Best Practices for Configuring Application Control
We recommend controlling applications' access to the network as follows:

- To allow or block application access from a less secure network to a more secure network: use Port (Selected Destination Port) conditions on the access control rule. For example, allow ICMP traffic from the internet (less secure) to an internal network (more secure).
- To allow or block applications being accessed by user groups: use Application conditions on the access control rule. For example, block Facebook from being accessed by members of the Contractors group.
Caution: Failure to set up your access control rules properly can have unexpected results, including traffic being allowed that should be blocked. In general, application control rules should be lower in your access control list, because those rules take longer to match than rules based on, for example, IP addresses. Access control rules that use specific conditions (such as networks and IP addresses) should be ordered before rules that use general conditions (such as applications). If you are familiar with the Open Systems Interconnect (OSI) model, order your rules along the same lines: rules with conditions for layers 1, 2, and 3 (physical, data link, and network) should come first in your access control rules, and rules with conditions for layers 5, 6, and 7 (session, presentation, and application) should come later. For more information about the OSI model, see the Wikipedia article on it.
The following table provides an example of how to set up your access control rules:
| Type of control | Action | Zones, Networks, VLAN Tags | Users | Applications | Ports | URLs | SGT/ISE Attributes | Inspection, Logging, Comments |
|---|---|---|---|---|---|---|---|---|
| Application from more secure to less secure network when application uses a port (for example, SSH) | Your choice (Allow in this example) | Destination zones or networks using the outside interface | Any | Do not set | Available Ports: SSH, added to Selected Destination Ports | Any | Use only with ISE/ISE-PIC | Any |
| Application from more secure to less secure network when application does not use a port (for example, ICMP) | Your choice (Allow in this example) | Destination zones or networks using the outside interface | Any | Do not set | Selected Destination Ports: Protocol ICMP, Type Any | Do not set | Use only with ISE/ISE-PIC | Any |
| Application access by a user group | Your choice (Block in this example) | Your choice | Choose a user group (Contractors group in this example) | Choose the name of the application (Facebook in this example) | Do not set | Do not set | Use only with ISE/ISE-PIC | Your choice |
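The following example is added here to illustrate the ordering rule from the caution above and the three rules in the table; it is not Cisco's code and does not model the real policy engine. It uses a simplified first-match evaluation over a hypothetical `Rule`/`Flow` model (zone, user group, application, protocol and port only; URL, SGT/ISE and inspection settings are left out), builds the table's three rules, and includes an `ordering_warnings` check that flags any rule with application or user conditions placed ahead of a rule that matches on network and port conditions only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, simplified access control rule: empty sets mean "Any"/"Do not set".
@dataclass
class Rule:
    name: str
    action: str                                      # "allow" or "block"
    dest_zones: set = field(default_factory=set)     # layer-3 condition
    users: set = field(default_factory=set)          # user-group condition (identity)
    applications: set = field(default_factory=set)   # layer-7 condition
    protocol: Optional[str] = None                   # e.g. "tcp", "icmp"
    dest_port: Optional[int] = None                  # layer-4 condition (tcp/udp only)

    def uses_app_layer(self) -> bool:
        """True if matching needs application identification or user identity."""
        return bool(self.applications or self.users)

# Constructed description of one connection being evaluated against the policy.
@dataclass
class Flow:
    dest_zone: str
    user_group: str
    application: str
    protocol: str
    dest_port: Optional[int] = None

def matches(rule: Rule, flow: Flow) -> bool:
    """Every configured condition must hold; unset conditions match anything."""
    if rule.dest_zones and flow.dest_zone not in rule.dest_zones:
        return False
    if rule.users and flow.user_group not in rule.users:
        return False
    if rule.applications and flow.application not in rule.applications:
        return False
    if rule.protocol and flow.protocol != rule.protocol:
        return False
    if rule.dest_port is not None and flow.dest_port != rule.dest_port:
        return False
    return True

def first_match(policy: list, flow: Flow) -> Optional[Rule]:
    """Top-down first-match evaluation; None means the default action applies."""
    for rule in policy:
        if matches(rule, flow):
            return rule
    return None

def ordering_warnings(policy: list) -> list:
    """Flag application/user rules that sit above network/port-only rules."""
    warnings = []
    for i, rule in enumerate(policy):
        if not rule.uses_app_layer():
            continue
        for later in policy[i + 1:]:
            if not later.uses_app_layer():
                warnings.append(
                    f"'{rule.name}' (application/user conditions) is ordered "
                    f"before '{later.name}' (network/port conditions only)"
                )
    return warnings

def build_example_policy() -> list:
    """The three rules from the table, in the recommended order (constructed names)."""
    return [
        Rule("allow-ssh-outbound", "allow", dest_zones={"outside"},
             protocol="tcp", dest_port=22),
        Rule("allow-icmp-outbound", "allow", dest_zones={"outside"},
             protocol="icmp"),
        Rule("block-facebook-contractors", "block",
             users={"Contractors"}, applications={"Facebook"}),
    ]

if __name__ == "__main__":
    policy = build_example_policy()
    print("warnings (recommended order):", ordering_warnings(policy))
    print("warnings (reversed order):", ordering_warnings(list(reversed(policy))))
    for flow in [Flow("outside", "Employees", "SSH", "tcp", 22),
                 Flow("inside", "Contractors", "Facebook", "tcp", 443),
                 Flow("inside", "Employees", "Facebook", "tcp", 443)]:
        hit = first_match(policy, flow)
        print(flow, "->", hit.name if hit else "default action")
```

Running `ordering_warnings` over a reversed policy shows why the caution matters: the Facebook rule placed first forces application identification on every outbound SSH and ICMP connection before the cheaper zone and port rules get a chance to match.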