Application Network Access Control
In this section:
- About Application Network Access Control
- Network Connection Items
- Add a Network Connection
- Add a Network Item Directly to a Rule
- Edit a Network Connection Directly in a Rule
- Assign a Network Connection Item to a Group
- Edit a Network Connection Item in a Group
- Application Network Access Control and Reverse DNS Lookup
- Configure Reverse DNS Lookup Entries
- Distributed File Systems
About Application Network Access Control
Application Network Access Control (ANAC) controls outbound network connections by IP Address, Host Name, URL, UNC path, or Port, based on the outcome of rules processing. For example, access can depend on the location of the requestor, such as whether the user is connecting through a VPN or directly to the network.
Application Network Access Control is designed to control access within a company network infrastructure. This control is achieved by intercepting application requests made through the WINSOCK layer. For example,
Network Connection Items can be created individually or as part of a Group. Groups and Items can be applied to any rule, in Allowed Items to allow access or in Denied Items to deny access. Application Control intercepts and blocks network access when a request is made to a denied network resource. The execution of applications is not controlled by ANAC.
Access is allowed to all network resources until actively denied.
Network Connection Items
Network Connection Items can be created for any network resource and can be added to a configuration in the following ways:
- Directly to a Rule - Adding single Network Connection Items to Allowed Items and Denied Items lists is useful when a more granular level of control is required, or when only a few items are needed. However, this method can be time consuming for a large number of items.
- Assign to Group - Duplicate Network Connection Items are not allowed in the same Group.
- Copy and Paste - Network Connection Items can be cut, copied, or dragged and dropped between rules.
There are no default Network Connection Items in a configuration. The full path of a Network Connection Item cannot exceed 400 characters.
Add a Network Connection
Connection Type
Select one of the following types:
- IP Address - Select to control access to a specific IP Address.
- Network Share - Select to control access to UNC paths. The prefix \\ is added to the Host field.
- Host Name - Select to control access to a specific Host Name.
Connection Options
The combined number of characters for all three fields, Host, Port and Path must not exceed 400.
Host
The IP Address or Host Name for the network connection. This depends on the type of connection selected. The ? and * wildcards can be used. The - (hyphen) can be used to specify a range, but only when IP Address is selected.
An IP Address must be in IPv4 dotted decimal format, for example n.n.n.n
If Network Share is selected as the connection type, the \\ prefix is required.
The full path for the target resource can be entered in Host.
Enter http://server1.company.local:80/resource1/ in the Host field.
Move focus away from Host and the path is automatically split into the separate connection options:
- http:// is removed from the Host field and server1.company.local remains.
- : is removed and 80 is moved to Port.
- /resource1/ is moved to Path.
This allows a full path to be copied and pasted with ease.
Port
The port number of the network connection. This can be used in combination with IP Address or Host Name to control access to a specific port. Ranges and comma-separated values are allowed in the Port field.
Click Ports to display a list of commonly used ports. Select as many ports as required.
Path
The path of the network connection. The ? and * wildcards can be used. To use
The Path is only relevant for controlling HTTP and
- Text contains wildcard characters - Select to use the characters ? and * as wildcards in the Path. If not selected, ? and * are treated as URL delimiters.
- Use Regular Expressions - Select this option to use regular expressions for the selected path.
- Include subdirectories - Select to include subdirectories in the rules processing. Only applicable if the connection type Network Share is selected.
Description
Enter a meaningful description to describe the network connection.
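The following is an added example, not code from Application Control itself. It models how the Host, Port and Path options described above combine into a match: the automatic split of a pasted URL into Host, Port and Path, the ? and * wildcards, the hyphen range for IP Address items, port lists and ranges, the Path options, and the rule that access is allowed until a Denied item matches. The Item fields, the function names and the treatment of an Allowed item as an exemption from a broader Denied item are assumptions made for illustration; check the product's own evaluation order before relying on it.

```python
"""Model of how Application Network Access Control connection options match a request.

Added example (not Application Control's own code): it mirrors the Host, Port and
Path semantics described in this section so that a set of Network Connection Items
can be sanity-checked offline. The Item fields, function names and the treatment of
Allowed items as exemptions from Denied items are assumptions made for illustration.
"""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


def split_host_field(text: str) -> tuple:
    """Split a full URL pasted into Host into (Host, Port, Path), as the dialog does
    when focus leaves the field. Text without a scheme is returned unchanged."""
    if "://" not in text:
        return text, "", ""
    parts = urlsplit(text)
    host = parts.hostname or ""                      # scheme and port stripped
    port = str(parts.port) if parts.port is not None else ""
    return host, port, parts.path


def host_matches(kind: str, spec: str, host: str) -> bool:
    """kind is 'ip', 'host' or 'share'. ? and * are wildcards for every kind;
    a hyphen range (10.0.0.1-10.0.0.50) is honoured only for IP Address items."""
    if kind == "ip" and "-" in spec and not any(c in spec for c in "*?"):
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        try:
            return lo <= ipaddress.ip_address(host) <= hi
        except ValueError:           # request by host name against an IP-range item
            return False
    return fnmatch.fnmatchcase(host.lower(), spec.lower())


def port_matches(spec: str, port: int) -> bool:
    """Empty spec matches any port; otherwise a comma-separated list of ports and
    lo-hi ranges, e.g. '80,443,8000-8080'."""
    if not spec.strip():
        return True
    for piece in (p.strip() for p in spec.split(",")):
        if "-" in piece:
            lo, hi = (int(x) for x in piece.split("-", 1))
            if lo <= port <= hi:
                return True
        elif piece and int(piece) == port:
            return True
    return False


def path_matches(spec: str, path: str, *, wildcards: bool, regex: bool, subdirs: bool) -> bool:
    """Path is compared literally unless 'Text contains wildcard characters' or
    'Use Regular Expressions' is set; 'Include subdirectories' also matches below it."""
    if not spec:
        return True
    if regex:
        return re.fullmatch(spec, path) is not None
    if wildcards and fnmatch.fnmatchcase(path, spec):
        return True
    if subdirs:
        base = spec.rstrip("/\\")
        return path == base or path.startswith(base + "/") or path.startswith(base + "\\")
    return path == spec


@dataclass
class Item:
    kind: str                 # 'ip', 'host' or 'share' (the Connection Type)
    host: str
    port: str = ""
    path: str = ""
    wildcards: bool = True
    regex: bool = False
    subdirs: bool = False

    def matches(self, host: str, port: int, path: str) -> bool:
        return (host_matches(self.kind, self.host, host)
                and port_matches(self.port, port)
                and path_matches(self.path, path, wildcards=self.wildcards,
                                 regex=self.regex, subdirs=self.subdirs))


def is_allowed(allowed: list, denied: list, host: str, port: int, path: str = "") -> bool:
    """Access is allowed to all network resources until actively denied. Assumption:
    a matching Allowed item exempts the request from a broader Denied item."""
    if any(item.matches(host, port, path) for item in allowed):
        return True
    return not any(item.matches(host, port, path) for item in denied)


if __name__ == "__main__":
    denied = [Item("ip", "10.0.0.1-10.0.0.50"),
              Item("host", "*.company.local", port="80,443", path="/admin/*")]
    allowed = [Item("host", "intranet.company.local", port="443", path="/admin/health")]
    print(split_host_field("http://server1.company.local:80/resource1/"))
    print(is_allowed(allowed, denied, "10.0.0.25", 445))                              # False
    print(is_allowed(allowed, denied, "intranet.company.local", 443, "/admin/users"))  # False
    print(is_allowed(allowed, denied, "intranet.company.local", 443, "/admin/health")) # True
```

The host names, addresses and ports in the usage block are constructed for the example. Note that with wildcards disabled a Path containing ? or * is compared literally, which is why the option matters for URLs that carry query strings.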
Add a Network Item Directly to a Rule
Network Items can be added to any Allowed Items or Denied Items node. For example, a Network Connection Item is set up for an IP Address and assigned to Denied Items in a Group Rule. The group members of that rule will not have access to any network resource at that IP Address.
- Navigate to the required node, for example, Denied Items or Allowed Items for a specific user group.
- From the Rule Items ribbon, select Add Item > Denied (or Allowed) > Network Connection Item. The Add a Network Connection dialog displays.
- Fill in the details of the connection type.
- Click Add.
Edit a Network Connection Directly in a Rule
- Navigate to the Rule node in the navigation tree where the Network Connection Item to be amended is located. The relevant work area displays.
- Click the Network Connection Item to be amended, listed under Network Connections.
- Select Edit Network Connection on the Rule Items ribbon. The Edit a Network Connection dialog displays.
- Make the required amendments.
- Click OK to save the changes and close the dialog.
Assign a Network Connection Item to a Group
- Navigate to the Group Management node.
- In the navigation tree, select the group to which to add the Network Connection Item.
- Right-click within the work area and select Add > Network Connection. The Add a Network Connection dialog displays.
- Specify the Network Connection details and click Add.
Edit a Network Connection Item in a Group
- Navigate to the relevant Group in the navigation tree. The Group Management work area displays.
- Select the Network Connection Item to be amended, listed under Network Connections.
- Select Edit Item on the Groups ribbon. The Edit a Network Connection dialog displays.
- Make the required amendments.
- Click OK to save the changes and close the dialog.
Application Network Access Control and Reverse DNS Lookup
The Application Network Access Control feature can use reverse DNS lookups when evaluating Network Connection rules. The feature is turned off by default because the time taken to retrieve this information from the DNS servers may degrade the performance of network applications.
Enabling this feature makes the network rules more effective when users or applications request network resources by IP address while the configuration is based on host names. Without it, a request made by IP address is not matched against a host-name item.
Reverse DNS lookups are enabled by configuring a set of engineering keys.
This feature requires an administrator to enable and configure Reverse DNS Zones on the DNS servers.
Configure Reverse DNS Lookup Entries
When using the engineering keys to configure reverse DNS lookup entries, add only IP Addresses that are within the company network infrastructure to the relevant engineering key. Addresses outside the company network have no reverse zone you control, so looking them up only adds delay.
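The following added example, which is not the Application Control agent's code, shows why a host-name Denied item is bypassed by a request made by IP address until reverse DNS is enabled, and why only in-network addresses should be eligible for lookup. PTR_TABLE is a constructed stand-in for the reverse zones an administrator would configure on the DNS servers, and INTERNAL_NETWORKS for the company-network ranges that would go into the engineering key; the function names are assumptions made for illustration.

```python
"""Why reverse DNS matters for host-name items, as an added example (not the agent's code).

A Denied item written as a host name cannot match a request that an application makes
by IP address unless the address is first resolved back to a name. PTR_TABLE and
INTERNAL_NETWORKS are constructed data for this example.
"""
import fnmatch
import ipaddress
from typing import Optional

PTR_TABLE = {                                    # constructed reverse-zone data
    "10.0.0.5": "server1.company.local",
    "10.0.0.6": "files.company.local",
}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),     # constructed company ranges
                     ipaddress.ip_network("192.168.0.0/16")]


def reverse_lookup(target: str) -> Optional[str]:
    """Return the PTR name for an in-network IP address, or None when the target is
    already a host name, is outside the company network (no lookup is attempted, so
    no DNS delay is incurred), or has no PTR record."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return None
    if not any(addr in net for net in INTERNAL_NETWORKS):
        return None
    return PTR_TABLE.get(str(addr))


def is_denied(denied_hosts: list, target: str, *, reverse_dns: bool) -> bool:
    """Match a request target against host-name Denied items (? and * wildcards).
    With reverse_dns enabled the resolved name is checked as well as the raw target."""
    candidates = [target]
    if reverse_dns:
        name = reverse_lookup(target)
        if name:
            candidates.append(name)
    return any(fnmatch.fnmatchcase(c.lower(), spec.lower())
               for c in candidates for spec in denied_hosts)


if __name__ == "__main__":
    rule = ["server1.company.local"]
    print(is_denied(rule, "server1.company.local", reverse_dns=False))  # True
    print(is_denied(rule, "10.0.0.5", reverse_dns=False))               # False: rule bypassed
    print(is_denied(rule, "10.0.0.5", reverse_dns=True))                # True
```

A real deployment would replace PTR_TABLE with an actual reverse lookup against the DNS servers; the network check in reverse_lookup is the part that keeps the feature's cost bounded.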
Distributed File Systems
A distributed file system or network file system allows files to be accessed from multiple hosts that share them over a computer network. This makes it possible for multiple users on multiple machines to share files and storage resources. Using DFS, system administrators can make it easy for users to access and manage files that are physically distributed across a network.
There are two ways of implementing DFS on a server:
- Standalone DFS Namespaces
- Domain-Based DFS Namespaces
For examples of namespaces that can be part of both a domain-based and a standalone scenario, refer to Microsoft guidelines.
For Application Network Access Control (ANAC) rules using a Network Share that refers to files or folders on a DFS share, you must specify the target server, rather than the namespace server, in the UNC path. The Application Control Agent substitutes the namespace server path with the target server path, so the namespace server path never passes through the rules engine; a rule written against the namespace path does not match.
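The following added example, which is not the Application Control agent's code, makes the DFS point concrete: DFS_REFERRALS is a constructed stand-in for the referrals a namespace would return, and resolve_dfs() imitates the agent replacing the namespace path with the target server path before the rules engine evaluates Network Share items. The server and share names are assumptions made for illustration.

```python
"""DFS namespace substitution and ANAC Network Share items, as an added example.

Not Application Control's code: DFS_REFERRALS is constructed data, and resolve_dfs()
imitates the agent substituting the namespace path with the target server path
before the rules engine sees it. A Denied item written against the namespace path
therefore never matches, while one written against the target server does.
"""
import fnmatch

DFS_REFERRALS = {                                    # constructed namespace -> target map
    r"\\company.local\dfs\finance": r"\\fileserver01\finance$",
    r"\\company.local\dfs\hr": r"\\fileserver02\hr$",
}


def resolve_dfs(unc: str) -> str:
    """Replace a namespace prefix with its target; the longest namespace wins.
    Paths that are not under a known namespace are returned unchanged."""
    low = unc.lower()
    for ns in sorted(DFS_REFERRALS, key=len, reverse=True):
        n = ns.lower()
        if low == n or low.startswith(n + "\\"):
            return DFS_REFERRALS[ns] + unc[len(ns):]
    return unc


def share_denied(denied_shares: list, requested_unc: str, *, subdirs: bool = True) -> bool:
    """Evaluate Network Share Denied items (? and * wildcards, optional subdirectories)
    against what the rules engine actually receives: the target server path."""
    target = resolve_dfs(requested_unc).lower()
    for spec in denied_shares:
        s = spec.lower().rstrip("\\")
        if fnmatch.fnmatchcase(target, s) or (subdirs and target.startswith(s + "\\")):
            return True
    return False


if __name__ == "__main__":
    request = r"\\company.local\dfs\finance\budget.xlsx"
    print(resolve_dfs(request))                                     # \\fileserver01\finance$\budget.xlsx
    print(share_denied([r"\\company.local\dfs\finance"], request))  # False: namespace path never matches
    print(share_denied([r"\\fileserver01\finance$"], request))      # True
```

When auditing a configuration, list every Network Share item and check that none of them names a DFS namespace server; such items are silently ineffective.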