Using An Application Control Rule Set - D-Link NetDefendOS User Manual


these define an application and what actions are to be taken when the application is recognized
by NetDefendOS.
An application rule set has a Default Action property which has a value of either Allow or Deny. If
the action is set to Allow, everything is allowed unless it is specifically denied by a rule. If set to
Deny, everything is denied unless it is specifically allowed by a rule.
Using application rule sets allows not only data for a certain application to be allowed or denied
but also the following additional controls:
Authentication Settings
For an Allow application rule, the requesting client is only permitted the connection if they
have already been authenticated by NetDefendOS and are also one of any usernames
specified in that application rule or belong to one of the groups specified in the rule. In
addition, the specified group or username should also be specified for the source network
address object used with the associated IP rule or policy and this is explained further later in
this section.
For a Deny rule, the requesting client is denied the connection if they are authenticated and
are one of the usernames specified or belong to one of the specified groups.
Authentication may have been performed using any of the methods available in NetDefendOS
Authentication Rule objects, including Identity Awareness.
If no groups or usernames are specified in an Application Rule object, authentication is
ignored.
Traffic Shaping Settings
Predefined NetDefendOS Pipe objects can be associated with the rule so the bandwidth limit
specified by pipe objects can be placed on either direction of data flow or both.
This feature therefore allows bandwidth limits to be placed on a given application and, if
used in conjunction with the authentication setting, on particular users or user groups using
that application.
Traffic shaping is only relevant if the Application Control Rule has an action of Allow.
Applying Application Control to Specific Groups or Usernames
Sometimes, application control will need to be applied to a specific group of users or specific
individual users. This can be achieved by doing the following:
Specify a list of the specific groups and/or usernames for the Authentication Settings property
of the relevant Application Rule object.
The Source Network property of the associated IP Rule or IP Policy must be set to an address
book IP object for which either of the following is true:
i. The address object has the property No defined credentials enabled.
ii. The address object has the same groups and/or usernames as the Application Rule
defined for its User Auth Groups property.
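The two conditions above can be checked mechanically when reviewing a configuration. The following Python sketch is an added example, not part of the D-Link manual and not NetDefendOS syntax: the dictionary layout, the object names and the sample data are all hypothetical and constructed for illustration. It applies conditions i and ii literally to each application rule that lists groups or usernames.

```python
# Constructed sample data. The dict layout and all names are hypothetical;
# this is not NetDefendOS configuration syntax.
ADDRESS_BOOK = {
    "lan_any_user": {"no_defined_credentials": True},
    "lan_sales": {"user_auth_groups": ["sales"]},
    "lan_plain": {},  # no credential settings at all
}
RULE_SETS = {
    "office_apps": {"default_action": "Allow", "rules": [
        {"name": "deny_p2p", "action": "Deny", "auth": []},
        {"name": "allow_video_sales", "action": "Allow", "auth": ["sales"]},
    ]},
}
POLICIES = [
    {"name": "lan_to_wan_a", "source_network": "lan_any_user", "app_rule_set": "office_apps"},
    {"name": "lan_to_wan_b", "source_network": "lan_sales", "app_rule_set": "office_apps"},
    {"name": "lan_to_wan_c", "source_network": "lan_plain", "app_rule_set": "office_apps"},
]

def names(values):
    """Normalize a list of group/user names to a set, ignoring blanks."""
    return {v.strip() for v in values if v.strip()}

def check_policy(policy, address_book=ADDRESS_BOOK, rule_sets=RULE_SETS):
    """Return findings for one IP policy; an empty list means consistent."""
    src_name = policy["source_network"]
    src = address_book.get(src_name)
    if src is None:
        return [f"{policy['name']}: address object {src_name!r} not found"]
    rule_set = rule_sets[policy["app_rule_set"]]
    findings = []
    if rule_set["default_action"] not in ("Allow", "Deny"):
        findings.append(f"{policy['name']}: invalid Default Action")
    for rule in rule_set["rules"]:
        wanted = names(rule.get("auth", []))
        if not wanted:
            continue  # no groups/usernames on the rule: authentication is ignored
        if src.get("no_defined_credentials"):
            continue  # condition i
        if names(src.get("user_auth_groups", [])) == wanted:
            continue  # condition ii
        findings.append(f"{policy['name']}: rule {rule['name']!r} names {sorted(wanted)} "
                        f"but {src_name!r} meets neither condition i nor ii")
    return findings

if __name__ == "__main__":
    for p in POLICIES:
        print(p["name"], check_policy(p) or "OK")
```

With the constructed data, only lan_to_wan_c is reported, because its source address object neither enables No defined credentials nor lists the group named in the rule.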
Example 3.40. Using an Application Control Rule Set
Chapter 3: Fundamentals
