
SonicOS Application Firewall Configuration Examples

This technote describes practical usage examples with the SonicOS Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0.

The Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0 and later releases gives network administrators deep visibility into the various types of network traffic traversing the firewall, and provides a powerful tool for controlling that traffic granularly.


The specific AF practical examples presented in this document are:

- Fingerprint: Prevent a document that contains a specific fingerprint (e.g. an embedded corporate watermark) from being transferred out of the network.

- Bandwidth throttling on a global basis: Detect and apply bandwidth throttling to streaming media on a global basis (all users).

- Bandwidth management on a per-group basis: Detect and apply individualized bandwidth management (throttling and guarantees) to streaming media on a per-group basis.

- Forbidden file types: Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being uploaded or downloaded.

- Disallowing all unnecessary commands: Enhance the security of public-facing FTP servers by disallowing all unnecessary commands.

- Disallowing the HTTP POST method: Enhance the security of public-facing read-only HTTP servers by disallowing the HTTP POST method.

- Block web browsers/applications: Block the usage of all non-sanctioned web browsers/applications on the network.

- AF Objects, Applicable Policy Types and Usage Example Table: Provides a matrix of Application Firewall objects, applicable policy types and usage examples, and their relationships.

At the end of this document you’ll find an object and usage matrix that summarizes the AF components.


Fingerprint

To prevent documents which contain a specific fingerprint (e.g. an embedded corporate watermark) from being transferred out of the network, perform the following steps:

[Embedded image: SonicWALL_Logo.gif]

1. Create a new Word document and name it ‘ApplicationFirewall_Test.doc’.

2. Create a custom watermark using the ‘SonicWALL_Logo.gif’ file embedded above in this document (the specific steps vary with the MS Office version). Save the document.

3. Run the XVI32 hex-editor tool. You can download it here: http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip. Navigate to the ‘SonicWALL_Logo.gif’ file and open it.

4. Select ‘Edit > Block <n> chars…’, select the ‘decimal’ option and type 50 in the space provided. This marks the first 50 characters of the file, which is sufficient to generate a unique “thumbprint” for use in a Custom Application Object. It should look like the following screenshot.

5. Select ‘Edit > Clipboard > Copy as hex string’.

7. Next select ‘Edit > Replace…’. In the dialog box that opens, press the space bar once under ‘Find What’, then click ‘Replace All’. This intermediate step is necessary to remove all the spaces from the hex string. It should now look like the following screenshot.

8. Select ‘Edit > Select All’, then ‘Edit > Copy’.

9. In the SonicWALL GUI navigate to ‘Application Firewall > Application Objects’, then click ‘Add New Object’.


11. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the one shown in the following screenshot.
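The hex-string steps above (mark the first 50 bytes, copy them as a hex string, strip the spaces) and the resulting Custom Object match, as an added Python example that is not part of the technote. SAMPLE_GIF is a constructed stand-in for SonicWALL_Logo.gif (the real file is not reproduced here), the two document payloads are constructed, and GENERIC_HEADER_LEN is an assumption about how much of a GIF's leading bytes every GIF of the same geometry shares.

```python
"""Hex fingerprint of a file's leading bytes, and matching it in a payload.

Added example, not from the SonicWALL technote. It reproduces in Python what
steps 3 to 8 do by hand in XVI32 (mark the first 50 bytes, copy them as a hex
string, strip the spaces) and then checks a transferred payload for that byte
sequence, which is what a Custom Object hex match does. SAMPLE_GIF below is a
constructed stand-in for SonicWALL_Logo.gif, not the real file.
"""
from __future__ import annotations

# Constructed GIF-like bytes: signature and logical screen descriptor (shared
# by every GIF89a of this geometry), then arbitrary colour-table data so that
# a 50-byte window reaches file-specific content.
SAMPLE_GIF = (
    b"GIF89a"                    # signature, identical in every GIF89a file
    + b"\x64\x00\x28\x00"        # logical screen width 100, height 40
    + b"\xf7\x00\x00"            # packed fields, background index, aspect
    + bytes((i * 37 + 11) & 0xFF for i in range(120))
)

# Bytes a GIF of the same geometry and flags would share. Assumption: only the
# signature (6 bytes) and the logical screen descriptor (7 bytes) are generic.
GENERIC_HEADER_LEN = 13


def hex_editor_string(data: bytes, length: int = 50, offset: int = 0) -> str:
    """Spaced hex of data[offset:offset + length], as a hex editor's
    'copy as hex string' produces it (step 5)."""
    window = data[offset:offset + length]
    return " ".join(f"{b:02X}" for b in window)


def fingerprint_hex(data: bytes, length: int = 50, offset: int = 0) -> str:
    """The space-free hex string that goes into the Custom Object (step 7)."""
    return hex_editor_string(data, length, offset).replace(" ", "")


def payload_contains(payload: bytes, fingerprint: str) -> bool:
    """True if the byte sequence encoded by `fingerprint` occurs anywhere in
    the payload, the way a Custom Object matches TCP payload content."""
    return bytes.fromhex(fingerprint) in payload


def window_is_distinctive(length: int, offset: int = 0) -> bool:
    """False if the chosen window lies entirely inside the generic header,
    in which case the object would match every GIF, not just the watermark."""
    return offset + length > GENERIC_HEADER_LEN


# Constructed payloads: a document carrying the embedded logo, and one without.
DOC_WITH_LOGO = b"\xd0\xcf\x11\xe0" + b"WordDocument" + SAMPLE_GIF + b"\x00" * 8
DOC_WITHOUT_LOGO = b"\xd0\xcf\x11\xe0" + b"WordDocument" + b"plain body text"

if __name__ == "__main__":
    fp = fingerprint_hex(SAMPLE_GIF)
    print("fingerprint:", fp)
    print("distinctive window:", window_is_distinctive(50))
    print("watermarked doc matches:", payload_contains(DOC_WITH_LOGO, fp))
    print("other doc matches:", payload_contains(DOC_WITHOUT_LOGO, fp))
```

The `offset` parameter is the one design choice worth noting: a window that starts at byte 0 of any file also contains that format's common signature, so when verifying the object, confirm that a different GIF does not match it as well; if it does, start the window past the shared header.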

Testing


Bandwidth Throttling on a Global Basis

To detect and apply bandwidth throttling to streaming media on a global basis (all users), perform the following steps:

1. Open Internet Explorer and go to the following site: http://www.klif.com/listen.asp

2. Open Wireshark Network Analyzer and start a capture. You can download a copy of Wireshark here: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe

3. Click where it says:

4. Once you hear audio, stop the capture and close the streaming radio player.


6. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the server will be sending a MIME Content-Type of application/sdp (RTSP). Application Firewall can dynamically detect any MIME type and perform the prescribed action. In this case we will throttle the bandwidth.

Note: Although the example here is for just one MIME type you can use a similar procedure to identify MIME types for other types of media and data transferred over HTTP. The IANA maintains a database of all registered MIME types here: http://www.iana.org/assignments/media-types


8. Navigate to ‘Application Firewall > Actions’ and create an action like the one shown in the following screenshot.

Note: In order to complete this step Bandwidth Management must be enabled on the firewall. Please refer to the SonicOS Enhanced Administrator’s Guide for detailed steps on how to do this. You can download the guide here:


Testing

To test this policy, repeat steps 1 and 3 again to listen to the streaming radio. You should see alerts similar to the ones shown below in the log.

To verify the effectiveness of AF bandwidth management, try adjusting the ‘Maximum Bandwidth’ value in the ‘Bandwidth - Throttle’ action to larger and smaller values. You should hear a marked improvement or degradation in the audio quality, demonstrating that the bandwidth throttling is working as expected.


Bandwidth Management on a per Group Basis

To detect and apply individualized bandwidth management (throttling and guarantees) to streaming media on a per-group basis, perform the following steps:

This example builds on the previous one by demonstrating how AF policies can be configured so that they apply only to specified included user groups or, conversely, to everyone except excluded groups. It also demonstrates how AF can leverage the firewall’s LDAP integration together with Single Sign On (SSO). The various authentication components used in this example are described alongside the corresponding screenshots.

Prerequisites: This example assumes you have already enabled and properly configured LDAP authentication and SSO on the firewall, and that the workstation you will test from is a member of the domain. You will also need SonicWALL CFS enabled on the LAN zone so that SSO authentication occurs. Please refer to the SonicOS Enhanced Administrator’s Guide for detailed steps on these tasks. You can download the guide here:

http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf


LDAP Groups imported into firewall Local Groups (snwl-Managers & snwl-Sales)

Validation of SSO functionality

Log in to the test workstation twice: once as a user who is a member of the ‘snwl-Managers’ group and once as a member of the ‘snwl-Sales’ group. Open a new browser each time.


Testing

To test this policy, log in as a member of the ‘snwl-Managers’ group, go to www.youtube.com and watch any video. Notice the quality. Next, log in as a member of the ‘snwl-Sales’ group and repeat the exercise. You should see a marked degradation in the video quality. The corresponding log messages are shown in the following screenshot. Notice the two different policies being invoked: one for “manager use” that guarantees bandwidth and the other that throttles it.

Because the application object we created in the previous step included the MIME type for .exe file transfers (application/octet-stream), another good test you can perform to quantify the effectiveness of AF is to download the Wireshark application we used in the first step:
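The MIME-type detection behind the global throttle (previous example) and the per-group guarantee/throttle split (this example), as one added Python example that is not part of the technote. The MIME types are the ones the technote identifies (application/sdp for the RTSP stream, application/octet-stream for the .exe download) and the group names snwl-Managers and snwl-Sales are the technote's; the policy names, rate values and the three responses are constructed. It goes slightly beyond the text in that the same header parser serves HTTP and RTSP responses, since both use the same header syntax.

```python
"""Choosing a bandwidth action from a response's MIME type and the user's
groups.

Added example, not from the technote. It models the two policies the text
describes: a global throttle on streaming media and, building on it, a
per-group variant where 'snwl-Managers' get a guarantee and everyone else is
throttled. Policy names, rates and responses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# MIME types the technote identifies in its captures.
STREAMING_MEDIA_TYPES = {"application/sdp", "application/octet-stream"}


def content_type_of(response: bytes) -> str | None:
    """Media type from the Content-Type header (lower-cased, parameters such
    as charset removed), or None if the header is absent. Works for HTTP and
    RTSP responses alike because both use the same header syntax."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            media = value.split(b";", 1)[0].strip().lower()
            return media.decode("ascii", "replace")
    return None


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                                   # "throttle" or "guarantee"
    kbps: int
    included_groups: frozenset = frozenset()      # empty means everyone
    excluded_groups: frozenset = frozenset()

    def applies_to(self, user_groups: frozenset) -> bool:
        if self.included_groups and not (self.included_groups & user_groups):
            return False
        return not (self.excluded_groups & user_groups)


# Constructed policy table. Evaluated top-down; the first match wins, so the
# manager guarantee must precede the global throttle.
POLICIES = [
    Policy("Manager streaming guarantee", "guarantee", 512,
           included_groups=frozenset({"snwl-Managers"})),
    Policy("Streaming throttle", "throttle", 64,
           excluded_groups=frozenset({"snwl-Managers"})),
]


def select_action(response: bytes, user_groups=()) -> tuple[str, str, int] | None:
    """(policy name, action, kbps) for the first applicable policy, or None
    when the response is not streaming media or no policy covers the user.
    A user SSO could not identify has no groups and so gets the global rule."""
    if content_type_of(response) not in STREAMING_MEDIA_TYPES:
        return None
    groups = frozenset(user_groups)
    for policy in POLICIES:
        if policy.applies_to(groups):
            return policy.name, policy.action, policy.kbps
    return None


# Constructed responses resembling what the captures in the text would show.
SDP_RESPONSE = (b"RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
                b"Content-Type: application/sdp\r\n\r\n"
                b"v=0\r\no=- 0 0 IN IP4 0.0.0.0\r\n")
EXE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Content-Type: application/octet-stream\r\n\r\nMZ\x90\x00")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>")

if __name__ == "__main__":
    for who, groups in (("sales", {"snwl-Sales"}),
                        ("manager", {"snwl-Managers"}),
                        ("unidentified", set())):
        print(who, select_action(SDP_RESPONSE, groups))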


Forbidden File Types

To prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being uploaded or downloaded, perform the following steps:

1. Navigate to ‘Application Firewall > Application Objects’ and click ‘Add New Object’. Create an object like the one shown below:


Testing

To test this policy, open a web browser and try to download any of the file types specified in the Application Object (exe, vbs, scr). Below are a few URLs you can try:

http://download.skype.com/SkypeSetup.exe

http://us.dl1.yimg.com/download.yahoo.com/dl/msgr8/us/msgr8us.exe

http://g.msn.com/8reen_us/EN/INSTALL_MSN_MESSENGER_DL.EXE
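The File Extension match this example relies on, applied to HTTP request targets and to FTP transfer commands, as an added Python example that is not part of the technote. The extension list is the technote's (exe, vbs, scr, dll, avi, mov); the request lines and FTP command lines are constructed, and FTP_TRANSFER_VERBS is an assumption about which commands name a file. It goes slightly beyond the text by normalising case, query strings and percent-encoding, so that `setup.EXE?x=1` and `setup%2Eexe` are still recognised as .exe.

```python
"""Matching forbidden file extensions in HTTP request targets and FTP file
transfer commands.

Added example, not from the technote. The extension list is the technote's;
the requests and FTP command lines are constructed.
"""
from __future__ import annotations
import posixpath
from urllib.parse import unquote, urlsplit

FORBIDDEN_EXTENSIONS = frozenset({"exe", "vbs", "scr", "dll", "avi", "mov"})

# FTP commands that carry a file name for a transfer (assumption: other
# commands, e.g. LIST, are not transfers and carry no extension to check).
FTP_TRANSFER_VERBS = frozenset({"RETR", "STOR", "APPE"})


def extension_of(filename: str) -> str:
    """Lower-cased extension without the dot, '' when there is none."""
    base = posixpath.basename(filename)
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot and ext else ""


def http_request_target_extension(request_line: bytes) -> str:
    """Extension of the request target in an HTTP request line.
    Accepts origin-form ('/dl/a.exe') and absolute-form targets, drops the
    query string first and decodes percent-escapes before reading the name,
    so an encoded '?' in the path cannot hide the real extension."""
    parts = request_line.decode("latin-1").split()
    if len(parts) < 2:
        return ""
    return extension_of(unquote(urlsplit(parts[1]).path))


def ftp_transfer_extension(command_line: bytes) -> str:
    """Extension of the file named by a RETR/STOR/APPE command, '' otherwise."""
    text = command_line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    if verb.upper() not in FTP_TRANSFER_VERBS:
        return ""
    return extension_of(arg.strip())


def is_forbidden(extension: str) -> bool:
    return extension in FORBIDDEN_EXTENSIONS


if __name__ == "__main__":
    for line in (b"GET http://download.skype.com/SkypeSetup.exe HTTP/1.1",
                 b"GET /dl/msgr8us.EXE?lang=en HTTP/1.1",
                 b"GET /setup%2Eexe HTTP/1.1",
                 b"GET /index.html HTTP/1.1"):
        ext = http_request_target_extension(line)
        print(line.decode(), "->", ext, "forbidden" if is_forbidden(ext) else "ok")
```

Extension matching looks only at the name, so a renamed file passes it; the technote's object table lists a separate File Content object for matching on what the file actually contains, and the two are complementary.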


Disallowing All Unnecessary Commands

To enhance the security of public facing FTP servers by disallowing all unnecessary commands, perform the following steps:

1. Navigate to ‘Application Firewall > Application Objects’ and click ‘Add New Object’. Create an object like the one shown in the following screenshot.


3. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the one shown in the following screenshot.

Testing


If you don’t have access to an FTP server but would like to see this policy in action, go to ftp.sonicwall-central.com and attempt to execute one of the forbidden FTP commands.
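The allow-list logic behind an "unnecessary commands" object, as an added Python example that is not part of the technote. The technote does not say which commands its object disallowed, so READ_ONLY_ALLOWED is an assumption (the commands an anonymous download-only client needs); the FTP session below is constructed.

```python
"""Allow-listing FTP control-channel commands for a public, read-only server.

Added example, not from the technote. READ_ONLY_ALLOWED is an assumption:
the commands an anonymous download-only client needs; everything else
(deletes, uploads, renames, SITE) is treated as unnecessary. The session is
constructed.
"""
from __future__ import annotations

READ_ONLY_ALLOWED = frozenset({
    "USER", "PASS", "QUIT", "SYST", "FEAT", "NOOP", "ABOR",
    "TYPE", "MODE", "STRU", "PWD", "CWD", "CDUP",
    "LIST", "NLST", "SIZE", "MDTM",
    "PASV", "EPSV", "PORT", "EPRT",
    "RETR", "REST",
})


def parse_command(line: bytes) -> tuple[str, str]:
    """Split a control-channel line into (VERB, argument); the verb is
    upper-cased because FTP commands are case-insensitive."""
    text = line.decode("latin-1").rstrip("\r\n")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg.strip()


def decide(line: bytes, allowed: frozenset = READ_ONLY_ALLOWED) -> str:
    """'allow' for a listed command, 'deny' for anything else (including
    malformed or empty lines, which a read-only client never needs to send)."""
    verb, _ = parse_command(line)
    return "allow" if verb and verb in allowed else "deny"


def audit_session(lines: list[bytes]) -> list[tuple[str, str]]:
    """(verb, decision) per command: the view a log review gives once an AF
    policy with a block action is applied to the non-allowed commands."""
    return [(parse_command(line)[0], decide(line)) for line in lines]


# Constructed anonymous session mixing necessary and unnecessary commands.
SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"PASV\r\n",
    b"retr pub/readme.txt\r\n",
    b"DELE pub/readme.txt\r\n",
    b"STOR uploaded.bin\r\n",
    b"SITE CHMOD 777 pub\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for verb, decision in audit_session(SESSION):
        print(f"{verb:<5} {decision}")
```

An allow list (deny everything not listed) is the safer shape for a public server than a deny list of known-bad verbs: a command the list never anticipated, such as a server-specific SITE subcommand, is denied by default instead of slipping through.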

Disallowing HTTP POST Method

To enhance the security of public-facing read-only HTTP servers by disallowing the HTTP POST method, perform the following steps:

1. Using Notepad, create a new document called Post.htm that contains the HTML code below and save it to your desktop:

    <html>
    <body>
    <form action="http://www.yahoo.com/" method="post">
    <p>Please enter your name: <input type="text" name="FullName"></p>
    <input type="submit" value="Submit"> <input type="reset">
    </form>
    </body>
    </html>

2. Open Wireshark Network Analyzer and start a capture. Open the form you just created, type in your name and click ‘Submit’. Stop the capture.


4. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and consists of the first four bytes (504f5354) of the TCP payload (HTTP application layer). We will use that information to create a custom application firewall object that detects the HTTP POST method in the following step.

5. In the SonicWALL GUI navigate to ‘Application Firewall > Application Objects’, then click ‘Add New Object’. Create an Application Object like the one shown in the following screenshot. Notice that


6. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the one shown in the following screenshot.
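The four-byte match from step 4, as an added Python example that is not part of the technote. It uses the technote's value 504f5354 (ASCII "POST") and shows why the match must be anchored at the start of the payload: the same four bytes can legitimately appear later in a GET request, for instance in the URI, and an unanchored match would block it. The request payloads are constructed.

```python
"""Detecting the HTTP POST method from the first bytes of the TCP payload.

Added example, not from the technote. The value 504f5354 is the technote's;
the payloads are constructed.
"""
POST_HEX = "504f5354"
POST_BYTES = bytes.fromhex(POST_HEX)        # b"POST"


def is_post_request(tcp_payload: bytes) -> bool:
    """Prefix match: the payload that opens an HTTP request begins with the
    method token, so POST is the first four bytes. Method tokens are
    case-sensitive in HTTP, so 'post' is not a POST method."""
    return tcp_payload.startswith(POST_BYTES)


def contains_post_anywhere(tcp_payload: bytes) -> bool:
    """Unanchored match, included only to demonstrate its false positives."""
    return POST_BYTES in tcp_payload


def request_method(tcp_payload: bytes) -> str:
    """Method token of a well-formed request line at the start of the payload,
    or '' when the payload does not start a request (e.g. a later segment
    that carries only form data)."""
    line = tcp_payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/") and parts[0].isalpha():
        return parts[0].decode("ascii")
    return ""


# Constructed payloads: the form submission from step 1, a GET whose URI
# contains the text "POST", and a segment carrying only the form body.
POST_PAYLOAD = (b"POST / HTTP/1.1\r\nHost: www.yahoo.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 13\r\n\r\nFullName=Jane")
GET_PAYLOAD = b"GET /search?q=POST HTTP/1.1\r\nHost: example.test\r\n\r\n"
BODY_ONLY_SEGMENT = b"FullName=Jane"

if __name__ == "__main__":
    for name, payload in (("POST", POST_PAYLOAD), ("GET", GET_PAYLOAD),
                          ("body", BODY_ONLY_SEGMENT)):
        print(name, "prefix:", is_post_request(payload),
              "anywhere:", contains_post_anywhere(payload),
              "method:", repr(request_method(payload)))
```

The prefix check only sees a POST if it inspects the payload that begins the request. On a persistent connection a later request does not start a new TCP stream, so when testing the object, send a POST on a reused connection as well as on a fresh one and confirm both are caught.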

Testing


Block Web Browsers/Applications

To block the usage of all non-sanctioned web browsers/applications on the network, perform the following steps:


3. Navigate to ‘Application Firewall > Policies’ and click ‘Add New Policy’. Create a policy like the one shown below:

Testing

To test this policy, attempt to access a website using any browser other than Internet Explorer.
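How a User-Agent based object distinguishes browsers and lets only the sanctioned one through, as an added Python example that is not part of the technote. Internet Explorer is the sanctioned browser because that is what the test above assumes; the token patterns and the sample User-Agent strings are constructed assumptions about how these browser families identify themselves, not a SonicOS object definition.

```python
"""Recognising the browser from the User-Agent header and allowing only the
sanctioned one.

Added example, not from the technote. The token patterns and User-Agent
strings are constructed assumptions.
"""
from __future__ import annotations
import re

SANCTIONED_BROWSERS = frozenset({"Internet Explorer"})

# Checked in order: Edge and Opera also carry "Chrome/" and "Safari/", and
# older Opera builds also carried "MSIE", so the more specific tokens go first.
BROWSER_TOKENS = [
    ("Opera", re.compile(r"\bOpera\b|\bOPR/")),
    ("Edge", re.compile(r"\bEdge?/")),            # "Edge/" and "Edg/"
    ("Chrome", re.compile(r"\bChrome/")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Safari", re.compile(r"\bSafari/")),
    ("Internet Explorer", re.compile(r"\bMSIE \d|\bTrident/.*\brv:\d")),
]


def identify_browser(user_agent: str) -> str:
    """Browser family name for a User-Agent value, 'Unknown' if no token hits."""
    for name, pattern in BROWSER_TOKENS:
        if pattern.search(user_agent):
            return name
    return "Unknown"


def user_agent_of(request: bytes) -> str:
    """User-Agent header value from a raw HTTP request, '' if absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return ""


def is_sanctioned(request: bytes) -> bool:
    """True only for a sanctioned browser; unknown clients are not sanctioned."""
    return identify_browser(user_agent_of(request)) in SANCTIONED_BROWSERS


def request_with_ua(user_agent: str) -> bytes:
    """Build a minimal constructed GET request carrying the given User-Agent."""
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: "
            + user_agent.encode("latin-1") + b"\r\n\r\n")


# Constructed User-Agent strings in the shape each browser family uses.
IE7_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/120.0 Safari/537.36")
EDGE_UA = CHROME_UA + " Edg/120.0"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0"
CURL_UA = "curl/8.4.0"

if __name__ == "__main__":
    for ua in (IE7_UA, IE11_UA, CHROME_UA, EDGE_UA, FIREFOX_UA, CURL_UA):
        print(f"{identify_browser(ua):<18} sanctioned={is_sanctioned(request_with_ua(ua))}")
```

The User-Agent value is supplied by the client, so a policy built on it enforces the browser standard for well-behaved clients and gives useful log visibility; it is not on its own a boundary against software that chooses to identify itself differently.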


AF Objects, Applicable Policy Types and Usage Example Table

Columns: No. | Application Object | Description | Valid Policy Type(s) | Usage Example

1. ActiveX ClassID
   Description: An application object that allows the enumeration of the Class ID of an ActiveX component.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Good for preventing some online games, music sites and other applications based on ActiveX controls (e.g. Flash & Shockwave).

2. Custom Object
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any part of the TCP or UDP payload.
   Valid Policy Type(s): Custom Policy; FTP Client (Request); HTTP Client (Request); HTTP Server (Response); POP3 Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent a file which contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network. Detect applications, file downloads and other Internet activities using corresponding MIME types and apply bandwidth limits to them.

3. Email Body
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message body.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the body.

4. Email CC
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message ‘CC:’ field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the “CC:” field.

5. Email From
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message ‘From:’ field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails from specific users and/or domains indicated in the “From:” field.

6. Email Size
   Description: An application object that allows the maximum email size that can be sent to be specified.

7. Email Subject
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message ‘Subject:’ field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the “Subject:” field.

8. Email To
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message ‘To:’ field.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the “To:” field.

9. MIME Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in an SMTP or POP3 message custom MIME header.
   Valid Policy Type(s): POP3 Server (Response); SMTP Client (Request)
   Usage Example: Block emails which contain a specified custom MIME field(s).

10. File Content
   Description: An application object that allows enumeration of alphanumeric or

11. File Extension
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file extensions. For POP3 or SMTP, extensions of attachments will be matched. For HTTP, extensions of uploaded attachments (Web mail) will be matched. For FTP, extensions of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request); FTP Client File Upload (Request); HTTP Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc.) from being uploaded or downloaded.

12. File Name
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file names. For POP3 or SMTP, attachment file names will be matched. For HTTP, file names of uploaded attachments (Web mail) will be matched. For FTP, file names of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request); FTP Client File Upload (Request); HTTP Client (Request); POP3 Server (Response); SMTP Client (Request)
   Usage Example: Prevent files with specified names from being uploaded or downloaded.

13. FTP Command
   Description: An application object that allows enumeration of FTP commands.

14. FTP Command + Value
   Description: An application object that allows enumeration of FTP commands with an additional alphanumeric or hexadecimal string(s) that represents a specific parameter (e.g. DELETE word.doc).
   Valid Policy Type(s): FTP Client (Request)
   Usage Example: Allow users read/write access to FTP servers while selectively blocking the deletion or overwriting of specified files and/or folders.

15. HTTP Set Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by web servers.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by blocking specified cookies sent by web servers.

16. HTTP Host
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames contained within the URI of an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Yet another way to block access to websites...

17. HTTP Referer
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames of referring servers contained in HTTP requests.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block access to sites based upon the FQDN of the host that referred it.

18. HTTP Request Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP client (browser) requests.

19. HTTP Response Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP (web) server responses.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by controlling data received from web servers in custom HTTP headers.

20. HTTP Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by browsers.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Enhance security by preventing certain cookies from being sent by the browser.

21. HTTP URI Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content found inside the URI of an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Prevent HTTP downloads of forbidden file types. Prevent access to a variety of web content based on information in the URI.

22. HTTP User Agent
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content inside the User-Agent header (e.g. MSIE).
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block the usage of all non-sanctioned web applications on the network.

23. Web Browser
   Description: An application object that allows enumeration of the various textual strings that can be used to match the name various browsers use to identify themselves. This information is contained in the User-Agent header of an HTTP GET request.

AF Actions & Applicable Policy Types

Columns: Action | Applicable Policy Type(s)

Bandwidth Management: Custom; FTP Client Upload/Download; HTTP Client; HTTP Server

Block SMTP E-Mail – Send Error Reply: SMTP Client

Block SMTP E-Mail Without Reply: SMTP Client

Bypass DPI: Custom; FTP Client; FTP Client Upload/Download; FTP Data Transfer; HTTP Client; HTTP Server; POP3 Client; POP3 Server; SMTP Client

Disable Email Attachment – Add Text: SMTP Client

Email – Add Text: SMTP Client

FTP Notification Reply: FTP Client
