How to Configure Application Control for the UTM
Table of Contents
Concepts
Components
Configuration Steps
    Configuring Global Mode
    Configuring Profile Mode
Conclusion
Concepts

NETGEAR ProSecure and ProSafe security appliances are non-compromising network security solutions for midsized IT environments. They are tailored to deliver the reliable, affordable, and simple network protection that businesses demand.

Traditional firewalls and routers allow and deny access to combinations of ports and IP addresses. This approach was valid in the 1990s and early 2000s. However, they have no way of stopping threats and applications coming in through typically open ports (e.g. port 80, port 443, port 25). Today's web and cloud applications use these open ports for communication; even worse, today's threats also exploit the fact that traditional firewalls and routers are basically defenseless on open ports. NETGEAR ProSecure UTMs address this by inspecting traffic on ALL ports, regardless of whether the port is open or closed. This gives business owners and network admins visibility into, and control over, application use on their network.

Application control in the UTM is available in two modes: Global mode and Profile mode. Global mode is a single profile applied to all traffic on the UTM. Profile mode allows the creation of multiple profiles, which can then be attached to different firewall rules.

In this application note, we will go over the steps to enable application control, configure a global application control profile, and also configure an application control profile and apply it to a firewall rule. In each of these examples we will block all social networking applications except for Facebook, while still blocking Facebook games.

Components

The following requirements are needed when using this guide for implementation:

Product                       Model/Release Version
NETGEAR ProSecure UTM Series  All UTM models
Firmware version              3.0.1-x and above
Configuration Steps

Configuring Global Mode

Global mode is a single application control policy for the entire network. Go to the Application Security -> Application Control page. Under Global Application Control Profile, click Edit.
You will now be taken to the Add or Edit Application Control Profile page.
Towards the bottom of the page, under Categories, select Social Network. Click on the + sign for Social Network. The Social Network category is now added to the Active Categories and Individual Applications of the current profile. This policy means that all applications that fall under the Social Network category will be blocked. Next we will allow Facebook. Once you highlight the Social Network category, all applications that fall under this category will show up on the right-hand side under Applications.
Find Facebook under Applications and click on the + sign. Facebook is now added to the Active Categories and Individual Applications of the current profile. Since the default is to block, we will have to edit the Facebook policy to allow instead. Click Edit. You'll be taken to the Application Control Policy page for Facebook.
Change the Application Policy from Drop to Allow and click Apply. The application Facebook is now allowed under the current policy. Keep in mind that individual application rules take priority over category rules. Next, we will block Facebook games.
Go back to the bottom of the page and, under the Social Network category, select the application Facebook Game and click on the corresponding + sign. The application Facebook Game will now be added to the Active Categories and Individual Applications of the current profile. Once you have all three added, click Apply at the bottom of the Add or Edit Application Control Profile page. You'll now be taken back to the Application Control page. Finally, select Yes under "Do you want to enable Application Control?" and click Apply. We've now successfully configured the global application control profile.
Configuring Profile Mode

Profile mode gives the administrator the flexibility to configure multiple profiles and apply them to different firewall rules. Go to the Application Security -> Application Control page. The default is Global mode. We will now change it to Profile mode. Change Mode: to Profile in the drop-down menu and click Apply.
The UTM will now run in Profile mode. This also means the Global Application Control profile is ignored. Next, we will add a profile that blocks all social networking applications and allows Facebook, but also blocks Facebook games. Click the Add button. You'll be taken to the Add or Edit Application Control Profile page. Give the profile a name (in this example we name this profile "Test") and a brief description.
Now follow the instructions in the Global mode section to configure this policy. Once that is done, your Application Control page should look like the following. Next, we will apply this profile to the default outbound firewall policy. Go to the Network Security -> Firewall -> LAN WAN Rules page.
We will now add an outbound firewall policy for all users on the LAN and apply the Test application control profile we just created to it. Click on the Add button under Outbound Services. On the Add LAN WAN Outbound Service page, configure it to allow all traffic for all users. In the Application Control drop-down menu, select the Test profile. Click Apply. The new outbound firewall policy will now show up. And we're done!
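To make the precedence rules behind both procedures (the Global mode profile built above and the Test profile attached to an outbound rule in Profile mode) concrete, here is an added Python model of how a profile resolves a verdict. It is example code written for this note, not NETGEAR's implementation: it encodes only what the note states (an individual application rule overrides its category rule, an unlisted application is allowed, the global profile is ignored in Profile mode, and nothing is enforced until application control is enabled). The application-to-category catalogue, the "Web Mail" category and the Gmail entry are constructed for the example.

```python
"""Model of UTM application-control verdict resolution (added example, not NETGEAR code)."""
from dataclasses import dataclass, field

# Constructed sample catalogue: application -> category. "Web Mail"/"Gmail"
# are hypothetical entries used only to show an application outside the
# blocked category.
APP_CATEGORY = {
    "Facebook": "Social Network",
    "Facebook Game": "Social Network",
    "Twitter": "Social Network",
    "Gmail": "Web Mail",
}


@dataclass
class AppControlProfile:
    name: str
    categories: dict = field(default_factory=dict)    # category -> "Drop"/"Allow"
    applications: dict = field(default_factory=dict)  # application -> "Drop"/"Allow"

    def add_category(self, category, policy="Drop"):
        # Adding a category with the + sign gives it the default Drop policy.
        self.categories[category] = policy

    def add_application(self, app, policy="Drop"):
        # Adding an application also defaults to Drop; Edit changes it.
        self.applications[app] = policy

    def verdict(self, app):
        """Individual application rule first, then its category rule, else Allow."""
        if app in self.applications:
            return self.applications[app]
        category = APP_CATEGORY.get(app)
        if category in self.categories:
            return self.categories[category]
        return "Allow"


@dataclass
class Utm:
    mode: str = "Global"        # "Global" or "Profile"
    enabled: bool = False       # the "Do you want to enable Application Control?" switch
    global_profile: AppControlProfile = field(
        default_factory=lambda: AppControlProfile("Global"))
    profiles: dict = field(default_factory=dict)       # name -> AppControlProfile
    outbound_rules: list = field(default_factory=list)  # attached profile name or None per rule

    def verdict(self, app):
        if not self.enabled:
            return "Allow"
        if self.mode == "Global":
            return self.global_profile.verdict(app)
        # Profile mode: the global profile is ignored; the first outbound rule
        # (modelled here as an allow-all rule) decides via its attached profile.
        for profile_name in self.outbound_rules:
            if profile_name is None:
                return "Allow"
            return self.profiles[profile_name].verdict(app)
        return "Allow"


def build_social_profile(name):
    """The three-rule profile built in the note."""
    profile = AppControlProfile(name)
    profile.add_category("Social Network")          # block the whole category
    profile.add_application("Facebook", "Allow")    # edited from Drop to Allow
    profile.add_application("Facebook Game")        # stays Drop
    return profile


def global_mode_example():
    utm = Utm()
    utm.global_profile = build_social_profile("Global")
    utm.enabled = True  # last step of the Global mode procedure
    return {app: utm.verdict(app) for app in APP_CATEGORY}


def profile_mode_example():
    utm = Utm(mode="Profile", enabled=True)
    utm.profiles["Test"] = build_social_profile("Test")
    utm.outbound_rules.append("Test")  # allow-all LAN WAN rule with Test attached
    return {app: utm.verdict(app) for app in APP_CATEGORY}


def profile_mode_without_rule():
    # Profile mode with a populated global profile but no rule attached:
    # the global profile is ignored, so everything is allowed.
    utm = Utm(mode="Profile", enabled=True)
    utm.global_profile = build_social_profile("Global")
    return utm.verdict("Twitter")


if __name__ == "__main__":
    print("Global mode:", global_mode_example())
    print("Profile mode:", profile_mode_example())
    print("Profile mode, no rule:", profile_mode_without_rule())
```

Running it shows the same outcome for both modes (Facebook allowed, Facebook Game and Twitter dropped, Gmail untouched), and shows why the Profile mode procedure ends with attaching the profile to an outbound rule: without that step nothing is enforced.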
Conclusion

Following the steps above, we have successfully enabled application control and configured a profile in both Global mode and Profile mode. For Profile mode, we've successfully attached the application control profile to an outbound firewall policy. Users on the network are now blocked from all Social Networking access except for Facebook. In addition, they will also be blocked from Facebook games.

NETGEAR, the NETGEAR logo, Connect with Innovation, ProSafe and ProSecure are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Other brand names mentioned herein are for identification purposes only and may be trademarks of their respective holder(s). Information is subject to change without notice. © 2012 NETGEAR, Inc. All rights reserved. www.netgear.com