Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Sometimes, applications can be rather evasive. As a result, blocking only the application might still let parts of its traffic through, because those parts are identified as a different application.
In our discussion of the week we will go over one such example. Community member rmiller1 was having a problem blocking Snapchat:
Discussion of the Week
Even though our member was blocking the application Snapchat, it seemed like some of the traffic was still leaking through.
More precisely, pictures were still passing through the firewall, whereas text messages were being blocked correctly.
Let's have a look at the app:
Snapchat Application Details
As you can see in the application details, 'Snapchat' can go over an encrypted channel (port 443 / ssl). That means it might be necessary to decrypt the traffic; otherwise the firewall may miss parts of the session it needs in order to identify the application. Without decryption, identification depends on the destination IP address, the CN (common name) in the server certificate, or the SNI (Server Name Indication) sent by the client.
Sometimes the IP address, CN or SNI information is not enough to identify the application correctly. Therefore we do recommend decrypting this traffic! In addition to decryption, you might want to add other restrictions to your policy.
Blocking specific IP addresses or certain URL categories might also help in some cases, but be careful not to overdo it: you don't want to block legitimate traffic along the way.
Community members bmorris1 and BPry joined the discussion and provided additional tips and tricks using URL filtering and/or IP/domain blocking.
In this specific use case, community member rmiller1 was able to stop the functionality of the app by adding specific URLs to a block list.
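The following is an added example, not code from the original discussion or from Palo Alto Networks, that illustrates both points above: what an undecrypted TLS session actually exposes (the SNI in the ClientHello), and how an identification that relies only on SNI, certificate CN and destination IP can fall back to a generic "ssl" verdict, which an application-only block then lets through. It also shows the domain block list approach rmiller1 ended up using. The domain names, IP ranges, the lookup order (SNI, then CN, then IP) and the ClientHello bytes are all constructed assumptions for the example, not the firewall's real App-ID logic.

```python
"""
Added example: SNI extraction from a TLS ClientHello and a simplified
identification of undecrypted sessions by SNI / certificate CN / destination IP.
Every domain, IP range and packet below is constructed for illustration.
"""
import struct
from ipaddress import ip_address, ip_network

# Constructed block list (the "specific URLs added to a block list" from the
# discussion). Entries are suffix-matched so subdomains are caught as well.
BLOCKED_DOMAINS = {"example-chat.test", "cdn.example-chat.test"}
# Constructed IP ranges assumed to belong to the blocked application.
BLOCKED_NETS = [ip_network("203.0.113.0/24")]


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record, with an SNI extension when
    server_name is given. Constructed sample traffic for the parser below."""
    body = b"\x03\x03" + bytes(32)                     # client_version + zeroed random
    body += b"\x00"                                     # empty session id
    suites = b"\xc0\x2f\x00\x9c"                         # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni           # extension type 0
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent.
    This is all a firewall can read from the client side without decryption."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                    # handshake header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    if pos + 2 > len(hs):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                          # server_name extension
            p = pos + 2                                 # skip server_name_list length
            while p + 3 <= pos + length:
                name_type = hs[p]
                name_len = struct.unpack("!H", hs[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                      # host_name
                    return hs[p:p + name_len].decode("ascii")
                p += name_len
        pos += length
    return None


def domain_blocked(name):
    """Suffix match against the constructed block list."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify_session(dst_ip, client_hello, cert_cn=None):
    """Identify an undecrypted session using SNI, then certificate CN, then IP
    (assumed order). Returns ("blocked-app", reason) or ("ssl", None) when the
    session only looks like generic TLS, which is the case that leaks through
    an application-only block."""
    sni = extract_sni(client_hello)
    if sni and domain_blocked(sni):
        return "blocked-app", "sni=" + sni
    if cert_cn and domain_blocked(cert_cn):
        return "blocked-app", "cn=" + cert_cn
    if any(ip_address(dst_ip) in net for net in BLOCKED_NETS):
        return "blocked-app", "ip=" + dst_ip
    return "ssl", None


def find_leaks(sessions):
    """Return the sessions an app-only block would still allow: those that were
    identified as plain 'ssl'. Each session is (dst_ip, client_hello, cert_cn)."""
    return [s for s in sessions if classify_session(*s)[0] == "ssl"]


if __name__ == "__main__":
    sessions = [  # constructed: text chat via the app's domain, pictures via a CDN
        ("198.51.100.7", build_client_hello("app.example-chat.test"), None),
        ("198.51.100.9", build_client_hello("media-cdn.example.test"), "media-cdn.example.test"),
        ("203.0.113.9", build_client_hello(None), None),
    ]
    for s in sessions:
        print(s[0], extract_sni(s[1]), classify_session(*s))
    print("leaking as generic ssl:", [s[0] for s in find_leaks(sessions)])
```

In the constructed scenario the chat session is caught by SNI and the bare-IP session by the address range, but the picture upload to a CDN host carries neither a blocked SNI nor a blocked CN, so it is classified as plain "ssl" and passes an application-only rule. That is exactly the gap the discussion describes, and it is why decryption, plus a domain block list for the remaining hosts, closes it.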