As everyone is getting ready to watch the World Cup, so should security admins
by reaper, 06-13-2018 05:14 AM - edited 06-13-2018 06:27 PM
Every four years, the world seems to grind to a screeching halt when everyone gathers around the television, in the bar or a pub, a makeshift stadium or behind their monitor at work to cheer their favorite teams on.
But that last location could create some undesirable situations. While watching sporting events at work could certainly improve morale, unfettered streaming could lead to network congestion and reduced productivity. For security and network admins, this could pose a big problem if business critical processes get choked out of resources.
Luckily, there are several steps one can take to reduce the potential negative effects a big sporting event can have on the corporate network. The obvious one is having a policy in place that restricts when users are allowed to access such content, but this may not be enough or could be too strict if some non-business-impacting participation is condoned.
The next best thing is controlling the flow at the firewall: QoS policies and custom App-IDs help control how much bandwidth is consumed, help you retain control over which endpoints are allowed access and when, and help you generate reports so you can adjust and maintain a high-level overview.
One such Custom App-ID has already been prepared for US-based customers, who can access it here: Custom App-ID for World Cup 2018 (you will require a valid support account to access this resource).
In Europe, most countries will have their own broadcasting stations that also provide online streaming, so we will need to apply a little elbow grease and create our own App-IDs, based on our country of origin -- I'm Belgian, so yay Belgium!
To be able to build efficient custom applications, SSL decryption will need to be enabled as this allows inspection of the data passed through encrypted web connections. Some sites may host their video on an easily identified location, but some may embed it into their regular content, making it hard to distinguish between regular content (like news) and sports.
As an example, let's take a quick look at eurosport: their video section is located at video.eurosport.co.uk, which is TLS enabled. Their site's certificate is a wildcard certificate:
This makes it a little harder to identify just the video subdomain without SSL decryption, and some of the next steps may not work for you without it (but building a custom App-ID won't be impossible).
You'll probably need a copy of Wireshark to 'read' firewall packet captures; Chrome's net-internals page (put "chrome://net-internals/" in the address bar) and its dev tools (Command+Option+I on Mac, Ctrl+Shift+I on Windows) may come in handy as well.
When you're on the eurosport page and continue on to the World Cup page, the URL path will be "football/world-cup/2018/" and a lot of background components will (of course) start to load. The video player used by eurosport is supplied by players.brightcove.net, while the actual video content is loaded from vod-eurosport.akamaized.net.
So, as far as signatures go, I'd create something along these lines:
*Depending on your location and requirements, these signatures could be different. Use as an example only.
Repeat this for every streaming site you'd like to positively identify and then add these to a security policy. If needed, add a schedule and/or add the application to a QoS policy.
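To make the structure of such a signature concrete, here is an added toy matcher (example code, not the firewall's App-ID engine) that evaluates the eurosport/brightcove/akamaized conditions above as OR groups of AND conditions over decrypted HTTP request fields, and shows which groups can still fire when the URI path is not visible. The context names are assumptions modeled on PAN-OS pattern contexts, and the sample requests are constructed.

```python
import re

# Signature for the World Cup streaming example: any one group (OR) matches when
# all of its (context, regex) conditions (AND) match. Hosts and path come from the
# post; the context names are assumptions modeled on PAN-OS App-ID contexts.
WORLDCUP_SIGNATURE = [
    [("http-req-host-header", r"(^|\.)eurosport\.co\.uk$"),
     ("http-req-uri-path", r"^/football/world-cup/2018/")],
    [("http-req-host-header", r"^players\.brightcove\.net$")],
    [("http-req-host-header", r"^vod-eurosport\.akamaized\.net$")],
]


def parse_request(raw, decrypted=True):
    """Extract the fields a signature can see from a raw HTTP/1.1 request.

    When decrypted is False, simulate a TLS session the firewall cannot open:
    only the host name is assumed visible, the URI path is not.
    """
    lines = raw.split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    host = headers.get("host", "").split(":")[0]  # drop an explicit port
    fields = {"http-req-host-header": host}
    if decrypted:
        fields["http-req-uri-path"] = path
    return fields


def matches(signature, fields):
    """True if any OR group has all of its AND conditions satisfied."""
    return any(all(re.search(pattern, fields.get(ctx, "")) for ctx, pattern in group)
               for group in signature)


# Constructed sample requests: World Cup page, unrelated news page, player script,
# video segment, and a lookalike path on an unrelated host.
SAMPLE_REQUESTS = [
    "GET /football/world-cup/2018/ HTTP/1.1\r\nHost: www.eurosport.co.uk\r\n\r\n",
    "GET /news/latest HTTP/1.1\r\nHost: www.eurosport.co.uk\r\n\r\n",
    "GET /player.min.js HTTP/1.1\r\nHost: players.brightcove.net\r\n\r\n",
    "GET /hls/match.m3u8 HTTP/1.1\r\nHost: vod-eurosport.akamaized.net:443\r\n\r\n",
    "GET /football/world-cup/2018/ HTTP/1.1\r\nHost: unrelated.example\r\n\r\n",
]


def classify(requests, decrypted=True):
    """Return one True/False verdict per request for the World Cup signature."""
    return [matches(WORLDCUP_SIGNATURE, parse_request(r, decrypted)) for r in requests]
```

With decryption the eurosport World Cup page, the player and the video host match while the news page and the lookalike do not; without decryption the path-dependent eurosport group can no longer fire and only the two host-only groups identify traffic.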
I've added my example custom App-ID below as an attachment. Please feel free to use it as a template (treat it as an example only), and feel free to add your own custom App-IDs as comments below so other members may benefit.
ProTip: if you run an Application Usage Report (Monitor > PDF Reports > SaaS Application Usage > Add > Run Now) several times over the course of the events, you will gain better insight on the actual usage over time:
Optionally, you can mark the custom app as sanctioned so it gets a more prominent position in the report: