Download for FREE - Enterprise Application Firewalls for Dummies
Tue, 1/11/11 - 5:44am
I couldn't help myself; I just had to "rename" the book below, which is now available for immediate FREE download:
The wide variety of higher-order applications riding on top of HTTP and HTTPS, whether or not they serve a legitimate business purpose, are practically indistinguishable to older network security solutions. The most commonly found applications that can port-hop are a mix of business and personal-use applications (as shown below). Of these, only three are browser-based (SharePoint, MediaFire, and Ooyala); the others are peer-to-peer or client-server.
Traditional "port-based" firewalls have basically gone blind. Besides being unable to account for common evasion techniques such as port hopping, protocol tunneling, and the use of nonstandard ports, these firewalls simply lack the visibility and intelligence to discern which network traffic:
Corresponds to applications that serve a legitimate business purpose.
Corresponds to applications that can serve a legitimate business purpose but, in a given instance, are being used for unsanctioned activities.
Should be blocked because it includes malware or other types of threats, even though it corresponds to legitimate business activities.
Port-based firewalls can't see or control applications
Identifying the port and protocol is an important first step in application identification but, by itself, is insufficient. Robust application identification and inspection enables granular control of the flow of sessions through a firewall based on the specific applications in use, rather than relying only on the underlying set of often indistinguishable network communication services, as shown below.
Application-centric traffic classification identifies specific applications flowing across the network, irrespective of the port and protocol in use
Application identification techniques used in NGFWs (next-generation firewalls):
Application protocol detection and decryption - Determines the application protocol (for example, HTTP) and, if SSL is in use, decrypts the traffic so that it can be analyzed further. In practice this means the firewall terminates the SSL session inline, presenting clients a certificate issued by a CA they have been configured to trust. Traffic is re-encrypted after all the identification technologies have had an opportunity to operate.
Application protocol decoding - Determines whether the initially detected application protocol is the "real one," or whether it is being used as a tunnel to hide the actual application (for example, Yahoo! Instant Messenger might be carried inside HTTP).
Application signatures - Context-based signatures look for unique properties and transaction characteristics to correctly identify the application regardless of the port and protocol being used. This includes the ability to detect specific functions within applications (such as file transfers within IM sessions).
Heuristics - For traffic that eludes identification by signature analysis, heuristic (or behavioral) analyses are applied, enabling identification of troublesome applications such as P2P or VoIP tools that use proprietary encryption.
NGFW techniques used to identify applications regardless of port, protocol, evasive tactic, or SSL encryption
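To make the contrast between the port-based view and the application-centric pipeline concrete, here is a toy classifier that walks the four identification stages listed above (protocol detection on any port, HTTP decoding to spot a tunnelled app, context signatures including a function-level one, and an entropy heuristic for proprietary-encrypted traffic) and runs it beside a plain port lookup. This is an added example, not code from the book or from any firewall vendor; the sample flows, hostnames, and signature patterns are constructed for the demonstration, and the SSL stage only detects TLS rather than decrypting it.

```python
"""Toy application-identification pipeline (added example, not the book's code).

Stages mirror the list above: port lookup (what a port-based firewall does),
port-independent protocol detection, HTTP decoding to spot tunnelled apps,
context signatures (including a function-level one), and an entropy heuristic.
SSL decryption is out of scope: TLS is detected but not decrypted.
All flows, hostnames and signature patterns are constructed for the demo.
"""
import math
import re
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client->server bytes of the session


# What a traditional firewall knows: port number -> assumed service.
PORT_TABLE = {80: "http", 443: "ssl", 22: "ssh", 53: "dns"}


def classify_by_port(flow: Flow) -> str:
    return PORT_TABLE.get(flow.dst_port, "unknown")


# Stage 1: detect the application protocol from content, on any port.
HTTP_REQUEST = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
TLS_VERSIONS = (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03")


def detect_protocol(payload: bytes):
    if HTTP_REQUEST.match(payload):
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    # TLS record type 0x16 (handshake) followed by a 3.x version.
    if payload[:1] == b"\x16" and payload[1:3] in TLS_VERSIONS:
        return "ssl"  # a real NGFW would decrypt here and re-run detection on the plaintext
    return None


# Stage 2: decode HTTP so the request line and headers can be examined.
def parse_http(payload: bytes):
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


# Stage 3: context signatures evaluated on the decoded protocol, most specific
# first. These patterns are illustrative (hypothetical), not vendor signatures.
HTTP_SIGNATURES = [
    # function-level: a file transfer carried inside the IM session
    ("yahoo-im-file-transfer", lambda req, h: h.get("host", "").endswith(".msg.yahoo.com")
                                               and h.get("content-type") == "application/octet-stream"),
    ("yahoo-im", lambda req, h: h.get("host", "").endswith(".msg.yahoo.com")),
    ("bittorrent-tracker", lambda req, h: "info_hash=" in req),
    ("web-browsing", lambda req, h: True),  # plain HTTP that matched nothing more specific
]
RAW_SIGNATURES = [
    ("bittorrent", b"\x13BitTorrent protocol"),  # peer-wire handshake, on any port
]


# Stage 4: heuristic for traffic no signature recognises.
def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(flow: Flow) -> str:
    proto = detect_protocol(flow.payload)
    if proto == "http":
        req, hdrs = parse_http(flow.payload)
        for app, matches in HTTP_SIGNATURES:
            if matches(req, hdrs):
                return app
    for app, prefix in RAW_SIGNATURES:
        if flow.payload.startswith(prefix):
            return app
    if proto:
        return proto
    # Near-uniform byte distribution with no recognisable framing: likely a
    # proprietary-encrypted P2P/VoIP client.
    if len(flow.payload) >= 64 and shannon_entropy(flow.payload) > 7.0:
        return "unknown-encrypted (heuristic)"
    return "unknown"


# Constructed sample flows, one per evasion tactic named in the text.
SAMPLE_FLOWS = {
    "http-on-8080": Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "im-tunnelled-in-http": Flow(80, b"POST /notify HTTP/1.1\r\nHost: shttp.msg.yahoo.com\r\n\r\n"),
    "im-file-transfer": Flow(80, b"POST /ft HTTP/1.1\r\nHost: ft.msg.yahoo.com\r\n"
                                 b"Content-Type: application/octet-stream\r\n\r\n" + b"\x00" * 32),
    "bittorrent-on-443": Flow(443, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 40),
    "ssh-on-2222": Flow(2222, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "encrypted-p2p-on-80": Flow(80, bytes(range(256))),
}


def run_all():
    """Return {name: (port-based verdict, app-id verdict)} for every sample."""
    return {name: (classify_by_port(f), identify(f)) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (by_port, by_app) in run_all().items():
        print(f"{name:24s} port-based={by_port:8s} app-id={by_app}")
```

Running it shows the point of the section in one table: the port lookup calls HTTP on 8080 and SSH on 2222 "unknown", labels the BitTorrent handshake on 443 "ssl" and the IM traffic on 80 "http", while the content-based stages recover the actual application in every case and fall back to the entropy heuristic only for the flow that matched no signature.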