User manual SONICWALL SONICOS 5.8 APPLICATION CONTROL FEATURE MODULE REV A

[. . . ] Application Control / Application Firewall in SonicOS Enhanced 5. 8 Document Scope This document describes how to configure and manage the Application Control and Application Firewall features in SonicOS 5. 8. This document contains the following sections: · · · · · · "Application Control / Application Firewall Overview" on page 1 "Licensing Application Control / Application Firewall" on page 25 "Using Application Firewall and Application Control" on page 26 "Useful Tools" on page 45 "Use Cases" on page 52 "Glossary" on page 80 Application Control / Application Firewall Overview This section provides an introduction to the SonicOS 5. 8 Application Control and Application Firewall features. This section contains the following subsections: · · · · · "What are Application Control and Application Firewall?" on page 1 "Benefits" on page 3 "How Do Application Control and Application Firewall Work?" on page 4 "Supported Platforms" on page 24 "Supported Standards" on page 25 What are Application Control and Application Firewall? In SonicOS 5. 8, the Application Firewall feature of previous SonicOS releases has been significantly enhanced with Application Control functionality. As part of this solution, the set of application relevant signatures have been extracted from the existing set of IPS signatures and placed under the realm of the Application Control feature. [. . . ] For the following policy rules, the wizard displays the Set Application Firewall Object Keywords and Policy Direction screen on which you can select the traffic direction to scan, and the content or keywords to match. · · · · All SMTP policy rule types except Specify maximum email size All POP3 policy rule types All Web Access policy rule types except Look for usage of certain web browsers and Look for usage of any web browser, except the ones specified All FTP policy types except Make all FTP access read-only and Disallow usage of SITE command In the Set Application Firewall Object Keywords and Policy Direction screen, perform the following steps: · · In the Direction drop-down list, select the traffic direction to scan from the drop-down list. Select one of Incoming, Outgoing, or Both. Do one of the following: Note If you selected a choice with the words except the ones specified in the previous step, content that you enter here will be the only content that does not cause the action to occur. See "Negative Matching" on page 14. ­ In the Content text box, type or paste a text or hexadecimal representation of the content to match, and then click Add. Repeat until all content is added to the List text box. ­ To import keywords from a predefined text file that contains a list of content values, one per line, click Load From File. · Click Next. If you selected a policy type in the previous step that did not result in the Set Application Firewall Object Keywords and Policy Direction screen with the standard options, the wizard displays a screen that allows you to select the traffic direction, and certain other choices depending on the policy type. · · · In the Direction drop-down list, select the traffic direction to scan. SMTP: In the Set Maximum Email Size screen, in the Maximum Email Size text box, enter the maximum number of bytes for an email message. Web Access: In the Application Firewall Object Settings screen, the Content text box has a drop-down list with a limited number of choices, and no Load From File button is available. Select a browser from the drop-down list. FTP: In the special-case Set Application Firewall Object Keywords and Policy Direction screen, you can only select the traffic direction to scan. Click Next. · · 22 Application Control and Application Firewall in SonicOS 5. 8 Using Application Control Step 8 In the Application Firewall Action Settings screen, select the action to take when matching content is found in the specified type of network traffic, and then click Next. You will see one or more of the following choices depending on the policy type, as shown below: Policy Type All Types All Types SMTP SMTP SMTP POP3 Web Access Web Access Web Access Web Access Available Action Log Only Bypass DPI Blocking Action - block and send custom email reply Blocking Action - block without sending email reply Add Email Banner (append text at the end of email) Blocking Action - disable attachment and add custom text Blocking Action - custom block page Blocking Action - redirect to new location Blocking Action - Reset Connection Manage Bandwidth Step 9 In the second Application Firewall Action Settings screen (if it is displayed), in the Content text box, type the text or URL that you want to use, and then click Next. The second Application Firewall Action Settings screen is only displayed when you selected an action in the previous step that requires additional text. For a Web Access policy type, if you selected an action that redirects the user, you can type the new URL into the Content text box. Step 10 In the Select Name for Application Firewall Policy screen, in the Policy Name text box, type a descriptive name for the policy, and then click Next. Step 11 In the Confirm Policy Settings screen, review the displayed values for the new policy and do one of the following: · · · To create a policy using the displayed configuration values, click Apply. To change one or more of the values, click Back. To exit the wizard without creating the policy, click Cancel. Step 12 In the Application Firewall Policy Complete screen, to exit the wizard, click Close. Note You can configure Application Firewall policies without using the wizard. When configuring manually, you must remember to configure all components, including match objects, actions, email user objects if required, and finally, a policy that references them. Configuring Match Objects This section describes how to manually create a match object. For detailed information about match object types, see "Match Objects" on page 9. Application Control and Application Firewall 21 Using Application Control To configure a match object, perform the following steps: Step 1 In the navigation pane on the left side, click Firewall and then click Match Objects. Step 2 Step 3 In the Match Objects screen, click Add New Match Object. In the Match Object Settings window, in the Object Name text box, type a descriptive name for the object. Step 4 Step 5 Step 6 Step 7 Select an Match Object Type from the drop-down list. Your selection here will affect available options in this screen. See Table 2 on page 10 for a description of match object types. Select a Match Type from the drop-down list. The available selections depend on the match object type. [. . . ] A reverse shell exploit could be used by an attacker if he or she is successful in gaining access to your system by means of a Zero-day exploit. A Zero-day exploit refers to an attack whose signature is not yet recognized by security software. In an early stage while still unknown, malicious payloads can pass through the first line of defense which is the IPS and Gateway Anti-Virus (GAV) running at the Internet gateway, and even the second line of defense represented by the host-based Anti-Virus software, allowing arbitrary code execution on the target system. In many cases, the executed code contains the minimal amount of instructions needed for the attacker to remotely obtain a command prompt window (with the privileges of the exploited service or logged on user) and proceed with the penetration from there. [. . . ]