payload. Offset specifies which byte in the payload Application Firewall should start matching. Depth specifies at what byte to stop matching. Min & Max allow you to specify a minimum and maximum payload size. 26

27 6. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot. Testing To test open the Post.htm document you created earlier type in your name and click Submit. The connection should drop this time and you should see an alert in the log similar to the one below. 27

28 Block Web Browsers/Applications To block the usage of all non-sanctioned web browsers/applications on the network, perform the following steps: 1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown below. Notice the use of Enable Negative Matching in this case which allows us to explicitly specify the allowed User Agent(s) (e.g. Internet Explorer all versions in this case) while implicitly denying all others. 28

29 2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown below: 29

30 3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown below: Testing To test this policy, attempt to access a website using any browser other than Internet Explorer. Note: If you do not have another browser type available, uncheck the Enable Negative Matching option in step 1 and try with Internet Explorer. 30

31 AF Objects, Applicable Policy Types and Usage Example Table No Application Object ActiveX ClassID Custom Object Body CC From Size Description Valid Policy Type(s) Usage Example allows the enumeration of the Class ID of an Active- X component. alphanumeric or hexadecimal strings that can be used to match any part of the TCP or UDP payload. alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message body. alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message CC: field. alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message From: field. allows the maximum size that can be sent to be specified. HTTP Server (Response) Custom Policy FTP Client (Request) HTTP Client (Request) HTTP Server (Response) POP3 Client (Request) POP3 Server (Response) SMTP Client (Request) POP3 Server (Response) SMTP Client (Request) POP3 Server (Response) SMTP Client (Request) POP3 Server (Response) SMTP Client (Request) SMTP Client (Request) Good for preventing some online games, music sites and other applications based on ActiveX controls. (e.g. Flash & Shockwave). Prevent file which contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network. Detect applications, file downloads and other Internet activities using corresponding MIME types and apply bandwidth limits to them. Block s which contain certain keywords in the body. Block s destined to specific users and/or domains indicated in the CC: field. Block s from specific users and/or domains indicated in the From: field. Block with attachments that exceed a specified size. 31

32 Subject To MIME Custom Header File Content alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message Subject: field. alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message To: field. alphanumeric or hexadecimal strings that can be used to match content in an SMTP or POP3 message custom MIME header. alphanumeric or hexadecimal strings that can be used to match the contents of a file being transferred via FTP or SMTP. The pattern will be matched even if the file is compressed. POP3 Server (Response) SMTP Client (Request) POP3 Server (Response) SMTP Client (Request) POP3 Server (Response) SMTP Client (Request) FTP Data Transfer Policy SMTP Client (Request) Block s which contain certain keywords in the Subject: field. Block s destined to specific users and/or domains indicated in the To: field. Block s which contain a specified custom MIME field(s). Block FTP or SMTP transfers of a confidential file. 32

33 File Extension alphanumeric or hexadecimal strings that represent file extensions. For POP3 or SMTP, extensions of attachments will be matched. FTP Client File Download (Request) FTP Client File Upload (Request) HTTP Client (Request) POP3 Server (Response) SMTP Client (Request) Prevent risky or forbidden file types (e.g..exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded. For HTTP, extensions of uploaded attachments (Web mail) will be matched. 11 File Name For FTP, extensions of uploaded or downloaded files will be matched. alphanumeric or hexadecimal strings that represent file names. For POP3 or SMTP, attachment file names will be matched. FTP Client File Download Request FTP Client File Upload Request HTTP Client (Request) POP3 Server (Response) SMTP Client (Request) Prevent files with specified names from being up or downloaded. For HTTP, file names of uploaded attachments (Web mail) will be matched FTP Command For FTP, file names of uploaded or downloaded files will be matched. FTP commands. FTP Client (Request) Enhance the security of public facing FTP servers by disallowing all unnecessary commands. 33

34 FTP Command + Value HTTP Set Cookie HTTP Host HTTP Referer HTTP Request Custom Header FTP commands with an additional alphanumeric or hexadecimal string(s) that represents a specific parameter (e.g. DELETE word.doc) alphanumeric or hexadecimal strings that can be used to match cookies sent by web servers. alphanumeric or hexadecimal strings that can be used to match hostnames contained within the URI of an HTTP request. alphanumeric or hexadecimal strings that can be used to match hostnames of referring servers contained in HTTP requests. alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP client (browser) requests. FTP Client (Request) HTTP Server (Response) HTTP Client (Request) HTTP Client (Request) HTTP Client (Request) Allow users read/write access to FTP servers while selectively blocking the deletion or overwriting of specified files and/or folders Enhance security by blocking specified cookies sent by web servers Yet another way to block access to websites... Block access to sites based upon the FQDN of the host that referred it Enhance Security by controlling browser requests which include custom headers. 34

35 HTTP Response Custom Header HTTP Cookie HTTP URI Content HTTP User Agent Web Browser alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP (web) server responses alphanumeric or hexadecimal strings that can be used to match cookies sent by browsers. alphanumeric or hexadecimal strings that can be used to match any content found inside of the URI in an HTTP request alphanumeric or hexadecimal strings that can be used to match any content inside the User- Agent header (e.g. MSIE) the various textual strings that can be used to match the name various browsers use to identify themselves. This information is contained in the User-Agent header of an HTTP GET request. HTTP Server (Response) HTTP Client (Request) HTTP Client (Request) HTTP Client (Request) HTTP Client (Request) Enhance Security by controlling data received from web servers in custom HTTP headers Enhance security by preventing certain cookies from being sent by the browser Prevent HTTP downloads of forbidden file types. Prevent access to a variety of web content based on information in the URI Block the usage of all non-sanctioned web applications on the network Block the usage of all non-sanctioned web browsers on the network 35

36 AF Actions & Applicable Policy Types Action Bandwidth Management Block SMTP Send Error Reply Block SMTP Without Reply Bypass DPI Disable Attachment Add Text Add Text FTP Notification Reply HTTP Block Page HTTP Redirect No Action Applicable Policy Type(s) Custom FTP Client Upload/Download HTTP Client HTTP Server SMTP Client SMTP Client Custom FTP Client FTP Client Upload/Download FTP Data Transfer HTTP Client HTTP Server POP3 Client POP3 Server SMTP Client SMTP Client SMTP Client FTP Client FTP Client Upload/Download HTTP Client HTTP Client Custom FTP Client FTP Client Upload/Download FTP Data Transfer HTTP Client HTTP Server POP3 Client POP3 Server SMTP Client 36

37 Reset/Drop Custom FTP Client FTP Client Upload/Download FTP Data Transfer HTTP Server HTTP Client POP3 Client POP3 Server SMTP Client Document Edited: 11/21/07 37