It tells the story of Palo Alto Networks’ history and points towards our future potential. It also articulates the desire of enterprise IT organizations to safely enable applications, rather than just blocking them outright. Like Nir says, “Our customers don’t want to block Facebook. They want to use it, but they also want some control.” David Cohen of All Facebook weighed in on the topic today with this post.

Vance also calls out a recent report: “Gartner estimates that by the end of 2014, about 60 percent of firewall-type purchases will be for these next-generation products.” Finally, Gartner analyst John Pescatore nicely summed things up when he said, “firewalls need to evolve.”

http://www.eweekeurope.co.uk/news/cios-frown-on-social-networking-at-work-2007 http://community.zdnet.co.uk/blog/0,1000000567,10014107o-114626b,00.htm https://www.mckinseyquarterly.com/home.aspx http://www.aiim.org/

In response to the eWeek article, this author raises the case that if there are business benefits to be derived in the use of social networking, then it should be allowed.

We could not agree more. Although we would add the caveat that they should be allowed provided that regulatory policies remain in tact and are adhered to. The position of summarily blocking a new or unknown application is unreasonable and in some cases, could be career limiting. Imagine that the CIO blocks the CEO’s favorite application.

Looking specifically at social networking users, most of them are in the 35 and under age group. The fastest growing group of users are those who are over 35. Currently, there are at least 30 social networking applications http://www.paloaltonetworks.com/applipedia/ available to end users with FaceBook as the most dominant. 315 MILLION users.

What does this mean? It means that theses users will be in the workforce for many years to come and they are accustomed to using these applications whenever they want. So it makes sense to figure out a social media strategy that benefits employees and the company itself. Two reports from AIIM  and McKinsey  both highlight the fact that social networking, and the other web 2.0/enterprise 2.0 applications are indeed resulting in measurable benefits. If they are spending too much time on these applications, then perhaps it is a personnel issue – not an application issue.

Now more than ever. It’s time to fix the firewall.

Should we really be surprised? No not really, given the findings form the latest Application Usage and Risk Report:

* An average of six P2P variants were found in 9 out of 10 organizations.
* In one extreme case, 17 P2P variants were found.
* The most common P2P applications found were BitTorrent and Gnutella – both at 68%
* Bandwidth consumed was a whopping 2.3 terabytes, or 5% of the total bandwidth viewed across the participating enterprises.

The most commonly detected P2P-based file sharing applications found across the 63 participating organizations.

The logical question is: why can’t enterprises stop P2P usage? There are several reason why.

The first reason is that employees are using what ever application they want. And in the case of P2P, the enterprise networks are typically far faster than home networks so why not take advantage of the connection speeds.

Dovetailing nicely into the high speed network access is the ability to get music, movies, software, and many things for free. Copy right laws are easily ignored when the latest movie, only seen in theatres, can be downloaded for free.

Possibly the most significant reason that IT cannot stop P2P is the plain fact that P2P applications use a variety of techniques to pass through the existing security infrastructures. Common techniques include port hopping and masquerading as HTTP. And as security administrators developed ad hoc techniques to detect these applications, P2P developers modified the application to use proprietary encryption as a means of bypassing the firewall, and signature based detection mechanisms. For example, uTorrent, the official BitTorrent client, uses proprietary encryption to evade detection.

Can Palo Alto Networks next-generation firewalls help?

We think we can. We can identify and control more than 40 P2P networks including BitTorrent, eMule, and LimeWire with more added as they are released to market. See the entire list here. Our customers are using our next generation firewall to reign in the use of these applications – blocking use for others while enabling controlled use for some (like engineers who need Linux distributions). Want to learn more? Check out the whitepaper on controlling P2P.

Now, assuming that the infrastructure is indeed up to date and that the IPv6 is enabled, then and only then will the rogue IPv6 become an issue. At this point, many of the security infrastructure vendors will fail to stop the use. Palo Alto Networks is different. Here is how we can help alleviate this issue before it becomes one.

