Step 3: Create the Application Block Rules
Although the overall goal of your security policy is to safely enable applications using application allow list rules (also known as positive enforcement), the initial best practice rulebase must also include rules to help you find gaps in your policy and identify possible attacks. Because these rules are designed to catch things you didn’t know were running on your network, they allow traffic that could also pose security risks on your network. Therefore, before you can create the temporary rules, you must create rules that explicitly block applications designed to evade or bypass security or that are commonly exploited by attackers, such as public DNS and SMTP, encrypted tunnels, remote access, and non-sanctioned file-sharing applications.
Each of the tuning rules you will define in Step 4: Create the Temporary Tuning Rules is designed to identify a specific gap in your initial policy. Therefore, some of these rules will need to go above the application block rules and some will need to go after.
Rule: Block Quick UDP Internet Connections (QUIC) protocol.
Why do I need this rule?
- Chrome and some other browsers establish sessions using QUIC instead of TLS, but QUIC uses proprietary encryption that the firewall can’t decrypt, so potentially dangerous encrypted traffic may enter the network.
- Blocking QUIC forces the browser to fall back to TLS and enables the firewall to decrypt the traffic.
Rule Highlights
- It requires two Security policy rules to ensure that QUIC is blocked.
- Before you create the policy rules, you must first create a Service (Objects > Services) that specifies UDP ports 80 and 443.
- The first rule blocks QUIC on its UDP service ports (80 and 443) and uses the Service you created to specify those ports.
- The second rule blocks the QUIC application.
Notice that the Service specifies the UDP ports to block for QUIC in the first rule.
Rule: Block applications that do not have a legitimate use case.
Why do I need this rule?
- Block nefarious applications such as encrypted tunnels and peer-to-peer file sharing, as well as web-based file sharing applications that are not IT sanctioned.
- Because the tuning rules that follow are designed to allow traffic with malicious intent or legitimate traffic that is not matching your policy rules as expected, these rules could also allow risky or malicious traffic into your network. This rule prevents that by blocking traffic that has no legitimate use case and that could be used by an attacker or a negligent user.
Rule Highlights
- Use the Drop Action to silently drop the traffic without sending a signal to the client or the server.
- Enable logging for traffic matching this rule so that you can investigate misuse of applications and potential threats on your network.
- Because this rule is intended to catch malicious traffic, it matches traffic from any user running on any port.
Rule: Block public DNS and SMTP applications.
Why do I need this rule?
- Block public DNS/SMTP applications to avoid DNS tunneling, command and control traffic, and remote administration.
Rule Highlights
- Use the Reset both client and server Action to send a TCP reset message to both the client-side and server-side devices.
- Enable logging for traffic matching this rule so that you can investigate a potential threat on your network.
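The following is an added example, not part of this documentation page and not Palo Alto Networks code. It models the three block rules from this step as a small first-match rulebase and evaluates constructed sessions against it, to show why QUIC needs both a port-based rule (the flow is still unidentified when the first UDP/443 packet arrives) and an App-ID rule (QUIC on a non-standard port), and why the block rules must sit above any broad allow rule. Rule names, the "deny" action for the QUIC rules, the application names in the "no legitimate use" set, and the sessions are assumptions; zone and destination matching is omitted.

```python
from dataclasses import dataclass, field

# Constructed model of the three block rules described in this step, evaluated
# with first-match semantics: the first rule whose criteria fit a session
# decides the action. Rule names, App-ID names and sessions are assumptions.


@dataclass(frozen=True)
class Session:
    app: str        # App-ID as the firewall would identify it ("quic", "dns", ...)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass
class Rule:
    name: str
    action: str     # "allow", "deny", "drop" or "reset-both"
    applications: set = field(default_factory=lambda: {"any"})
    service: set = field(default_factory=lambda: {"any"})  # {(proto, port), ...}
    log: bool = True

    def matches(self, s: Session) -> bool:
        app_ok = "any" in self.applications or s.app in self.applications
        svc_ok = "any" in self.service or (s.proto, s.dport) in self.service
        return app_ok and svc_ok


# Stand-in for the Service object created under Objects > Services: UDP 80 and 443.
QUIC_UDP_PORTS = {("udp", 80), ("udp", 443)}

# Placeholder application sets; the real lists come from the firewall's App-ID database.
NO_LEGIT_USE = {"bittorrent", "tor", "ssh-tunnel"}     # constructed example names
PUBLIC_DNS_SMTP = {"dns", "smtp"}

BLOCK_RULES = [
    # Two rules for QUIC: one on the UDP service ports, one on the application.
    Rule("Block QUIC ports", "deny", service=QUIC_UDP_PORTS),
    Rule("Block QUIC app", "deny", applications={"quic"}),
    # Drop silently, any user, any port, logging enabled (the dataclass default).
    Rule("Block no-legit-use apps", "drop", applications=NO_LEGIT_USE),
    # Reset both sides so client and server tear the connection down.
    Rule("Block public DNS/SMTP", "reset-both", applications=PUBLIC_DNS_SMTP),
]


def evaluate(rules, session, default="allow"):
    """Return (rule name, action, logged) for the first matching rule."""
    for r in rules:
        if r.matches(session):
            return r.name, r.action, r.log
    return "implicit-default", default, False


def lint(rules):
    """Findings a reviewer would raise against this step's requirements."""
    findings = []
    for r in rules:
        if r.action != "allow" and not r.log:
            findings.append(f"{r.name}: block rule without logging")
    # Probe the two QUIC gaps: an unidentified first packet on UDP 443, and
    # QUIC already identified by App-ID on a non-standard port.
    probes = [
        (Session("unknown-udp", "udp", 443), "QUIC on UDP 443 before App-ID"),
        (Session("quic", "udp", 8443), "QUIC identified on a non-standard port"),
    ]
    for probe, why in probes:
        if evaluate(rules, probe)[1] == "allow":
            findings.append(f"gap: {why} is allowed")
    return findings


if __name__ == "__main__":
    for s in [Session("unknown-udp", "udp", 443), Session("quic", "udp", 8443),
              Session("bittorrent", "tcp", 6881), Session("dns", "udp", 53),
              Session("web-browsing", "tcp", 443)]:
        print(s, "->", evaluate(BLOCK_RULES, s))
    print("lint (full rulebase):", lint(BLOCK_RULES))
    print("lint (service rule missing):", lint(BLOCK_RULES[1:]))
    # A broad temporary allow rule placed above the block rules reopens the gap.
    print("allow-above:", evaluate([Rule("Temp allow", "allow")] + BLOCK_RULES,
                                   Session("quic", "udp", 443)))
```

Running the module prints the decision for each constructed session and the lint findings. Removing the port-based rule leaves the first-packet QUIC case allowed, and a broad allow rule above the block rules lets QUIC through even with both rules present, which is the ordering concern this step raises for the tuning rules that follow.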