How Can You Classify ALL Apps, ALL the Time? (Hint: Custom App-IDs)

May 31, 2017
3 minutes

To safely enable applications and ensure top performance in your business, you must classify all traffic, across all ports, all the time. The flexible architecture of App-ID, a standard feature on our Next Generation Security Platform, allows you to easily create custom application signatures. These are useful to identify and control applications in the following circumstances:

  • Applications proprietary to your organization and custom-developed for you.
  • Topical or seasonal applications, such as applications that stream sporting events.
  • Commercial applications not currently classified by App-ID. Typically, these applications are not in widespread use or are specific to a geographical region.

Custom App-IDs can also be used in App-ID override rules (to override a device’s App-ID). An application override rule forcibly bypasses the App-ID process and sets a session to match a manually configured application name. For example, your corporate web server might be plainly identified as “web browsing,” and you might want to override with a specific name so it’s easily recognizable in the Application Command Center (ACC) and reports.

Custom App-ID Samples and Scenarios

The following custom App-IDs were created to identify applications with topical interest.

  • NCAA March Madness 2017: Custom signatures were provided to identify the landing page on PCs and mobile apps, and to identify live video stream for PCs and mobile devices.
  • Olympic Games 2016 in Rio de Janeiro: During the games, NBCUniversal streamed over 6,000 hours of live programming on its website and apps. A custom signature was created to identify streaming and on-demand video traffic from primary websites.

Activities like these can have a dramatic effect on network traffic, given employee interest and the sheer volume of video streamed over the corporate network. Such events are also frequently used by attackers to spread malware. By creating custom application signatures, organizations can whitelist ALL applications, including those not identified by default. This results in the safe enablement of applications and a reduced surface area for attacks. These and future custom App-IDs can be accessed on the Palo Alto Networks Live Community.

How to Create a Signature-Based Custom App-ID

You can create a signature-based custom App-ID by following these steps:

  1. Capture and review application packets. Capture application packets so you can find unique characteristics about the application on which to base your custom application signature. One way to do this is to run a protocol analyzer, such as Wireshark, on the client system to capture packets between the client and the server. Perform different actions in the application, such as uploading and downloading, so you can locate each type of session in the resulting packet captures (PCAPs). Because the firewall by default takes packet captures for all unknown traffic, if the firewall is between the client and the server, you can view the packet capture for unknown traffic directly from the traffic log.
  2. Identify traffic patterns and define match criteria. Use the PCAPs to find patterns or values in the packet contexts you can use to create signatures that uniquely match the application traffic. For example, look for string patterns in HTTP response or request headers, URI paths or hostnames.
  3. Add the custom application. You can add the custom application using the management interface. Validate that traffic matches the custom application as expected before finalizing the process.

Inbuilt and custom App-IDs can reduce the attack surface and build stronger defenses against successful cyber breaches for your organization. To learn more:

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.