The way network services are defined and delivered has changed over the years, and security controls have had to be adapted accordingly so that they keep providing the desired level of control over user access.
Many services are defined by a transport protocol (usually TCP or UDP) and an associated port. For some services the port is standardized (the so-called well-known ports); for others it is chosen by the vendor of the solution.
So if the SSH service listens on port 22/TCP, a filter for this kind of traffic can be keyed on that port. The same holds for many others, such as FTP, DNS, HTTP, SMTP, POP3, IMAP, NTP and so on. The challenge is that in some cases these ports can be changed without any consequence for the operation of the service.
For example, moving the SSH service from its default port to 2222/TCP does not make the service unusable; the people who need it simply have to be told that the connection port is now 2222/TCP. For other services, such as SMTP and DNS, changing the port would limit their operation, since the Internet at large uses the conventional ports for e-mail exchange and name resolution.
Filtering traffic by port and protocol is therefore not a mechanism that on its own guarantees security and control of the environment. Many applications are built on top of HTTP, and filtering only the port, or even the remote address, does not mean the control succeeds.
For this reason, it is natural that current solutions offer, beyond the traditional control by port and service, controls based on the behaviour of the traffic, regardless of port and protocol, thereby identifying the applications that are actually in use.
Used especially by stateless and stateful firewall solutions, port and protocol filtering is still built into current products and remains essential, since communication between networks takes place over ports and protocols.
In addition, port and protocol filtering offers much better performance than application filtering, because it needs to examine a much smaller amount of data (the protocol headers only) instead of analysing the whole packet, as application-based control does.
In a security policy it is therefore natural to use per-service filtering to block the ports the organization considers unnecessary, which reduces the amount of traffic application control has to cover and gives the environment better performance without compromising security.
In some products, filtering by service goes beyond knowledge of port and protocol and takes into account the communication patterns that define the service, independently of the connection port (if not the default). This feature reflects the evolution of filtering by service; however, it demands more analysis and consumes more of the solution's resources.
The premise of filtering by application, or application control, is to abstract away ports and protocols and focus on the traffic itself, identifying which application is being used in the connection on the basis of a list of signatures or behaviours: BitTorrent, Dropbox, WhatsApp, DNS, and so on.
It is worth pointing out that the application filter can also analyse traffic from the per-service perspective. Its goal, however, is to go further and give the administrator the possibility of filtering on what users are actually using, abstracting away the technical details of how that service operates.
Application-based filtering should be treated as a complement to filtering by service, port and protocol. That is why it makes no sense to apply it on ports already known not to be part of the company's policy: those should simply be dropped by the cheaper port filter.
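The following Python sketch is an added example, not code from the original article or from any product it describes. It shows the two points made above in one pipeline: a cheap port/protocol ACL runs first and drops traffic the policy does not want (telnet on 23/TCP never reaches payload inspection), and a payload-signature classifier then names the application on the flows that remain regardless of their port, so SSH moved to 2222/TCP, HTTP on 8080/TCP and a BitTorrent handshake hiding on 443/TCP are all recognised for what they are. The allowed ports, the denied-application list, the signatures and the sample flows are all constructed and deliberately simplified; a real engine has far more signatures and tracks flow state.

```python
"""Two-stage filter: port/protocol ACL first, application signatures second.
Added example with constructed policy, signatures and flows (not real traffic)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_port: int
    payload: bytes    # first bytes sent by the client in the flow


# Stage 1: ports/protocols the (assumed) organisation policy considers necessary.
# Anything else is dropped here, before any payload is looked at.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 2222),
                 ("tcp", 8080), ("udp", 53)}


def port_filter(flow: Flow) -> bool:
    """Stage 1: decide on protocol and destination port only (headers, no payload)."""
    return (flow.proto, flow.dst_port) in ALLOWED_PORTS


# Stage 2: application signatures over the first client bytes (assumed, minimal).
def _is_ssh(f: Flow) -> bool:
    return f.payload.startswith((b"SSH-2.0-", b"SSH-1.99-"))


def _is_http(f: Flow) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
    return f.payload.startswith(methods)


def _is_tls(f: Flow) -> bool:
    # TLS record: type 0x16 (handshake), major version 0x03, then ClientHello (0x01)
    p = f.payload
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


def _is_bittorrent(f: Flow) -> bool:
    # Peer wire protocol handshake: <0x13>"BitTorrent protocol"
    return f.payload.startswith(b"\x13BitTorrent protocol")


def _is_dns(f: Flow) -> bool:
    # DNS query over UDP: 12-byte header, QR bit clear, at least one question.
    # Loose on purpose, so it is checked last.
    p = f.payload
    return (f.proto == "udp" and len(p) >= 12
            and (p[2] & 0x80) == 0 and int.from_bytes(p[4:6], "big") >= 1)


SIGNATURES = [("ssh", _is_ssh), ("http", _is_http), ("tls", _is_tls),
              ("bittorrent", _is_bittorrent), ("dns", _is_dns)]


def identify_application(flow: Flow) -> str:
    """Stage 2: name the application from its payload, ignoring the port."""
    for name, matches in SIGNATURES:
        if matches(flow):
            return name
    return "unknown"


# Assumed application policy: everything identified is allowed except these.
DENIED_APPS = {"bittorrent"}


def decide(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason). Stage 2 runs only if stage 1 admits the flow."""
    if not port_filter(flow):
        return "deny", "port-filter"
    app = identify_application(flow)
    action = "deny" if app in DENIED_APPS else "allow"
    return action, "app:" + app


def run_policy(flows: List[Flow]) -> Tuple[List[Tuple[str, str]], int]:
    """Apply the policy and report how many flows needed payload inspection."""
    decisions = [decide(f) for f in flows]
    inspected = sum(1 for _, reason in decisions if reason.startswith("app:"))
    return decisions, inspected


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("tcp", 2222, b"SSH-2.0-OpenSSH_9.3\r\n"),                       # SSH moved off 22
    Flow("tcp", 8080, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),      # HTTP on a non-default port
    Flow("tcp", 443, b"\x13BitTorrent protocol" + bytes(8) + bytes(40)),  # P2P hiding on 443
    Flow("udp", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                    b"\x07example\x03com\x00\x00\x01\x00\x01"),            # DNS A query
    Flow("tcp", 23, b"\xff\xfb\x01"),                                     # telnet: dropped at stage 1
]

if __name__ == "__main__":
    results, n = run_policy(SAMPLE_FLOWS)
    for flow, (action, reason) in zip(SAMPLE_FLOWS, results):
        print(f"{flow.proto}/{flow.dst_port:<5} {action:<5} {reason}")
    print(f"{n} of {len(SAMPLE_FLOWS)} flows required payload inspection")
```

Running it prints one line per flow and then the count of flows that reached stage 2 (four of five): the telnet flow is decided from headers alone, which is the performance argument for letting the port filter run first. Note that signature order matters: the DNS check is loose enough to match an SSH banner or an HTTP request line, so it is restricted to UDP and checked last.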
The visibility that application control provides is also useful for other insights within the organization, such as knowing the usage profile of users and departments, which makes it possible to size Internet resources properly and to gauge the level of threat in the environment. This is because, depending on the types of applications used in the corporate environment, the company's exposure to threats can be higher.
When selecting and deploying a security solution, do not treat these topics in isolation but as complementary. That way the results for the environment are maximized, with better performance and more accurate controls. And remember: if in doubt about any information security matter, seek help from a specialist!