To effectively block an application in every form it takes, the best approach is to use a firewall. Unlike DLP (Data Loss Prevention), which focuses on controlling data, firewalls keep an eye on applications, and that control can be very granular if the firewall has layer 7 analysis capabilities.

In this project, the firewall we rely on is part of a SASE (Secure Access Service Edge) solution deployed inline with the client(s). Internet traffic from the branch is then monitored, as shown in the topology:

For the first case, we block applications that fall under a built-in category called Media Stream, which includes Netflix, Spotify, YouTube, MUBI, Amazon Prime Video, and TED, among others. TLS inspection is not used, since we are not monitoring data for this purpose. Instead, we check metadata from DPI (Deep Packet Inspection) in conjunction with the app signature and header. Firewall rule #2 must then be applied as shown.

Both mobile apps and web apps are scrutinized, and events are generated for this kind of traffic, just as for other apps under the same app category.

For the second test, a more granular use case: Translate, Calendar and Chat must be blocked when they are part of the Google apps suite. Other apps in that suite must be allowed, as configured in the following firewall rule #2. The services in question are blocked. Everything else is permitted.
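The two use cases above can be decided from handshake metadata alone, without decrypting anything. The sketch below is an added example, not the SASE product's own engine or configuration: it assumes the metadata used is the TLS ClientHello SNI hostname, and the signature table, rule sets and function names are constructed for illustration.

```python
import struct

SIGNATURES = {  # constructed table (assumption): hostname suffix -> (app, category)
    "netflix.com": ("Netflix", "Media Stream"),
    "translate.google.com": ("Google Translate", "Google Apps"),
    "calendar.google.com": ("Google Calendar", "Google Apps"),
    "chat.google.com": ("Google Chat", "Google Apps"),
    "google.com": ("Google (other)", "Google Apps"),
}
BLOCKED_CATEGORIES = {"Media Stream"}  # first use case
BLOCKED_APPS = {"Google Translate", "Google Calendar", "Google Chat"}  # second

def extract_sni(record):
    """Return the SNI hostname from a raw TLS ClientHello record, or None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:  # handshake, ClientHello
            return None
        p = 5 + 4 + 2 + 32                          # headers, version, random
        p += 1 + record[p]                          # session id
        p += 2 + struct.unpack_from("!H", record, p)[0]  # cipher suites
        p += 1 + record[p]                          # compression methods
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p + 4 <= end <= len(record):          # walk the extensions
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            if ext_type == 0:                       # server_name extension
                n = struct.unpack_from("!H", record, p + 7)[0]
                return record[p + 9:p + 9 + n].decode("ascii")
            p += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                        # truncated or malformed
    return None

def verdict(record):
    """Classify by SNI; longest suffix wins so an app beats its suite."""
    host = extract_sni(record)
    labels = host.lower().split(".") if host else []
    hits = (SIGNATURES.get(".".join(labels[i:])) for i in range(len(labels)))
    app, cat = next((h for h in hits if h), ("Unknown", "Uncategorized"))
    blocked = cat in BLOCKED_CATEGORIES or app in BLOCKED_APPS
    return host, app, "block" if blocked else "allow"

def sample_client_hello(host):
    """Constructed minimal ClientHello with one cipher suite and SNI only."""
    name = host.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The longest-suffix match is what makes the second use case work: `translate.google.com` resolves to its own app before the generic suite entry is reached, so the rest of the suite stays allowed.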