App-Id: Identifying any application on any port

Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies. Traditional firewalls classify traffic by port and protocol. At one point, this was a satisfactory mechanism for securing the perimeter. Not anymore.

If you still use a port-based firewall, applications can easily bypass it by:

  • Hopping ports
  • Using SSL and SSH
  • Sneaking across port 80
  • Using non-standard ports

Simply put, the traffic classification limitations of port-based firewalls make them unable to protect today's network. That's why we developed App-ID™, a patent-pending traffic classification system only available in Palo Alto Networks firewalls. App-ID™ instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to accurately identify applications.


Classify traffic based on applications, not ports.

Here's how App-ID identifies applications crossing your network:

  • Traffic is first classified based on the IP address and port.
  • Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics.
  • If App-ID determines that encryption (SSL or SSH) is in use, and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
  • Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
  • For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.

As the applications are identified by App-ID's successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.

Always-on traffic classification: always the first action taken across all ports.

Classifying traffic with App-ID is the first action our firewalls take on traffic, so by default all App-IDs are always enabled. This means you don't need to enable a series of signatures to look for an application you think might be on your network, because App-ID never stops classifying all your traffic across every port - not just a subset of the traffic (e.g., HTTP).

All App-IDs constantly look at all traffic, including:

  • Business applications
  • Consumer applications
  • Network protocols
  • Everything else

App-ID continually monitors the state of an application to see if it changes midstream, provides updated information to your administrator in the ACC, applies the appropriate policy, and logs the information. Like all firewalls, Palo Alto Networks next-generation firewalls use positive control: all traffic is denied by default, and only those applications permitted by your policy are allowed through. Everything else is blocked.

All classification mechanisms, all application versions, all OSs.

App-ID operates at the services layer, monitoring how an application interacts between the client and the server. This means that App-ID is indifferent to new features and is agnostic to the client or server operating system. The result is that a single App-ID for BitTorrent is roughly equivalent to the many BitTorrent OS- and client-specific signatures that have to be enabled to try to control this application in other offerings.

Systematic management of unknown traffic.

Every network has a small amount of unknown traffic. This traffic can be an internally developed application, a commercial application with no App-ID, or a threat. App-ID categorizes all your unknown traffic, which allows you to analyze it and make an informed policy decision. If the traffic is an internal application, a custom App-ID can be created to identify it. If the traffic is a commercial application with no App-ID, a PCAP can be taken and submitted for App-ID development. Finally, App-ID's behavioral botnet report and logging tools can tell you if the traffic is a threat, so that you can take appropriate action if it is.
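To make the successive mechanisms concrete, here is an added toy classifier that mirrors the pipeline described above (port/IP hint, payload signatures, re-classification after decryption, a protocol decoder for tunnelled applications, an unknown fallback, then a default-deny policy lookup) and the unknown-traffic handling from this section (registering a custom App-ID so an internal application stops showing up as unknown). This is illustrative code written for this page, not Palo Alto Networks code and not how App-ID is implemented: every signature pattern, the `X-App:` tunnelling marker, the sample flows, the application names such as `acme-rpc`, and the policy table are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    dst_port: int
    payload: bytes                     # first bytes the firewall sees (constructed)
    decrypted: Optional[bytes] = None  # what a decrypt policy would expose (constructed)


# Stage 1: the port/IP hint. A traditional port-based firewall stops here.
PORT_HINTS = {80: "web-browsing", 443: "ssl", 22: "ssh", 6881: "bittorrent"}

# Stage 2: signatures applied to the raw stream regardless of port.
# These are simplified, constructed stand-ins for real application signatures.
APP_SIGNATURES = [
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),              # TLS handshake record header
    ("ssh", re.compile(rb"^SSH-2\.0-")),                         # SSH version banner
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),   # BitTorrent handshake
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n")),
]

# Stage 4: context-based signatures that only make sense once the carrier
# protocol (HTTP here) has been decoded. The X-App header is a constructed
# marker standing in for the real traits of a tunnelled messenger protocol.
HTTP_TUNNELED = [
    ("yahoo-im", re.compile(rb"^X-App:\s*yahoo-messenger\s*$", re.I | re.M)),
]

# Positive control: only listed applications are allowed; anything else is denied.
POLICY = {"web-browsing": "allow+scan", "ssl": "allow+scan", "ssh": "allow"}


def match_signatures(data: bytes) -> Optional[str]:
    """Return the first application whose signature matches the stream, if any."""
    for app, pattern in APP_SIGNATURES:
        if pattern.search(data):
            return app
    return None


def decode_http(data: bytes) -> Optional[str]:
    """Stage 4: look inside a decoded HTTP request for a tunnelled application."""
    for app, pattern in HTTP_TUNNELED:
        if pattern.search(data):
            return app
    return None


def classify(flow: Flow, decrypt_policy: bool = False) -> dict:
    """Run the successive mechanisms and return hint, identified app and policy action."""
    hint = PORT_HINTS.get(flow.dst_port, "unknown")
    data = flow.payload
    app = match_signatures(data)
    # Stage 3: encrypted stream plus a decrypt policy means we classify again
    # on the decrypted flow instead of stopping at "ssl"/"ssh".
    if app in ("ssl", "ssh") and decrypt_policy and flow.decrypted is not None:
        data = flow.decrypted
        app = match_signatures(data) or app
    # Stage 4: run the decoder for a known carrier protocol.
    if app == "web-browsing":
        app = decode_http(data) or app
    # Stage 5 stand-in: nothing matched, so report unknown rather than trusting
    # the port hint. Real heuristics/behavioral analysis would run here.
    if app is None:
        app = "unknown-tcp"
    action = POLICY.get(app, "deny")  # default-deny for everything not in policy
    return {"port_hint": hint, "app": app, "action": action}


def register_custom_app(name: str, pattern: bytes, action: str) -> None:
    """Unknown-traffic handling: give an internal application its own custom
    App-ID and policy entry so it no longer classifies as unknown-tcp."""
    APP_SIGNATURES.insert(0, (name, re.compile(pattern)))
    POLICY[name] = action


# Constructed sample flows: an evasive app on a "web" port, a messenger tunnelled
# over HTTP on a non-standard port, TLS that a decrypt policy can look into,
# and an internal RPC protocol that is unknown until a custom App-ID exists.
SAMPLE_FLOWS = [
    ("bittorrent on port 80", Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8)),
    ("im tunnelled over http on 8080", Flow(8080, b"GET /chat HTTP/1.1\r\nHost: im.example\r\n"
                                                  b"X-App: yahoo-messenger\r\n\r\n")),
    ("tls on 443", Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1",
                        decrypted=b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")),
    ("internal rpc on 4444", Flow(4444, b"ACME-RPC/1 hello")),
]

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS:
        print(label, classify(flow), classify(flow, decrypt_policy=True))
    register_custom_app("acme-rpc", rb"^ACME-RPC/1 ", "allow")
    print("after custom App-ID:", classify(SAMPLE_FLOWS[3][1]))
```

The design point the sample flows illustrate is that the port hint and the identified application disagree in every interesting case: BitTorrent on port 80 is still denied, the messenger hidden inside HTTP is identified by the decoder rather than by the port, TLS only resolves to its inner application when a decrypt policy exists, and the internal protocol is denied as unknown until an explicit custom App-ID and policy entry permit it.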

Resources

Learn more about App-ID
See how App-ID provides visibility and control over work-related and non-work-related applications that can evade detection by masquerading as legitimate traffic, hopping ports or sneaking through the firewall using encryption.

Learn more about application visibility
Knowledge is power. Leveraging the rich context provided by our visualization, analysis, and reporting tools allows you to quickly learn more about activity on your network and make the appropriate policy decisions. Analyze incidents from a current or comparative perspective.