Today networks and the amount of data transfer done, are large and growing larger in size. As the companies grow larger, the number of users in the network also increase. The users are the primary cause of growth in the traffic. Let’s understand their behaviour and why there is an exponential growth in the data transfer on the WAN. Let’s understand why 80/20 rule is no more valid:
- Users will access resources on the LAN and WAN. These days, everyone is moving the applications on the cloud. It makes sense why traffic is growing on the WAN.
- These users are not only accessing the applications on the cloud but also applications which they should avoid, like proxy applications, P2P applications (torrents). Primarily, this is the reason how a virus/malware comes inside the network.
Now, if we include above all we
understand that we need to identify the application traffic being used by User
and drop it if objectionable.
Applications have grown too
mature and difficult to catch with traditional firewalls. The traditional
firewalls are capable of only identifying the ports, or the only rule matching criteria
is "The port numbers".A real next generation firewall should be
application intelligent and must identify the user who is initiating the traffic.
“The applications have grown too
mature” What does that mean exactly??
Let’s take an example here of an
application called ultrasurf. It’s really best example because of its random
behaviour. It’s like chameleon which gets connected to the servers anyhow.
Another good example is skype. To simplify things, consider port 80 traffic. It
not only includes simple web traffic but now it also includes video streaming,
proxy application traffic, instant messengers, downloads, CRM……many many more.
I think the solution is obvious
-- go for a combined security solution!!! But which one very mind twisting
question.
Recently, there is hype in the
security market about PaloAlto networks. The APP ID technology is currently
marketed as unique as they have this feature right inside the firewall module. I searched on the youtube for any related videos on how to
configure this videos. It seriously concerned the first few steps of the
getting up the appliance. The new generation appliances should be easily
configured and should be plug_and_play but instead it seems to be very lengthy
process
Creating a
firewall rule..oh! god it was very very lengthy process. Not a simple
thing to configure. It again needs a professional for just configuring the
firewall rules. Again not a simple plug and play device.
Now I got
more interested in capabilities. As a
security professional, I wanted to test this appliance out and about its
capabilities. I took 4 appliances in the test bed to compare capabilities.
These appliances have capabilities to identify different applications and block
them.
I also wanted to choose command
applications which are being used in the current network. The applications have
been choose to understand the maturity level of the application Vs. maturity
/capability level of the product to identify and block it. These applications
are specially choose from networks with students, HR team, construction
companies, complex networks, and low bandwidth networks. So we have prepared a
list of common and deadly 35. These applications are used for data leakage and
risk for the organisations has increased.
Below are the deadly 35:
Application
|
Facebook likes
|
source
|
Ultrasurf - Proxy
|
4016
likes
|
|
Freegate - Proxy
|
N.A.
|
|
Hotspotshield - Proxy
|
N.A.
|
|
MSN - IM
|
1,731,299 likes
|
msn.com
|
Yahoo - IM
|
40,00,000 users
|
|
Gtalk - IM
|
6541 likes
|
|
TOR - Proxy
|
N.A.
|
|
Skype - VoIP
|
1,09,00,000
|
|
Facebook Chat - IM
|
10,450 likes
|
|
AIM Messenger - IM
|
1,20,000
|
|
QQ Messenger - IM
|
6275 Likes
|
|
BitComet P2P Traffic - P2P
|
181 like
|
|
Bittorrent_uTorrent_Thunder - P2P
|
7239 likes
|
|
Securitykiss - Proxy
|
N.A.
|
|
FTP Upload/Download
|
N.A.
|
|
Team Viewer
|
610
|
|
iTunes
|
Too Many
|
|
Facebook Application
|
Too Many
|
|
Webmail-gmail-chat
|
Too Many
|
|
google+
|
Too Many
|
|
webmail- yahoo-chat
|
Too Many
|
|
teamviewer file transfer
|
N.A.
|
|
cyber ghost
|
N.A.
|
|
asproxy (on web)
|
N.A.
|
|
qq file transfer
|
6277 likes
|
|
shareaza
|
N.A.
|
|
emule
|
1,41,256
|
|
dc++
|
N.A.
|
|
qq live (WEB)
|
Too Many
|
|
ustream
|
290,000/month
|
|
jumblo
|
N.A.
|
|
psiphone
|
622
|
|
simurgh proxy
|
N.A.
|
Free File sharing
|
Wi-Free
|
Few
|
|
Digsby
|
80000/month
|
Two of
these applications caught my eye because of
their extra ordinary behaviour:
- Psiphon
- Wi-free
These will
be the next generation applications used for surfing. Very difficult to stop
them. They use protocols like SSH, DNS to send the traffic through the network.
And its very difficult to detect and drop such traffic. If you DROP dns traffic
your internet traffic will not work. The Public WI-FI can be easily penetrated
using these applications.
Very good
applications developed by beautiful minds to share the data to the outside
world but now they are being used in a very different environments like schools
and colleges. So the customer requirement was very obvious.
