Four Reasons to Use App-ID on Your Next-Generation Firewall

Stephanie Johnson


Category: Firewall

Application traffic was once easier to manage. Ports and protocols directly correlated to given applications. Blocking a port meant blocking an application.

Fast forward to the present – applications have changed. They are increasingly difficult to accurately identify and rarely play by the “rules.” No longer do ports equal applications, nor IP addresses equal users, nor packets equal content.

What is an organization to do to effectively secure its network and prevent increasingly evasive threats?

Safely Enable Applications With App-ID

IT must exert granular control and provide in-depth visibility and protection at the level of individual applications. App-ID, the application identification technology built into Palo Alto Networks next-generation firewalls, lets organizations write policy in terms of applications rather than ports and protocols. Classifying every application that traverses the network, whatever port it arrives on, removes the blind spot that attackers and evasive applications exploit when policy only looks at port numbers.

App-ID applies multiple classification mechanisms to the network traffic stream – application signatures, application protocol decoding, decryption (when needed), and heuristics – to accurately identify applications. It does so regardless of port or protocol, through evasive tactics such as port hopping, and for encrypted traffic: SSL and SSH sessions are themselves identified, and with a decryption policy in place the application carried inside SSL is classified as well (without decryption, only what the handshake exposes, such as the server name and certificate, is available to the classifier). Because App-ID runs continuously on every session rather than once at setup, it tracks changes in the application function in use (for instance, going from standard screen-sharing during a videoconference to giving someone remote desktop control). The information about each application and its associated risks (e.g., known vulnerabilities, malware transmission and potential misuse) provides the knowledge needed to build and enforce intelligent application access controls and policy.

Here are four key reasons to implement App-ID on your Palo Alto Networks Next-Generation Firewall:

1. Gain Unprecedented Application Visibility. App-ID enables visibility into the applications on the network. This visibility provides understanding of which applications are being used, how much and for what purpose(s).

By using App-ID in the Application Command Center, as well as other reports and logs, you can identify specific activity patterns and behaviors. For example, you can identify the top applications in use by your organization or the top threats introduced into your network by certain applications. The visibility and usage reports are easy to understand, so you can share what you learn with business leaders to build awareness. From there you can write security policy rules that enable, inspect and shape the applications the business wants and block the ones it does not.

2. Reduce the Attack Surface Area. App-ID enables organizations to exert granular control over applications and their functions, allowing sanctioned applications and known traffic while blocking or tightly controlling the rest. For example, you can allow only sanctioned Office 365 accounts, or allow Slack for instant messaging but block its file transfer function. Traffic that is allowed is still inspected for threats and sensitive data. Explicitly allowing only the applications required to run your business, and denying all others, shrinks the attack surface across the organization.

3. Secure SaaS Traffic and Protect Sensitive Data. Given the productivity benefits, the adoption of SaaS (software as a service) applications continues to accelerate rapidly, and many businesses now have SaaS application security initiatives. The widespread acceptance of SaaS is challenging for IT teams, however, because the sensitive data now lives in infrastructure the SaaS provider, not IT, operates.

Our next-generation firewall uses the classification capabilities of App-ID to provide SaaS application usage reports with detailed statistics on the SaaS applications accessed, the users who accessed them, and related threat information. This includes the top ten threats introduced by SaaS applications, malicious files transferred to or from SaaS applications, which users connect to which SaaS applications, and any activity that was blocked. Where an organization has standardized on Box.com, for example, a single policy can (1) allow access for authenticated users only and (2) decrypt the SSL traffic so that user and file activity (uploading, downloading or both) is visible and inspected. Files in transit are then checked for known and unknown threats and malware, which are blocked.

4. Secure Your Data Center. App-ID provides application awareness that can form the basis for data center policy decisions, so that only the right people have access to the appropriate applications. Using the exact identity of applications (e.g., Oracle, SAP, MS SQL) as the basis for DC security policy gives IT far more control over traffic than a port number does. For example, you can control applications like FTP (File Transfer Protocol) that can be used to move sensitive data, and restrict who may run applications like DNS (Domain Name System) and Microsoft RPC (Remote Procedure Call). App-ID's positive control model lets your organization define the list of applications allowed in the DC and deny all else. Applications not explicitly allowed are blocked and logged for further investigation and forensics; note that on PAN-OS the predefined interzone-default deny rule does not log by default, so override it to enable logging or add an explicit, logged deny-all rule at the bottom of the rulebase. Moreover, if an attacker does manage to penetrate the DC network, App-ID, in combination with User-ID user identification technology, limits lateral movement and data exfiltration by restricting application usage based on user groups.
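The following is an added example written for this edit, not Palo Alto Networks code or PAN-OS configuration. It models the positive-control behaviour described in reasons 2 and 4 in plain Python: a first-match rulebase whose rules name applications (with an "application-default" service that ties each application to its expected ports) and user groups, evaluated side by side with a legacy port-based rulebase over a handful of constructed sessions. The application names, the default-port table, zone and group names and the sample sessions are all assumptions made for the illustration, and the log format is invented.

```python
"""Model of an App-ID style positive-control rulebase (added example).

Illustrative Python written for this article, not PAN-OS or any Palo Alto
Networks code. Application names, the default-port table, zones, user
groups and the sample sessions are all constructed for the example.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Stand-in for the "application-default" service: the ports an application
# is expected to use. Assumed subset for illustration only.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "ssh": {("tcp", 22)},
    "dns": {("udp", 53), ("tcp", 53)},
    "mssql-db": {("tcp", 1433)},
    "ftp": {("tcp", 21)},
}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    app: str         # application the classifier identified for the session
    user_group: str  # group the source user was mapped to (User-ID role)


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: Set[str]                        # {"any"} for a port-only legacy rule
    action: str                           # "allow" or "deny"
    service: str = "application-default"  # or "any", or explicit "tcp/443"
    user_groups: Set[str] = field(default_factory=lambda: {"any"})

    def service_ok(self, f: Flow) -> bool:
        if self.service == "any":
            return True
        if self.service == "application-default":
            # The identified app must be on one of its expected ports.
            return (f.proto, f.dport) in APP_DEFAULT_PORTS.get(f.app, set())
        proto, port = self.service.split("/")
        return f.proto == proto and f.dport == int(port)

    def matches(self, f: Flow) -> bool:
        return (
            self.from_zone in ("any", f.src_zone)
            and self.to_zone in ("any", f.dst_zone)
            and ("any" in self.apps or f.app in self.apps)
            and ("any" in self.user_groups or f.user_group in self.user_groups)
            and self.service_ok(f)
        )


def evaluate(rulebase: List[Rule], f: Flow) -> Tuple[str, str]:
    """First matching rule wins; an unmatched session hits the implicit deny."""
    for rule in rulebase:
        if rule.matches(f):
            return rule.name, rule.action
    return "implicit-deny", "deny"


def implicit_deny_log(rulebase: List[Rule], flows: List[Flow]) -> List[str]:
    """Log lines for sessions no rule allowed: the traffic worth investigating."""
    return [
        f"deny app={f.app} {f.proto}/{f.dport} {f.src_zone}->{f.dst_zone} group={f.user_group}"
        for f in flows
        if evaluate(rulebase, f) == ("implicit-deny", "deny")
    ]


# Legacy port-based rulebase: the port stands in for the application.
LEGACY = [
    Rule("allow-https", "trust", "untrust", {"any"}, "allow", service="tcp/443"),
    Rule("allow-http", "trust", "untrust", {"any"}, "allow", service="tcp/80"),
    Rule("dc-sql", "trust", "dc", {"any"}, "allow", service="tcp/1433"),
]

# Application-based rulebase: named apps on their default ports, database
# access limited to the DBA group, everything else left to the implicit deny.
APP_BASED = [
    Rule("allow-web", "trust", "untrust", {"web-browsing", "ssl"}, "allow"),
    Rule("dc-sql-dba", "trust", "dc", {"mssql-db"}, "allow", user_groups={"dba"}),
    Rule("dc-dns", "trust", "dc", {"dns"}, "allow"),
]

# Constructed sessions (not real logs).
SSH_ON_443 = Flow("trust", "untrust", "tcp", 443, "ssh", "marketing")  # ssh hiding on 443
RPC_ON_1433 = Flow("trust", "dc", "tcp", 1433, "msrpc", "marketing")   # RPC riding the SQL port
SQL_MARKETING = Flow("trust", "dc", "tcp", 1433, "mssql-db", "marketing")
SQL_DBA = Flow("trust", "dc", "tcp", 1433, "mssql-db", "dba")
DNS_DC = Flow("trust", "dc", "udp", 53, "dns", "marketing")
SAMPLE_FLOWS = [SSH_ON_443, RPC_ON_1433, SQL_MARKETING, SQL_DBA, DNS_DC]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.app:>9} {f.proto}/{f.dport:<5} {f.user_group:>9}  "
              f"legacy={evaluate(LEGACY, f)[1]:<5} app-id={evaluate(APP_BASED, f)[1]}")
    print("\n".join(implicit_deny_log(APP_BASED, SAMPLE_FLOWS)))
```

Running the script prints one line per session showing the two verdicts, then the implicit-deny log. The port-based rulebase waves through SSH on tcp/443 and RPC on tcp/1433 because the port matches, and it lets any user reach the database; the application-based rulebase denies all three because the identified application or the user's group is not on the allow list. The deny log is where those sessions surface for investigation, which is why logging on the final deny matters.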

App-ID enforces a positive security model designed to allow the applications that enable the business, and controls them to improve security posture. To learn more about the benefits of using App-ID on your Palo Alto Networks Next-Generation Firewall:


Register for Ignite ’17 Security Conference
Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.
