Do you know with certainty what applications your users are running on the network? Just because your firewall only allows, say, ports 80, 443, and 53 does not guarantee that only web browsing, secure web browsing, and DNS query traffic is passing through your firewall!
Did you know that:
- Instead of establishing new server port numbers, legitimate applications are now designed to run over standard, commonly allowed ports. For example, Dropbox uses ports 443 and/or 80 to allow users to upload and download files to their cloud-based storage service. Do you know with certainty that your employees aren’t uploading sensitive corporate data to Dropbox?
- Many applications are designed to dynamically probe your firewall to find an open port. For example, each time Skype starts, it probes your firewall to see which ports are open and then communicates over one of them. If you close the port Skype picked first, Skype simply moves on to the next open port. It is impossible for a traditional firewall to block Skype unless you close every port on your firewall!
- Malware often communicates over ports 80, 443, and 53. For example, Conficker relies on port 80. (Source)
Traditional stateful-inspection firewalls will permit all of the traffic described above, both legitimate and malicious, because stateful-inspection firewalls make decisions based only on port numbers and session state. They are not capable of inspecting the application-layer data that is needed to identify the true application.
The bottom line is this:
Do you really know what applications are running on your network?
And if not, how can you be sure that malicious, tunneled communication isn’t occurring on allowed ports?
Many firewall vendors claim to identify networked applications; however, their solutions take a ‘bolt-on’ approach that is not only complex to manage and dramatically reduces throughput, but is simply not effective at correctly identifying applications. Digital Scepter can demonstrate true application visibility and control using a Palo Alto Networks next generation firewall, which correctly identifies the applications passing traffic regardless of protocol, port, or evasive tactic. In addition, a Palo Alto Networks firewall can even identify applications running inside encrypted SSL tunnels. And once you can identify the application, you have the power to permit, deny, or rate-limit that traffic.
Correctly identifying all of the applications is the first step in creating a positive security model, where you permit only known, desired applications and deny everything else. A positive security model implemented on a Palo Alto Networks next generation firewall dramatically reduces risk because malware and other risk-inherent applications are not permitted, even when they communicate over permitted ports. In addition, zero-day malware is blocked as well, since it is not identified as an allowed application.
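The difference between a port-only rule and a positive security model is easiest to see on concrete traffic. The following is an added example written for this post; it is not Digital Scepter's or Palo Alto Networks' code and does not reproduce any vendor's application identification. It classifies a handful of constructed flows from their application-layer payload (an HTTP request line, a TLS ClientHello and its SNI, a DNS query header, an SSH banner) and then applies two policies: a traditional rule that allows destination ports 80, 443 and 53 outright, and a positive model that allows only the expected application on each of those ports. The file-sync domain `filesync.example` and the application labels are assumptions made for the example.

```python
# Added example (not Digital Scepter's or Palo Alto Networks' code): contrasts a
# port-only allow rule with a positive security model that first identifies the
# application from the application-layer payload. All flows and payloads are constructed.

# Hypothetical domain standing in for a cloud file-sync service (constructed).
FILESYNC_DOMAIN = "filesync.example"

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    name = sni.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name       # name type 0 = host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01"                    # one cipher suite
            + b"\x01\x00"                            # null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(payload: bytes):
    """Return the SNI host name from a ClientHello, or None if absent or malformed."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                  # session id
    if p + 2 > len(payload):
        return None
    p += 2 + int.from_bytes(payload[p:p + 2], "big")     # cipher suites
    if p >= len(payload):
        return None
    p += 1 + payload[p]                                  # compression methods
    if p + 2 > len(payload):
        return None
    end = min(p + 2 + int.from_bytes(payload[p:p + 2], "big"), len(payload))
    p += 2
    while p + 4 <= end:                                  # walk the extension list
        etype = int.from_bytes(payload[p:p + 2], "big")
        elen = int.from_bytes(payload[p + 2:p + 4], "big")
        p += 4
        if etype == 0 and p + 5 <= end:                  # server_name: list len(2), type(1), name len(2)
            name_len = int.from_bytes(payload[p + 3:p + 5], "big")
            return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += elen
    return None


def is_dns_query(payload: bytes) -> bool:
    """Loose check for a standard DNS query: QR=0, opcode 0, one question of class IN."""
    if len(payload) < 17:
        return False
    flags = payload[2]
    if flags & 0x80 or (flags >> 3) & 0x0F:
        return False
    if int.from_bytes(payload[4:6], "big") != 1:
        return False
    p = 12
    while p < len(payload) and payload[p] != 0:          # walk QNAME labels
        if payload[p] > 63:
            return False
        p += 1 + payload[p]
    if p + 5 > len(payload):
        return False
    return int.from_bytes(payload[p + 3:p + 5], "big") == 1   # QCLASS IN


def identify_app(payload: bytes) -> str:
    """Classify a flow from its first payload bytes, never from the port it uses."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        sni = extract_sni(payload)
        if sni and sni.endswith(FILESYNC_DOMAIN):
            return "filesync-example"                     # TLS, but resolved further via SNI
        return "ssl"
    if payload.startswith(HTTP_METHODS) and b" HTTP/1." in payload:
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if is_dns_query(payload):
        return "dns"
    return "unknown"


PORT_ALLOW = {80, 443, 53}                                        # traditional rule: port only
APP_ALLOW = {(80, "web-browsing"), (443, "ssl"), (53, "dns")}     # positive model: port + app


def port_based_verdict(dport: int) -> str:
    return "allow" if dport in PORT_ALLOW else "deny"


def app_based_verdict(dport: int, payload: bytes) -> str:
    return "allow" if (dport, identify_app(payload)) in APP_ALLOW else "deny"


# Constructed flows: (label, destination port, first payload bytes seen by the firewall)
FLOWS = [
    ("browser to port 80", 80, b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("browser TLS to 443", 443, build_client_hello("www.example.test")),
    ("file-sync client on 443", 443, build_client_hello("sync." + FILESYNC_DOMAIN)),
    ("ssh tunnelled over 443", 443, b"SSH-2.0-example\r\n"),
    ("dns query to 53", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                            b"\x07example\x04test\x00\x00\x01\x00\x01"),
    ("unknown binary on 80", 80, bytes(range(16))),
    ("ssh to 22", 22, b"SSH-2.0-example\r\n"),
]


def evaluate(flows=FLOWS):
    """Return {label: (identified app, port-based verdict, app-based verdict)}."""
    return {label: (identify_app(pl), port_based_verdict(port), app_based_verdict(port, pl))
            for label, port, pl in flows}


if __name__ == "__main__":
    for label, (app, by_port, by_app) in evaluate().items():
        print(f"{label:26} app={app:18} port-rule={by_port:5} positive-model={by_app}")
```

Run as a script, the port-only rule allows every flow aimed at 80, 443 or 53, including the SSH session on 443, the unidentified binary on 80, and the file-sync client that is only distinguishable from ordinary HTTPS by its SNI. The positive model denies all three because none of them is the application the rule expects on that port. Two caveats apply to the SNI step: it only works while the ClientHello is readable on the wire (TLS 1.3 with Encrypted Client Hello hides it, and a real next generation firewall would additionally rely on decryption and a far larger signature set), and a few byte-prefix checks like these are a teaching aid, not a production classifier.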
Contact Digital Scepter today and let us help you identify and secure your networked applications with a Palo Alto Networks firewall!