Balancing the Risks and Benefits of Evasive Applications

We often use the term evasive as a means of describing how an application can bypass a traditional stateful inspection firewall. “Applications use tactics such as port hopping, non-standard ports, SSL encryption and emulation to evade the firewall.” While wholly accurate, the term carries negative connotations, implying the application is behaving badly. In reality, the application developers are using these techniques primarily for purposes of improving user accessibility.

The use of these tactics is common, as shown in the Application Usage and Risk report where 57% of the applications we found can hop ports, use port 80, or port 443. While that statistic is interesting in and of itself, what is more interesting is the category and technology breakdown of these applications.

Figure 1: Applications that can evade security using port 80, port 443 or by hopping ports.

The high number of collaborative applications is populated by corporate and personal email, IM, social networking, blogging, internet conferencing, and VoIP. The interesting statistic is the range of underlying technologies used – the browser is the vehicle of choice but when compared to the those applications that use P2P and client/server, the breakdown is roughly equal. Corporate applications like SharePoint and WebEx both fall into the collaborative category and both use port 80 or port 443 respectively. So would you consider these applications evasive (in a bad way) or easily accessible? Most would call them the latter and given the popularity of both applications, would agree that these applications bring significant business benefits.

What are the risks? All applications carry risks. SharePoint and WebEx both use port 80 and port 443 respectively so they look like web traffic to most security solutions. SharePoint uses SQL, IIS, and .net and there are known risks associated with these components. WebEx has a desktop control feature that represents risks to financial services companies. So the trade-off is to allow these applications on the network but to take security best practices to apply policies that can mitigate the associated risks.

Another example is Skype, a VoIP application. Skype uses two techniques to simplify accessibility – it hops ports and it uses encryption. Admittedly the latter is also for privacy. Skype is widely used but not that widely deployed and supported by corporations. Yet it is a great tool, allowing the weary road warrior quick and cheap phone service from around the world. The risk of using Skype and other VoIP applications recently increased with the discovery of a Trojan that will listen to your phone calls. The article points out that risk this Trojan represents is slight and is expected to be used in a very targeted manner (against individuals or a small group). Here too, a risk vs benefit trade off needs to be made. Other examples of applications that fall into this risk vs reward discussion abound: Twitter, YouTube, Google Docs, Zoho, and the list goes on. New studies show the benefits of social networking yet one would have to be blind to miss the seemingly daily discussion of the risks these applications pose.

The statistics show that many applications can be considered evasive and yet many, while not supported by corporate IT, will bring significant business benefit. So the challenge we face is to help IT determine which applications are in use, who is using them, and then analyze the risks vs benefits, applying policy as appropriate.

Thanks for reading.