Blocking is Only One Aspect of Control

Matt Keil



One of my colleagues recently observed that 2010 is the year when every firewall vendor jumps on the “application control” bandwagon and says they do what Palo Alto Networks does: specifically, identify and control applications. Firewall vendors are taking the path of least resistance to address the application control requirement by adding application signatures to their IPS.

This is a very limited approach because an IPS is designed to find and stop threats – so there really is only one control option: block it because it is a threat. There are many aspects to control and blocking is only one of them. For example, what about the executives who are using Twitter to generate company buzz? Or the CFO who is using Gmail while in the office? Blocking those applications as threats may be a CEM (career ending move).

To highlight this point, let’s look at three of the applications recently added to Applipedia: Google Buzz, Modbus and Millennium ILS.

The first one is Google Buzz, an application that “extends” Gmail into the fringes of social networking by allowing users to share links, photos, videos, status messages and comments organized in “conversations” with their friends and visible in the user’s inbox. Currently in a very public beta, Google Buzz represents significant risks to businesses because of the lack of controls and the ease with which data is shared—purposely or accidentally. Google Buzz is an application that the security team would be wise to watch very closely due to the elevated risks it poses.

On the other end of the spectrum is Modbus, an open source protocol that is used by many manufacturers to manage programmable logic controllers (PLCs). Modbus, like many applications, has a wide range of functions, some of which may be beneficial and others that may not be, so enabling or disabling only Modbus (and all of its functions) may be somewhat limiting. To provide greater flexibility in policy setting, the 14 Modbus functions are identified so customers can set policies on Modbus (all) or on specific functions, for specific users, IP addresses, security zones and more. Visit the Applipedia to learn more about the Modbus functions.

The next application example is Millennium Integrated Library System (ILS) – a complete set of management tools that helps libraries efficiently acquire, manage and track their assets. Like Modbus, Millennium ILS is a business application and neither of them would be confused with a social networking application, nor do they represent the same levels of business or security risks.

So why bother identifying all of these applications? The answer is simple: Knowledge is Power. Visibility into all of the applications on the network at the firewall means IT can:

  • Respond to incidents more quickly: Visibility into these applications, who is using them, where the traffic is going and any threat related activity means that if a security incident occurs, the security team can use the information to more quickly narrow down the source of the incident and respond appropriately.
  • Implement usage policies: Knowledge of the application means that as needed, policies can be put in place to allow the application to be used by certain groups, within specific security zones or at certain times.
  • Become business relevant: Knowing how the applications are being used means that the security team can de-bunk the Dr. No label by having more relevant conversations with the business groups about how to use these applications to benefit the bottom line, yet do so in a secure manner.

There are many different aspects to control and blocking is only one of them. Control is more about enabling the use of specific applications for specific users (are they allowed to use that application?) even if they fall outside of the work-related definition; seeing where the traffic is going (should SQL traffic be going to that zone or subnet?); and protecting the traffic against threats or unauthorized file/data transfers. Using this definition, control encompasses the entire population of applications on enterprise networks including the business applications.
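To make the Modbus point above concrete, and to show what "control" by user, zone and function looks like in practice rather than as a block/allow switch, here is a small added example (my illustration, not Palo Alto Networks code or any product's policy engine). It decodes the Modbus/TCP header and function code from a frame, then evaluates a constructed, top-down rule set that lets an operations group read registers from the control room while reserving write functions for engineers in their own zone. The zone and group names, the rule set and the sample frames are all constructed for the example; only the Modbus/TCP header layout and the public function codes are standard.

```python
"""Per-function Modbus/TCP policy evaluation (added example, not vendor code)."""
import struct
from dataclasses import dataclass

# Public Modbus function codes (subset). Read-type codes only observe PLC state;
# write-type codes change it, which is why a policy may want to scope them to
# specific users and zones instead of allowing or blocking "Modbus" as a whole.
FUNCTION_NAMES = {
    1: "read-coils", 2: "read-discrete-inputs", 3: "read-holding-registers",
    4: "read-input-registers", 5: "write-single-coil", 6: "write-single-register",
    15: "write-multiple-coils", 16: "write-multiple-registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
READ_FUNCTIONS = set(FUNCTION_NAMES) - WRITE_FUNCTIONS


@dataclass(frozen=True)
class Session:
    """Who is talking and between which security zones (constructed names)."""
    user_group: str
    src_zone: str
    dst_zone: str


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code, data) from a Modbus/TCP ADU, or None if malformed.

    MBAP header: transaction id (2), protocol id (2, must be 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU that follows it.
    """
    if len(frame) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7], frame[8:]


def function_name(fc: int) -> str:
    """Human-readable name for logging/visibility; unknown codes are still reported."""
    return FUNCTION_NAMES.get(fc, f"unknown-fc-{fc}")


# Constructed, hypothetical rule set: evaluated top-down, first match wins.
# functions=None means any Modbus function is allowed by that rule.
RULES = [
    {"name": "ot-engineers-full", "user_group": "ot-engineers",
     "src_zone": "engineering", "dst_zone": "plc", "functions": None, "action": "allow"},
    {"name": "operations-read-only", "user_group": "operations",
     "src_zone": "control-room", "dst_zone": "plc", "functions": READ_FUNCTIONS, "action": "allow"},
]


def evaluate(session: Session, frame: bytes):
    """Return (action, reason) for one frame; anything unmatched hits the default deny."""
    parsed = parse_modbus_tcp(frame)
    if parsed is None:
        return "deny", "malformed-modbus"
    _unit, fc, _data = parsed
    for rule in RULES:
        if rule["user_group"] != session.user_group:
            continue
        if (rule["src_zone"], rule["dst_zone"]) != (session.src_zone, session.dst_zone):
            continue
        if rule["functions"] is not None and fc not in rule["functions"]:
            continue
        return rule["action"], rule["name"]
    return "deny", "default-deny"


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU; used here to construct sample traffic for the demo."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    ops = Session("operations", "control-room", "plc")
    eng = Session("ot-engineers", "engineering", "plc")
    read_regs = build_frame(1, 1, 3, struct.pack("!HH", 0, 10))          # read 10 holding registers
    write_regs = build_frame(2, 1, 16, struct.pack("!HHB", 0, 1, 2) + b"\x00\x01")  # write one register
    for who, frame in ((ops, read_regs), (ops, write_regs), (eng, write_regs)):
        action, reason = evaluate(who, frame)
        print(f"{who.user_group:13} {who.src_zone:>12} -> {who.dst_zone} "
              f"{function_name(frame[7]):24} {action} ({reason})")
```

The same read from operations is allowed and logged with its function name, the write from the same group falls through to the default deny, and the identical write from engineering is permitted: one application, three different control decisions, none of which required calling Modbus a threat.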

When evaluating the next firewall purchase, be sure to match the many different aspects of the word “control” to the specific needs of your company.

Thanks for reading.
