Key Considerations

Potential Hazards of Blocking Application Traffic

Blocking traffic belonging to applications is a powerful feature for preventing the use of undesired applications on your network. However, if the wrong application definitions are used for blocking an application, this can cause severe problems on your network.

There are two reasons why blocking a particular application definition may cause problems on your network:

■ The application definition may not be narrow enough to prevent accidental classification of other application traffic. For example, if an application runs over TCP/IP then specifying a classifier rule of IP protocol 6 (the protocol number of TCP) in the application definition would not be narrow enough for blocking, as this would also block all other TCP/IP traffic.

  When blocking an application it is important that the definition is as specific as it can be about how to identify traffic belonging to that application. In the example above, it would be better to specify the classifier rule of TCP port 123, assuming that the application uses TCP port 123, as this would only match, and so only block, TCP/IP traffic using port 123 rather than all TCP/IP traffic.

■ The application definition, while still being narrow, may include rules that will incorrectly classify other applications as belonging to the application you wish to block. For example, if the definition for an application A that you wish to block specifies the classifiers TCP port 123 and TCP port 456 and there is another application B running in your network that uses TCP port 456, then blocking application A would also block application B.

  For many applications, it is enough to block only some of the traffic that the application generates in order to prevent it from running successfully on the network. Removing the classifiers that overlap with other applications may mean that you are still able to block the application. In the example above, it may be enough to only block TCP port 123 in order to prevent application A from running on your network, and this would still allow application B to function correctly.
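The two checks described above can be run against a set of application definitions before a block rule is enabled. The following is an added example, not taken from the manual or from any product's API: `Classifier`, `audit_block`, `blocked_flows`, the definitions and the sample flows are hypothetical and constructed, and ports are assumed to be destination ports.

```python
from dataclasses import dataclass
from typing import Optional

TCP = 6  # IP protocol number of TCP

@dataclass(frozen=True)
class Classifier:
    ip_proto: int
    port: Optional[int] = None  # None means a protocol-only rule (any port)

    def overlaps(self, other: "Classifier") -> bool:
        if self.ip_proto != other.ip_proto:
            return False
        return self.port is None or other.port is None or self.port == other.port

def audit_block(rules, others):
    """Review the classifiers of an application before blocking it."""
    too_broad, collisions, safe = [], {}, []
    for rule in rules:
        hit = sorted(app for app, app_rules in others.items()
                     if any(rule.overlaps(r) for r in app_rules))
        if rule.port is None:
            too_broad.append(rule)   # matches every port of the protocol
        if hit:
            collisions[rule] = hit   # blocking this rule also blocks these apps
        if rule.port is not None and not hit:
            safe.append(rule)        # narrow and unique to the target
    return {"too_broad": too_broad, "collisions": collisions, "safe": safe}

def blocked_flows(block_rules, flows):
    """Return the labels of sample flows that the block rules would drop."""
    return [label for label, proto, port in flows
            if any(r.overlaps(Classifier(proto, port)) for r in block_rules)]

# Constructed definitions mirroring the text's example (TCP ports 123 and 456).
APP_A = [Classifier(TCP, 123), Classifier(TCP, 456)]
APP_A_BROAD = [Classifier(TCP)]          # the "IP protocol 6" definition
OTHERS = {"B": [Classifier(TCP, 456)]}
# Constructed sample flows: (label, IP protocol, destination port).
FLOWS = [("A control", TCP, 123), ("A data", TCP, 456),
         ("B", TCP, 456), ("web", TCP, 80)]

if __name__ == "__main__":
    for name, rules in (("A-broad", APP_A_BROAD), ("A", APP_A)):
        print(name, audit_block(rules, OTHERS))
    print(blocked_flows(audit_block(APP_A, OTHERS)["safe"], FLOWS))
```

Blocking only the `safe` classifiers drops application A's port 123 traffic while leaving application B and unrelated TCP traffic untouched.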