The Five Key Benefits of Application Control and How to Achieve Them

Introduction
Employees are increasingly turning to web-based or web-enabled applications to help get their jobs done.
To combat the risks associated with these applications, one of the most significant evolutions in network security over the last few years has been the advent of application control.

This technology gives administrators visibility and control over each application that is allowed to communicate on the network.
This paper discusses the five key advantages of implementing application control; breaks down the misperception that application control can only be implemented with a Next-Generation Firewall (NGFW) to show that it can also be deployed as part of a Next-Generation Intrusion Prevention System (NGIPS); highlights why advanced threat detection must go hand-in-hand with application control; and provides additional points to consider when evaluating an application control solution.

The Need for Application Control
Historically, administrators controlled applications with their firewall's five-tuple policy: source and destination IP addresses, source and destination ports, and protocol. Because each application conventionally listened on its own well-known port, port was a reasonable proxy for application, and this was an adequate way to control which applications were and were not allowed on the network.
But applications and threats have changed dramatically, and this static approach to application control is now inadequate. A "Global Survey on Social Media Risks" released by the Ponemon Institute in September 2011 found that more than 50 percent of the 4,640 respondents in 12 countries reported an increase in malware due to social media use in the workplace, yet only 29 percent reported having the necessary security controls in place to mitigate it.
Today's applications are increasingly web-based or web-enabled, and therefore travel over the "always open" port 80 for HTTP traffic (and, increasingly, port 443 for HTTPS, where the port reveals even less). Even applications that do not use port 80 are increasingly able to reach other open ports on firewalls through tunneling and port-hopping. These techniques evade the visibility and control that administrators have over which applications are communicating across the network, as illustrated in Figure 1.
By circumventing traditional defenses, these new applications introduce new threats to the network. Twitter is increasingly being used as command and control (CnC) infrastructure for mobile botnets, with tweets carrying the commands. And earlier this year, research conducted by computer scientists at the University of California, Riverside found that almost half of all users had encountered a scam or malware ("socware") on Facebook in a four-month period. The research also found that socware is particularly savvy, using social engineering to trick users into performing certain actions, for example asking them to "like as a service" so that they inadvertently raise the reputation of Facebook applications or posts.

The Five Key Benefits of Application Control

Today, application control provides administrators with five key benefits:
1. Gain visibility and control over applications, regardless of port or protocol used
2. Reduce Bring-Your-Own-Device (BYOD) risk through enforcement of mobile application policies
3. Limit the exposure created by social media applications
4. Reduce attack surface and inspection requirements
5. Reclaim bandwidth from streaming/sharing applications

1. Gain visibility and control over applications, regardless of port or protocol used
Applications today are "firewall aware." Accustomed to being blocked by firewall administrators on the port they traditionally use, many applications will change the port or protocol they use until they find a combination that is permitted through the firewall.
Application control instead identifies applications at layer 7, matching the content of the traffic against application signatures (typically regular expressions over the first bytes of a flow, combined with protocol decoding) rather than trusting the port, so an application is recognized and controlled regardless of the port or protocol it chose. One caveat a practitioner should keep in mind: for traffic wrapped in TLS, payload signatures can only see the handshake, so identification then relies on handshake metadata such as the server name, or on decryption at the inspection point.
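The contrast between port-based and layer-7 identification described above, as an added example that is not part of the original paper and not Sourcefire code. The signatures and the sample flows are constructed for this illustration and are deliberately minimal (a real engine carries thousands of signatures and tracks connection state); the point is that a five-tuple lookup is fooled by port-hopping while the payload match is not.

```python
"""Layer-7 application identification versus five-tuple (port) classification.

Added example, not code from the paper or from Sourcefire. A small classifier
that recognises applications from the first client bytes of a flow using
regular expressions, independent of the port the flow arrived on. The
signatures and sample flows are constructed and simplified.
"""
import re
from dataclasses import dataclass

# Port-based ("five-tuple") view: what a legacy firewall would conclude.
WELL_KNOWN_PORTS = {22: "SSH", 80: "HTTP", 443: "HTTPS", 6667: "IRC", 6881: "BitTorrent"}

# Layer-7 signatures on the first client bytes of a flow (constructed, simplified).
# Order matters: the more specific binary patterns come first.
L7_SIGNATURES = [
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("SSH", re.compile(rb"^SSH-(?:1\.99|2\.0)-")),
    ("TLS", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header, handshake type
    ("IRC", re.compile(rb"^(?:NICK|USER|PASS|CAP) [^\r\n]*\r\n", re.IGNORECASE)),
    ("HTTP", re.compile(rb"^(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")),
]


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the flow


def identify_by_port(flow: Flow) -> str:
    """Legacy five-tuple view: trust the destination port."""
    return WELL_KNOWN_PORTS.get(flow.dst_port, "unknown")


def identify_by_payload(flow: Flow) -> str:
    """Layer-7 view: first matching signature wins, regardless of port."""
    for app, sig in L7_SIGNATURES:
        if sig.match(flow.payload):
            return app
    return "unknown"


# Constructed sample flows. Each is "port-hopping": the payload is not the
# application normally found on that port.
SAMPLE_FLOWS = {
    "ssh_on_443": Flow(443, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "bittorrent_on_80": Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20),
    "irc_on_443": Flow(443, b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    "http_on_8080": Flow(8080, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "tls_on_443": Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
}


def classify_all(flows=SAMPLE_FLOWS):
    """Return {name: (port verdict, payload verdict)} for every sample flow."""
    return {name: (identify_by_port(f), identify_by_payload(f)) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (by_port, by_payload) in classify_all().items():
        print(f"{name:18} port says {by_port:10} payload says {by_payload}")
```

The last sample flow is the caveat in practice: the payload classifier can only say "TLS" for an HTTPS flow, so anything running inside TLS needs the server name from the handshake or decryption to be identified further.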

2. Reduce BYOD risk through enforcement of mobile application policies
Many organizations today have accepted that a variety of consumer mobile devices (laptops, tablets and smartphones) will access their networks. In a BYOD world, administrators have no control over the applications these devices use to communicate. If an administrator cannot control the endpoint, then they must control what the endpoint can do at the network level. Application control can help administrators identify mobile versions of applications (e.g., Safari for iOS or Opera for Android devices) and limit their access to sensitive portions of the network.

3. Limit the exposure created by social media applications
Social media introduces new inbound and outbound security threats that must be addressed. Inbound threats center on the transmission of malicious links or files
through social media messages, posts and emails.
Outbound threats, primarily in the form of data leakage, arise when users communicate sensitive or inappropriate information through social media channels.
In both instances, application control can be used to control entire applications (Twitter, LinkedIn, Facebook), or even sub applications (Twitter Post, LinkedIn Email, Facebook Chat) per user or user group.
For example, administrators could allow anyone to read Facebook information, but prevent the finance group from posting, chatting, emailing or otherwise conducting outbound communications using that application.
For social media and other applications, simply blocking access to URLs falls short on two counts. First, it is heavy-handed: blocking an entire site stymies business productivity, whereas granular control over sub applications allows business-relevant access by user or group. Second, as mobile device usage increases, connectivity will be carried less by URL-navigating browsers and more by endpoint-based software clients, which a URL filter never sees; even today's laptops and desktops run many applications that are not browser-based.

4. Reduce attack surface and inspection requirements
By limiting the number and types of applications that are allowed to communicate on the network, administrators reduce the number of vectors that attackers could use to reach sensitive information. This is simple arithmetic: fewer permitted communication channels means fewer attack paths. Going further, even if an initial attack succeeds, its effectiveness can be muted by limiting its exfiltration paths.
For example, a piece of malware that successfully infects an endpoint could have its CnC communications blocked if the application control policy denied Secure Shell (SSH) or Internet Relay Chat (IRC). This is most effective as a default-deny policy (only the applications a business needs are permitted), and it is an excellent way to raise security in financial, classified, SCADA or otherwise highly secure environments. The caveat is that malware can also hide its CnC inside an application that is allowed, such as HTTPS, which is why the permitted applications must still be inspected for threats, as discussed below.
Regarding inspection requirements, if an application is disallowed, there is no reason to continue with deeper levels of inspection. Dropping the flow at identification time increases the performance of security devices and of the network overall, as noted in the next benefit.
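The per-group sub-application policy from benefit 3 (everyone may read Facebook, the finance group may not post, chat or email through it) and the default-deny exfiltration control from benefit 4 (an infected endpoint's IRC or SSH CnC is dropped because nothing allowed it), worked through as one added example. This is not code from the paper or from Sourcefire; it assumes an upstream identification stage has already labelled each flow with an application, and the users, groups, hosts, sub-application labelling and rules are all constructed for the illustration.

```python
"""Group-aware application / sub-application policy with default deny.

Added example, not code from the paper or from Sourcefire. Assumes an
identification stage (signature matching at layer 7) has already labelled
each flow with an application name; for the web application used here the
sub-application is derived by a small constructed lookup on method and path.
Users, groups and rules are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    user: str
    app: str                     # label from the identification stage
    sub_app: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    groups: frozenset            # groups the rule applies to; {"any"} = everyone
    app: str
    sub_apps: Optional[frozenset] = None  # None = the whole application


# Constructed directory: user -> groups (in practice this comes from AD/LDAP).
GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "carol": {"marketing", "social-media"},
}


def label_facebook(method: str, path: str) -> str:
    """Constructed sub-application labelling: a real engine decodes the protocol."""
    if method == "GET":
        return "Facebook Read"
    if path.startswith("/messages"):
        return "Facebook Chat"
    return "Facebook Post"


# Evaluated top to bottom, first match wins; anything unmatched is denied.
POLICY = [
    Rule("deny", frozenset({"finance"}), "Facebook", frozenset({"Facebook Post", "Facebook Chat"})),
    Rule("allow", frozenset({"any"}), "Facebook"),          # everyone may read Facebook
    Rule("allow", frozenset({"engineering"}), "SSH"),       # only engineering needs SSH
    Rule("allow", frozenset({"any"}), "HTTP"),
    Rule("allow", frozenset({"any"}), "TLS"),
    # No rule for IRC or BitTorrent: default deny covers them.
]


def evaluate(flow: Flow, policy=POLICY) -> str:
    """Return "allow" or "deny" for a labelled flow under the policy."""
    user_groups = GROUPS.get(flow.user, set())
    for rule in policy:
        if rule.app != flow.app:
            continue
        if "any" not in rule.groups and not (rule.groups & user_groups):
            continue
        if rule.sub_apps is not None and flow.sub_app not in rule.sub_apps:
            continue
        return rule.action
    return "deny"  # default deny: unlisted or unknown applications never pass


def decide_facebook(user: str, method: str, path: str) -> str:
    """Convenience wrapper: classify a Facebook request and evaluate it."""
    return evaluate(Flow(user, "Facebook", label_facebook(method, path)))


if __name__ == "__main__":
    print("alice reads feed:", decide_facebook("alice", "GET", "/feed"))
    print("alice posts status:", decide_facebook("alice", "POST", "/status"))
    print("bob posts status:", decide_facebook("bob", "POST", "/status"))
    # Infected finance workstation attempting CnC over IRC and SSH:
    print("alice -> IRC:", evaluate(Flow("alice", "IRC")))
    print("alice -> SSH:", evaluate(Flow("alice", "SSH")))
```

The ordering matters: the finance deny rule must precede the general Facebook allow, or first-match semantics would let the post through. The empty tail of the policy is the attack-surface reduction of benefit 4 in code form: a CnC channel over IRC is blocked not because IRC was named, but because nothing allowed it.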

5. Reclaim bandwidth from streaming/sharing applications
Many of the applications that administrators are interested in blocking are peer-to-peer (P2P) file sharing applications, such as BitTorrent or Gnutella, and video- or music-streaming applications, such as Netflix or Pandora. By identifying and stopping the use of these low business-relevance applications, administrators can not only increase security, but reclaim wasted bandwidth and even increase employee productivity.

Points to Consider When Evaluating Application Control Solutions

Integration with NGIPS
While application control is essential to improve visibility and control, enforce mobile security policies, neutralize social media threats, reduce the attack surface and reclaim bandwidth, the fact is that many applications are essential to business communication and must be allowed. Those allowed applications must then be deeply inspected for threats, because application control decides only what may talk, not whether what it says is malicious.
It is here that most NGFW technologies begin to show limitations. While they have endeavored to be "more than a legacy firewall" by offering application control, they have failed to integrate a true next-generation IPS. A Gartner paper points to this, stating: "Next-generation network IPS will be incorporated within a next-generation firewall, but most next-generation firewall products currently include first-generation IPS capabilities."

Conclusion

Application control is an advanced technology for today's network requirements and can help administrators strike a balance between encouraging productivity and minimizing risk. Unfortunately, many have come to believe that the only way to employ this technology is through a new device or a firewall replacement. With limited resources and increased pressure to reduce attack vectors, organizations need to take a fresh look at the solution landscape.
The Sourcefire NGIPS and NGFW solutions offer administrators the flexibility to choose where and how application control is deployed in the network, without compromising the level of threat prevention.
