This technote describes practical usage examples for the SonicOS Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0. AF, available in SonicOS Enhanced 4.0 and later releases, gives network administrators deep visibility into the various types of network traffic traversing the firewall and a powerful tool for controlling that traffic at a granular level.
The following examples are covered:
- Fingerprint: Prevent a document that contains a specific fingerprint (e.g. an embedded corporate watermark) from being transferred out of the network.
- Bandwidth throttling on a global basis: Detect streaming media and apply bandwidth throttling globally (all users).
- Bandwidth management on a per-group basis: Detect streaming media and apply individualized bandwidth management (throttling and guarantees) per user group.
- Forbidden file types: Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov) from being uploaded or downloaded.
- Disallowing all unnecessary FTP commands: Enhance the security of public-facing FTP servers by disallowing every command they do not need.
- Disallowing the HTTP POST method: Enhance the security of public-facing read-only HTTP servers by disallowing the HTTP POST method.
- Blocking web browsers/applications: Block the use of all non-sanctioned web browsers/applications on the network.
- AF Objects, Applicable Policy Types and Usage Example Table: a matrix of Application Firewall objects, the policy types each applies to, and usage examples.
At the end of this document you will find an object and usage matrix that summarizes the AF components.
The examples and screenshots in this document are shown using SonicOS Enhanced 5.0 running on an E-CLASS NSA. These examples are applicable to SonicOS Enhanced 4.0 running on SonicWALL PRO Series.
Fingerprint
To prevent documents which contain a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network, perform the following steps:
[Embedded image: SonicWALL_Logo.gif]
1. Create a new Word document and name it ApplicationFirewall_Test.doc.
2. Create a custom watermark using the SonicWALL_Logo.gif file embedded above in this document (the exact steps vary by MS Office version). Save the document.
3. Run the XVI32 hex-editor tool. You can download it here: http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip. Open the SonicWALL_Logo.gif file in it.
4. Select Edit > Block <n> chars, choose the decimal option and enter 50 in the space provided. This marks the first 50 bytes of the file, which is enough to build a fingerprint for use in a Custom Application Object. It should look like the following screenshot. Note: the first bytes of every GIF file are the common GIF87a/GIF89a signature and screen descriptor, so the bytes that make the string specific to your logo are those that follow; if in doubt, start the block further into the file.
5. Select Edit > Clipboard > Copy as hex string.
6. Open Notepad and paste the string you just copied into it. It should look like the following screenshot.
7. Select Edit > Replace. In the dialog box that opens, press the space bar once under Find What, leave Replace With empty, and click Replace All. This intermediate step removes all the spaces from the hex string. It should now look like the following screenshot.
8. Select Edit > Select All, then Edit > Copy.
9. In the SonicWALL GUI navigate to Application Firewall > Application Objects and click Add New Object. Create an Application Object like the one shown below, pasting the hex string you copied into it.
10. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.
11. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
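The hex-editor and Notepad steps above can be scripted. The following is an added example, not part of the SonicWALL technote: it produces the same spaceless hex string from a file, checks that the string occurs verbatim in a document, and measures how many leading bytes two files have in common. The GIF bytes and the document are constructed stand-ins, not the real SonicWALL_Logo.gif or ApplicationFirewall_Test.doc.

```python
import re

def hex_fingerprint(data: bytes, start: int = 0, length: int = 50) -> str:
    """Return `length` bytes of `data` starting at byte `start` as a hex string
    with no spaces, the form the Custom Application Object expects.  This
    replaces the XVI32 block-mark and "Copy as hex string" steps."""
    span = data[start:start + length]
    if len(span) < length:
        raise ValueError(f"file holds only {len(data)} bytes; cannot take {length} from offset {start}")
    return span.hex()

def strip_hex_spaces(xvi32_string: str) -> str:
    """Equivalent of the Notepad Replace-All step: XVI32 separates bytes with
    spaces, and the AF object wants one unbroken hex string."""
    cleaned = re.sub(r"\s+", "", xvi32_string)
    if len(cleaned) % 2 or re.search(r"[^0-9a-fA-F]", cleaned):
        raise ValueError("not a clean hex string")
    return cleaned.lower()

def contains_fingerprint(stream: bytes, fingerprint_hex: str) -> bool:
    """True if the fingerprint bytes appear verbatim anywhere in `stream`."""
    return bytes.fromhex(fingerprint_hex) in stream

def shared_prefix_len(a: bytes, b: bytes) -> int:
    """How many leading bytes two files have in common.  Bytes inside this
    prefix carry no file-specific information and make a poor fingerprint."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

# Constructed stand-ins for two different GIF files (not the real
# SonicWALL_Logo.gif): the 13-byte GIF89a signature plus logical screen
# descriptor is identical for any 64x32 image with a 256-colour palette;
# only the palette bytes that follow differ between the two.
def fake_gif(palette_seed: int) -> bytes:
    header = (b"GIF89a"
              + (64).to_bytes(2, "little") + (32).to_bytes(2, "little")
              + bytes([0xF7, 0x00, 0x00]))
    palette = bytes((palette_seed * i) % 256 for i in range(3 * 256))
    return header + palette

LOGO = fake_gif(7)
OTHER_GIF = fake_gif(13)
# A constructed "document" that embeds the logo bytes unchanged, standing in
# for ApplicationFirewall_Test.doc.
FAKE_DOC = b"\xd0\xcf\x11\xe0" + b"Quarterly report " * 8 + LOGO + b"\x00" * 64

if __name__ == "__main__":
    fp = hex_fingerprint(LOGO)
    print("50-byte fingerprint:", fp)
    print("bytes shared with an unrelated GIF:", shared_prefix_len(LOGO, OTHER_GIF))
    print("matches test document:", contains_fingerprint(FAKE_DOC, fp))
    print("matches unrelated GIF:", contains_fingerprint(OTHER_GIF, fp))
```

Because every GIF starts with the same signature and screen descriptor, a fingerprint taken from the start of the file carries a generic prefix; shared_prefix_len shows how long that prefix is for two particular files, and the palette bytes after it are what make the 50-byte string specific to the logo. A byte fingerprint also only matches when the bytes travel unchanged: an application that re-encodes or rescales the image before sending it will defeat it.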
Testing
To test this policy, attempt to email the ApplicationFirewall_Test.doc you created. You should see an alert similar to the one below in the log:
4. Once you hear audio, stop the capture and close the streaming radio player.
5. In Wireshark select Edit > Find Packet, select By: String and Search In: Packet Details. In the filter box type Content-Type: application/sdp, then click Find. See the screenshot below:
6. Wireshark jumps to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the server will be sending a MIME Content-Type of application/sdp (the session description used to set up the RTSP stream). Application Firewall can dynamically detect any MIME type and perform the prescribed action; in this case we will throttle the bandwidth. Note: Although the example here covers just one MIME type, you can use the same procedure to identify the MIME types of other media and data transferred over HTTP. The IANA maintains a database of all registered MIME types here: http://www.iana.org/assignments/media-types
7. Navigate to Application Firewall > Application Objects and create an object like the one in the following screenshot.
8. Navigate to Application Firewall > Actions and create an action like the one shown in the following screenshot. Note: Bandwidth Management must be enabled on the firewall before you can complete this step. Please refer to the SonicOS Enhanced Administrator's Guide for detailed steps on how to do this. You can download the guide here: http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf
9. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
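As an added example (not from the technote), the following Python code does by program what the Wireshark search above does by hand: it pulls the Content-Type out of a captured HTTP response and decides whether an object listing that MIME type would fire. The responses are constructed, and of the MIME type list only application/sdp comes from the technote; the other two entries are illustrative assumptions.

```python
from typing import Optional

# Assumed list standing in for the technote's streaming-media object: the
# technote shows application/sdp; the other two entries are illustrative.
THROTTLED_MIME_TYPES = {"application/sdp", "audio/x-pn-realaudio", "video/x-flv"}

def content_type(http_response: bytes) -> Optional[str]:
    """Extract the media type from a raw HTTP response.  Header names are
    case-insensitive and the value may carry parameters ("; charset=utf-8"),
    so both are normalised before the comparison."""
    head, _, _ = http_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for line in lines[1:]:                       # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            media_type = value.split(b";", 1)[0].strip().lower()
            return media_type.decode("ascii", "replace")
    return None

def should_throttle(http_response: bytes) -> bool:
    """The decision a Bandwidth - Throttle policy keyed on MIME type would make."""
    mime = content_type(http_response)
    return mime is not None and mime in THROTTLED_MIME_TYPES

# Constructed responses, not captured from a real streaming server.
SDP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                b"Server: example-streamer\r\n"
                b"content-type: Application/SDP; charset=utf-8\r\n"
                b"Content-Length: 3\r\n"
                b"\r\n"
                b"v=0")
HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"\r\n"
                 b"<html></html>")
NO_TYPE_RESPONSE = b"HTTP/1.1 304 Not Modified\r\n\r\n"

if __name__ == "__main__":
    for label, resp in [("sdp", SDP_RESPONSE), ("html", HTML_RESPONSE), ("304", NO_TYPE_RESPONSE)]:
        print(label, content_type(resp), "throttle" if should_throttle(resp) else "pass")
```

In Wireshark itself the display filter http.content_type contains "application/sdp" lists the matching responses directly, which is faster than Find Packet on a large capture. Keep in mind that the MIME type is whatever the server chooses to declare; a server that labels its stream as something generic will not be caught by a list of media types.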
Testing
To test this policy, repeat steps 1 and 3 to listen to the streaming radio again. You should see alerts similar to the ones shown below in the log.
To verify the effectiveness of AF bandwidth management, try adjusting the Maximum Bandwidth value in the Bandwidth - Throttle action to larger and smaller values. You should hear a marked improvement or degradation in audio quality, demonstrating that bandwidth throttling is working as expected. Note: The application object we created in step 7 also contains MIME types for other streaming media sites such as http://www.youtube.com and http://www.pandora.com. Feel free to try these as well.
Prerequisites: This example assumes you have already enabled and properly configured LDAP authentication and SSO on the firewall and the workstation you will use to test from is a member of the domain. You will also need SonicWALL CFS enabled on the LAN zone so that SSO authentication will occur. Please refer to the SonicOS Enhanced Administrators Guide for detailed steps on how to do these tasks. You can download the guide here: http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf
LDAP Groups imported into firewall Local Groups (snwl-Managers & snwl-Sales)
Validation of SSO functionality: Log in to the test workstation twice, once as a user who is a member of the snwl-Managers group and once as a user who is a member of the snwl-Sales group, opening a new browser each time. The screenshot below shows that both users were authenticated by SSO; the bubble shows that user Paul is a member of the user group snwl-Managers, and user Syya is a member of the snwl-Sales group.
1. Navigate to Application Firewall > Actions and create a new action, like the one shown in the following screenshot.
2. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
3. Edit the policy you created in the previous step so that it includes the snwl-Sales group and excludes the snwl-Managers group. Refer to the following screenshot.
Testing
To test this policy, log in as a member of the snwl-Managers group, go to www.youtube.com and watch any video. Note the quality. Next log in as a member of the snwl-Sales group and repeat the exercise. You should see a marked degradation in video quality. The corresponding log messages are shown in the following screenshot. Notice the two different policies being invoked: one for manager use that guarantees bandwidth and one that throttles it.
Because the application object we created earlier includes the MIME type used for .exe file transfers (application/octet-stream), another good way to quantify the effectiveness of AF is to download the Wireshark installer used in the first step: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe When logged in as a member of the snwl-Managers group you should see higher throughput than when logged in as a member of snwl-Sales. Note: application/octet-stream is the generic type servers use for any binary download, not only .exe files, so this object throttles other binary downloads as well.
2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.
3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
Testing
To test this policy, open a web browser and try to download any of the file types specified in the Application Object (exe, vbs, scr). Below are a few URLs you can try: http://download.skype.com/SkypeSetup.exe http://us.dl1.yimg.com/download.yahoo.com/dl/msgr8/us/msgr8us.exe http://g.msn.com/8reen_us/EN/INSTALL_MSN_MESSENGER_DL.EXE You will see an alert similar to the one shown in the following screenshot in the log.
2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.
3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
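The list of commands the technote forbids is not reproduced on this page. The following added example (not SonicWALL code) shows the decision logic such an object encodes, run over a constructed FTP control-channel session: an allow-list of the commands a read-only anonymous server needs, plus the narrower FTP Command + Value case from the matrix at the end of this document, where deletion or overwriting of specific files is blocked while other writes are allowed. The allow-list and the session are assumptions, not SonicWALL's recommendation.

```python
from typing import Iterable, List, Set, Tuple

# Assumed allow-list for a read-only, anonymous FTP server.  Treat it as a
# starting point to trim for your own server, not as the technote's list.
READ_ONLY_FTP_COMMANDS: Set[str] = {
    "USER", "PASS", "QUIT", "SYST", "FEAT", "NOOP", "PWD", "CWD", "CDUP",
    "TYPE", "MODE", "STRU", "PASV", "EPSV", "PORT", "EPRT", "LIST", "NLST",
    "SIZE", "MDTM", "REST", "RETR", "ABOR",
}

def parse_ftp_command(line: bytes) -> Tuple[str, str]:
    """Split one control-channel line into (COMMAND, argument).  RFC 959
    commands are case-insensitive, so 'dele' and 'DELE' are the same command
    and must be normalised before comparing against any list."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    command, _, argument = text.partition(" ")
    return command.upper(), argument.strip()

def forbidden_commands(session: Iterable[bytes],
                       allowed: Set[str] = READ_ONLY_FTP_COMMANDS) -> List[Tuple[str, str]]:
    """What an FTP Command object listing everything outside `allowed` would flag."""
    return [(cmd, arg) for cmd, arg in map(parse_ftp_command, session)
            if cmd not in allowed]

def protected_file_ops(session: Iterable[bytes], protected: Set[str],
                       ops: Iterable[str] = ("DELE", "STOR", "RNTO")) -> List[Tuple[str, str]]:
    """The FTP Command + Value case: read/write access stays open in general,
    but deleting or overwriting one of the `protected` names is flagged."""
    ops = set(ops)
    return [(cmd, arg) for cmd, arg in map(parse_ftp_command, session)
            if cmd in ops and arg in protected]

# Constructed client side of an FTP session; server replies are omitted.
SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"pwd\r\n",
    b"CWD /pub\r\n",
    b"TYPE I\r\n",
    b"PASV\r\n",
    b"RETR readme.txt\r\n",
    b"dele word.doc\r\n",
    b"STOR upload.bin\r\n",
    b"SITE CHMOD 777 readme.txt\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    print("forbidden on a read-only server:", forbidden_commands(SESSION))
    print("touching protected files:", protected_file_ops(SESSION, {"word.doc"}))
```

Two details matter when you fill in the real object: command names must be compared case-insensitively, and SITE is worth forbidding on a public server even when it looks harmless, because its sub-commands (CHMOD and others) vary by server and are rarely needed by anonymous clients.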
Testing
To test this policy you will need to set up an FTP server inside your firewall and create the appropriate security policy to allow external access. Afterwards, issue one of the forbidden commands. You will see an alert similar to the one shown below in the log.
If you don't have access to an FTP server but would like to see this policy in action, go to ftp.sonicwallcentral.com and attempt to execute one of the forbidden FTP commands.
4. Wireshark jumps to the first frame that contains the requested data. You should see something like the screenshot below. This shows that the HTTP POST method is transmitted immediately after the TCP header and consists of the first four bytes (504f5354, ASCII "POST") of the TCP payload, i.e. the HTTP application layer. We will use that information to create a custom Application Firewall object that detects the HTTP POST method in the next step.
5. In the SonicWALL GUI navigate to Application Firewall > Application Objects and click Add New Object. Create an Application Object like the one shown in the following screenshot. Notice that this object uses the Enable Settings feature, which lets you look for a match in a specific part of the payload: Offset specifies at which byte in the payload Application Firewall starts matching, Depth specifies at which byte it stops, and Min and Max specify the minimum and maximum payload size to consider. Anchoring the match to the first four bytes is what makes this object specific to the method; without the window, the string POST appearing elsewhere in a request (in a URI, for example) would also match.
6. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.
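The Offset/Depth/Min/Max semantics described in step 5 are easy to get wrong, so here is an added example (not SonicWALL code) that implements a windowed content match over a TCP payload and runs it against constructed HTTP requests. It treats offsets as 0-based; that is an assumption for illustration, and you should confirm the numbering the GUI uses against the SonicOS Administrator's Guide before copying values across.

```python
from typing import Optional

def payload_match(payload: bytes, pattern_hex: str, offset: int = 0,
                  depth: Optional[int] = None, min_size: int = 0,
                  max_size: Optional[int] = None) -> bool:
    """Windowed content match over one TCP payload.

    The pattern must lie entirely within payload[offset:depth]; payloads
    shorter than min_size or longer than max_size never match.  Offsets are
    0-based here (an assumption made for this example)."""
    pattern = bytes.fromhex(pattern_hex)
    if len(payload) < min_size or (max_size is not None and len(payload) > max_size):
        return False
    window = payload[offset:depth]          # depth=None means "to the end"
    return pattern in window

HTTP_POST_HEX = b"POST".hex()               # "504f5354", the bytes seen in Wireshark

def is_http_post(payload: bytes) -> bool:
    """The object from step 5: 504f5354 at offset 0, depth 4."""
    return payload_match(payload, HTTP_POST_HEX, offset=0, depth=4)

# Constructed client payloads: what follows the TCP header on the wire.
POST_REQ = (b"POST /cgi-bin/submit HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 10\r\n\r\n"
            b"name=alice")
GET_REQ = b"GET /Post.htm HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
GET_MENTIONING_POST = b"GET /POST HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("POST", POST_REQ), ("GET", GET_REQ), ("GET /POST", GET_MENTIONING_POST)]:
        print(f"{label:10} windowed={is_http_post(req)}  "
              f"unwindowed={payload_match(req, HTTP_POST_HEX)}")
```

The third request shows why the window matters: an unanchored search for 504f5354 fires on a GET whose path happens to contain POST, while the offset 0 / depth 4 object does not. The same windowing trick catches other methods a read-only server should not see, such as PUT or DELETE, with the depth adjusted to the method's length.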
Testing
To test, open the Post.htm document you created earlier, type in your name and click Submit. The connection should now be dropped, and you should see an alert in the log similar to the one below.
2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown below:
3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown below:
Testing
To test this policy, attempt to access a website using any browser other than Internet Explorer. Note: If you do not have another browser available, uncheck the Enable Negative Matching option in step 1 and try again with Internet Explorer; the policy will then block Internet Explorer instead of everything else.
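The effect of Enable Negative Matching is clearer when written out. This added example (not SonicWALL code) evaluates the browser policy against constructed HTTP requests: with negative matching on, every request whose User-Agent does not contain MSIE is blocked; with it off, only requests that do contain it are. The User-Agent strings are constructed, and the headerless and spoofed cases illustrate edge cases the GUI screenshot does not.

```python
import re
from typing import Optional

def user_agent(request: bytes) -> Optional[str]:
    """Pull the User-Agent value out of a raw HTTP request, or None if absent."""
    match = re.search(rb"^User-Agent:[ \t]*(.*?)\r?$", request,
                      re.IGNORECASE | re.MULTILINE)
    return match.group(1).decode("ascii", "replace") if match else None

def browser_policy_blocks(request: bytes, pattern: str = "MSIE",
                          negative_matching: bool = True) -> bool:
    """Decision of the browser-restriction policy for one request.

    With Enable Negative Matching on, the policy fires for every request whose
    User-Agent does NOT contain `pattern` (everything except Internet
    Explorer); with it off, only for requests that DO contain it.  A request
    with no User-Agent header cannot contain the pattern, so negative matching
    blocks it too."""
    ua = user_agent(request)
    matched = ua is not None and pattern in ua
    return (not matched) if negative_matching else matched

def request_with_agent(agent: Optional[str]) -> bytes:
    """Build a constructed GET request; agent=None omits the header entirely."""
    lines = [b"GET / HTTP/1.1", b"Host: www.example.com"]
    if agent is not None:
        lines.append(b"User-Agent: " + agent.encode("ascii"))
    return b"\r\n".join(lines) + b"\r\n\r\n"

# Constructed User-Agent strings.
IE6 = request_with_agent("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)")
FIREFOX = request_with_agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1) Gecko/20061010 Firefox/2.0")
SPOOFED = request_with_agent("curl/7.16.0 MSIE")     # any client can claim to be IE
HEADERLESS = request_with_agent(None)

if __name__ == "__main__":
    cases = [("IE6", IE6), ("Firefox", FIREFOX),
             ("curl claiming MSIE", SPOOFED), ("no User-Agent", HEADERLESS)]
    for label, req in cases:
        print(f"{label:20} negative={browser_policy_blocks(req)}  "
              f"positive={browser_policy_blocks(req, negative_matching=False)}")
```

The spoofed case is the caveat to keep in mind: the User-Agent header is set by the client, so a policy keyed on it governs well-behaved software rather than a determined user, and it should be treated as a usage control, not as a security boundary on its own.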
AF Objects, Applicable Policy Types and Usage Examples

1. Custom Object
   Applicable policy types: Custom Policy, FTP Client (Request), HTTP Client (Request), HTTP Server (Response), POP3 Client (Request), POP3 Server (Response), SMTP Client (Request)
2. Email Body
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message body.
   Applicable policy types: POP3 Server (Response), SMTP Client (Request)
3. Email CC
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message CC: field.
   Usage example: Block emails destined to specific users and/or domains indicated in the CC: field.
4. Email From
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message From: field.
   Usage example: Block emails from specific users and/or domains indicated in the From: field.
5. Email Size
   Description: An application object that allows the maximum email size that can be sent to be specified.
6. Email Subject
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message Subject: field.
7. Email To
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message To: field.
   Usage example: Block emails destined to specific users and/or domains indicated in the To: field.
8. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in an SMTP or POP3 message custom MIME header.
9. File Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match the contents of a file being transferred via FTP or SMTP. The pattern is matched even if the file is compressed.
10. File Extension
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file extensions. For POP3 or SMTP, extensions of attachments are matched. For HTTP, extensions of uploaded attachments (web mail) are matched. For FTP, extensions of uploaded or downloaded files are matched.
   Applicable policy types: FTP Client File Download (Request), FTP Client File Upload (Request), HTTP Client (Request), POP3 Server (Response), SMTP Client (Request)
   Usage example: Prevent risky or forbidden file types (e.g. .exe, vbs, scr, dll, avi, mov) from being uploaded or downloaded.
11. File Name
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file names. For POP3 or SMTP, attachment file names are matched. For HTTP, file names of uploaded attachments (web mail) are matched. For FTP, file names of uploaded or downloaded files are matched.
   Applicable policy types: FTP Client File Download (Request), FTP Client File Upload (Request), HTTP Client (Request), POP3 Server (Response), SMTP Client (Request)
12. FTP Command
   Description: An application object that allows enumeration of FTP commands.
   Usage example: Enhance the security of public-facing FTP servers by disallowing all unnecessary commands.
13. (object name not legible in this copy)
   Description: An application object that allows enumeration of FTP commands together with an additional alphanumeric or hexadecimal string that represents a specific parameter (e.g. DELE word.doc, DELE being the FTP delete command).
   Usage example: Allow users read/write access to FTP servers while selectively blocking the deletion or overwriting of specified files and/or folders.
14. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by web servers.
15. HTTP Host
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames contained within the URI of an HTTP request.
16. HTTP Referer
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames of referring servers contained in HTTP requests.
   Usage example: Block access to sites based upon the FQDN of the host that referred to them.
17. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP client (browser) requests.
18. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP (web) server responses.
   Usage example: Enhance security by controlling data received from web servers in custom HTTP headers.
19. HTTP Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by browsers.
   Usage example: Enhance security by preventing certain cookies from being sent by the browser.
20. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content found inside the URI of an HTTP request.
   Usage example: Prevent HTTP downloads of forbidden file types. Prevent access to a variety of web content based on information in the URI.
21. (object name not legible in this copy)
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content inside the User-Agent header (e.g. MSIE).
22. Web Browser
   Description: An application object that allows enumeration of the textual strings that various browsers use to identify themselves. This information is contained in the User-Agent header of an HTTP GET request.
23. (object name and description not legible in this copy)
AF Actions and Applicable Policy Types

Bandwidth Management: Custom, FTP Client Upload/Download, HTTP Client, HTTP Server, SMTP Client
Block SMTP E-Mail Send Error Reply: SMTP Client
Block SMTP E-Mail Without Reply: SMTP Client
Bypass DPI: Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Client, HTTP Server, POP3 Client, POP3 Server, SMTP Client
Disable Email Attachment - Add Text: SMTP Client
Email - Add Text: SMTP Client
FTP Notification Reply: FTP Client, FTP Client Upload/Download
(two further actions whose names are not legible in this copy): HTTP Client
(a further action whose name is not legible in this copy): Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Client, HTTP Server, POP3 Client, POP3 Server, SMTP Client
Reset/Drop: Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Client, HTTP Server, POP3 Client, POP3 Server, SMTP Client