on 03-19-2015 10:29 AM - last edited on 05-09-2017 05:30 PM by editeur
You have surely heard of App-ID, but what is it? How does it work, and how can you best use this amazing technology, available only in Palo Alto Networks firewalls?
App-ID, a patented traffic classification system, determines what the application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. It applies multiple classification mechanisms—application signatures, application protocol decoding, and heuristics—to your network traffic stream to accurately identify applications.
• Facilitates a more complete understanding of the business value and associated risk of the applications traversing the network.
• Enables creation and enforcement of safe application enablement policies.
• Brings application visibility and control back to the firewall, where it belongs.
Here's how App-ID identifies applications traversing your network:
Traffic is matched against policy to check whether it is allowed on the network.
Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines whether the application is being used on its default port or on a non-standard port. If the traffic is allowed by policy, it is then scanned for threats and analyzed further to identify the application at a finer granularity.
If App-ID determines that encryption (SSL or SSH) is in use, and a decryption policy is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (e.g., Yahoo! Instant Messenger used across HTTP). Decoders also validate that the traffic conforms to the protocol specification, and they provide support for NAT traversal and for opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
Once the application is identified, the policy check determines how to treat it: for example, block it; allow it and scan for threats; inspect it for unauthorized file transfers and data patterns; or shape it using QoS.
An important point to highlight is that our firewall uses a positive enforcement model: all traffic can be denied except the applications that are expressly allowed by policy. This means unknown traffic can be blocked or tightly controlled simply by expressly allowing what is needed to run the business. Alternative offerings based on IPS (negative control) allow unknown traffic to pass through without providing any semblance of visibility or control.
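To make the pipeline above and the positive enforcement model concrete, here is a small Python simulation added for this post. It is illustrative code, not Palo Alto Networks code or the real App-ID engine: the signatures, the HTTP "decoder", the application names (`web-browsing`, `ssh`, `ssl`, `example-chat`), the policy rules and the sample sessions are all constructed. It walks a session through signature matching, the default-port check, re-identification after decryption, a protocol decoder that finds a tunnelled application, and finally an allow-list policy whose implicit last rule is deny.

```python
"""Toy simulation of an App-ID-style classification pipeline feeding a
positive-enforcement (allow-list) policy. Written for this article as an
illustration; it is not Palo Alto Networks code, and every signature, app
name, rule and sample session below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed signatures: app -> (default ports, pattern at start of first client payload)
SIGNATURES = {
    "ssh": ({22}, b"SSH-2.0-"),
    "web-browsing": ({80, 8080}, b"GET "),
    "ssl": ({443}, b"\x16\x03"),
}

# Constructed context-based signature used by the HTTP decoder: a Host header
# value identifies an application tunnelled inside web-browsing.
HTTP_HOST_APPS = {b"chat.example.test": "example-chat"}

# Constructed security policy, evaluated top-down. `default_port_only` models
# requiring an application on its standard port; anything unmatched is denied.
POLICY = [
    ("web-browsing", True, "allow-and-scan"),
    ("ssh", True, "allow-and-scan"),
]

@dataclass
class Session:
    dst_port: int
    payload: bytes
    decrypted_payload: Optional[bytes] = None  # set only when a decryption policy applies

@dataclass
class Verdict:
    app: str
    on_default_port: bool
    action: str
    notes: List[str] = field(default_factory=list)

def match_signature(payload: bytes) -> str:
    """Identify the application from its first bytes, not from its port."""
    for app, (_ports, pattern) in SIGNATURES.items():
        if payload.startswith(pattern):
            return app
    return "unknown-tcp"

def http_decoder(payload: bytes) -> Optional[str]:
    """Validate the HTTP request line, then look for a tunnelled application."""
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None  # not a conforming request; no further context available
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return HTTP_HOST_APPS.get(value.strip())
    return None

def enforce(app: str, on_default_port: bool) -> str:
    """Positive enforcement: only expressly allowed apps pass; unknown or
    unlisted traffic falls through to the implicit deny."""
    for rule_app, default_port_only, action in POLICY:
        if rule_app == app and (on_default_port or not default_port_only):
            return action
    return "deny"

def classify(session: Session) -> Verdict:
    notes: List[str] = []
    outer_app = match_signature(session.payload)
    # The default-port check is made against the application seen on the wire.
    on_default = session.dst_port in SIGNATURES.get(outer_app, (set(), b""))[0]
    app, inner = outer_app, session.payload
    if outer_app == "ssl" and session.decrypted_payload is not None:
        # Decryption policy applied: signatures are re-run on the clear flow.
        inner = session.decrypted_payload
        app = match_signature(inner)
        notes.append(f"decrypted ssl; inner app is {app}")
    if app == "web-browsing":
        tunnelled = http_decoder(inner)
        if tunnelled:
            notes.append(f"decoder found {tunnelled} inside web-browsing")
            app = tunnelled
    return Verdict(app, on_default, enforce(app, on_default), notes)

# Constructed sample sessions.
SAMPLES = {
    "plain-web": Session(80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "ssh-on-443": Session(443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    "chat-in-http": Session(8080, b"GET /poll HTTP/1.1\r\nHost: chat.example.test\r\n\r\n"),
    "decrypted-tls": Session(443, b"\x16\x03\x01\x00\x05",
                             b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    "unknown": Session(9999, b"\x00\x01\x02\x03"),
}

if __name__ == "__main__":
    for name, sess in SAMPLES.items():
        v = classify(sess)
        print(f"{name:14} app={v.app:14} default_port={str(v.on_default_port):5} "
              f"action={v.action}  {'; '.join(v.notes)}")
```

Running it shows the behaviours the post describes: SSH on port 443 is still identified as `ssh` but is not on its default port, so the `ssh` rule does not match and the session is denied; the chat application found by the HTTP decoder is not in the policy and is denied even though the carrier `web-browsing` is allowed; the decrypted TLS session is re-identified as `web-browsing` and allowed; and bytes that match no signature end up as `unknown-tcp` and hit the implicit deny rather than passing unseen.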