Better way of doing AppID

I know there have been discussions on URL filtering, but I want to discuss app filtering; specifically, are there any tools that people are using to control application use on the network?

So lately, I’ve been toying with OpenAppID. This is supported on pfSense for application identification. I build my Snort rules around the application.
The problem is that the implementation is not clean. First, you need to see if Cisco has updated the appMapping.data file with the application in question. For example, TikTok:
/usr/local/etc/snort/appid/odp: grep -i tiktok appMapping.data | cut -f7
tiktok

Then you need to create a new rule around that application:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"tiktok"; flow:from_client; appid:tiktok; sid:7276621; classtype:misc-activity; rev:1;)

Again... this is workable, BUT obviously you have scaling limitations where you want to block all social media applications. The prebuilt rule list in pfSense has not been updated since 2017, so it’s all but useless.

Is there a better way of doing this? On the endpoints? Not sure.
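To take the two steps above (check appMapping.data, then write an appid rule) past one application at a time, here is a small rule generator, added as an example and not from the original post or from the Snort/pfSense projects. It assumes, as the post’s `cut -f7` does, that field 7 of appMapping.data holds the application name; the sample mapping lines, the placeholder columns and the "social media" list are constructed, since appMapping.data alone does not give you a category.

```python
import re

# Constructed stand-in for appMapping.data: tab-separated, with the
# application name in field 7 (matching the post's `cut -f7`). The other
# fields are placeholders, not the real Cisco column layout.
SAMPLE_APP_MAPPING = "\n".join([
    "\t".join(["1001", "x", "x", "x", "x", "x", "tiktok"]),
    "\t".join(["1002", "x", "x", "x", "x", "x", "facebook"]),
    "\t".join(["1003", "x", "x", "x", "x", "x", "instagram"]),
    "\t".join(["1004", "x", "x", "x", "x", "x", "ssh"]),
])

# Constructed category list; appMapping.data has no category column,
# so a list like this has to be maintained by hand.
SOCIAL_MEDIA = ["tiktok", "facebook", "instagram", "snapchat"]

NAME_FIELD = 6  # 0-based index of field 7


def load_app_names(mapping_text):
    """Return the set of application names OpenAppID can identify."""
    names = set()
    for line in mapping_text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) > NAME_FIELD and fields[NAME_FIELD]:
            names.add(fields[NAME_FIELD].lower())
    return names


def build_rules(wanted, known, first_sid, action="alert", category="social-media"):
    """Emit one Snort rule per wanted app that is present in the mapping.
    Returns (rules, missing); missing lists names with no appid entry."""
    rules, missing = [], []
    sid = first_sid
    for app in wanted:
        app = app.lower()
        # Only accept names that are safe inside rule syntax and known to AppID.
        if not re.fullmatch(r"[a-z0-9_.-]+", app) or app not in known:
            missing.append(app)
            continue
        rules.append(
            f'{action} tcp $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"{category} {app}"; flow:from_client; appid:{app}; '
            f'sid:{sid}; classtype:misc-activity; rev:1;)'
        )
        sid += 1
    return rules, missing


if __name__ == "__main__":
    known = load_app_names(SAMPLE_APP_MAPPING)
    rules, missing = build_rules(SOCIAL_MEDIA, known, first_sid=7276621)
    print("\n".join(rules))
    for app in missing:
        print(f"# no appMapping.data entry, no rule generated: {app}")
```

Point it at the real /usr/local/etc/snort/appid/odp/appMapping.data and your own category lists; anything it reports as missing is an app that Cisco has not (yet) added a detector for, which is exactly the case the post describes.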

So after some thought, I think the biggest issue I have is that I am trying to force pfSense to do something it’s not fully built to do. I want it to do the application control, which it technically can, but because it’s somewhat of a half-baked solution with no clean way of managing and updating the application rules, it’s going to be more of a headache to get it done. The built-in app rules haven’t been updated since 2017, damn.

The next step up would be Untangle.

pfSense is great, but I have to make sure it stays in its lane. Don’t try to have it do something it’s not made to do in an easy, manageable way (filtering and app control).

1 Like

Personally, I’ve used Cisco, Palo Alto, and Fortinet for application control since they have a large infrastructure to support all the changes/vulnerabilities that come out. I have never considered Untangle since they are small, but I’ll be interested to see where they are at in a year as they integrate into Arista. Fortinet has been my go to for SMB for a while now. Palo Alto is my favorite and I think they set the standard when it comes to this.

You could use pfSense which is free, but there is an expression when it comes to open source and that is “it is free like a puppy.” You may get the software free, but you will pay in other ways. I think it makes sense to look at a vendor such as Untangle or Fortinet in your use case.

BTW, if you are interested in seeing Palo Alto’s App-ID supported applications, here is a link: https://applipedia.paloaltonetworks.com/

Here is Fortinet’s: Application Control | FortiGuard

What makes those solutions better is they are routinely updated, with a GUI that’s easy to use to apply such rules. Yep, got a PA 400 I’m working with now. Fascinating that pfSense does in a way support this, but not at all intuitively.

1 Like