App-ID: Identifying any application on any port
Accurate traffic classification is the heart of any firewall, and its result becomes the basis of the security policy. Traditional firewalls classify traffic by port and protocol, which at one point was a satisfactory mechanism for securing the perimeter. Today, applications can easily bypass a port-based firewall: hopping ports, using SSL and SSH, sneaking across port 80, or using non-standard ports. App-ID™, a patent-pending traffic classification mechanism that is unique to Palo Alto Networks, addresses the traffic classification limitations that plague traditional firewalls by applying multiple classification mechanisms to the traffic stream, as soon as the device sees it, to determine the exact identity of the applications traversing the network.
Classify traffic based on applications, not ports.
App-ID uses multiple identification mechanisms to determine the exact identity of applications traversing the network. The identification mechanisms are applied in the following manner:
- Traffic is first classified based on the IP address and port.
- Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
- If App-ID determines that encryption (SSL or SSH) is in use and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
As the applications are identified by the successive mechanisms, the policy check determines how to treat them and their associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfers and data patterns, or shape them using QoS.
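As an added illustration, not Palo Alto Networks' code or signature content, the following Python models the ordered cascade above over constructed sample flows: a port hint, application signatures that override it, re-running the signatures on the clear text when a decryption policy applies, an HTTP decoder for an application tunnelled inside the body, and an entropy heuristic for what is still unknown. All application names, patterns and the entropy threshold are toy assumptions chosen for the example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed toy signatures for illustration; not Palo Alto Networks' App-ID content.
PORT_HINTS = {22: "ssh", 80: "web-browsing", 443: "ssl"}
SIGNATURES = [  # (app, pattern over the first bytes the client sends)
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS handshake record header
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
]
# Decoder-level signatures: applications tunnelled inside an HTTP body.
TUNNELED_IN_HTTP = [("yahoo-im", re.compile(rb"\r\n\r\nYMSG"))]

@dataclass
class Flow:
    port: int
    payload: bytes
    decrypted_payload: Optional[bytes] = None  # present only if a decryption policy applies

def _first_match(sigs, data):
    return next((name for name, pat in sigs if pat.search(data)), None)

def _entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(flow: Flow):
    data = flow.payload
    # 1. The port gives only a first guess; it is never the final answer.
    app, how = PORT_HINTS.get(flow.port, "unknown-tcp"), "port"
    # 2. Application signatures override the port guess (this is what catches port hopping).
    if (hit := _first_match(SIGNATURES, data)):
        app, how = hit, "signature"
    # 3. Encrypted flow with decryption in place: rerun the signatures on the clear text.
    if app in ("ssl", "ssh") and flow.decrypted_payload is not None:
        data = flow.decrypted_payload
        if (hit := _first_match(SIGNATURES, data)):
            app, how = hit, "decrypted-signature"
    # 4. Protocol decoder: look for another application tunnelled inside HTTP.
    if app == "web-browsing" and (hit := _first_match(TUNNELED_IN_HTTP, data)):
        app, how = hit, "decoder"
    # 5. Heuristic fallback: still unknown but high-entropy, so likely encrypted or evasive.
    if app == "unknown-tcp" and _entropy(data) > 7.0:
        app, how = "unknown-encrypted", "heuristic"
    return app, how
```

Whatever falls through as unknown-tcp or unknown-encrypted is the bucket an administrator would then investigate, as the section on unknown traffic describes.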
Always on, always the first action taken across all ports.
Classifying traffic with App-ID is always the first action taken when traffic hits the firewall, which means that all App-IDs are always enabled by default. There is no need to enable a series of signatures to look for an application that is thought to be on the network; App-ID is always classifying all of the traffic, across all ports, not just a subset of the traffic (e.g., HTTP). All App-IDs look at all of the traffic passing through the device: business applications, consumer applications, network protocols, and everything in between. App-ID continually monitors the state of the application to determine whether the application changes midstream, provides the updated information to the administrator in the ACC (Application Command Center), applies the appropriate policy, and logs the information accordingly. Like all firewalls, Palo Alto Networks next-generation firewalls use positive control: deny all traffic by default, then allow only those applications that are within the policy. All else is blocked.
All classification mechanisms, all application versions, all OSes.
App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features and is agnostic to the client or server operating system. The result is that a single App-ID for BitTorrent is roughly equivalent to the many BitTorrent OS- and client-specific signatures that must be enabled to try to control this application in other offerings.
Systematic management of unknown traffic.
Every network has a small amount of unknown traffic. This traffic can be an internally developed application, a commercial application with no App-ID, or a threat. App-ID categorizes all unknown traffic, allowing administrators to analyze it and make an informed policy decision. If the traffic is an internal application, a custom App-ID can be created; if it is a commercial application with no App-ID, a PCAP can be taken and submitted for App-ID development; finally, the behavioral botnet report and logging tools can be used to determine whether the traffic is a threat and to take an appropriate action.