Werner Schmidt
Enterprise Networking and Security Expert

The Rule of All

There’s a lot of talk now about application firewalls; it’s all the rage. That’s great. There is greater awareness now of the real risk of applications masquerading as web browsing. These applications can be evasive, consume enormous amounts of bandwidth and be used to steal information, and that’s just a short list. Web-based applications are also used to bypass corporate policies, because anything reachable from a browser is more accessible to users.

However, not all solutions are the same. I get approached quite often by yet another manufacturer claiming to have this functionality. They are not all the same; in fact, I still only believe in one solution out there.
See a video of the reporting features that I made.

Let’s take a simple look to help understand the dilemma, starting with WebEx. Is all WebEx traffic the same, and can we classify the application based on the URL or domain alone? Definitely not: a user might be browsing to www.webex.com to learn about the product and is just using a browser to read information. Now let’s assume a WebEx session has started. Is it bad? Well, it depends. There could be chat, and that chat could include pasted private information; there might be screen sharing; there might even be remote control (keyboard and mouse). The problem with this scenario is that to make proper decisions we need greater granular visibility and control, and the ability to deal with mode shifting. Once there is a mode shift, it’s a different potential threat posture.

YouTube is another great example. Appropriate or not? Could be personal, could be business, might be videos, and it carries many other threats too.

Facebook, the classic example. Nowadays it could be a corporate Facebook page being accessed for work reasons, it could be just a read-only view of the site, or someone might be posting information that is sensitive to the company or using work time for personal posts. Facebook chat has numerous risks and is extremely prevalent. Facebook apps include time-consuming items such as FarmVille and Mafia Wars. These are not turn-based games: people can have their virtual characters injured while they are at work and not attending to their game, or not harvesting their crops. These games demand continuous attention. There are now countless games and applications available. Can you really just use URL categorization?

The problem is that a device cannot bolt on application visibility. Bolting it on is slow and time consuming; application visibility must be enabled and active all the time, and it must be the first consideration a firewall or security device makes, not a downstream decision. For performance reasons, there should be only one pass over the data.

So, here’s the rule of Alls, which I heartily agree with Palo Alto Networks (PAN) on:
  • All App-IDs are always on: Every App-ID is always enabled. They are not optional; there is no need to enable a series of signatures to look for an application.
  • Always the first action taken: App-ID traffic classification is always the first action taken when traffic hits the Palo Alto Networks next-generation firewall. Like all firewalls, the PAN device uses a default-deny approach. Policies are enabled to begin allowing traffic, at which time all App-IDs begin to classify traffic without any additional configuration effort.
  • All of the traffic: App-ID is always classifying all of the traffic, not just a subset of it (like HTTP for IPS signatures). All App-IDs are looking at all of the traffic passing through the device: business applications, consumer applications, network protocols, and everything in between. There is no need to configure App-ID to look at a specific subset of traffic; it automatically looks at all of it. It should also be able to decrypt traffic if desired.
  • All ports: App-ID is always looking at every port. Again, there is no need to configure App-ID to look for an application on a non-standard port. It is automatic.
  • All versions, all OSes: App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent signatures that need to be enabled to try and control this application.
  • All classification techniques: Each App-ID is not just an IPS-like signature. Every App-ID will automatically use up to four different traffic classification mechanisms to determine the exact identity of the application. There is no need to apply specific settings for a specific application; App-ID systematically applies the appropriate mechanism.
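To make the "first action", "all ports" and "default deny" points concrete, here is a toy comparison I have added (it is not code from the original post, nor anything from Palo Alto Networks). It classifies a handful of constructed flows twice, once by destination port and once by the opening bytes of the payload, and then applies the same default-deny policy to each result. The handshake signatures are deliberately simplified and the sample flows are invented; they are not captured traffic.

```python
# Added example: port-based versus payload-based application identification,
# each followed by a default-deny policy. Signatures are simplified and the
# sample flows are constructed, not captured.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow, reduced to what a classifier looks at first."""
    dst_port: int
    first_bytes: bytes  # opening bytes of the client's first payload


# Legacy approach: the destination port names the application.
PORT_TABLE: Dict[int, str] = {
    80: "web-browsing",
    443: "ssl",
    22: "ssh",
    6881: "bittorrent",
}

# Payload approach: inspect the opening bytes regardless of port.
# Only a few well-known handshake markers are modelled here.
SIGNATURES: List[Tuple[str, Callable[[bytes], bool]]] = [
    ("bittorrent", lambda b: b.startswith(b"\x13BitTorrent protocol")),
    ("ssh", lambda b: b.startswith(b"SSH-")),
    ("ssl", lambda b: b[:2] == b"\x16\x03"),  # TLS record type 22 (handshake), major version 3
    ("web-browsing", lambda b: b.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD")
                               and b" HTTP/1." in b),
]

# Policy keyed by application, applied only after classification.
# Anything not explicitly allowed is denied (default deny).
POLICY: Dict[str, str] = {
    "web-browsing": "allow",
    "ssl": "allow",
    "ssh": "allow",
    "bittorrent": "deny",
}


def classify_by_port(flow: Flow) -> str:
    """Port-table lookup: cannot see an application hiding on another port."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """First-match over the signatures; the port is never consulted."""
    for app, matches in SIGNATURES:
        if matches(flow.first_bytes):
            return app
    return "unknown"


def decide(app: str) -> str:
    """Default-deny policy: unknown or unlisted applications are denied."""
    return POLICY.get(app, "deny")


def compare(flows: List[Flow]) -> List[Tuple[int, str, str, str, str]]:
    """Per flow: (port, port-based app, its verdict, payload-based app, its verdict)."""
    rows = []
    for f in flows:
        by_port = classify_by_port(f)
        by_payload = classify_by_payload(f)
        rows.append((f.dst_port, by_port, decide(by_port), by_payload, decide(by_payload)))
    return rows


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[Flow] = [
    Flow(80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),      # ordinary browsing
    Flow(80, b"\x13BitTorrent protocol" + b"\x00" * 48),               # BitTorrent hidden on 80
    Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),                             # SSH tunnelled over 443
    Flow(8080, b"GET /api HTTP/1.1\r\nHost: internal\r\n\r\n"),        # HTTP on a non-standard port
]

if __name__ == "__main__":
    for port, p_app, p_verdict, d_app, d_verdict in compare(SAMPLE_FLOWS):
        print(f"port {port:5d}: by port -> {p_app:13s} {p_verdict:5s} | "
              f"by payload -> {d_app:13s} {d_verdict}")
```

Running it shows the two failure modes the post describes: the BitTorrent handshake on port 80 is "web-browsing" and allowed when the port decides, but "bittorrent" and denied when the payload decides; the legitimate HTTP request on port 8080 is "unknown" and denied by the port table, yet correctly allowed once the payload is read. Classification has to happen before the policy lookup, and on every port, for the policy to mean anything.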


Schedule a demo, a possible on-site evaluation, or an application visibility report with us to see the difference that Palo Alto Networks makes.
Watch a brief video I made of a live Palo Alto Networks firewall and how to address the five Ws (Who, What, Where, When and Why).