
SonicOS

Application Firewall Configuration Examples

This technote describes practical usage examples of the SonicOS Application Firewall (AF) feature introduced in SonicOS Enhanced 4.0. The Application Firewall (AF) feature, available in SonicOS Enhanced 4.0 and higher releases, provides network administrators deep visibility into the various types of network traffic traversing the firewall, and provides a powerful tool for granularly controlling it.

The specific AF practical examples presented in this document are:

- Fingerprint - Prevent a document that contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network.
- Bandwidth Throttling on a global basis - Detect and apply bandwidth throttling to streaming media on a global basis (all users).
- Bandwidth management on a per group basis - Detect and apply individualized bandwidth management (throttling & guarantees) to streaming media on a per group basis.
- Forbidden file type - Prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded.
- Disallowing all unnecessary commands - Enhance the security of public facing FTP servers by disallowing all unnecessary commands.
- Disallowing HTTP POST method - Enhance the security of public facing read-only HTTP servers by disallowing the HTTP POST method.
- Block web browsers/applications - Block the usage of all non-sanctioned web browsers/applications on the network.
- AF Objects, Applicable Policy Types and Usage Example Table - Provides a matrix of Application Firewall Objects, Applicable Policy Types and Usage Examples and their relationships.

At the end of this document you'll find an object and usage matrix that summarizes the AF components.

The examples and screenshots in this document are shown using SonicOS Enhanced 5.0 running on an E-CLASS NSA. These examples are applicable to SonicOS Enhanced 4.0 running on SonicWALL PRO Series.

Fingerprint
To prevent documents which contain a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network, perform the following steps:

SonicWALL_Logo.gif

1. Create a new Word Document and name it ApplicationFirewall_Test.doc.

2. Create a custom Watermark using the SonicWALL_Logo.gif file embedded above in this document (specific steps will vary based on MS Office version). Save the document.

3. Run the XVI32 hex-editor tool. You can download it here: http://www.handshake.de/user/chmaas/delphi/download/xvi32.zip. Navigate to the SonicWALL_Logo.gif file and open it.

4. Select Edit > Block <n> chars, then select the decimal option and type 50 in the space provided. This will mark the first 50 characters in the file, which is sufficient to generate a unique thumbprint for use in a Custom Application Object. It should look like the following screenshot.

5. Select Edit > Clipboard > Copy as hex string.

6. Open Notepad, then paste the string you just copied into it. It should look like the following screenshot.

7. Next select Edit > Replace and in the dialog box that opens under Find What press the space bar once then click Replace All. This intermediary step is necessary to remove all the spaces from the Hex string. It should now look like the following screenshot.

8. Select Edit > Select All, then Edit > Copy.

9. In the SonicWALL GUI navigate to Application Firewall > Application Objects, then click Add New Object. Create an Application Object like the one shown below:

10. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.

11. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.

Testing
To test this policy attempt to email the AppFirewall_Test.doc you created. You should see an Alert similar to the one below in the log:

Bandwidth Throttling on a Global Basis


To detect and apply bandwidth throttling to streaming media on a global basis (all users), perform the following steps:

1. Open Internet Explorer and go to the following site: http://www.klif.com/listen.asp

2. Open Wireshark Network Analyzer and start a capture. You can download a copy of Wireshark here: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe

3. Click where it says:

4. Once you hear audio, stop the capture and close the streaming radio player.

5. In Wireshark select Edit > Find Packet, select By: String and Search in Packet Details. In the filter type: Content-Type: application/sdp, then click Find. See screenshot below:

6. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the server will be sending a MIME Content-Type of application/sdp (RTSP). Application Firewall can dynamically detect any MIME type and perform the prescribed action. In this case we will throttle the bandwidth.

Note: Although the example here is for just one MIME type, you can use a similar procedure to identify MIME types for other types of media and data transferred over HTTP. The IANA maintains a database of all registered MIME types here: http://www.iana.org/assignments/media-types

7. Navigate to Application Firewall > Application Objects and create an object like the one in the following screenshot.

8. Navigate to Application Firewall > Actions and create an action like the one shown in the following screenshot.

Note: In order to complete this step, Bandwidth Management must be enabled on the firewall. Please refer to the SonicOS Enhanced Administrator's Guide for detailed steps on how to do this. You can download the guide here: http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf

9. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.

Testing
To test this policy repeat steps 1 & 3 again to listen to the streaming radio. You should see alerts similar to the ones shown below in the log.

To verify the effectiveness of AF bandwidth management, try adjusting the Maximum Bandwidth value in the Bandwidth - Throttle action to larger and smaller values. You should hear a marked improvement/degradation in the audio quality, demonstrating that the bandwidth throttling is working as expected.

Note: The application object we created in step 7 contains MIME types for other streaming media sites such as http://www.youtube.com and http://www.pandora.com. Feel free to try these out as well.


Bandwidth Management on a per Group Basis


To detect and apply individualized bandwidth management (throttling & guarantees) to streaming media on a per group basis, perform the following steps. This example builds on the previous one by demonstrating how AF policies can be configured so that they only apply to the specified included user groups or, conversely, so that they apply to everyone except the excluded groups. This example also serves to demonstrate how AF can leverage the firewall's LDAP integration capabilities along with Single Sign On (SSO). The various authentication components used in this example are described below with corresponding screenshots.

Prerequisites: This example assumes you have already enabled and properly configured LDAP authentication and SSO on the firewall, and that the workstation you will use to test from is a member of the domain. You will also need SonicWALL CFS enabled on the LAN zone so that SSO authentication will occur. Please refer to the SonicOS Enhanced Administrator's Guide for detailed steps on how to do these tasks. You can download the guide here: http://www.sonicwall.com/downloads/SonicOS_Enhanced_5.0_Administrators_Guide.pdf

User Login Settings


LDAP Schema (Microsoft AD)


Domain Name (sonicwall-central.com)


Validation of LDAP authentication functionality and group assignment


LDAP Groups imported into firewall Local Groups (snwl-Managers & snwl-Sales)

Validation of SSO functionality

Log in to the test workstation twice: once as a user who is a member of the snwl-Managers group and once as a user who is a member of the snwl-Sales group. Open a new browser each time. The screenshot below shows that both users were authenticated by SSO; the bubble shows that user Paul is a member of the user group snwl-Managers, and user Syya is a member of the snwl-Sales group.


1. Navigate to Application Firewall > Actions and create a new action, like the one shown in the following screenshot.


2. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.


3. Edit the policy you created in the previous step so that it includes the snwl-Sales group and excludes the snwl-Managers group. Refer to the following screenshot.


Testing
To test this policy, log in as a member of the snwl-Managers group, go to www.youtube.com and watch any video. Notice the quality. Next log in as a member of the snwl-Sales group and repeat the exercise. You should see a marked degradation in the video quality. The corresponding log messages are shown in the following screenshot. Notice the two different policies being invoked: one for managers that guarantees bandwidth and the other that throttles it.

Because the application object we created in the previous step included the MIME type for .exe file transfers (application/octet-stream), another good test you can perform to quantify the effectiveness of AF is to download the Wireshark application we used in the first step: http://prdownloads.sourceforge.net/wireshark/wireshark-setup-0.99.6a.exe. When logged in as a member of the snwl-Managers group you should see an increase in throughput compared with being logged in as a member of snwl-Sales.


Forbidden File Types


To prevent risky or forbidden file types (e.g. exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded, perform the following steps:

1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown below:

2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.


3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.


Testing
To test this policy, open a web browser and try to download any of the file types specified in the Application Object (exe, vbs, scr). Below are a few URLs you can try:

http://download.skype.com/SkypeSetup.exe
http://us.dl1.yimg.com/download.yahoo.com/dl/msgr8/us/msgr8us.exe
http://g.msn.com/8reen_us/EN/INSTALL_MSN_MESSENGER_DL.EXE

You will see an alert similar to the one shown in the following screenshot in the log.


Disallowing All Unnecessary Commands


To enhance the security of public facing FTP servers by disallowing all unnecessary commands, perform the following steps:

1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown in the following screenshot.

2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown in the following screenshot.


3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.

Testing
To test this policy you will need to set up an FTP server inside your firewall and create the appropriate security policy to allow external access. Afterwards, issue one of the forbidden commands. You will see an alert similar to the one shown below in the log.


If you don't have access to an FTP server but would like to see this policy in action, go to ftp.sonicwallcentral.com and attempt to execute one of the forbidden FTP commands.

Disallowing HTTP POST Method


To enhance the security of public facing read-only HTTP servers by disallowing the HTTP POST method, perform the following steps:

1. Using Notepad, create a new document called Post.htm that contains the HTML code below and save it to your desktop:

   <FORM action="http://www.yahoo.com/" method="post">
   <p>Please enter your name: <input type="Text" name="FullName"></p>
   <input type="submit" value="Submit">
   <INPUT type="reset">
   </FORM>

2. Open Wireshark Network Analyzer and start a capture. Open the form you just created, type in your name and click Submit. Stop the capture.

3. Using Wireshark's Edit > Find Packet function, search for the string POST. See the following screenshot for details.


4. Wireshark will jump to the first frame that contains the requested data. You should see something like the screenshot below. This indicates that the HTTP POST method is transmitted immediately after the TCP header information and consists of the first four bytes (504f5354) of the TCP payload (HTTP application layer). We will use that information to create a custom application firewall object that detects the HTTP POST method in the following step.

5. In the SonicWALL GUI navigate to Application Firewall > Application Objects then click Add New Object. Create an Application Object like the one shown in the following screenshot. Notice that in this particular application object we are using the Enable Settings feature which allows you to create objects that look for a match in a specific part of the payload. Offset specifies which byte in the payload Application Firewall should start matching. Depth specifies at what byte to stop matching. Min & Max allow you to specify a minimum and maximum payload size.


6. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown in the following screenshot.

Testing
To test open the Post.htm document you created earlier type in your name and click Submit. The connection should drop this time and you should see an alert in the log similar to the one below.


Block Web Browsers/Applications


To block the usage of all non-sanctioned web browsers/applications on the network, perform the following steps:

1. Navigate to Application Firewall > Application Objects and click Add New Object. Create an object like the one shown below. Notice the use of Enable Negative Matching in this case, which allows us to explicitly specify the allowed User Agent(s) (e.g. Internet Explorer, all versions, in this case) while implicitly denying all others.


2. Navigate to Application Firewall > Actions and click Add New Action. Create an action like the one shown below:


3. Navigate to Application Firewall > Policies and click Add New Policy. Create a policy like the one shown below:

Testing
To test this policy, attempt to access a website using any browser other than Internet Explorer. Note: If you do not have another browser type available, uncheck the Enable Negative Matching option in step 1 and try with Internet Explorer.
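The matching behaviour the examples in this document rely on (a Custom Object's hex content from the Fingerprint example, the Enable Settings offset/depth window from the HTTP POST example, a MIME Content-Type match from the Bandwidth Throttling example, and Enable Negative Matching from this browser example) modelled in Python as an added illustration; this is not SonicWALL code, and the AppObject class, its size-gating rule and all sample payloads are assumptions constructed for the example.

```python
# Added illustration of how Application Firewall objects are evaluated; not
# SonicWALL code.  Assumed semantics: a pattern must occur inside the payload
# window [offset, depth), the payload length must lie within [min, max], and
# "Enable Negative Matching" inverts the pattern result.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AppObject:
    name: str
    patterns: List[bytes]           # alphanumeric or hex content entries
    offset: int = 0                 # first payload byte examined (0-based)
    depth: Optional[int] = None     # stop examining at this byte; None = end
    min_size: int = 0               # "Min" payload size
    max_size: Optional[int] = None  # "Max" payload size
    negative: bool = False          # "Enable Negative Matching"

    def matches(self, payload: bytes) -> bool:
        """True when a policy using this object should act on the payload."""
        size = len(payload)
        if size < self.min_size or (self.max_size is not None and size > self.max_size):
            return False            # size limits gate matching and are never inverted
        window = payload[self.offset:self.depth]
        hit = any(p in window for p in self.patterns)
        return (not hit) if self.negative else hit


def hex_fingerprint(data: bytes, length: int = 50) -> str:
    """Steps 3-8 of the Fingerprint example: the first `length` bytes of the
    watermark file as a space-free hex string for a Custom Object."""
    return data[:length].hex()


def evaluate(objects: List[AppObject], payload: bytes) -> List[str]:
    """Names of the objects whose policy would fire for this payload."""
    return [o.name for o in objects if o.matches(payload)]


# Constructed sample data (not captures from the original technote).
FAKE_LOGO_GIF = b"GIF89a" + bytes(range(60)) + b"\x3b"
WATERMARKED_DOC = b"\xd0\xcf\x11\xe0 word-document " + FAKE_LOGO_GIF + b" more"
PLAIN_DOC = b"\xd0\xcf\x11\xe0 word-document without a watermark"
HTTP_POST = b"POST /form HTTP/1.1\r\nHost: www.example.test\r\n\r\nFullName=Paul"
HTTP_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
GET_WITH_POST_IN_URI = b"GET /q?x=POST HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
SDP_RESPONSE = b"RTSP/1.0 200 OK\r\nContent-Type: application/sdp\r\n\r\nv=0"
MSIE_AGENT = b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
OTHER_AGENT = b"Mozilla/5.0 (Windows; rv:1.8) Gecko/20070914 Firefox/2.0"

# Custom Object holding the 50-byte watermark fingerprint (Fingerprint example).
FINGERPRINT = AppObject("Corporate watermark",
                        [bytes.fromhex(hex_fingerprint(FAKE_LOGO_GIF))])
# Custom Object with Enable Settings: 504f5354 at bytes 0..3 only (POST example).
POST_METHOD = AppObject("HTTP POST method", [bytes.fromhex("504f5354")],
                        offset=0, depth=4)
# Custom Object matching the server's MIME type (Bandwidth Throttling example).
STREAMING_MIME = AppObject("Streaming media", [b"Content-Type: application/sdp"])
# HTTP User Agent object with negative matching: fires for anything but MSIE
# (this example); the payload passed in is the User-Agent header value.
NON_SANCTIONED_BROWSER = AppObject("Non-sanctioned browser", [b"MSIE"],
                                   negative=True)

if __name__ == "__main__":
    print(evaluate([FINGERPRINT], WATERMARKED_DOC), evaluate([FINGERPRINT], PLAIN_DOC))
    print(evaluate([POST_METHOD], HTTP_POST), evaluate([POST_METHOD], GET_WITH_POST_IN_URI))
    print(evaluate([STREAMING_MIME], SDP_RESPONSE))
    print(evaluate([NON_SANCTIONED_BROWSER], MSIE_AGENT),
          evaluate([NON_SANCTIONED_BROWSER], OTHER_AGENT))
```

The GET request whose URI contains the word POST shows why the offset/depth window matters: without it, a plain content match on 504f5354 would also drop legitimate requests.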


AF Objects, Applicable Policy Types and Usage Example Table


1. ActiveX ClassID
   Description: An application object that allows the enumeration of the Class ID of an ActiveX component.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Good for preventing some online games, music sites and other applications based on ActiveX controls (e.g. Flash & Shockwave).

2. Custom Object
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any part of the TCP or UDP payload.
   Valid Policy Type(s): Custom Policy, FTP Client (Request), HTTP Client (Request), HTTP Server (Response), POP3 Client (Request), POP3 Server (Response), SMTP Client (Request)
   Usage Example: Prevent a file which contains a specific fingerprint (e.g. embedded corporate watermark) from being transferred out of the network. Detect applications, file downloads and other Internet activities using corresponding MIME types and apply bandwidth limits to them.

3. Email Body
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message body.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the body.

4. Email CC
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message CC: field.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the CC: field.

5. Email From
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message From: field.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails from specific users and/or domains indicated in the From: field.

6. Email Size
   Description: An application object that allows the maximum email size that can be sent to be specified.
   Valid Policy Type(s): SMTP Client (Request)
   Usage Example: Block email with attachments that exceed a specified size.

7. Email Subject
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message Subject: field.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails which contain certain keywords in the Subject: field.

8. Email To
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in the SMTP or POP3 message To: field.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails destined to specific users and/or domains indicated in the To: field.

9. MIME Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match content in an SMTP or POP3 message custom MIME header.
   Valid Policy Type(s): POP3 Server (Response), SMTP Client (Request)
   Usage Example: Block emails which contain specified custom MIME field(s).

10. File Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match the contents of a file being transferred via FTP or SMTP. The pattern will be matched even if the file is compressed.
   Valid Policy Type(s): FTP Data Transfer Policy, SMTP Client (Request)
   Usage Example: Block FTP or SMTP transfers of a confidential file.

11. File Extension
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file extensions. For POP3 or SMTP, extensions of attachments will be matched. For HTTP, extensions of uploaded attachments (Web mail) will be matched. For FTP, extensions of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request), FTP Client File Upload (Request), HTTP Client (Request), POP3 Server (Response), SMTP Client (Request)
   Usage Example: Prevent risky or forbidden file types (e.g. .exe, vbs, scr, dll, avi, mov, etc) from being up or downloaded.

12. File Name
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that represent file names. For POP3 or SMTP, attachment file names will be matched. For HTTP, file names of uploaded attachments (Web mail) will be matched. For FTP, file names of uploaded or downloaded files will be matched.
   Valid Policy Type(s): FTP Client File Download (Request), FTP Client File Upload (Request), HTTP Client (Request), POP3 Server (Response), SMTP Client (Request)
   Usage Example: Prevent files with specified names from being up or downloaded.

13. FTP Command
   Description: An application object that allows enumeration of FTP commands.
   Valid Policy Type(s): FTP Client (Request)
   Usage Example: Enhance the security of public facing FTP servers by disallowing all unnecessary commands.

14. FTP Command + Value
   Description: An application object that allows enumeration of FTP commands with an additional alphanumeric or hexadecimal string(s) that represents a specific parameter (e.g. DELETE word.doc).
   Valid Policy Type(s): FTP Client (Request)
   Usage Example: Allow users read/write access to FTP servers while selectively blocking the deletion or overwriting of specified files and/or folders.

15. HTTP Set Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by web servers.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by blocking specified cookies sent by web servers.

16. HTTP Host
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames contained within the URI of an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Yet another way to block access to websites.

17. HTTP Referer
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match hostnames of referring servers contained in HTTP requests.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block access to sites based upon the FQDN of the host that referred it.

18. HTTP Request Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP client (browser) requests.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Enhance security by controlling browser requests which include custom headers.

19. HTTP Response Custom Header
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match custom HTTP headers contained in HTTP (web) server responses.
   Valid Policy Type(s): HTTP Server (Response)
   Usage Example: Enhance security by controlling data received from web servers in custom HTTP headers.

20. HTTP Cookie
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match cookies sent by browsers.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Enhance security by preventing certain cookies from being sent by the browser.

21. HTTP URI Content
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content found inside of the URI in an HTTP request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Prevent HTTP downloads of forbidden file types. Prevent access to a variety of web content based on information in the URI.

22. HTTP User Agent
   Description: An application object that allows enumeration of alphanumeric or hexadecimal strings that can be used to match any content inside the User-Agent header (e.g. MSIE).
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block the usage of all non-sanctioned web applications on the network.

23. Web Browser
   Description: An application object that allows enumeration of the various textual strings that can be used to match the name various browsers use to identify themselves. This information is contained in the User-Agent header of an HTTP GET request.
   Valid Policy Type(s): HTTP Client (Request)
   Usage Example: Block the usage of all non-sanctioned web browsers on the network.


AF Actions & Applicable Policy Types

Action: Bandwidth Management
Applicable Policy Type(s): Custom, FTP Client Upload/Download, HTTP Client, HTTP Server

Action: Block SMTP E-Mail Send Error Reply
Applicable Policy Type(s): SMTP Client

Action: Block SMTP E-Mail Without Reply
Applicable Policy Type(s): SMTP Client

Action: Bypass DPI
Applicable Policy Type(s): Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Client, HTTP Server, POP3 Client, POP3 Server, SMTP Client

Action: Disable Email Attachment Add Text Email
Applicable Policy Type(s): SMTP Client

Action: Add Text Email
Applicable Policy Type(s): SMTP Client

Action: Add Text FTP Notification Reply
Applicable Policy Type(s): FTP Client, FTP Client Upload/Download

Action: HTTP Block Page
Applicable Policy Type(s): HTTP Client

Action: HTTP Redirect
Applicable Policy Type(s): HTTP Client

Action: No Action
Applicable Policy Type(s): Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Client, HTTP Server, POP3 Client, POP3 Server, SMTP Client

Action: Reset/Drop
Applicable Policy Type(s): Custom, FTP Client, FTP Client Upload/Download, FTP Data Transfer, HTTP Server, HTTP Client, POP3 Client, POP3 Server, SMTP Client

Document Edited: 11/21/07

