
How to Configure Application Control for the UTM

Date post: 03-Feb-2022

Application Notes


Table of Contents

Contents
Concepts
Components
Configuration Steps
    Configuring Global Mode
    Configuring Profile Mode
Conclusion


Concepts

NETGEAR® ProSecure® and ProSafe® security appliances are non-compromising network security solutions for midsized IT environments. They are tailored to deliver the reliable, affordable, and simple network protection that businesses demand.

Traditional firewalls and routers allow and deny access to combinations of ports and IP addresses. This approach was valid in the 1990s and early 2000s. However, such devices have no way of stopping threats and applications that come in through typically open ports (e.g. port 80, port 443, port 25). Today’s web and cloud applications use these open ports for communication; even worse, today’s threats also exploit the fact that traditional firewalls and routers are basically defenseless on open ports.

NETGEAR ProSecure UTMs address this by inspecting traffic on ALL ports – regardless of whether the port is open or closed. This gives business owners and network admins visibility and control over application use on their network.

Application control in the UTM is available in two modes – Global mode and Profile mode. Global mode is a single profile for all traffic on the UTM. Profile mode allows the creation of multiple profiles, which can then be attached to different firewall rules.

In this application note, we will go over the steps to enable application control, configure a global app control profile, and configure an app control profile and apply it to a firewall rule. In each of these examples we will block all social networking applications except for Facebook, while still blocking Facebook games.

Components

The following requirements are needed when using this guide for implementation:


Product: NETGEAR ProSecure UTM Series
Model/Release Version: All UTM models, firmware version 3.0.1-x and above


Configuration Steps

Configuring Global Mode

Global mode is a single application control policy for the entire network.

Go to the Application Security -> Application Control page.

Under Global Application Control Profile, click Edit.


You will now be taken to the Add or Edit Application Control Profile page.


Towards the bottom of the page under Categories, select Social Network. Click on the + sign for Social Network.

The Social Network category is now added to the Active Categories and Individual Applications of the current profile. The following policy means that all applications that fall under the Social Network category will be blocked.

Next we will allow Facebook.

Once you highlight the Social Network category, all applications that fall under this category will show up on the right-hand side under Applications.


Find Facebook under Applications and click on the + sign.

Facebook is now added to the Active Categories and Individual Applications of the current profile.

Since the default is to block, we will have to edit the Facebook policy to allow instead. Click Edit.

You’ll be taken to the Application Control Policy page for Facebook.


Change the Application Policy from Drop to Allow and click Apply.

The application Facebook is now allowed under the current policy. Keep in mind that individual application rules take priority over category rules.

Next, we will block Facebook games.


Go back to the bottom of the page and under the Social Network category select the application Facebook Game and click on the corresponding + sign.

The application Facebook Game will now be added to the Active Categories and Individual Applications of the current profile.

Once you have all three added, click Apply at the bottom of the Add or Edit Application Control Profile page. You’ll now be taken back to the Application Control page. Finally, select Yes under Do you want to enable Application Control? and click Apply.

We’ve now successfully configured the global application control profile.


Configuring Profile Mode

Profile mode gives the administrator the flexibility to configure multiple profiles and apply them to different firewall rules.

Go to the Application Security -> Application Control page. The default is Global mode. We will now change it to Profile mode.

Change the Mode: to Profile in the drop down menu and click Apply.


The UTM now runs in Profile mode, and the Global Application Control profile is ignored.

Next, we will add a profile that blocks all social networking applications, allows Facebook but also blocks Facebook games.

Click the Add button. You’ll be taken to the Add or Edit Application Control Profile page.

Give the profile a name (in this example we name this profile “Test”) and give a brief description.


Now follow the instructions in the Global mode section to configure this policy. Once that is done, your Application Control page should look like the following.

Next, we will apply this profile to the default outbound firewall policy.

Go to the Network Security -> Firewall -> LAN WAN Rules page.


We will now add an outbound firewall policy for all users on the LAN and apply the “Test” application control profile we just created to it. Click on the Add button under Outbound Services.

On the Add LAN WAN Outbound Service page, configure it to allow all traffic for all users. For the Application Control drop down menu, select the “Test” profile.

Click Apply.

The new outbound firewall policy will now show up. And we’re done!
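
The profile built in both procedures can be modelled to check what it should do before testing from a LAN client. This is an added example, not NETGEAR code: the catalogue entries other than Facebook and Facebook Game are constructed, and it assumes that traffic matching no entry is allowed and that, in Profile mode, a firewall rule with no profile attached gets no application control.

```python
# Added illustration: a model of the profile from this note, not NETGEAR code.
from dataclasses import dataclass, field

ALLOW, DROP = "Allow", "Drop"

# Application -> category. Constructed sample; the UTM ships its own catalogue.
CATALOGUE = {
    "Facebook": "Social Network",
    "Facebook Game": "Social Network",
    "OtherSocialApp": "Social Network",   # constructed placeholder
    "OtherMailApp": "Mail",               # constructed placeholder
}

@dataclass
class Profile:
    name: str
    categories: dict = field(default_factory=dict)    # category -> policy
    applications: dict = field(default_factory=dict)  # application -> policy

    def decide(self, app):
        # Individual application rules take priority over category rules.
        if app in self.applications:
            return self.applications[app]
        if CATALOGUE.get(app) in self.categories:
            return self.categories[CATALOGUE[app]]
        return ALLOW  # assumption: traffic matching no entry is left alone

def build_note_profile(name):
    p = Profile(name)
    p.categories["Social Network"] = DROP    # + on the category (default Drop)
    p.applications["Facebook"] = DROP        # + on Facebook (default Drop)...
    p.applications["Facebook"] = ALLOW       # ...then Edit: Drop -> Allow
    p.applications["Facebook Game"] = DROP   # + on Facebook Game, left at Drop
    return p

def effective_policy(mode, global_profile, rule_profile, app):
    # Global mode: one profile for all traffic. Profile mode: the global
    # profile is ignored; only the profile attached to the matching firewall
    # rule applies (no profile attached -> no app control, an assumption).
    profile = global_profile if mode == "Global" else rule_profile
    return profile.decide(app) if profile else ALLOW

def exceptions(profile):
    # Application entries that override their category entry (review these).
    return sorted(a for a, pol in profile.applications.items()
                  if profile.categories.get(CATALOGUE.get(a), pol) != pol)
```

Calling exceptions() on the finished profile lists only Facebook, the single override of the Social Network category that the note intends.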

Conclusion

Following the steps above, we have successfully enabled application control and configured a profile for both Global mode and Profile mode. For Profile mode, we’ve successfully attached the application control profile to an outbound firewall policy. Users on the network are now blocked from all Social Networking access except for Facebook. In addition to that, they will also be blocked from Facebook games.

NETGEAR, the NETGEAR logo, Connect with Innovation, ProSafe and ProSecure are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Other brand names mentioned herein are for identification purposes only and may be trademarks of their respective holder(s). Information is subject to change without notice. © 2012 NETGEAR, Inc. All rights reserved.

www.netgear.com

