App-Id: Identifying any application on any port
Traffic classification is at the heart of any firewall, because your classifications form the basis of your security policies. Traditional firewalls classify traffic by port and protocol. At one point, this was a satisfactory mechanism for securing the perimeter. Not anymore.
If you still use a port-based firewall, it is easy for applications to bypass it by:
- Hopping ports
- Using SSL and SSH
- Sneaking across port 80
- Using non-standard ports
Simply put, the traffic classification limitations of port-based firewalls make them unable to protect today’s network. That’s why we developed App-ID™, a patent-pending traffic classification system only available in Palo Alto Networks firewalls. App-ID™ instantly applies multiple classification mechanisms to your network traffic stream, as soon as the device sees it, to accurately identify applications.
Classify traffic based on applications, not ports
Here’s how App-ID identifies applications crossing your network:
- Traffic is first classified based on the IP address and port.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics.
- If App-ID determines that encryption (SSL or SSH) is in use, and a decryption policy is in place, the application is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (e.g., Yahoo! Instant Messenger used across HTTP).
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
As the applications are identified by App-ID’s successive mechanisms, the policy check determines how to treat the applications and associated functions: block them, or allow them and scan for threats, inspect for unauthorised file transfer and data patterns, or shape using QoS.
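The successive stages listed above (port lookup, payload signatures, re-classification after decryption, protocol decoders for tunnelled applications, and a heuristic fallback) can be illustrated with a small classifier. The following is an added example written for this page, not Palo Alto Networks' code or App-ID signatures: every signature, hostname rule, application label, allow-list and sample flow in it is constructed for illustration, and "decryption" is simulated by attaching a pre-decrypted payload to the flow where a decryption policy would apply.

```python
import re
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for what the firewall sees per flow: destination port
# plus the first payload bytes. decrypted_payload simulates the clear-text
# the firewall would obtain when a decryption policy covers the flow.
@dataclass
class Flow:
    dst_port: int
    payload: bytes
    decrypted_payload: Optional[bytes] = None


# Stage 1: port-based guess, i.e. where a traditional firewall stops.
PORT_TABLE = {80: "web-browsing", 443: "ssl", 22: "ssh", 6881: "bittorrent"}

# Stage 2: payload signatures applied to every flow regardless of port.
# These are illustrative patterns, not vendor signatures.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
]

# Stage 4: a decoder rule for an application tunnelled inside HTTP.
# Constructed rule: any Host under messenger.example is labelled as an IM app.
HTTP_TUNNEL_RULES = [
    ("example-messenger",
     re.compile(rb"^Host:\s*[^\r\n]*\.messenger\.example\s*$", re.M | re.I)),
]


def match_signatures(data: bytes) -> Optional[str]:
    """Return the first application whose signature matches the payload."""
    for app, pattern in SIGNATURES:
        if pattern.search(data):
            return app
    return None


def http_decoder(data: bytes) -> Optional[str]:
    """Parse the HTTP header block and apply context-based tunnel rules."""
    header_block = data.split(b"\r\n\r\n", 1)[0]
    for app, pattern in HTTP_TUNNEL_RULES:
        if pattern.search(header_block):
            return app
    return None


def heuristic(data: bytes) -> str:
    """Stage 5: crude behavioural fallback for flows no signature explains.

    Constructed labels: mostly printable payload -> unknown-tcp, otherwise
    unknown-binary. Real behavioural analysis is far richer than this.
    """
    if not data:
        return "unknown-tcp"
    printable = sum(32 <= b < 127 for b in data)
    return "unknown-tcp" if printable / len(data) > 0.8 else "unknown-binary"


def classify(flow: Flow) -> dict:
    """Run the stages in order and record what each one decided."""
    trace = {"port_guess": PORT_TABLE.get(flow.dst_port, "unknown")}
    app = match_signatures(flow.payload)
    trace["signature"] = app
    data = flow.payload
    # Stage 3: if the flow is TLS and a decryption policy applies, re-run the
    # signatures over the decrypted flow.
    if app == "ssl" and flow.decrypted_payload is not None:
        data = flow.decrypted_payload
        app = match_signatures(data)
        trace["after_decrypt"] = app
    # Stage 4: protocol decoders look for applications riding inside HTTP.
    if app == "web-browsing":
        tunneled = http_decoder(data)
        trace["decoder"] = tunneled
        app = tunneled or app
    # Stage 5: heuristics for whatever is still unidentified.
    if app is None:
        app = heuristic(data)
        trace["heuristic"] = app
    trace["app"] = app
    return trace


# Positive-control policy: only listed applications are allowed (constructed).
ALLOWED_APPS = {"web-browsing", "ssl", "ssh"}


def policy_action(app: str) -> str:
    """Policy check: allow and scan known-good applications, block the rest."""
    return "allow-and-scan" if app in ALLOWED_APPS else "block"


# Constructed sample flows: each one defeats a port-only classifier.
SAMPLE_FLOWS = {
    "bt_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 40),
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "im_in_http": Flow(80, b"GET /chat HTTP/1.1\r\nHost: relay.messenger.example\r\n\r\n"),
    "tls_http": Flow(443, b"\x16\x03\x01\x00\xf8\x01",
                     decrypted_payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "blob_on_8080": Flow(8080, bytes(range(256))),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        result = classify(flow)
        print(f"{name}: port says {result['port_guess']}, "
              f"App-ID-style result {result['app']} -> {policy_action(result['app'])}")
```

Running the script shows the point of the pipeline: the BitTorrent handshake on port 80 is classified as `bittorrent` and blocked even though the port lookup said `web-browsing`, SSH on 443 is identified as `ssh`, the messenger traffic is pulled out of an otherwise ordinary HTTP request by the decoder, the decrypted TLS flow is re-classified as plain web browsing, and the unrecognised binary blob ends up in an `unknown-*` bucket for the administrator to review rather than being allowed by default.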
Always on traffic classification – always the first action taken across all ports.
Classifying traffic with App-ID is the first action our firewalls take on traffic, so by default all App-IDs are always enabled. This means you don’t need to enable a series of signatures to look for an application you think might be on your network, because App-ID never stops classifying all your traffic across every port – not just a subset of the traffic (e.g., HTTP).
All App-IDs constantly look at all traffic, including:
- Business applications
- Consumer applications
- Network protocols
- Everything else
App-ID continually monitors the state of an application to see if it changes midstream, provides updated information to your administrator in ACC, applies the appropriate policy and logs the information. Like all firewalls, Palo Alto Networks next-generation firewalls use positive control: they deny all traffic by default and then allow through only those applications permitted by your policy. Everything else is blocked.
All classification mechanisms, all application versions, all OS’s
App-ID operates at the services layer, monitoring how an application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent will be about equal to the many BitTorrent OS and client signatures that have to be enabled to try and control this application in other offerings.
Systematic management of unknown traffic
Every network has a small amount of unknown traffic. This traffic can be an internally developed application, a commercial application with no App-ID, or it can be a threat. App-ID categorises all your unknown traffic, which allows you to analyse it and make an informed policy decision. If the traffic is an internal application, a custom App-ID can be created to identify it. If the traffic is a commercial application with no App-ID, a PCAP can be taken and submitted for App-ID development. Finally, App-ID’s behavioral botnet report and logging tools can tell you if the traffic is a threat and take an appropriate action if it is.
Palo Alto Networks Firewall Overview
- 8-Page PDF: Palo Alto Firewall Overview
Palo Alto Networks Panorama
- 5-Page PDF: Panorama Specsheet
Palo Alto Networks VM-Series Datasheet
- 3-Page PDF: VM-Series Datasheet
Palo Alto Networks Wildfire
- 6-Page PDF: Palo Alto Networks Wildfire