Palo Alto EDU-110: App-ID

Objectives:

Define application identification

Describe four major technologies to help identify applications

Configure application filters and application groups

Detect unidentifeid applications that traverse the firewall

Configure scheduling to Application ID

What is an application?

An application is a specific program or feature whose commuinications can be labeled, monitored and controlled

Applications will include business tools and services, which may need to be permitted. Blocked applications might include personal services

Applications can be delivered to the client via a web browser, a client to server model, or a peer to peer design.

What is App-ID?

App-ID is a technology that uses multiple identification mechanisms to determine the exact identify of applications that flow through the firewall

App-ID is a relied upon technology, since accurate traffic classification should be a primary function of any firewall.

The security rules within a Palo Alto firewall can specify whether to block or allow applications.

This is more advanced in comparison to a traditional firewall, which may block by port or protocol.

A traditional firewall can easily be bypassed with todays technologies and methods. Such as using SSL and SSH traffic encryption, sneaking other protocols and applications across port 80 or using non standard port numbers.

With the use application filter security policy rules, and enforcing applications to use only their default ports. The Palo Alto can enforce only DNS traffic to go across DNS known ports, rather than say bit torrent or a command and control server.

App-ID and UDP

A Palo Alto firewall that examines UDP packets can only identify a single packet in order to identify the application.

In most case, the first packet transmitted has all the information needed for a Palo Alto firewall to identify the applications.

UDP-Lite is very similar to to UDP, but can servce applications in error prone network enviroments that prefer to havbe damaged payloads delivered rather than discarded

App-ID and TCP

When it comes to TCP, the Palo Alto often needs to examine multiple packet transfers to identify the application. The first packet sent is a TCP SYN packet, and whilst containing the source and destination address and ports, it contains no application data.

The next two packets that follow on, SYN-ACK, and ACK, do not contain any application data ethier. It is all part of the three way handshake TCP uses to establish a data connection.

The application data likely follows on after the ACK, for example in a HTTP GET request or the reply from the server.

The firewall may have to wait a few more packets to be able to sufficently identify an application, or detect the data as encrypted.

If the data is encrypted, the network administrator may need to use a decryption policy to decrypt the HTTPs session and identify the application.

Identifying Applications

The Palo Alto APP-ID technology uses four internal component technologies to help identify technologies.

These are:

Application Signatures

A database of signatures of applications updated when the firewall grabs its content updates

Unknown Protocol Decoder

A heuristics engines that examines the patterns of communication. It attempts to identify the application based on it’s network behaviour. This type of detection is used for applications that encrypt from end to end ssuch as Skype or BitTorrent

Known Protocol Decoder

A set of application decoders that understand the syntax and terminlogy of common applications

Protocol Decryption

SSL and SSH decryption capabilities

Application ID Operation

Network traffic is initially classified based on the it’s IP address and port.

The firewall then consults the security policy to determine whether to allow or block the traffic based on the IP address and port. During this initial check, the application is set to any.

If traffic is allowed, a session is created and App-ID begins looking for an application signature. The firewall uses it’s known and unknown protocol decoders to attempt to identify the application.

If the App-ID engine determines that SSL or SSH encryption is in use, and a decryption policy has been configured, the traffic flow could be decrypted and the unknown and known protocol decoders can be put to work on the decrypted traffic.

If the application signature at this point still can’t be identified, the application will be unknown-tcp or unknown-udp based on the transport protocol.

Once the application has been identified, the firewall checks the security policy rule to determine whether to block, allow, or allow and scan for threats on the traffic.

Application Shifts

Network traffic can change from one application to another during a session

When a web browsing session starts, it may be identified as web-browsing, then to SSL.

Once application I.D. gets a further idea on the patterns and volumes of data being transmitted, it may then further clasify the application to such as facebook-base or facebook-chat

Dependant Applications

Some applications can depend on other applications during network shift during the lifetime of a session.

It is important that if these applications are to be permitted, that they are included in your security policy rules

In an example, in Rule 1 web-browsing may be permitted.

If the application type changes to Microsoft Office on demand, a rule will need to be created that permits Office365 on demand.

If this is not included, the user may have a negative web application expeirence.

Implict Applications

For many of the dependant applications, the app-id database implictly allows the required parent application without the need of the network administrator to add the parent application to the security policy.G

Going back to the Facebook rule, adding the facebook-base application would implictly turn on the require web-browsing rule to the security policy.

App-ID defines implict dependants because the addition, of say the web-browsing rule, could allow more traffic through the firewall than intended.

Implict permissions are only processed if a explict security policy rule for the parent application has not been added.

The implict support applies to custom applications too, based on HTTP, SSL, MS-RPC or RTSP.

Application Filters

An application filter groups applications based on attributes that the administrator selects from the App-ID database.

The attributes that can be selected are Category, Subcategory, Technology, Risk, and Characteristic.

Application filters can be useful when access to applications needs to be defined by say risk, or technology rather than matching specific applications.

New applications are classified by Palo Alto, and added to the App-ID database with values for Category, Subcategory, Technology, Risk, and Characteristic.

New applications that are added will automatically match with the application filter defined.

Application Groups

An application group is a static, created by the administrator, defined set of applications. Groups allows the logical grouping of applications that can be used in Security, QoS, and PBF rules.

A group can be used when the network administrator wishes to treat a set of applications in a similar way in a policy.

Groups ultimately simply the administration of a rule base.

When planning application groups, network administrators should consider how they want the groups to be enforced for access, and create seperate groups accordingly for seperate actions.

Nesting Application Groups and Filters

An application group can be manually configured to contain, applications, and application filters plus other application groups

Application Block Page

For applications that are web based and blocked, the Palo Alto can displayaa response page in the users browser.

The default response page includes the prohibited application name, and the users name if the user id feature has been enabled.

If the user id feature has not been enabled, an IP address is displayed instead.

Application block response pages need to be enabled via an interface management profile.

A custom HTML page can be crafted and uploaded.

Unknown Network Traffic

If APP-ID cannot identify an application, it will display in the Monitor -> Logs -> Traffic section as unknown-tcp or unknown-udp.

The only exception to this rule is HTTP, which if unidentified will be displayed as web-browsing

Identifying Unknown Application Traffic

Create rules to allow or block applications known to be flowing through the firewall

Create a temporary rule to detect new unidentified applications flowing through the firewall

Controling Unknown Applications

Create a custom application with a custom signature

Use network packet capture to identify unique bit a patterns in the application

Create a custom application signature to match that bit pattern

Use the custom application in a Security, QoS or PBF policy rule

Configure an application override policy

An application override policy rule can be used to identify custom application traffic based on it’s source zone and IP address, it’s destination zone and IP address, and it’s port and protocol.

This prevents the firewall using App-ID to process the Layer 3 data.

Application override also disables the security profiles

Block unknown-tcp or unknown-udp traffic

The unknown-tcp or unknown-udp traffic seen inside an organisation is normally benign. It could be a custom developed back up script or maintenance task

Unknown-tcp or unknown-udp that appears in sessions going out or coming in to the network should be suspect.

The traffic should be attempted to be verified using the traffic log and packet captures

Updating APP-ID

App ID’s can be scheduled to:

  • Download Only
  • Download and Install

Alternativelly, they can manually downloaded and installed at any time to suit the administrator.

Updates to the App ID database are released nearly every week

Leave a Reply

Your email address will not be published. Required fields are marked *