Application Rule Set not working

ENB
Posts: 1
Joined: 07 Jan 2018, 00:50

Post by ENB » 22 Jun 2022, 00:47

What is the correct procedure to prohibit surfing the internet with (for example) the Tor Browser?
I have created an application rule set as described in all the documentation:
- application rule set with the default action "allow".
- application rule with default action "deny" and application filters "Tor" and "Tor2web"
- applied to an IP policy with service "https" and activated application control with my defined application rule set

In the application control log I can see that my application rule set detects a program but decides that it is allowed to run. The program is not detected as a "tor browser" but as "ssl" - as I can detect it.

What am I missing? I have never managed to ban a program from accessing the internet with "application rule sets".

Do I need to set something else in another place?
Deployed on different NetWalls with COS 14.00.05.04-37200.

Hope someone can help me.

Regards
Enno

Peter
Posts: 702
Joined: 10 Apr 2008, 14:14
Location: Clavister HQ - Örnsköldsvik

Re: Application Rule Set not working

Post by Peter » 20 Oct 2022, 10:27

Hello.

I would recommend you create a support errand for further inquiries as the forums are pretty much inactive / not actively watched currently.

When it comes to TOR it's a very difficult application to block as it's encrypted, which is one of the main reasons that AC detects it as SSL. If memory serves me right the main point of the problem is to mask what it is doing in order to get through firewalls and whatnot.

Simply blocking SSL would not be a good alternative either as then you would hinder other valid traffic in the network. A combination of AC and FQDN rules would potentially be a way to attempt to block it if you know which domain(s) TOR is using.

Our vendor also releases updates to the application signature database so it's not impossible at the time of this writing that there is an updated signature available.

Best regards
/Peter
