App Control Use Cases
683
SonicOS 5.8.1 Administrator Guide
When you configure the policy or policies for this purpose, you can select Direction > Basic >
Outgoing to specifically apply your file transfer restrictions to outbound traffic. Or, you can
select Direction > Advanced and then specify the exact zones between which to prevent file
transfer. For example, you can specify LAN to WAN, LAN to DMZ, or any other zones that you
have defined.
Server Protection
Servers are typically accessed by many untrusted clients. For best protection of these valuable
resources, you should have multiple lines of defense. With Application Control on your
gateway, you can configure policies to protect your servers. For example, you can create a
policy that blocks all FTP put commands to prevent anyone from writing a file to a server (see
“Blocking FTP Commands” on page 695). Even though the server itself may be configured as
read-only, this adds a layer of security that is controlled by the firewall administrator. Your
server will still be protected even if its configuration is changed by an error, a side-effect of a
patch, or by someone with malicious intent. With Application Control, you can effectively control
content upload for servers using HTTP, SMTP, POP3, and FTP.
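The FTP case above, as an added example (not SonicOS code and not from this guide): the client command "put" travels on the FTP control channel as STOR, and RFC 959 also defines STOU and APPE for writing file data to a server, so a check for uploads has to recognize all three, in any letter case, and only after a full line has arrived. The class and function names, the MAX_LINE cap, and the sample session are assumptions constructed for illustration.

```python
# Added illustration; not SonicOS code. All names here are hypothetical.
# RFC 959 commands that write file data to the server ("put" is sent as STOR).
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


class FtpControlInspector:
    """Reassembles client-to-server control-channel lines and flags uploads."""

    MAX_LINE = 4096  # assumed cap so an unterminated line cannot grow forever

    def __init__(self):
        self._buf = b""

    def feed(self, segment: bytes):
        """Take one TCP payload; return a list of (verdict, command, argument)."""
        self._buf += segment
        results = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            results.append(self._classify(line))
        if len(self._buf) > self.MAX_LINE:
            self._buf = b""  # fail closed on an oversized, unterminated line
            results.append(("block", "", "line too long"))
        return results

    @staticmethod
    def _classify(line: bytes):
        text = line.rstrip(b"\r").decode("latin-1").strip()
        verb, _, arg = text.partition(" ")
        verb = verb.upper()  # FTP command verbs are case-insensitive
        verdict = "block" if verb in UPLOAD_COMMANDS else "allow"
        return (verdict, verb, arg.strip())


def inspect_session(segments):
    """Run every segment of one control connection through a single inspector."""
    inspector = FtpControlInspector()
    out = []
    for seg in segments:
        out.extend(inspector.feed(seg))
    return out


# Constructed sample session; "stor" arrives split across two segments.
SAMPLE_SEGMENTS = [b"USER demo\r\n", b"RETR report.txt\r\nst",
                   b"or upload.bin\r\n", b"APPE log.txt\r\n"]
```

Downloads (RETR) pass while STOR and APPE are flagged, which matches the read-only intent described above.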
An example of policies that affect servers might be a small ISP providing three levels of service
to its customers, whose servers are sitting in its rack. At the gold level, a customer can host a
Web server, Email server, and FTP server. At the silver level, a customer can host only a Web
server and Email server. At the bronze level, the hosting package only allows a Web server.
The ISP could use Application Control to enforce these restrictions, by creating a policy for
each customer.
[Figure: diagram labeled E7500 Network Security Appliance, Internet, Client, and servers HTTP, SMTP/POP3, FTP]