App-ID: A Foundation for Visibility and Control in the Palo Alto Networks Security Platform


App-ID uses multiple identification techniques to determine the exact identity of applications traversing your network, irrespective of port, protocol, evasive tactic, or encryption. Identifying the application is the very first task performed by App-ID, providing you with the knowledge and flexibility needed to safely enable applications and secure your organization.

App-ID is a patented traffic classification technology that identifies applications traversing the network, irrespective of port, protocol, evasive tactic or encryption (TLS/SSL or SSH). It:

- Facilitates a more complete understanding of the business value and associated risk of the applications traversing the network.
- Enables creation and enforcement of safe application enablement policies.
- Brings application visibility and control back to the firewall, where it belongs.

Palo Alto Networks Technology Brief

As the foundational element of our enterprise security platform, App-ID provides visibility and control over applications, even those that try to evade detection by masquerading as legitimate traffic, hopping ports or sneaking through the firewall using encryption (TLS/SSL or SSH).

In the past, unapproved or non-work-related applications on your network left you with two choices: either block everything in the interest of data security, or enable everything in the interest of business. These choices left little room for compromise.

App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. When used in conjunction with User-ID, you can see exactly who is using the application based on their identity, not just an IP address. Armed with this information, your security team can use positive security model rules to allow the applications that enable the business, controlling them as needed to improve your security posture.

Firewall Traffic Classification: Applications, not Ports

Stateful inspection, the basis for most of today's firewalls, was created at a time when applications could be controlled using ports and source/destination IPs. In those firewalls, strict port-based classification and control is foundational and cannot be turned off. Even when augmented by "after the fact" classifiers, applications cannot be effectively controlled.

Palo Alto Networks recognized that applications had evolved to where they can easily slip through the firewall and chose to develop App-ID, an innovative firewall traffic classification technique that does not rely on any one single element like port or protocol to identify applications. Instead, App-ID uses multiple mechanisms to determine what the application is. The application's identity then becomes the basis for firewall policy. App-ID has been created to be highly extensible and, as applications continue to evolve, application detection mechanisms can be added to App-ID or updated
as a means of keeping pace with the ever-changing application landscape.

Figure 1: How App-ID classifies traffic. (Stages shown: Start; Check IP/Port; Policy Check; Check Application Signatures; Policy Check; Decryption (SSL or SSH); Decode; Check Signatures; Policy Check; Known Protocol Decoder and Unknown Protocol Decoder branches; Apply Heuristics; Policy Check; Identified Traffic (no decoding); Report & Enforce Policy.)

App-ID Traffic Classification Technology

Using as many as four different techniques, App-ID determines what the application is as soon as the traffic hits the firewall appliance, irrespective of port, protocol, encryption (TLS/SSL or SSH) or other evasive tactic. The number and order of identification mechanisms used to identify the application will vary depending on the application. The general flow for App-ID is as follows:

Application Signatures: Signatures are used first to look for unique application properties, and related transaction characteristics, to correctly identify the application regardless of the protocol and port being used. The signature also determines whether the application is being used on its default port or on a non-standard port (for example, RDP across port 80 instead of port 3389, its standard port). If the identified application is allowed by security policy, further analysis of the traffic is done to identify more granular applications as well as to scan for threats.

TLS/SSL and SSH Decryption: If App-ID determines that TLS/SSL encryption is in use and a decryption policy is in place, the traffic is decrypted and then passed to other identification mechanisms as needed. If no decryption policy is in place, decryption is not employed and the session is classified only on what is visible without it. A similar approach is used with SSH to determine if port forwarding is in use as a means to tunnel traffic over SSH. Such tunneled traffic is identified as ssh-tunnel and can be controlled via security policy.

Application and Protocol Decoding: Decoders for known protocols are used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification, and they provide support for NAT traversal and for opening dynamic pinholes for applications such as VoIP or FTP. Decoders for popular applications are also used to identify the individual functions within the application (e.g., webex-file-sharing). In addition to identifying applications, decoders identify files and other content that should be scanned for threats or sensitive data.

Heuristics: In certain cases, evasive applications still cannot be detected even through advanced signature and protocol analysis. In those situations, it is necessary to apply additional heuristic, or behavioral, analysis to identify certain applications, such as peer-to-peer file sharing or VoIP applications that use proprietary encryption. Heuristic analysis is used as needed, together with the other App-ID techniques discussed here, to provide visibility into applications that might otherwise elude positive identification. The actual heuristics used are specific to an application and include checks based on such things as the packet length, session rate, and packet source.

With App-ID as the foundational element of our security platform, your security team can regain visibility into, and control over, the applications traversing your network.

App-ID: Dealing with Custom or Unknown Applications

New applications are added to the App-ID database weekly, yet nearly every network will still have cases where unknown application traffic is detected. There are typically three scenarios where unknown traffic will be detected: a commercially available application unknown to App-ID, an internal custom application, or a threat.

Unknown Commercial Applications: Using visibility tools, you can quickly determine if the traffic is a commercial off-the-shelf (COTS) application. If it is a COTS application, you can capture and submit traffic packets to Palo Alto Networks for App-ID development. The new App-ID is developed, tested, and added to the database for all users in the form of a weekly update.

Internal or Custom Applications: If the application is internal, or custom, you
can create a custom App-ID using a set of available protocol and application decoders. Once the custom App-ID is developed, your internal application is classified and inspected in the same manner as applications with standard App-IDs. Custom App-IDs are managed in a separate database on the device, ensuring they are not impacted by the weekly (commercial) App-ID updates.

Threats: Once the commercial and internal applications have been addressed, the third possible source of unknown traffic is threats. Here too, you can quickly determine the risk levels using the behavioral botnet report or other forensics tools to isolate the characteristics and apply appropriate policy control.

Even after these attempts at identification, some traffic in the system may remain unknown. Because our firewall supports a positive enforcement model, the remaining unknown traffic can be blocked (by default) or allowed but tightly controlled by policy if desired. Alternative offerings (e.g., Intrusion Prevention Systems) are based on negative control and will allow unknown traffic to pass through without providing any semblance of visibility or control.

How App-ID Works: Identifying WebEx

When a user initiates a WebEx session, the initial connection is an encrypted communication. With App-ID, the device sees the traffic and the signatures determine that it is using TLS/SSL. Provided a decryption policy covers the session, the decryption engine and protocol decoders are then initiated to decrypt the TLS/SSL and detect that it is HTTP traffic. Once the decoder has the HTTP stream, App-ID can apply contextual signatures and detect that the application in use is WebEx. At this point the session traffic becomes known to the firewall as WebEx traffic. Visibility (e.g., ACC in the user interface) and control of the WebEx traffic via security policy are enabled.

If the end user were to initiate the WebEx Desktop Sharing feature, this "mode shift" from conferencing to remote access would be detected by App-ID. Again, visibility into this specific application function would be provided, and policy control over WebEx Desktop Sharing would be possible (distinct from general WebEx use).

Application Identity: The Heart of Policy Control

Identifying the application is the first step in learning more about the traffic traversing your network. Learning what the application does, the ports it uses, its underlying technology, and its behavioral characteristics is the next step toward making a more informed decision about how to treat the application. Once a complete picture of usage is gained, you can apply policies with a range of responses. Examples include:

- Allow or deny
- Allow but scan for exploits, viruses and other threats
- Allow based on schedule, users or groups
- Control file or sensitive data transfer
- Decrypt and inspect
- Apply traffic shaping through QoS
- Apply policy-based forwarding
- Allow a subset of application functions
- Any combination of the above

With App-ID as the foundational element of our firewalls, you can restore visibility and control over the applications and traffic traversing your network.

Figure 2: Application Function Control – maximize productivity by safely enabling the application itself (Microsoft SharePoint) or individual functions.

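The four identification techniques, the separate custom App-ID table, the positive enforcement model and the WebEx walkthrough above can be followed end to end in a small simulation. The Python below is an added example written for this page; it is not Palo Alto Networks code and does not describe how PAN-OS implements App-ID. Everything in it is constructed: the byte-prefix signatures, the HTTP decoder, the entropy heuristic, the rulebase and the sample flows (RDP on port 80, the same TLS ClientHello with and without a decryption policy, an SSH session with port forwarding, an internal application given the placeholder custom App-ID acme-inventory), and the App-ID names encrypted-p2p and webex-desktop-sharing are placeholders rather than real database entries.

```python
# Toy model of the App-ID classification flow (Figure 1) and of the WebEx walkthrough.
# Added illustration, not Palo Alto Networks code: every signature, decoder, heuristic, rule and flow is constructed.
import math
from collections import Counter, namedtuple
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed first-client-bytes of several flows (hand-built, not captures).
TLS_CLIENT_HELLO = bytes.fromhex("160301002a010000260303") + bytes(32)  # record hdr, ClientHello hdr, version, random
RDP_X224_CONNECT = bytes.fromhex("0300002b26e00000000000") + b"Cookie: mstshash=user\r\n"  # TPKT + X.224 CR
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
WEBEX_HTTP = b"GET /meet/abc HTTP/1.1\r\nHost: acme.webex.com\r\n\r\n"
WEBEX_SHARE_HTTP = b"POST /share/desktop HTTP/1.1\r\nHost: acme.webex.com\r\n\r\n"

@dataclass
class Flow:
    dst_port: int
    payload: bytes                      # first client bytes as seen on the wire
    decrypt_policy: bool = False        # does a decryption policy cover this flow?
    plaintext: Optional[bytes] = None   # constructed: what the decryption engine would recover
    ssh_port_forward: bool = False      # constructed stand-in for the SSH decoder's channel check
    pkt_lens: List[int] = field(default_factory=list)  # constructed packet sizes for the heuristic

Verdict = namedtuple("Verdict", "app default_port nonstandard_port via")  # via: techniques used, in order

# Stage 1: application signatures, checked irrespective of port. (App-ID, default port, matcher)
APP_SIGNATURES = [
    ("ssl", 443, lambda p: p[:3] == b"\x16\x03\x01" and len(p) > 5 and p[5] == 0x01),   # TLS ClientHello
    ("ms-rdp", 3389, lambda p: p[:2] == b"\x03\x00" and len(p) > 5 and p[5] == 0xE0),  # X.224 Connect Request
    ("ssh", 22, lambda p: p.startswith(b"SSH-2.0-")),
    ("web-browsing", 80, lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")),
]
# Custom App-IDs live in their own table, so a weekly content update never overwrites them.
CUSTOM_APP_SIGNATURES = [("acme-inventory", 8443, lambda p: p.startswith(b"INV/1 "))]
# Context signatures applied to decoded HTTP (most specific first); the names are constructed.
HTTP_CONTEXT_SIGNATURES = [
    ("webex-desktop-sharing", lambda r: r["host"].endswith(".webex.com") and r["target"].startswith("/share/")),
    ("webex", lambda r: r["host"].endswith(".webex.com")),
]

def match_signatures(p: bytes) -> Tuple[Optional[str], Optional[int]]:
    return next(((app, port) for app, port, m in APP_SIGNATURES + CUSTOM_APP_SIGNATURES if m(p)), (None, None))

def http_decode(p: bytes) -> Optional[dict]:
    """Known-protocol decoder: reject anything that is not well-formed HTTP, else expose request fields."""
    try:
        head = p.partition(b"\r\n\r\n")[0].split(b"\r\n")
        method, target, version = head[0].split(b" ")
        if not version.startswith(b"HTTP/"): return None
        headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(b":") for h in head[1:])}
        return {"method": method.decode(), "target": target.decode(), "host": headers.get(b"host", b"").decode()}
    except (ValueError, UnicodeDecodeError):
        return None

def heuristic_p2p(flow: Flow) -> bool:
    """Constructed behavioral check: a run of near-uniform packet sizes carrying a high-entropy payload."""
    n = len(flow.payload)
    ent = -sum(c / n * math.log2(c / n) for c in Counter(flow.payload).values())
    return len(flow.pkt_lens) >= 5 and max(flow.pkt_lens) - min(flow.pkt_lens) < 64 and ent > 7.0

def classify(flow: Flow) -> Verdict:
    via, payload = ["signature"], flow.payload
    app, default_port = match_signatures(payload)
    if app is None:                                     # no signature: try heuristics, else unknown
        if heuristic_p2p(flow):
            return Verdict("encrypted-p2p", None, False, via + ["heuristic"])
        return Verdict("unknown-tcp", None, False, via)
    if app == "ssl" and flow.decrypt_policy and flow.plaintext is not None:   # decrypt only under policy
        via.append("decrypt")
        payload = flow.plaintext
        app = match_signatures(payload)[0] or app       # default port stays 443, the carrier's port
    if app == "ssh" and flow.ssh_port_forward:          # SSH decoder spots port forwarding
        via.append("decoder")
        app = "ssh-tunnel"
    if app == "web-browsing":                           # HTTP decoder, then context signatures
        via.append("decoder")
        req = http_decode(payload)
        if req is None:
            return Verdict("unknown-tcp", None, False, via)
        app = next((name for name, pred in HTTP_CONTEXT_SIGNATURES if pred(req)), app)
    return Verdict(app, default_port, flow.dst_port != default_port, via)

# Positive enforcement: (rule, allowed App-IDs); rules require the application-default port, unmatched is denied.
RULES = [("allow-webex", {"webex"}), ("allow-web", {"web-browsing", "ssl"}),
         ("allow-rdp", {"ms-rdp"}), ("allow-inventory", {"acme-inventory"})]

def enforce(v: Verdict) -> str:
    return next((f"allow:{n}" for n, apps in RULES if v.app in apps and not v.nonstandard_port), "deny:default")

SAMPLE_FLOWS = {  # constructed
    "rdp-on-80": Flow(80, RDP_X224_CONNECT),
    "webex-over-tls": Flow(443, TLS_CLIENT_HELLO, decrypt_policy=True, plaintext=WEBEX_HTTP),
    "webex-desktop-share": Flow(443, TLS_CLIENT_HELLO, decrypt_policy=True, plaintext=WEBEX_SHARE_HTTP),
    "tls-no-decrypt-policy": Flow(443, TLS_CLIENT_HELLO, plaintext=WEBEX_HTTP),
    "ssh-tunnel": Flow(22, SSH_BANNER, ssh_port_forward=True),
    "custom-internal": Flow(8443, b"INV/1 LIST\n"),
    "p2p-like": Flow(6881, bytes(range(256)), pkt_lens=[1400, 1400, 1398, 1400, 1399]),
    "garbage-on-80": Flow(80, b"GET \x00\x01"),
}

def run_samples() -> dict:
    """Map each sample flow to (identified App-ID, policy action)."""
    return {name: (classify(f).app, enforce(classify(f))) for name, f in SAMPLE_FLOWS.items()}
```

Calling run_samples() reproduces the points made above: RDP is identified as ms-rdp even on port 80 but is denied because the rule requires the application-default port; the same TLS ClientHello is classified as ssl when no decryption policy applies and as webex (or webex-desktop-sharing, which no rule allows) when one does; SSH carrying port forwarding becomes ssh-tunnel; the custom acme-inventory entry is matched from its own table; a payload that passes the web-browsing signature but fails the decoder's conformance check falls back to unknown-tcp, and unknown traffic is denied by the positive enforcement model.
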
Application Function-Level Controls

To many customers, safe application enablement means striking an appropriate security policy balance by enabling some application functions while blocking others. Examples include:

- Allowing Microsoft SharePoint Documents, but blocking the use of SharePoint Administration.
- Blocking Facebook-mail, Facebook-chat, Facebook-posting and Facebook-apps, but allowing Facebook itself, effectively only allowing users to browse Facebook.
- Enabling the use of MSN, but disabling the use of MSN-file transfer, or only allowing certain file types to be transferred.

Using an application hierarchy that includes the base application and supporting functions, App-ID makes it easy for you to choose which applications to allow overall, while blocking or controlling functions within the application. Figure 2 shows SharePoint as the base application, and the individual functions within it.

Controlling Multiple Applications: Dynamic Filters and Groups

There are cases where you may want to control larger groups of applications in bulk, as opposed to controlling them individually. The two mechanisms that address this policy requirement are dynamic filters and application groups.

Dynamic Filters: A dynamic filter is a set of applications that is created based on any combination of the filter criteria: category, subcategory, behavioral characteristic, underlying technology or risk factor. Security policies (e.g., deny, allow, scan) can be applied to dynamic filters. The security policy is then enforced for application traffic that matches the filter criteria. As new App-IDs are introduced and delivered to the firewall via weekly updates, dynamic filters are automatically updated for those applications that meet the filter criteria. This helps minimize the administrative effort associated with security policy management; it also means that a rule attached to a filter grows with each update, so the criteria should be chosen with that in mind.

Application Groups: An application group is defined as a static list of applications. An example would be a group of remote management applications such as RDP, Telnet, and SSH. In a typical organizational scenario, each of these applications is used by support and IT personnel, yet employees who fall outside of these groups are also known to use them as a means to access their home networks. An application group can be created, with an associated security policy that allows use only by support and IT personnel (supported by User-ID). As new employees join the organization, they need only be added to the appropriate directory group. No updates are needed to the security policy itself.

Figure 3 below shows a snapshot view of the Palo Alto Networks online application database. Here you can browse the current database of App-IDs, including an interactive view of applications based on the same criteria that can be used in dynamic filters.

Figure 3: Browse up-to-date application research and analysis at the Palo Alto Networks Application Research Center, https://applipedia.paloaltonetworks.com

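The application hierarchy, dynamic filters and application groups described above can be modelled as a small rulebase evaluator. The Python below is an added example for this page, not PAN-OS code or its policy syntax. Its application database uses App-ID-style names taken from the brief's SharePoint, Facebook, MSN and remote-management examples, but the category, technology, characteristic and risk values attached to them are illustrative, and the rulebase and the User-ID group mapping are constructed for the example.

```python
# Toy policy model for the application hierarchy, dynamic filters and application groups
# described above. Added illustration, not PAN-OS code: database, rulebase and directory are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class App:
    name: str
    parent: Optional[str]      # base application a function belongs to; None for a base application
    category: str
    subcategory: str
    technology: str
    risk: int                  # 1 (lowest) to 5 (highest)
    characteristics: FrozenSet[str] = frozenset()

FILES = frozenset({"transfers-files"})
# Constructed application database; names follow the brief's examples, attribute values are illustrative.
APP_DB: Dict[str, App] = {a.name: a for a in [
    App("sharepoint", None, "collaboration", "social-business", "browser-based", 3),
    App("sharepoint-documents", "sharepoint", "collaboration", "social-business", "browser-based", 3, FILES),
    App("sharepoint-admin", "sharepoint", "collaboration", "social-business", "browser-based", 4),
    App("facebook", None, "collaboration", "social-networking", "browser-based", 4),
    App("facebook-chat", "facebook", "collaboration", "instant-messaging", "browser-based", 4),
    App("facebook-posting", "facebook", "collaboration", "social-networking", "browser-based", 4),
    App("msn", None, "collaboration", "instant-messaging", "client-server", 3),
    App("msn-file-transfer", "msn", "collaboration", "instant-messaging", "client-server", 4, FILES),
    App("ms-rdp", None, "networking", "remote-access", "client-server", 4),
    App("telnet", None, "networking", "remote-access", "client-server", 5),
    App("ssh", None, "networking", "remote-access", "client-server", 4, frozenset({"tunnels-other-apps"})),
]}

@dataclass(frozen=True)
class DynamicFilter:
    """Criteria, not a list: membership is evaluated against the database at match time,
    so an App-ID added by a weekly update joins the filter without any policy change."""
    category: Optional[str] = None
    subcategory: Optional[str] = None
    technology: Optional[str] = None
    characteristic: Optional[str] = None
    min_risk: int = 1

    def matches(self, app: App) -> bool:
        return (self.category in (None, app.category) and self.subcategory in (None, app.subcategory)
                and self.technology in (None, app.technology) and app.risk >= self.min_risk
                and (self.characteristic is None or self.characteristic in app.characteristics))

    def members(self, db: Dict[str, App]) -> FrozenSet[str]:
        return frozenset(n for n, a in db.items() if self.matches(a))

@dataclass(frozen=True)
class Rule:
    name: str
    action: str = "allow"
    apps: FrozenSet[str] = frozenset()        # static list of App-IDs, or an application group
    dyn: Optional[DynamicFilter] = None       # or a dynamic filter
    groups: FrozenSet[str] = frozenset()      # User-ID directory groups; empty means any user

    def matches(self, app: App, user_groups: FrozenSet[str]) -> bool:
        if self.groups and not (self.groups & user_groups):
            return False
        if self.dyn is not None:
            return self.dyn.matches(app)
        # Hierarchy: naming the base application also covers its functions, so the function-level
        # deny rules in RULEBASE sit above the corresponding base-application allow rules.
        return app.name in self.apps or app.parent in self.apps

REMOTE_MGMT = frozenset({"ms-rdp", "telnet", "ssh"})              # application group (static list)
RULEBASE = [  # evaluated top down, first match wins; no match means deny (positive enforcement)
    Rule("block-risk5-remote-access", "deny", dyn=DynamicFilter(subcategory="remote-access", min_risk=5)),
    Rule("allow-remote-mgmt-it", apps=REMOTE_MGMT, groups=frozenset({"it-staff", "support"})),
    Rule("block-sharepoint-admin", "deny", apps=frozenset({"sharepoint-admin"})),
    Rule("allow-sharepoint", apps=frozenset({"sharepoint"})),
    Rule("block-facebook-functions", "deny", apps=frozenset({"facebook-chat", "facebook-posting"})),
    Rule("allow-facebook", apps=frozenset({"facebook"})),
    Rule("block-msn-file-transfer", "deny", apps=frozenset({"msn-file-transfer"})),
    Rule("allow-msn", apps=frozenset({"msn"})),
]
DIRECTORY = {"alice": frozenset({"staff"}), "bob": frozenset({"staff", "it-staff"})}  # constructed User-ID map

def evaluate(app_name: str, user: str, db=APP_DB, rulebase=RULEBASE, directory=DIRECTORY) -> Tuple[str, str]:
    """Return (action, rule) for one session after App-ID and User-ID have identified app and user."""
    app = db.get(app_name)
    if app is None:
        return ("deny", "default-deny")
    user_groups = directory.get(user, frozenset())
    for rule in rulebase:
        if rule.matches(app, user_groups):
            return (rule.action, rule.name)
    return ("deny", "default-deny")

def weekly_update(db: Dict[str, App], *new_apps: App) -> Dict[str, App]:
    """Content update: new App-IDs arrive, the existing rulebase is untouched."""
    return {**db, **{a.name: a for a in new_apps}}
```

Rule order carries the hierarchy semantics: because a rule naming a base application also covers its functions, the deny rules for sharepoint-admin, facebook-chat, facebook-posting and msn-file-transfer are listed before the allow rules for sharepoint, facebook and msn, which is what lets users browse Facebook while the function-level App-IDs are blocked. The dynamic filter rule stores criteria rather than members, so a remote-access App-ID with risk 5 that arrives through weekly_update() is denied without any policy edit, and a new IT employee placed in the it-staff directory group is allowed the remote-management group without touching the rulebase.
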
Expanding the List of Applications

The list of App-IDs is expanded weekly, with 3 to 5 new applications typically added based on input from customers, partners, and market trends. When you find unidentified applications on your network, you can capture the traffic and then submit the information for App-ID development. Once a new App-ID is developed and tested, it is added to the list as part of the weekly content updates.

Summary

App-ID is a powerful and differentiated core capability of the Palo Alto Networks Next-Generation Firewall, enabling advanced visibility and granular control of traffic in your network. With this visibility and control, you can evaluate what is taking place in your environment, and then define policies that ensure appropriate use, reduce attack surface, and stop threats. Ultimately, App-ID is a key foundational element in enabling superior risk management for your organization.

4401 Great America Parkway, Santa Clara, CA 95054
Main: 1.408.753.4000
Sales: 1.866.320.4788
Support: 1.866.898.9087
www.paloaltonetworks.com

© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at .html. All other marks mentioned herein may be trademarks of their respective companies. pan-tb-app-id-092115
