Key Considerations 661

Potential Hazards of Blocking Application Traffic

Blocking traffic belonging to applications is a powerful feature for preventing the use of undesired applications on your network. However, if the wrong application definitions are used for blocking an application, this can cause severe problems on your network.

There are two reasons why blocking a particular application definition may cause problems on your network:

The application definition may not be narrow enough to prevent accidental classification of other application traffic. For example, if an application runs over TCP/IP then specifying a classifier rule of IP protocol 6 (the protocol number of TCP) in the application definition would not be narrow enough for blocking as this would also block all other TCP/IP traffic.

When blocking an application it is important that the definition is as specific as it can be about how to identify traffic belonging to that application. In the example above, it would be better to specify the classifier rule of TCP port 123 (assuming that the application uses TCP port 123), as this would only match, and so only block, TCP/IP traffic using port 123 rather than all TCP/IP traffic.

The application definition, while still being narrow, may include rules that will incorrectly classify other applications as belonging to the application you wish to block. For example, if the definition for an application A that you wish to block specifies the classifiers TCP port 123 and TCP port 456 and there is another application B running in your network that uses TCP port 456, then blocking application A would also block application B.

For many applications, it is enough to block only some of the traffic that the application generates in order to prevent it from running successfully on the network. Removing the classifiers that overlap with other applications may therefore still leave you able to block the application. In the example above, it may be enough to block only TCP port 123 in order to prevent application A from running on your network, and this would still allow application B to function correctly.
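The two hazards described above (a classifier that is too broad, and a classifier that collides with another application's definition) can be checked before a block rule is deployed. The following is an added example and not part of the manual or the product: it models application definitions as sets of (protocol, port) classifiers, with a port of None standing for "any port on that protocol", and reports which classifiers of the application to be blocked are safe to use on their own.

```python
# Added example: pre-flight check for an application block rule.
# Application names, the Rule model and check_block() are assumptions for
# this illustration, not the manual's own data structures.
from typing import Dict, List, Optional, Set, Tuple

Rule = Tuple[str, Optional[int]]  # ("tcp", 123); ("tcp", None) = all TCP traffic


def rule_overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet could match both classifiers."""
    if a[0] != b[0]:            # different IP protocols never overlap
        return False
    return a[1] is None or b[1] is None or a[1] == b[1]


def check_block(target: str, apps: Dict[str, Set[Rule]]) -> dict:
    """Report the hazards of blocking `target`, given every known definition."""
    rules = apps[target]
    # Hazard 1: protocol-only classifiers match all traffic of that protocol.
    too_broad = sorted(r for r in rules if r[1] is None)
    # Hazard 2: classifiers that also match another application's traffic.
    collisions: Dict[Rule, List[str]] = {}
    for rule in rules:
        hit = [name for name, other in apps.items()
               if name != target and any(rule_overlaps(rule, o) for o in other)]
        if hit:
            collisions[rule] = sorted(hit)
    # Classifiers that can be blocked without side effects on other apps.
    safe = sorted(r for r in rules if r not in collisions and r[1] is not None)
    return {"too_broad": too_broad, "collisions": collisions, "safe_rules": safe}


if __name__ == "__main__":
    # Constructed sample matching the manual's example: A uses TCP 123 and 456,
    # B uses TCP 456, so blocking all of A would also break B.
    sample = {"A": {("tcp", 123), ("tcp", 456)}, "B": {("tcp", 456)}}
    report = check_block("A", sample)
    for rule, names in report["collisions"].items():
        print(f"classifier {rule} would also block: {', '.join(names)}")
    print("block only these classifiers:", report["safe_rules"])
```

If `safe_rules` comes back empty, every classifier in the definition either matches another application or is protocol-wide, and the definition needs to be narrowed before it is used for blocking.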

HP Network Director Software Products manual, Key Considerations