Test BED:
The test
bed was very simple.
- A computer with all these applications will be connected to the LAN and the WAN will be connected to the Internet.
- These applications were to be run one by one so that capability and maturity of the product in blocking the application can be evaluated
- No extra firewall rules should be required.
But the results are totally
different and I think Cyberoam has fared very well or best to say it has it has
proved to be best. The results may vary but we have tried to use the
latest Version. It seems that the products took too much time in
blocking the applications when a new version of the applications is
released. These
products were not proactive. These applications have topped our list and
some products are not even aware of these deadly applications.
Below are the results:
Application Name
|
Application
Version
|
Fortigate (FW-v4.0,build0521,120313 (MR3 Patch 6))
|
Sonicwall (FW- SonicOS Enhanced 5.8.0.2-37o)
|
Palo-Alto
(FW-4.0.8)
|
Cyberoam
(FW-124)
|
Latest
Release: 3.00168
|
Latest
Release: 298-1339
|
Latest
Release: 3.0.53
|
|||
Ultrasurf - Proxy
|
11.04
|
Working
|
Not Working
|
Not Working
|
Working
|
Freegate - Proxy
|
7.27
|
Working
|
Not Working
|
Not Working
|
Working (ultrasurf & Freegate Both should apply)
|
Hotspotshield - Proxy
|
2.52
|
Working
|
Not Working
|
Not Working
|
Working
|
MSN - IM
|
0.98.4
|
Working
|
Working
|
Working
|
Working
|
Yahoo - IM
|
11.05
|
Working
|
Working
|
Working
|
Working
|
Gtalk - IM
|
1.0.0.104
|
Not Working
|
Working
|
Working
|
Working
|
TOR - Proxy
|
0.2.2.35-8.0
|
Working
|
Working
|
Working
|
Working
|
Skype - VoIP
|
5.8
|
Not Working
|
Working
|
Working
|
Working
|
Facebook Chat - IM
|
Not Working (taking time to bypass)
|
Not available
|
Not Working
|
Working
|
|
AIM Messenger - IM
|
1.0.1.2
|
Working
|
Working
|
Not Working
|
Working
|
QQ Messenger - IM
|
1.2
|
Working
|
Working
|
Working
|
Working
|
BitComet P2P Traffic - P2P
|
1.31
|
Working
|
Not Working
|
Working
|
Working
|
Bittorrent_uTorrent_Thunder - P2P
|
B(7.6-26764) & U(3.1.2-26773)
|
Working
|
Not Working
|
Working
|
Working
|
Securitykiss - Proxy
|
2.2
|
Not available
|
Not available
|
Working
|
Working
|
FTP Upload/Download
|
Working
|
Working
|
Working
|
Working
|
|
Team Viewer
|
7.0.12799
|
Working
|
Working
|
Working
|
Working
|
iTunes
|
10_05_2005
|
Working
|
Not available
|
Working
|
Working
|
Facebook Application
|
Working
|
Not available
|
Working
|
Working
|
|
Webmail-gmail-chat
|
Working
|
Not available
|
Not Working
|
Working
|
|
google+
|
Working
|
Working
|
Working
|
Working
|
|
webmail- yahoo-chat
|
Not Working
|
Not available
|
Working
|
Working
|
|
teamviewer file transfer
|
Not available
|
Not available
|
Not available
|
Working
|
|
cyber ghost
|
4.7.18.1187
|
working
|
Not available
|
Working
|
Working
|
asproixy (on web)
|
Not Working
|
Not Working
|
Working
|
Working
|
|
qq file transfer
|
1.2
|
Working
|
Not Working
|
Not Working
|
Working
|
shareaza
|
V8
|
Not Working
|
Working
|
Not available
|
Working
|
emule
|
0.50a
|
Not Working
|
Working
|
Working
|
Working
|
dc++
|
0.791
|
Not Working (connected but unable to download)
|
Not Working
|
Not Working (connected but unable to download)
|
Working
|
qq live (WEB)
|
Working
|
Not Working
|
Working
|
Working (whole category should block)
|
|
ustream
|
Working
|
Working
|
Working
|
Working (whole category should block)
|
|
jumblo
|
4.09 Build 660
|
Not available
|
Not available
|
Not available
|
Working
|
psiphone
|
Not available
|
Not available
|
Not Working (SSH +)
|
Working
|
|
simurgh proxy
|
1.20 beta
|
Working
|
Not available
|
Not available
|
Working
|
Wi-Free
|
Not available
|
Not available
|
Not available
|
Working
|
|
Digsby
|
91
|
Working
|
Working
|
Not available
|
Working
|
Just to
quantify them in beautiful graphs
Further more, the Cyberoam was quite easy in configuring. It seems to be true application intelligent firewall which blocks most dangerous applications. This product is quite promising and its track in the Magic Quadrant has shown considerable growth.
