Werner Schmidt
Enterprise Networking and Security Expert

Security - An Application View

Last month I was lamenting that there had to be a better way to look at the security stack, and I imagined a security stack with solutions that:
  • Allow a company to whitelist appropriate behavior and applications
  • Determine a threat by sandboxing attachments and checking how they behave
  • Determine a web application threat by observing the actions of attackers, assessing their skill and tenacity, and counteracting accordingly
  • Use profiling techniques to log individual attackers and threats
  • Log the events above for legal or compliance concerns

I’ll be building upon this discussion next month as well. This month we’ll touch upon whitelisting appropriate behavior and applications. Whitelisting has been around for quite a while and keeps making a comeback. We’re all used to blacklisting, a process where we list those things (sites, applications, users, resources, etc.) we wish to block. With blacklisting, that which is not blocked is allowed. Whitelisting is the reverse: the allowed things are listed, and that which is not on the allowed list just isn’t allowed. This can pertain to web sites, usernames, desktop applications, firewall ports, etc.

For now we’ll focus on the firewall. In the old days, ports used to represent applications. Port 25 (smtp) was email, port 23 (telnet) was terminal access (mainframes or minicomputers), port 21 (ftp) was file transfer, etc. Port 80 was just for web browsing. Now, however, 80% of all traffic is port 80, and a large percentage of it is encrypted.

Web browsing is defined as just that, web browsing (think cnn.com, weather.com, wikipedia.com, etc.). It’s where you use a web browser to look at general text and some static pictures to get information. It might be a support site, might be a vendor site, etc. Classical browsing would not include web 2.0 applications. Web 2.0 applications are full-fledged applications that happen to run over port 80 instead of older ports or client/server connections. In the past we would run QuickBooks as a local application; now that can be run across the web or in a cloud. SalesForce is the classic example of a web 2.0 application. With web 2.0 applications you can transfer files, listen to audio, watch streaming video and use proxies or encryption to avoid detection.

Now we need to focus more on the characteristics of what is occurring on ports 80 and 443 (and the other ports still too!) to determine our security posture. These days, entertainment in various forms consumes massive amounts of corporate bandwidth. Web application characteristics include:
  • Is it capable of being evasive (port hopping, encryption, etc.)?
  • Is it using or able to use excessive bandwidth?
  • Is it prone to misuse?
  • Can it be used to transfer files?
  • Can it tunnel other applications?
  • Is it used by malware?
  • Does it have vulnerabilities?
  • Is it widely used?

We might also want to factor in potential risk by application as well.

Let’s look at some examples of each (all lowercase for simplicity):
  • Evasive - azureus, bittorrent, gnutella, logmein, skype, youtube
  • Excessive bandwidth - bittorrent, emule, ftp, gnutella, google-docs-uploading, kazaa, xunlei, vimeo, youtube
  • Prone to misuse - ftp, gnutella, hamachi, hopster, kazaa, smtp, skype, vnc, webdav
  • Transfers files - bittorrent, ftp, gnutella, google-docs, hamachi, logmein, webdav
  • Tunnels other apps - hopster, irc, kazaa, logmein, socks, vnc
  • Used by malware - bittorrent, hamachi, http-tunnel, skype, vnc, xunlei, youtube
  • Vulnerabilities - Many applications have known vulnerabilities. Short list: ftp, irc, logmein, nntp, vnc, youtube, webdav
  • Widely used - Many applications are used extensively

Try applipedia (http://ww2.paloaltonetworks.com/applipedia/) to explore applications. Following is a page of what that looks like. This is the same application database that Palo Alto Networks uses when setting application use policies:



So, where does this leave us? We should no longer think that opening up just ports 80 and 443 from trust to untrust is adequate. Furthermore, adding URL filtering does very little in terms of application control. URL filtering cannot address P2P (peer-to-peer) application threats at all, because the other end(s) are by nature unknown: in almost all cases they are just end user desktops, not known URLs.

Recommendations:
  1. We should whitelist by actual applications
  2. We should whitelist by users and/or groups
  3. We should implement QoS to further protect and prioritize key corporate resources
  4. We should still look for threats on approved applications (we shouldn’t bother scanning disallowed applications)
  5. We still probably want to allow classical web browsing, but should apply URL filtering
  6. We should strongly consider decrypting traffic in certain cases and not decrypting in certain category destinations (e.g. banking, healthcare)
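
To make the recommendations concrete, here is an added example of my own (not vendor code): a default-deny whitelist keyed on the classified application and the user's group, with a risk score built from the characteristics listed above. The groups, weights and rules are constructed for illustration.

```python
# Added example (not the newsletter's own code): a port-independent
# application whitelist with default deny, keyed on the classified
# application and the user's group, plus a risk score built from the
# characteristics the article lists.  Groups, weights and rules are constructed.
from dataclasses import dataclass

# Traits per application, taken from the article's example lists.
APP_TRAITS = {
    "web-browsing": set(),
    "salesforce":   set(),
    "ftp":          {"excessive_bandwidth", "prone_to_misuse", "transfers_files", "vulnerabilities"},
    "bittorrent":   {"evasive", "excessive_bandwidth", "transfers_files", "used_by_malware"},
    "logmein":      {"evasive", "transfers_files", "tunnels_other_apps", "vulnerabilities"},
}

# Constructed weights: traits that hide traffic or move data weigh most.
TRAIT_WEIGHT = {"evasive": 3, "tunnels_other_apps": 3, "used_by_malware": 3,
                "transfers_files": 2, "prone_to_misuse": 2, "vulnerabilities": 2,
                "excessive_bandwidth": 1}

def risk_score(app):
    """Sum the weights of the traits an application exhibits (unknown app -> 0)."""
    return sum(TRAIT_WEIGHT[t] for t in APP_TRAITS.get(app, ()))

@dataclass(frozen=True)
class Rule:
    app: str                  # application as classified, never a port number
    groups: frozenset         # who may use it; "any" matches every group
    url_filter: bool = False  # recommendation 5: browsing still gets URL filtering
    max_risk: int = 99        # refuse even a listed app whose risk exceeds this

# The whitelist.  Anything not matched below is denied (default deny).
WHITELIST = [
    Rule("web-browsing", frozenset({"any"}), url_filter=True),
    Rule("salesforce",   frozenset({"sales", "finance"})),
    Rule("ftp",          frozenset({"it-admins"})),
    Rule("logmein",      frozenset({"it-admins"}), max_risk=8),
]

@dataclass(frozen=True)
class Flow:
    app: str       # supplied by application classification, not derived from the port
    dst_port: int  # kept only to show that it no longer drives the decision
    user: str
    group: str

def evaluate(flow):
    """Decide a flow: allow or deny, the reason, and which inspection applies."""
    for rule in WHITELIST:
        if rule.app != flow.app:
            continue
        if "any" not in rule.groups and flow.group not in rule.groups:
            return {"action": "deny", "reason": f"{flow.app} not permitted for group {flow.group}"}
        if risk_score(flow.app) > rule.max_risk:
            return {"action": "deny", "reason": f"{flow.app} risk {risk_score(flow.app)} exceeds {rule.max_risk}"}
        # Recommendation 4: threat scanning is spent only on approved applications.
        return {"action": "allow", "reason": f"whitelisted {rule.app}",
                "threat_scan": True, "url_filter": rule.url_filter}
    return {"action": "deny", "reason": f"{flow.app} is not whitelisted (default deny)"}
```

Note that bittorrent arriving on port 80 is denied even though web-browsing on port 80 is allowed: the decision keys on the application, not the port.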

This is just the first touch on a lengthy subject. Future articles will explore deeper how to properly detect malware and protect against it. I’ll also be discussing other approaches to protecting public web servers from outside threats.

The Rule of All

There’s a lot of talk now about application firewalls and it’s all the rage. That’s great. There is a greater awareness now of the real risk of applications masquerading as web browsing. These applications can be evasive, consume enormous amounts of bandwidth and be used to steal information. That’s just a short list. Web-based applications are used to bypass corporate policies, because they make such activity far more accessible to users.

However, not all solutions are the same. I get approached quite often by yet another manufacturer claiming to have this functionality. They are not all the same; in fact, I still only believe in one solution out there.
See a video of the reporting features that I made.

Let’s take a simple look to help understand the dilemma. Let’s start with WebEx. Is all WebEx traffic the same, and can we classify the application based upon the URL or domain alone? Definitely not: a user might be browsing to www.webex.com to learn about the product and is just using a browser to read information. Let’s now assume a WebEx session has started; now is it bad? Well, it depends. There could be chat, and that chat could include pasted private information; there might be screen sharing; there might even be remote control (keyboard and mouse). The problem with this scenario is that to make proper decisions we need greater granular visibility and control, and we must deal with the mode shifting. Once there is a mode shift, it’s a different potential threat posture.

YouTube, another great example. Appropriate or not? Could be personal, could be business, might be videos, has many other threats too.

Facebook, the classic example. It could nowadays be a corporate Facebook page being accessed for work reasons, could be just a read-only view of a site, or someone might be posting information that is sensitive to the company or using work time for personal posts. Facebook chat has numerous risks and is extremely prevalent. Facebook apps include time-consuming items such as Farmville and Mafia Wars. These are not turn-based games: people can have their virtual characters injured while they are at work and not attending to their game, or not harvesting their crops. These games demand continuous attention. There are now countless games and applications available. Can you really just use URL categorization?

The problem is that a device cannot bolt on application visibility. It’s slow and time consuming, and it must be enabled and active all the time and be the first consideration a firewall or security device makes, not a downstream decision. For performance reasons, there should be only one pass over the data.

So, here’s the Rule of All, on which I heartily agree with Palo Alto Networks (PAN):
  • All App-IDs are always on: Every one of the App-IDs are always enabled. They are not optional, there is no need to enable a series of signatures to look for an application.
  • Always the first action taken: App-ID traffic classification is always the first action taken when traffic hits the Palo Alto Networks next-generation firewall. Like all firewalls, the PAN device uses a default deny all approach. Policies are enabled to begin allowing traffic, at which time, all App-IDs begin to classify traffic without any additional configuration efforts.
  • All of the traffic: App-ID is always classifying all of the traffic – not just a subset of the traffic (like HTTP for IPS signatures). All App-IDs are looking at all of the traffic passing through the device, business applications, consumer applications, network protocols, and everything in between. There is no need to configure App-ID to look at a specific subset of traffic. It automatically looks at all of it. It should be able to decrypt traffic if desired.
  • All ports: App-ID is always looking at every port. Again, there is no need to configure App-ID to look for an application on a non-standard port. It is automatic.
  • All versions, all OSes: App-ID operates at the services layer, monitoring how the application interacts between the client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent signatures that need to be enabled to try and control this application.
  • All classification techniques: Each App-ID is not just an IPS-like signature. Every App-ID will automatically use up to four different traffic classification mechanisms to determine the exact identity of the application. There is no need to apply specific settings for a specific application, App-ID systematically applies the appropriate mechanism.
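
As an added example of my own (not Palo Alto Networks' App-ID), here is a toy "always on, all ports" classifier that inspects the first bytes of every flow and never consults the port, then compares its verdict with the old port-equals-application assumption. The byte patterns come from the public BitTorrent, SSH, HTTP and TLS specifications; the sample flows are constructed.

```python
# Added example (not Palo Alto Networks code): a toy "always on, all ports"
# classifier in the spirit of the Rule of All.  It looks at the first bytes
# of every flow, never the port, and then shows where the legacy
# port-equals-application guess would have been wrong.  Payloads are constructed.
import re

# The legacy assumption the article argues against: the port names the application.
PORT_GUESS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "web-browsing", 443: "ssl"}

# Byte patterns from the public protocol specifications (BitTorrent handshake,
# SSH identification string, HTTP request line, TLS record header).
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def classify(payload):
    """Identify the application from the first bytes of a flow, ignoring the port."""
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    if HTTP_REQ.match(payload):
        return "web-browsing"
    # TLS record: content type 0x16 (handshake), version 3.x, then ClientHello (0x01)
    if len(payload) > 5 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"   # opaque until decrypted; the article says decrypt if desired
    return "unknown"

def audit(flows):
    """For each (dst_port, payload) report the payload verdict, whether the
    port-based guess disagrees, and whether the flow needs decryption or
    falls to default deny rather than being silently allowed."""
    out = []
    for port, payload in flows:
        app = classify(payload)
        guess = PORT_GUESS.get(port, "unknown")
        out.append({"port": port, "app": app, "port_guess": guess,
                    "mismatch": app != guess,
                    "needs_decrypt": app == "ssl",
                    "default_deny": app == "unknown"})
    return out

# Constructed sample flows: each tuple is (destination port, first bytes seen).
SAMPLE_FLOWS = [
    (80,   b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),  # P2P hiding on 80
    (8080, b"GET / HTTP/1.1\r\nHost: www.webex.com\r\n\r\n"),               # browsing off-port
    (443,  b"SSH-2.0-OpenSSH_5.3\r\n"),                                     # SSH tunnel on 443
    (443,  b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),                # TLS ClientHello
    (80,   b"\x00\x00\x00\x0a\x5a\x5a\x5a\x5a"),                            # unrecognised bytes
]

if __name__ == "__main__":
    for row in audit(SAMPLE_FLOWS):
        print(row)
```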


Schedule a demo or possible on-site evaluation or application visibility report with us to see the difference that Palo Alto Networks makes.
Watch a brief video I made of a live Palo Alto Networks firewall and how to address the five Ws (Who, What, Where, When and Why).

Washington DC Trip

In the previous newsletter I briefly mentioned the trip to Washington DC, so I wanted to expand a bit more on it. We had never been there before as a family or individuals. It just seemed appropriate and timely with the kids growing up, enlistment of our youngest in the Marines and other reasons. I also share a love of history with our youngest son.

It was a stellar trip. For those who have never been, I highly recommend it. It felt like a pilgrimage, almost Biblical, like going back for a census. It’s something one needs to do at least once. It was not restful and we definitely didn’t have enough time, but we did okay. It was overwhelming; we had 8 days (6 effective), and it wasn’t enough.

We stayed near Dulles airport, about 45 minutes away from DC. The hotel was great; being further away allowed us to save money and get separate rooms from the two boys, which at least meant relief and rest at night for Debbie and me.

We went with a rental car and drove into DC most of the time. There are lots of horror stories online about parking, but if you arrive early it’s generally quite fine. However, we got lost SO many times; signage is a mess and it was quite stressful. Eventually it became a source of humor, as the oldest son kept sending text messages out every time we got lost. I would instead make sure to have a GPS in the rental, that's a must; handheld only if you have a good navigator and battery life. Did I mention how slow people drive out there? I mean 45 MPH posted and enforced on some freeways! I can go faster on some city streets. The HOV (car pool) lanes are interesting, being in the middle and separated from the other lanes and using gates to alter the flow in only one direction at a time. Slowing WAY down for the E-ZPass toll sensor is mandatory, and I learned the hard way that it really has to be that slow: I rang that bell and got a bill. I would have preferred to learn the Metro (subway) earlier; we walked WAY too much early on. I would also do a tram tour thing with on/off rights; NPS (National Park Service) offers one. Metro has all-day passes, and I have to imagine multi-day passes. I can see why DC folks think nothing about proposing a national 55 MPH speed limit; that’s faster than they drive. Almost every single road was under construction; stimulus money is flowing all over the place around there.

Things are really close together and yet, a whole lot of walking. I should have planned even more for proximity and I did plan, but not enough. The closeness around the National Mall lulls you into not worrying about it and then you walk too much as you criss-cross and visit every single item you see.

We had contacted our congressman in advance (via his web site) and asked for all the items of interest. Many things you ask for tickets for don't even apply in reality; it seems like an exercise to make you think you’re getting something from them just by asking. Almost everything is free too. However, we did the Capitol tour via them, met in his office and met a staffer; that was cool and boring, but a rite of passage kind of thing. Advance notice is required if you want to see the White House; we could not on only 2 months' notice. However, I can’t express the feeling of actually being in the House of Representatives gallery as legislation is being discussed and then voted on. It’s small and yet you feel history being present as the last minute flurry occurs and people arrive for the vote.

We did walk near the White House, I’d like to park on the lawn, right by the "holiday" tree! We also saw the herb garden from a distance and were real close to where Marine One always lands on the lawn.

Things that were really special for us:
- Segway tour (Debbie loved it too, 2.5 hours, great way to get a quick feel for where things are, we did this first, I really would have liked to have used them the entire time!). We used Capital Segway for the tour. By the way, my favorite picture of the whole trip involves the Segway tour. Our guide took a family picture of the four of us on the Segways, three of us are pointed towards our tour guide and one was not due to trying to stay in one spot. It’s a treasured picture of the event. Yes, I’m aware the owner of Segway died (9/27/10), I still love the product and hope for continued success for them.
- Holocaust Museum (go early and get an assigned time and return, 2-3 hours), puts a real downer on the rest of the day, but something that really affected us and is important to experience. I especially like the exhibit “State of Deception: The Power of Nazi Propaganda”. Walking through a train box car was eerie. After the tour you realize how silent and cold the whole time in the museum was. Of course artifacts like shoes also bring it home. You come out of there numb, but it has to be experienced.
- National Museum of the Marine Corps by Quantico, Virginia (3-4 hours) - In our opinion better than many of the Smithsonian museums. Just go, don’t even think about it, it is that special.
- Library of Congress (take a docent tour). Just architecturally beautiful and impressive. Constructed under budget and on time.
- National Archives to see the documents that founded this great country.
- U.S. Marine Corps War Memorial (Iwo Jima). It’s located near the Arlington National Cemetery. It’s larger than it appears in pictures and stunningly beautiful, it just takes your breath away. Make sure to see it when the light hits it just right.

Other things we did:
- Arlington National Cemetery (would take even more time and walk it after a tour, then it would be more special). It feels strange taking the trolley around and doing the official parts of the tour, except the great experience of seeing the changing of the guard at the Tomb of the Unknowns. Can you imagine doing this watch during a hurricane or other severe storms? Yet they do and it’s one of the highest honors. I have been to two other National Cemeteries in California. There are eight in California. See the whole list.
- Capitol tour (do via Congressman’s office and avoid some lines and see the House gallery, which you can't otherwise, 2+ hours)
- Bureau of Engraving and Printing (near Holocaust Museum, arrive one hour before BEP opens and get assigned a time to return later). Not quite as exciting as it sounds. My favorite statistic, about 7% of the printed product is rejected for quality concerns. That’s a fascinating yield statistic compared to almost all other industries. Most of the printing is to replace worn out money.
- Various Smithsonian museums, only a handful. They are nice, but I'm not a big fan, we have so much special stuff here too. There are 19 of them. Read the story about Smithson and the founding of the museums. Yes, we did see numerous Norman Rockwell paintings on loan from George Lucas and Steven Spielberg, those were utterly amazing. We also saw Fonzie’s jacket (from Happy Days), Kermit the Frog, Archie Bunker’s chair and Dorothy’s Ruby Red slippers.
- Smithsonian Air & Space Udvar-Hazy Center (not the one at the National Mall), this adjunct one has a space shuttle, an SR71, the Concorde, the Enola Gay and the "larger" stuff. The one at the National Mall has the Wright Brothers one, I like the big stuff. All the Smithsonian Museums are free, but at this one you have to pay parking.
- White House gift shop
- Mount Vernon (was too hot to enjoy, otherwise I would have spent hours. There are special tours at various times of year, I think it too would be really special then. We didn't wait the one hour plus in the heat for the mansion tour). I bought a $7 book, was a good read and had color pictures to look at. Thank goodness for the Mount Vernon Ladies’ Association in 1853 for getting this wonderful property and the phenomenal restoration.
- Washington Monument
- Lincoln Memorial - We sat there on the ledge to watch the 4th of July fireworks, that was special! Yep, we were right there in an ideal spot from the daytime until the evening, wow, what an experience. Getting out was a totally different experience, but I’m so glad we endured and did it.
- Thomas Jefferson Memorial - Lots of stimulus money being spent there to shore up the sinking foundations.
- Spy Museum - Somewhat gimmicky, could have been better.
- National World War II Memorial (new) - Lots of water; it represents the Atlantic and Pacific engagements.
- Korean War Memorial - It’s eerie to see the statues captured in their walk, certainly a forgotten war. Except for a TV show, would most people ever even remember it?
- Vietnam War Memorial - The Three Servicemen statue was in the process of restoration; their stare towards the wall is eerie. We did get an etching for a friend.

As a note, the World War I memorial was not in good shape. There is one 109-year-old survivor, Frank Buckles. The memorial is now being restored with stimulus money.

Things we missed:
- FDR Memorial (too bad, is really worth seeing apparently)
- Inside the Supreme Court
- Near Mount Vernon, Washington distillery
- The various memorials at night
- Newseum
- Pentagon tour
- Pentagon 9/11 memorial
- FBI tour (not sure if available)
- Firearms museum
- Various Smithsonians
- Kennedy Center
- Ford Theatre (Lincoln and also across the street where he died)
- Alexandria boat tour
- Williamsburg tour
- New memorials are coming: Martin Luther King Jr., underground Veteran's museum

Things that were challenging:
- Finding our way
- Making sure the toll pass device we rented with the car is read at the gates, SLOW WAY DOWN at the crossings...
- Finding a place to eat that was reasonably priced
- I would advise using a phone with GPS and "About" or similar app for walking, finding food, etc. My older generation didn't have GPS and compass

So, what’s the bottom line for this trip? The kids thought it was the best vacation ever, now that’s worth doing.