4

application identification

The firewall has the ability to identify an application from its network traffic, not just from the port it uses.

Implement policy by application rather than by port

App-ID reduces the attack surface

App-ID

  • Enables you to see the applications on your network and learn how they work

  • Applications are identified using protocol decoders, bit patterns (signatures), and behavioural heuristics

  • Port-based versus next-generation firewalls

    • Next-generation firewall: if the application is not specified in policy, the traffic will not pass.

Classifying TCP Traffic

  • From SYN, obtain the source and destination addresses and ports

  • Application data is retrieved from either the client's request (e.g. an HTTP GET) or the server's reply, and is used to learn more about the application and refine the App-ID

Label              Description
not-applicable     The firewall discards the traffic because the Security policy does not allow it
incomplete         The TCP handshake does not complete, or no data follows the handshake
insufficient-data  Not enough payload data is received to identify the application
unknown-tcp        App-ID cannot identify the application after the three-way TCP handshake
unknown-p2p        App-ID cannot match the traffic to a specific application, but the traffic exhibits generic peer-to-peer behaviour

Classifying UDP Traffic

  • Usually only the first UDP packet is examined, as it includes not only the source and destination addresses and ports but also the application data, which is used to identify the traffic before it is processed by the Security policy.

Label              Description
not-applicable     The firewall discards the traffic because the Security policy does not allow it
unknown-udp        App-ID cannot identify the application
unknown-p2p        App-ID cannot match the UDP traffic to a specific application, but the traffic exhibits generic peer-to-peer behaviour

If the label is an application name, App-ID has recognised the application.

App-ID concepts and operation

  • Application shifts: network traffic can shift from one application to another during the lifetime of a session, becoming more specifically classified as more data is seen (e.g. web-browsing -> generic-application -> generic-application-chat)

Application Dependencies

  • When an application has several dependencies, the network traffic can shift from one application to another during the lifetime of the session.

  • As such, policy rules that allow the application's dependencies are also needed, in addition to the rule for the application itself.

Unknown and encrypted application traffic

  • There are three methods for handling traffic from unknown applications:

  1. Block unknown-tcp, unknown-udp, or unknown-p2p traffic in the Security policy

    1. This may block more traffic than you intend (e.g. an internally developed application)

  2. Create a custom application rather than blocking the unknown traffic

  3. Configure an Application Override policy rule

    1. An Application Override policy rule identifies traffic as a given application based on its source zone, IP address, destination zone, port and protocol, bypassing App-ID inspection for that traffic.
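The TCP label table above and the three methods for unknown traffic can be tied together in code. The following is an added example, not part of the original notes or of any Palo Alto Networks software: it models a session with a constructed record type, assigns the App-ID label the table describes, and lists the destination ports carrying unknown traffic so an internally developed application can be found (and given a custom App-ID) before method 1, blocking, is applied. The `MIN_BYTES_FOR_ID` threshold and the `TcpSession` fields are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed session summary for illustration; not a PAN-OS data structure.
@dataclass
class TcpSession:
    dport: int                   # destination port
    allowed_by_policy: bool      # a Security policy rule permits the flow
    handshake_complete: bool     # three-way handshake finished
    payload_bytes: int           # application data seen after the handshake
    matched_app: Optional[str]   # signature/decoder match, e.g. "web-browsing"
    p2p_heuristic: bool = False  # generic peer-to-peer behaviour observed

# Assumed threshold: how much payload the (hypothetical) decoders need.
MIN_BYTES_FOR_ID = 16

def classify_tcp(s: TcpSession) -> str:
    """Return the App-ID label from the TCP table in the notes."""
    if not s.allowed_by_policy:
        return "not-applicable"          # dropped by policy, never inspected
    if not s.handshake_complete or s.payload_bytes == 0:
        return "incomplete"              # no handshake, or no data after it
    if s.matched_app:
        return s.matched_app             # a real application name
    if s.payload_bytes < MIN_BYTES_FOR_ID:
        return "insufficient-data"       # too little payload to decide
    if s.p2p_heuristic:
        return "unknown-p2p"             # generic P2P behaviour, no match
    return "unknown-tcp"                 # handshake done, payload unrecognised

def unknown_ports(sessions) -> Counter:
    """Destination ports carrying unknown traffic. Review these before
    blocking unknown-tcp/unknown-p2p so an in-house app is not cut off."""
    return Counter(s.dport for s in sessions
                   if classify_tcp(s) in ("unknown-tcp", "unknown-p2p"))

# Constructed sample sessions.
SAMPLE = [
    TcpSession(443, True, True, 1200, "ssl"),
    TcpSession(80, False, True, 300, "web-browsing"),
    TcpSession(8443, True, False, 0, None),
    TcpSession(9000, True, True, 8, None),
    TcpSession(9000, True, True, 512, None),
    TcpSession(9000, True, True, 2048, None),
    TcpSession(6881, True, True, 900, None, p2p_heuristic=True),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.dport, classify_tcp(s))
    print(unknown_ports(SAMPLE))   # port 9000 twice: a candidate for a custom App-ID
```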

Sometimes, the application layer data is encrypted.

App-ID can identify SSL/TLS traffic, and the firewall can be configured to decrypt the SSL/TLS traffic so that the application inside can be identified via signatures, decoders and behavioural heuristics.

Updating App-ID

  • Schedule regular downloads and installation of new content updates to maintain the most current protection level possible