* We can detect and block IPv6 with a set of signatures and decoders included in App-ID.
* If IPv6 is allowed, we can detect that traffic, and then apply appropriate security polices to the traffic (allow, deny, inspect for malware and threats).
* In the event that an intrepid employee is using IPv6 tunneled inside IPv4, we can detect and block that use as well.

Perhaps I have simplified it too much? Let us know if you agree.

To learn more about the applications, protocols and services we detect and control, check out the applipedia.

Thanks for reading.

• LinkedIn is twice as popular as FaceBook for business networking, and 68% think that professional networking on the web is vital to career progression.
• 27% of people aged 18-30 consider Twitter is an important rapid-feedback tool for business. Only 7% of those over 45 agree.

—————–

July 14 update – Two more proof points on why companies need to positively enable applications. Both articles talk about how new employees are pressing employers for more lenient web surfing policies. The balance of course is allowing not only web use, but the use of non-web based applications, in a secure manner.

From the AP article:

It’s no different than spending too much time around the water cooler or making too many personal phone calls. Do you take those away? No,” says Gary Rudman, president of GTR Consulting, a market research firm that tracks the habits of young people. “These two worlds will continue to collide until There’s a mutual understanding that performance, not Internet usage, is what really matters.”

So, Wellman and others argue, why not embrace that working style when possible, rather than fight it?

From the Techdirt article:

It’s not hard to figure out why, really. First, allowing for a good balance between the two allows workers to take short mental breaks which allows them to be more fully focused on work when needed. On top of that, they don’t have to worry about personal things while at work, but can take care of issues quickly and easily. Finally, and most importantly, many start using social networking and other online tools to help them work. After all, despite what naysayers say, these tools can be very useful in many different jobs.

—————–

More interesting is the fact that while most companies have security and approval policies for the use of corporate tools such as email and press releases, very few have the same for the use of these applications.
“…we found that whereas nearly all businesses have policies on the use and content of emails, only 30% set similar policies for blogs, wikis and forums.” [see full report here– registration required].

This policy discrepancy strengthens the case for what we call positive application enablement. A process by which the security team, in conjunction with the business units perform the following:
• Identify the application and what it is being used for.
• Determine who is using it.
• Decide whether or not to allow it – if so, under what conditions and parameters.
• Scan the allowed content.
• Log and report on the activity.

As we have said before, the days of blocking applications that might not be “approved” are gone. These applications are here to stay. The applications themselves are not risks, but make no mistake, they can introduce risks and as such, need to be secured right along side Oracle, SAP, SharePoint and other business applications.

Thanks for reading.

I like dogs. Preferably big, active, smart dogs. So it stands to reason that I would like the American Staffordshire Terrier, a recognized member of the Terrier Group according to the American Kennel Club (AKC). Never heard of this breed? Maybe you’ve heard of a Pit Bull – a breed that can strike fear into many people because of the highly visible nature of their attacks. Ask any dog trainer or avid dog lover and they will tell you that there are no bad dogs – merely bad dog owners. Bad dog owners who mistreat the dogs, train them to fit, follow improper breeding practices and so on. Sure, this is open to debate and this is not the forum for such a debate.

Let’s look at a couple of examples of how applications are like dogs.

P2P: The underlying technology was developed back in the early days of networking as a means of moving large files by harnessing unused computing resources. The premise still works today in commercially available applications like BitTorrent, Gnutella and many others. Everyone know that the rap against P2P that they are used to illegally share files. Worse yet, many of the largest data breaches were the result of improperly configured P2P applications. Yet properly configured and used by say, IT, P2P is a very powerful tool. See the relationship here? Employee records do not naturally migrate to a P2P network. MarineOne blueprints are not stored on a P2P network. Users are the ones who are sharing the files. Users are the ones who failed to properly configure the application.

TOR (The Onion Router): Developed by the US military to encrypt spy and covert operation communications and is now in the public domain. Not only is the message encrypted, it uses other TOR nodes to send the data, finally being assembled by the intended recipient. The advantage here is that no one node has all the data so intercepting it is of little use. In an oppressive regime, TOR is an invaluable tool and it is recommended by several human rights organizations as a tool to communication with the outside world. In the hands of an employee or student, TOR is a black hole that acts as an avenue for threats (inbound) and data leakage (outbound). Again, the application is not acting on its own. It is acting on the commands of the user.

