Employees are using a range of new web-based applications to get their jobs done, and you've got limited visibility, let alone control. But one thing is certain: many of these applications are evasive and firewall aware, and hackers are using them to penetrate networks.
How do you encourage productivity and minimise risks? Application control is key. Read this whitepaper to learn:
• Why application control is so critical to your network security
• How to satisfy employee needs while limiting exposure
• Must haves when evaluating application control solutions
The Five Key Benefits of Application Control and How to Achieve Them
WHITE PAPER

Introduction

Employees are increasingly turning to web-based or web-enabled applications to help get their jobs done. To combat the risks associated with these applications, one of the most significant evolutions in network security over the last few years has been the advent of application control. This technology gives administrators visibility and control over each application that is allowed to communicate on the network. This paper discusses the five key advantages of implementing application control; breaks down the misperception that application control can only be implemented with a Next-Generation Firewall (NGFW) to show that it can also be deployed as part of a Next-Generation Intrusion Prevention System (NGIPS); highlights why advanced threat detection must go hand-in-hand with application control; and provides additional points to consider when evaluating an application control solution.

The Need for Application Control

Historically, administrators were able to control applications by using their firewall's five-tuple policy. This five-tuple policy consists of the source and destination IP addresses, the source and destination ports, and the protocol. Since each application had its own port, this was a fine way to control which applications were and were not allowed on the network. But applications and threats have changed dramatically, and this static approach to application control is now inadequate.

A Global Survey on Social Media Risks released by the Ponemon Institute in September 2011 found that more than 50 percent of the 4,640 respondents in 12 countries report an increase in malware due to social media use in the workplace, yet only 29 percent report having the necessary security controls in place to mitigate it.

Today's applications are increasingly web-based or web-enabled, and therefore utilize the always-open port 80 for HTTP traffic. Even those applications that do not use port 80 are increasingly able to access other open ports on firewalls through tunneling and port-hopping. These techniques evade the visibility and control that administrators have over which applications are communicating across the network, as illustrated in Figure 1.

Figure 1. Many applications are web-enabled or travel through open ports.

Circumventing traditional defenses, these new applications introduce new threats to the network. Twitter is increasingly being used as a command and control (CnC) infrastructure for mobile botnets, using tweets for commands. And earlier this year, research conducted by computer scientists at the University of California, Riverside found that almost half of all users had encountered a scam or malware ("socware") on Facebook in a four-month period. The research also found that socware is particularly savvy, using social engineering to trick users into performing certain actions, for example asking them to "like" something (so-called Like-as-a-Service) as a way to get them to inadvertently raise the reputation of Facebook applications or posts.

The Five Key Benefits of Application Control

Today, application control provides administrators with five key benefits:

1. Gain visibility and control over applications, regardless of port or protocol used
2. Reduce Bring-Your-Own-Device (BYOD) risk through enforcement of mobile application policies
3. Limit the exposure created by social media applications
4. Reduce attack surface and inspection requirements
5. Reclaim bandwidth from streaming/sharing applications

1. Gain visibility and control over applications, regardless of port or protocol used

Applications today are firewall aware. Accustomed to being blocked by firewall administrators based on the traditional port they use, many applications can change the port or protocol they use until they find a combination that is permitted through the firewall. Application control uses regular expression technology and analyzes traffic at layer 7 to identify and control applications regardless of the port or protocol used.

2. Reduce BYOD risk through enforcement of mobile application policies

Many organizations today have accepted the fact that a variety of consumer mobile devices (laptops, tablets and smartphones) will access their networks. In a BYOD world, administrators have no control over the applications these devices will use to communicate. If administrators can't control the endpoint, then they must control what the endpoint can do at the network level. Application control can help administrators identify mobile versions of applications (e.g., Safari for iOS or Opera for Android devices), and can limit their access to sensitive portions of the network.

3. Limit the exposure created by social media applications

Social media introduces new inbound and outbound security threats that must be addressed. Inbound threats center on the transmission of malicious links or files through social media messages, posts and emails. Outbound threats, primarily in the form of data leakage, arise when users communicate sensitive or inappropriate information through social media channels. In both instances, application control can be used to control entire applications (Twitter, LinkedIn, Facebook), or even sub-applications (Twitter Post, LinkedIn Email, Facebook Chat) per user or user group. For example, administrators could allow anyone to read Facebook information, but prevent the finance group from posting, chatting, emailing or otherwise conducting outbound communications using that application.

For social media and other applications, simply blocking access to URLs falls short on two counts. First, this heavy-handed approach can stymie business productivity, as opposed to granular control over sub-applications, which enables business-relevant access by user or group; and second, as mobile device usage increases, connectivity will be facilitated less by URL-navigating browsers and more by endpoint-based software clients. Even today's laptops and desktops utilize many applications that are not browser-based.

4. Reduce attack surface and inspection requirements

By limiting the number and types of applications that are allowed to communicate on the network, administrators can reduce the number of vectors that attackers could use to access sensitive information. This is a simple law of averages: reducing communication vectors reduces attack vectors. But going further, even if an initial attack were successful, its effectiveness could be muted by limiting its exfiltration paths. For example, a piece of malware that successfully infects an endpoint could have its CnC communications blocked if the application control policy blocked Secure Shell (SSH) or Internet Relay Chat (IRC) applications. This could be an excellent way to increase security in financial, secret, SCADA or otherwise highly secure environments. Regarding inspection requirements, if an application is disallowed, then there is no reason to continue with deeper levels of inspection. This can actually increase the performance of security devices and the network overall, as noted in the next benefit below.

5. Reclaim bandwidth from streaming/sharing applications

Many of the applications that administrators are interested in blocking are peer-to-peer (P2P) file sharing applications, such as BitTorrent or Gnutella, and video- or music-streaming applications, such as Netflix or Pandora. By identifying and stopping the use of these low business-relevance applications, administrators can not only increase security, but reclaim wasted bandwidth and even increase employee productivity.

Points to Consider When Evaluating Application Control Solutions

Integration with NGIPS

While application control is essential to improve visibility and control, enforce mobile security policies, neutralize social media threats, reduce the attack surface and reclaim bandwidth, the fact is that many applications are essential to facilitate network communications. The applications that are allowed to communicate must be deeply inspected for threats. It is here that most NGFW technologies begin to show limitations. While they have endeavored to be more than a legacy firewall by offering application control, they have failed to integrate a true next-generation IPS. A Gartner paper points to this, stating: "Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities." [1] Whether deploying application control as part of the Sourcefire NGIPS or as part of the Sourcefire NGFW, advanced threat protection is included. Furthermore, Sourcefire FireSIGHT increases accuracy and automation by using contextual awareness to understand the composition of the network. This agile engine automatically tunes itself to protect new assets as they enter the network, reducing the administrative burden and staying ahead of network changes and malicious hackers.
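To make benefits 1, 3 and 4 above concrete, here is an added illustration (not Sourcefire's code or its detectors) of why a five-tuple policy cannot see a port-hopping application, and of how a layer-7 policy keyed by sub-application and user group lets everyone read Facebook while blocking finance from posting and blocking SSH used as a CnC channel. The signatures, user groups, policy rows and sample flows are all constructed for this example.

```python
import re

# Constructed layer-7 signatures (hypothetical; not Sourcefire's detectors).
# Each entry maps (application, sub-application) to a pattern matched
# against the first bytes of a flow, independent of the port in use.
SIGNATURES = [
    ("ssh", None, re.compile(rb"^SSH-2\.0-")),
    ("irc", None, re.compile(rb"^(NICK|USER|PRIVMSG) ")),
    ("facebook", "post", re.compile(rb"^POST \S+ HTTP/1\.[01]\r\nHost: (www\.)?facebook\.com")),
    ("facebook", "read", re.compile(rb"^GET \S+ HTTP/1\.[01]\r\nHost: (www\.)?facebook\.com")),
]

# Policy rows: (user_group, application, sub_application, action).
# None is a wildcard; the first matching row wins, like a firewall rule base.
POLICY = [
    ("finance", "facebook", "post", "block"),  # finance may read but not post
    (None, "facebook", None, "allow"),
    (None, "ssh", None, "block"),              # benefit 4: cut CnC/exfiltration paths
    (None, "irc", None, "block"),
]

def five_tuple_allows(dst_port):
    """Legacy port-based policy: anything on 80/443 looks like 'web' and is permitted."""
    return dst_port in (80, 443)

def identify(payload):
    """Return (application, sub_application) from the flow's first bytes, whatever the port."""
    for app, sub, pattern in SIGNATURES:
        if pattern.search(payload):
            return app, sub
    return "unknown", None

def decide(user_group, payload):
    """Apply POLICY to the identified application. Unidentified traffic is not
    allowed outright; it is handed on to deeper inspection."""
    app, sub = identify(payload)
    for grp, papp, psub, action in POLICY:
        if grp in (None, user_group) and papp == app and psub in (None, sub):
            return app, sub, action
    return app, sub, "inspect"

# Constructed flows, all on ports a five-tuple policy would wave through.
SSH_ON_443 = b"SSH-2.0-OpenSSH_8.9\r\n"
FB_READ = b"GET /feed HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"
FB_POST = b"POST /ajax/status HTTP/1.1\r\nHost: www.facebook.com\r\n\r\nstatus=hi"

if __name__ == "__main__":
    for group, port, flow in [("engineering", 443, SSH_ON_443),
                              ("finance", 80, FB_READ), ("finance", 80, FB_POST)]:
        print(group, port, "five-tuple allows:", five_tuple_allows(port),
              "layer-7 decision:", decide(group, flow))
```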
Flexibility to Deploy Application Control as a NGFW or NGIPS

Because applications were (and to some extent, still are) controlled through firewall policies, many administrators assume that application control is best deployed using a firewall. In fact, many vendors are now marketing Next-Generation Firewalls (NGFW) in such a way that the category (NGFW) and the feature (application control) have become interchangeable and synonymous. However, the prospect of ripping and replacing existing firewalls to gain access to this critical security control requires careful consideration, especially since alternative deployment options do exist.

For small or medium-size businesses with a small number of firewalls, or for those who have reached the end of their firewall lifecycle, the addition of application control creates a perfect opportunity to upgrade to NGFW technology. However, for the vast majority of the market, which includes larger enterprises and those who have not reached the end of their firewall lifecycle, ripping and replacing the existing firewall infrastructure is infeasible. Faced with this scenario, larger enterprises or those not wishing to replace their firewall have typically deployed a NGFW behind their legacy firewall as a firewall complement. But considering that application control is essentially a layer 7 inspection function, it is logical to conclude that the appropriate place to deploy application control is within the NGIDS or NGIPS infrastructure. Indeed, the most essential definition of an IPS is a device placed behind a firewall that inspects traffic at layer 7.

While the Sourcefire NGIPS has had the capacity to identify applications for many years, the ability to form policies and control those applications is a recent development. Now that the option exists, rather than deploying an additional device behind the firewall, deploying application control through the Sourcefire NGIPS is a faster, less costly and easier-to-manage alternative. Of course, for any organization wishing to replace their legacy firewall with an NGFW, Sourcefire now also offers a NGFW that includes application control, NGIPS and firewall functionality.

SSL-Encrypted Traffic

An increasing number of applications today leverage Secure Sockets Layer (SSL) encryption for privacy. Overall, this is a good security practice, although it poses some unique challenges for security technologies. In fact, no security device in the world can accurately inspect encrypted traffic. SSL decryption is required, and can take place on the inspection device itself or through a separate appliance before the inspection device. While there are some advantages to on-box decryption, the downside to this option is a severe performance impact; independent testing of on-box decryption performance in competing devices has shown 99.5% performance degradation [2]. Additionally, key management quickly becomes burdensome across multiple on-box decryption devices. For these reasons, a separate SSL decryption appliance can cost-effectively and efficiently decrypt traffic at wire speed, before passing that traffic to the NGIPS or NGFW device for inspection. In this scenario, key management is simplified, decryption policy can be configured and inspection device performance is not impacted.

URL Filtering

While URL filtering alone is not a substitute for application control, it can provide an important additional layer of security, reduce legal exposure and improve business productivity. Because so many applications are web-based, it makes sense to integrate URL filtering seamlessly alongside application control.

Policy Enforcement Options

Application control and URL policy enforcement must be flexible and granular to be relevant. Sourcefire allows applications to be controlled not only by sub-application, but also by zone, network, VLAN, user or user group. Enforcement of policies by user or user group occurs through interaction with Active Directory and is important not only for ease of policy configuration, but to ensure that policy is enforced for a particular user regardless of that user's physical network location.

Classification of Applications

With over 1,200 applications and sub-applications available for policy-setting, it is important to be able to classify applications in different ways to narrow searching and simplify policy management. Sourcefire classifies applications by:

• Category (P2P, instant messaging, browser, social networking, etc.)
• Type (application protocol, web application, client application)
• Business Relevance (very high, high, medium, low, very low)
• Risk (very high, high, medium, low, very low)

More information on how Sourcefire classifies applications can be found at the Sourcefire App Center (www.sourcefire.com/app-center).

Ease of Use

Application control policies will consider many applications and will initially change frequently per application, if not per user or user group. It is important to consider how easily administrators will be able to create and change policies. Sourcefire's new management interface is intuitive, easy to use and provides all relevant policy information (including application control, URL and IPS policies) from a single management pane, as illustrated in Figure 2 below.

Figure 2. Configuration of Application Control, URL and IPS policies occurs from a single view.

Conclusion

Application control is an advanced technology for today's network requirements and can help administrators strike a balance between encouraging productivity and minimizing risks. Unfortunately, many have come to believe that the only way to employ this technology is through a new device or a firewall replacement. With limited resources and increased pressure to reduce attack vectors, organizations need to take a fresh look at the solution landscape. The Sourcefire NGIPS and NGFW solutions offer administrators the flexibility to choose where and how application control is deployed in the network, without compromising the level of threat prevention.

About Sourcefire

Sourcefire, Inc. (Nasdaq: FIRE), a world leader in intelligent cybersecurity solutions, is transforming the way global large- to mid-size organizations and government agencies manage and minimize network security risks. With solutions from a next-generation network security platform to advanced malware protection, Sourcefire provides customers with Agile Security that is as dynamic as the real world it protects and the attackers against which it defends. Trusted for more than 10 years, Sourcefire has been consistently recognized for its innovation and industry leadership with numerous patents, world-class research, and award-winning technology. Today, the name Sourcefire has grown synonymous with innovation, security intelligence and agile end-to-end security protection. For more information about Sourcefire, please visit www.sourcefire.com.

Sources

[1] "Defining Next-Generation Network Intrusion Prevention," John Pescatore, Greg Young, Gartner, October 7, 2011
[2] http://www.networkworld.com/reviews/2011/082211-palo-alto-performance-test-249383.html?page=2

9.12 | REV1 © 2012 Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.