[Figure: App-ID traffic classification flow. Boxes: Start; IP/Port Signatures; Application Signatures; Policy Check; Decryption (SSL or SSH); Policy Check; Decode; Policy Check; Apply Heuristics; Identified Traffic (No Decoding).]
as a means of keeping pace with the ever-changing application landscape.

App-ID Traffic Classification Technology

Using as many as four different techniques, App-ID determines what the application is as soon as the traffic hits the firewall appliance, irrespective of port, protocol, encryption (TLS/SSL or SSH) or other evasive tactic. The number and order of identification mechanisms used to identify the application will vary depending on the application. The general flow for App-ID is as follows:

• Application Signatures: Signatures are used first to look for unique application properties, and related transaction characteristics, to correctly identify the application regardless of the protocol and port being used. The signature also determines if the application is being used on its default port or a non-standard port (for example, RDP across port 80 instead of port 3389, its standard port). If the identified application is allowed by security policy, further analysis of the traffic is done to identify more granular applications as well as scan for threats.

• TLS/SSL and SSH Decryption: If App-ID determines that TLS/SSL encryption is in use and a decryption policy is in place, the traffic is decrypted and then passed to other identification mechanisms as needed. If no policy is in place, then decryption is not employed. A similar approach is used with SSH to determine if port forwarding is in use as a means to tunnel traffic over SSH. Such tunneled traffic is identified as ssh-tunnel and can be controlled via security policy.

• Application and Protocol Decoding: Decoders for known protocols are used to apply additional context-based signatures to detect other applications that may be tunneling inside the protocol (e.g., Yahoo! Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification, and they provide support for NAT traversal and opening dynamic pinholes for applications such as VoIP or FTP. Decoders for popular applications are used to identify the individual functions within the application as well (e.g., webex-file-sharing). In addition to identifying applications, decoders identify files and other content that should be scanned for threats or sensitive data.

• Heuristics: In certain cases, evasive applications still cannot be detected even through advanced signature and protocol analysis. In those situations, it is necessary to apply additional heuristic or behavioral analysis to identify certain applications, such as peer-to-peer file sharing or VoIP applications that use proprietary encryption. Heuristic analysis is used as needed, with the other App-ID techniques discussed here, to provide visibility into applications that might otherwise elude positive identification. The actual heuristics used are specific to an application and include checks based on such things as the packet length, session rate, and packet source.

With App-ID as the foundational element of our security platform, your security team can regain visibility into, and control over, the applications traversing your network.

App-ID: Dealing with Custom or Unknown Applications

New applications are added to the App-ID database weekly, yet nearly every network will still have cases where unknown application traffic is detected. There are typically three scenarios where unknown traffic will be detected: a commercially available application unknown to App-ID, an internal custom application, or a threat.

• Unknown Commercial Applications: Using visibility tools, you can quickly determine if the traffic is a commercial off-the-shelf (COTS) application. If it is a COTS application, you can capture and submit traffic packets to Palo Alto Networks for App-ID development. The new App-ID is developed, tested, and added to the database for all users in the form of a weekly update.

• Internal or Custom Applications: If the application is internal, or custom, you
Figure 3: Browse up-to-date application research and analysis at the Palo Alto Networks
Application Research Center, https://applipedia.paloaltonetworks.com
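As an added illustration (not Palo Alto Networks code and not App-ID's actual signatures), the following Python sketches the classification order described above: a content signature identifies the application independently of the port, the port is then only compared against the default to flag cases such as RDP on port 80, an HTTP decoder looks for an application tunneled inside HTTP, and a heuristic stage runs only when no signature matched. The signatures, application names, thresholds and sample flows are all constructed, and the decryption step is omitted.

```python
from dataclasses import dataclass

# Default ports are used only as context, never as the basis for identification.
DEFAULT_PORTS = {"rdp": 3389, "http": 80, "ssh": 22}

# Constructed, simplified content signatures (first payload bytes), not
# vendor signatures: TPKT/X.224 prefix for RDP, request line for HTTP,
# version banner for SSH.
SIGNATURES = {"rdp": b"\x03\x00", "http": b"GET ", "ssh": b"SSH-2.0-"}

@dataclass
class Flow:
    dst_port: int
    payload: bytes        # first client payload of the session
    packets: int = 1      # session-rate inputs consumed by the heuristic stage
    avg_len: float = 0.0

def http_decoder(payload, notes):
    """Decoder stage: parse the HTTP head and look for an application
    tunneled inside it (hypothetical Host-header sub-signature)."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    if "host: messenger.example" in head.lower():
        notes.append("tunneled application identified by HTTP decoder")
        return "example-messenger"
    return "web-browsing"

def heuristic_stage(flow, notes):
    """Heuristic stage: no signature matched, so fall back to traffic shape
    (packet length and session rate). Thresholds are constructed."""
    if flow.packets >= 50 and flow.avg_len < 200:
        notes.append("heuristic match: high session rate, short packets")
        return "unknown-p2p", notes
    return "unknown", notes

def classify(flow):
    """Return (app, notes): signature first, port only as context, then the
    protocol decoder, then heuristics if nothing else matched."""
    notes = []
    app = next((n for n, sig in SIGNATURES.items()
                if flow.payload.startswith(sig)), None)
    if app is None:
        return heuristic_stage(flow, notes)
    if DEFAULT_PORTS[app] != flow.dst_port:
        notes.append(f"{app} on non-standard port {flow.dst_port} "
                     f"(default {DEFAULT_PORTS[app]})")
    if app == "http":
        app = http_decoder(flow.payload, notes)
    return app, notes
```

Calling classify(Flow(80, b"\x03\x00\x00\x13")) identifies the flow as rdp and notes the non-standard port, which is the point a port-based classifier would miss.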
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pan-tb-app-id-092115