how to block apps??

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
Hello there, we are trying a program called "Kerio Control" in our systems as a firewall, but we face a problem and hope to get help solving it.
The network is Wi-Fi. Users are not allowed to download, upload mobile apps, stream videos, or use the Play Store or Apple store, etc.; they are just allowed to check emails and surf the internet.
We blocked so many IPs but that doesn't work; we blocked ports, but that doesn't work either.
Any suggestions?
 

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
If you allow any, that means you allow all, because the apps use the HTTPS protocol, the same as the websites!!
 
Joined
Dec 25, 2014
Messages
1,081
What you probably need to do is to block file types like .exe or .zip. Another thing you could do is set them up as guest accounts with limited privileges.

Is this for a business, school, apartment etc? Different situations may have different answers.
 

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
I tried to block extensions like zip, rar, apk, exe, but noticed that apps can still update and videos still stream; moreover, there are rooted devices that can easily connect to anything.
More ideas?!
It's a school.
 
Joined
Dec 25, 2014
Messages
1,081
Can you answer my question? I see they have a trial version. I'm going to download it and see if I can figure it out.
 

Phantom010

Retired Trusted Advisor
Joined
Mar 9, 2009
Messages
34,801
Simple Software-Restriction Policy is a little program with a lot of power. Free, easy to use, can block the ability to run or install software from any places you choose, including removable media, etc. It may not be what you are looking for to block Internet content, but for software and security, it could be interesting. The program is password protected.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,647
If you want to do what you're asking at the network level, you need a next gen firewall with the ability to do deep packet inspection. Stateful packet inspection was the old state of the art for firewall protection. It's no longer adequate because it doesn't deal with changes in how ports are being used. For instance, if you allow a benign port like SSH through your firewall (TCP port 22), someone could just use that port for streaming video for instance. Just because port 22, 80, 443, etc., are known for what you're supposed to send network traffic wise, doesn't mean you have to follow convention. A DPI firewall guards against this. With a SPI firewall, it examines the source/destination addresses and port(s). With a DPI firewall, the firewall actually looks at the payload of the packet being sent. If it sees anything that isn't what is supposed to be sent over a known port, the firewall will block it. Also, you can set rules to block P2P/streaming traffic for instance. The firewall will recognize the characteristics of this type of traffic and will block it regardless of from where and to where it goes, as long as the network traffic traverses through the firewall.

This type of next gen firewall requires more state of the art processing power as it is doing more than past generation SPI firewalls.
 

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
@zx10guy, could you give me examples of the firewall generations that can do this job? As I said, we are still trying this firewall, "Kerio Control"; if you have names of these new firewall generations, kindly share them with me.
Thank you.
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,647
All of SonicWall's firewalls are next gen with DPI capabilities along with UTM (unified threat management). This means these firewalls are capable of doing gateway anti-virus, email scanning, and content filtering. Also the SonicWall firewalls have intrusion detection/prevention features. The model of firewall you select is based on the throughput you want on the firewall with various features running. The more features you have running, the more intensive the load is on the firewall. Also, the number of users/sessions is a consideration.

Cisco has their new line of ASA-X firewalls.
 

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
I can see you talk about hardware while I talk about a software firewall. Isn't there an available software firewall that can do this?
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,647
I looked at the website for Kerio. It's a bit hard to pull out system specs and I'm still unable to figure out what the operating limitations are for their software appliance. They have specs for their hardware appliance such as how many concurrent users and so on. But if I am to believe them, the software appliance appears to be a DPI next gen firewall. It also has the other features I mentioned which are content filtering, IPS/IDS, etc.

With that said, what issues are you running into with the Kerio solution?

The reason why I bring up a hardware solution is because the processors used are typically optimized to process the network traffic faster than off the shelf hardware. Hardware solutions also will typically be more reliable as there are fewer "moving" parts such as no hard drive or larger power supply to fail. And with mission critical applications, there are hardware firewalls with redundancy features such as hot swappable power supplies.

Here's also something to look at. Checkpoint along with SonicWall have links to the latest NSS Labs report measuring max throughput with everything turned on within the firewall. The results are pretty telling. In the case of SonicWall, within the same generation of firewall, the software is basically the same. The only thing different is beefier hardware in units which scale to a larger number of users, sessions, etc. Just something to think about.

https://www.checkpoint.com/campaigns/nss-fw-ngfw-ips-tests/index.html
 

nf24eg

Thread Starter
Joined
Feb 15, 2007
Messages
103
Thank you so much, zx10guy. I like your solutions about the hardware firewall, but it's out of my hands, so all I have is a software firewall.
 