Ok, P2P and TOR may be extreme cases (and easy pickings). Let’s see how social networking applications like FaceBook and MySpace hold up to the analogy. Both applications are designed to keep friends, colleagues and family updated on what’s happening. An admirable goal to be sure. Yet social networking has been invaded by malware writers who prey on users who do not think before they click. Case in point, a friend received a FaceBook update from someone they thought was a friend – the update had a URL in it. So you guessed it, they clicked it. Bad user! The PC is infected with malware.

I challenge you to take any application and put it to this test. My guess is that more often than not, you will come to the same conclusion. There are several points to my ramblings.

Applications are not threats. The threats are from what the users do with them and the content that is transferred. If enterprises treat applications as threats, several things may occur:
1) The CEO may be the one using the application which may result in a quick termination.
2) The application in use may be benefiting the bottom line, so why stop it.
3) Today’s employees expect to be able to use many of these types of applications, so blocking them may reduce the ability to attract new employees. (No bad dogs, remember).

IT must become business enablers. The application landscape is moving more rapidly than ever before and it is an understandable challenge for IT to keep up. But somehow they need to determine what applications are on their network and then analyze the risk and weigh it with the business benefit. If the trade-offs are positive, then the use should be documented as part of the appropriate application usage policy. (IT needs to train the users dog owners).

Educate users on the appropriate application usage policy. When we ask companies (IT guys) what their appropriate application usage policy is, they tend to laugh, or ask “what policy” or worse yet, say we do not have one. Many of our customers are using our solution to achieve the two previous points and in so do, make their application usage policy a living, breathing document that is reviewed on a regular basis, as users try new applications. Just like dogs will continually learn what the master allows and press for more, so to will users.

Thanks for putting up with me.

The YouTube statistic combined with a recent Nielsen report confirms that users, at home or at work, are using the Internet to entertain themselves. The Nielsen report shows that the hours of Internet video watched, at home and at work, is up 53.2% to just about 3 hours per month.

The one thing that neither of these statistics looked at specifically was the use of video/photo applications within the enterprise. During our own analysis summarized in the Application Usage and Risk Report, guess which application consumed the highest amount of bandwidth? You guessed it. YouTube gobbled up nearly gig of bandwidth.

Delving more deeply into the video application findings within the report shows the following:
* A sizable 4.4 terabytes of bandwidth was consumed by video applications alone, nearly double the amount observed in the previous report (2.3 terabytes).
* There were 44 different photo/video applications found – up from 30 detected in the previous report.
* The underlying technology used is primarily browser-based (24) with p2p and client/server powering 10 applications each.

To a certain extent, these enterprise specific statistics support the findings mentioned earlier in this post – video use and the corresponding bandwidth consumption is up.

Before the naysayers jump on me and say employees should be allowed to do what they want, let’s be perfectly clear here – no one is saying we should block these applications. The decision on what to do with these applications is left entirely to the corporations. In nearly every case, our customers felt their bandwidth was being consumed by non-business applications but were unsure which ones. Now they know which are the heaviest consumers – both in terms of applications and users. Some customers are hardnosed about it, blocking the use, others are merely collecting data while others are re-writing their policies, allowing the use but scanning for threats. In one case, the applications were blocked and user backlash was such that management bought a bigger pipe, allowing use but adding control elements around it.

The bottom line is that now the customers know that a big chunk of that sucking sound is video oriented.

Thx for reading.

Why? It’s all about numbers. There are millions of users worldwide who want access to their content. And as we discuss in this ThreatPost article, users will proactively circumvent controls. A 45 second search on the web provides a wealth of information on how to circumvent security controls and blocking mechanisms. Some examples:
* There are at least 7700 public proxies that users can access merely by visiting proxy.org.
* Users can build their own private proxy.
* Visit circumventor.net to find a list of circumvention tools.
* There are new encrypted tunneling applications like Gbridge popping up on a regular basis.
I could go on. And while I am sure that Hulu has a very smart and dedicated team of IT professionals, can they win against millions? My view is that they will not because of the sheer numbers. But I do wish them luck. But let’s look on the bright side, they have a good product and people want it.

