Step 3: Create the Application Block Rules

Although the overall goal of your security policy is to safely enable applications using application whitelist rules (also known as positive enforcement), the initial best practice rulebase must also include rules that help you find gaps in your policy and identify possible attacks. Because those rules are designed to catch things you didn't know were running on your network, they allow traffic that could also pose security risks. Therefore, before you create the temporary rules, you must create rules that explicitly blacklist applications that are designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file-sharing applications.
Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Because the firewall evaluates rules in order and applies the first match, some of these tuning rules must go above the application block rules and some must go after them.
  1. Block applications that do not have a legitimate use case.
    Why do I need this rule?
    Rule Highlights
    • Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT sanctioned.
    • Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
    • Use the Drop action to silently drop the traffic without sending a signal to the client or the server.
    • Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
    • Because this rule is intended to catch malicious traffic, it matches to traffic from any user running on any port.
    [Figure: bp-block-bad-apps.png, the application block rule as configured in the security policy]
  2. Block public DNS and SMTP applications.
    Why do I need this rule?
    Rule Highlights
    • Block public DNS/SMTP applications to avoid DNS tunneling, command and control traffic, and remote administration.
    • Use the Reset both client and server action to send a TCP reset message to both the client-side and server-side devices.
    • Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.
    [Figure: bp-block-public-dns.png, the public DNS/SMTP block rule as configured in the security policy]
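The two rules above only work if they sit above the permissive tuning rules from Step 4, because a security policy is evaluated top down and the first matching rule wins. The following Python model, added here as an illustration and not code from Palo Alto Networks or its documentation, shows a first-match evaluator, the difference in what the endpoints see between the Drop and Reset both client and server actions, and a shadowing check that flags a block rule placed below a broader allow rule. The App-ID names in BAD_APPS and PUBLIC_DNS_SMTP are constructed placeholders chosen to match the categories the text names; the real names come from the firewall's App-ID database.

```python
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One security policy rule; "any" in a field means the field is unconstrained."""
    name: str
    action: str                       # "allow", "drop", "reset-both", ...
    applications: frozenset
    users: frozenset = frozenset({ANY})
    ports: frozenset = frozenset({ANY})
    log: bool = True                  # both block rules log so misuse can be investigated


@dataclass(frozen=True)
class Session:
    app: str
    user: str
    port: int


# What each action sends back to the endpoints (the page's description of the two actions)
SIGNALS = {
    "drop":       {"client": None, "server": None},          # silent: no message to either side
    "reset-both": {"client": "TCP RST", "server": "TCP RST"},  # TCP reset to both devices
    "allow":      {"client": None, "server": None},
}


def _field_matches(allowed, value):
    return ANY in allowed or value in allowed


def rule_matches(rule, session):
    return (_field_matches(rule.applications, session.app)
            and _field_matches(rule.users, session.user)
            and _field_matches(rule.ports, session.port))


def evaluate(rulebase, session):
    """First-match-wins evaluation; unmatched traffic hits the implicit interzone deny."""
    for rule in rulebase:
        if rule_matches(rule, session):
            return rule.name, rule.action
    return "interzone-default", "deny"


def _covers(broad, narrow):
    """True when every session that could match `narrow` is also matched by `broad`."""
    return all(ANY in b or (ANY not in n and n <= b)
               for b, n in ((broad.applications, narrow.applications),
                            (broad.users, narrow.users),
                            (broad.ports, narrow.ports)))


def shadowed_block_rules(rulebase):
    """Names of block rules that an earlier allow rule fully covers, so they can never fire."""
    shadowed = []
    for i, rule in enumerate(rulebase):
        if rule.action == "allow":
            continue
        if any(earlier.action == "allow" and _covers(earlier, rule) for earlier in rulebase[:i]):
            shadowed.append(rule.name)
    return shadowed


# Constructed App-ID placeholders standing in for the categories named in the text
BAD_APPS = frozenset({"encrypted-tunnel-app", "p2p-file-sharing-app", "unsanctioned-web-share"})
PUBLIC_DNS_SMTP = frozenset({"dns", "smtp"})

block_bad_apps = Rule("block-bad-apps", "drop", BAD_APPS)          # any user, any port
block_public_dns_smtp = Rule("block-public-dns-smtp", "reset-both", PUBLIC_DNS_SMTP)
# A Step 4 style temporary tuning rule: allow whatever is left so gaps show up in the logs
tuning_catch_all = Rule("tuning-allow-unknown", "allow", frozenset({ANY}))

GOOD_ORDER = [block_bad_apps, block_public_dns_smtp, tuning_catch_all]
BAD_ORDER = [tuning_catch_all, block_bad_apps, block_public_dns_smtp]

if __name__ == "__main__":
    tunnel = Session("encrypted-tunnel-app", "alice", 443)
    for label, rulebase in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        name, action = evaluate(rulebase, tunnel)
        print(f"{label} order: {tunnel.app} -> {name} ({action}), endpoints see {SIGNALS[action]}")
    print("shadowed block rules in bad order:", shadowed_block_rules(BAD_ORDER))
```

Run the shadowing check whenever the rulebase is reordered: a block rule that the check reports as shadowed silently stops protecting you, and the only symptom is that its hit count stays at zero while the tuning rule's logs fill with the traffic it should have caught.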