Thanks for reading.

“In approximately four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software. Rather than for internal usage, most of these connections were provisioned to third parties in order to remotely administer systems. As discussed extensively in this and previous reports, the ultimate attacker is not typically the third party (although that certainly happens). More often, an external entity compromises the partner and then uses trusted connections to access the victim. From the victim’s perspective the attacker appears to be an authorized third party, making this scenario particularly problematic. This is especially so when trusted access is coupled with default credentials.”

Why is it interesting to me? Because our own Application Usage and Risk Report (April 2009) indicates that these types of applications are being used not only by IT – but also by sophisticated employees who want to access their home machine – or someone else’s – while they are at work. Overall we found that 95% of the companies who participated in the analysis had remote control applications present. Not surprising really. What is surprising is [1] the breadth of application variants (24 different remote access control applications) and [2] the high rate of SSH usage (89% out of 63).

No doubt there are IT personnel in this group, but we know from looking at the user names and talking with customers that SSH usage is expanding to non-IT users. These intrepid users are accessing their home machines to do whatever they want. Little do they know that they are exposing themselves and the company they work for to numerous business and security risks. A visit to wikipedia provides background on SSH, free dameons and clients for anyone to use. And today’s end users ARE smart enough (or bold enough?) to use these tools.

But as the Verizon Data Breach Report points out, remote access applications carry risk – which is confirmed by the Internet Storm Center article about SSH. This article reminds IT folks to tighten their controls around SSH – particularly the passwords – which are easy to crack if less than 8 characters. So the 89% of the companies we found using SSH had better make sure that their SSH is locked down.

So back to the question in the title: are remote desktop access/control applications valuable? Without question – yes — assuming proper controls and security are implemented and is being followed. But given the two data points above, it looks like we need to do some work.

Thx for reading.

Which applications do you think are currently running in your organization’s IT environment? Attendees were able to select all that applied and the results of a total of 181 votes showed the following:
P2P 43.6% (79)
Google apps 73.5% (133)
Anonymizers/proxies 33.7% (61)
Unauthorized IM 56.4% (102)
Encrypted tunneling apps (e.g. TOR)Â 43.6% (79)

In this case, the poll is a valuable tool to keep audience members engaged but often times they do not show all the data or tell the entire story.

Here’s why I say this. Our recently published Application Usage and Risk Report analyzed application traffic on more than 60 customer networks and the findings show very different numbers.
P2P 92%
Google apps 81%
Anonymizers/proxies 81%
Unauthorized IM 97% (to be fair, we did not ask if the use of IM is approved or not).
Encrypted tunneling apps (e.g. TOR) 11%

Real data always tells a more complete story. And what this report tells us is that enterprises collectively spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products – yet the data shows that these products are unable to control the application traffic traversing the network. Here’s some of the key findings to support that conclusion.

* Applications are designed for accessibility. More than half of the nearly 500 unique applications found are “firewall friendly” in that they can hop from port to port, use port 80 or port 443 as a means of simplifying end-user access.
* Users are actively circumventing security controls. Employees are going to the extreme measure of using external proxies (typically not endorsed by corporate IT), remote desktop access and encrypted tunnel applications to do what they want on the network.
* File sharing usage is rampant. Despite the known risks, employee use of P2P is rampant and browser-based file sharing has effectively doubled in use over the last 12 months.

What else did we find? We found more than 111 collaborative applications – social networking, email, webmail, IM, blogging – you name it we found it. Many of these applications are beneficial. David Smith, from Gartner comments in this SC Magazine article that “some applications enable users to more easily do their job”. Absolutely true. No question about it. But when employees use them without IT oversight and the associated security, then the company is exposed to unnecessary business and security risks. Bill Brenner from CSO Magazine summarizes some of the risks in his article about the 4 Reasons Botnets are Hard to Fight.

You get the picture. I encourage you to read the executive summary, download the report or listen to a 10 minute overview here.

Check it out. Post a comment. The data does not lie.