Protect Port 80 compromises with a Firewall | Ask The Experts
Controlling Port Evasive applications like Bit-torrent, Skype, IM, P2P…
How can I protect my network from port evasive applications like Bit-Torrent?
Many applications are now designed to be port evasive, BitTorrent and Skype in particular. These new-style applications cannot be secured by traditional firewalls, because they are designed to probe for any open port and run over it should their default (known) port be blocked.
Port + Protocol = Application.
The above is no longer the case. Today's applications do not follow yesterday's rules. Applications are no longer identified by port or protocol; they are designed to work over any port. So if you have port 80 or port 443 open, applications such as Skype, MSN and BitTorrent will use those open ports for their connectivity. Traditional firewalls are rendered useless, because they can only secure the network against applications that still use a fixed port and protocol. IPS devices try to make up for this shortcoming, but they are usually hit and miss. To be honest, everyone knows it is difficult to control port-hopping applications.
With the new-style applications that are now emerging and running over port 80, such as Web 2.0 apps like MSN Web Messenger, Google Earth, YouTube, Facebook and Google Docs, traditional firewalls are unable to control this new wave of applications without denying port 80 altogether, better known as internet / web browsing, which is of course impractical.
Most organisations now require additional devices such as Deep Packet Inspection devices and web filtering devices. These are known to be hit and miss, add latency and performance overhead to the network, and also mean additional cost for hardware, support, maintenance, administration and the engineering skill set needed for each additional device.
Veridical prides itself on best-of-breed technologies. Our portfolio consists of a one-box solution that recognises applications based on their behaviour, signatures and heuristics, not port and protocol, since applications no longer behave that way. Being able to recognise applications in this way puts you in control. If you can see it and understand how it works, you can control it the way you would like to control it. That is the Veridical way. Our portfolio includes a 2nd generation firewall.
The 2nd generation firewall can identify applications irrespective of their port / protocol. It does this in a number of clever ways, most notably by heuristics and the network behaviour of these applications. The 2nd generation firewall does not stop there.
The 2nd generation firewall can also identify application features and create security policies against them in the same way it does for applications.
This means a security policy can be created to allow Skype but deny file transfers within Skype. It can go further, with policies that allow Skype and Skype file transfers but deny certain file types (e.g. .exe or PDF) from being transferred.
It can go further still, allowing Skype and Skype file transfers but denying certain files, such as Word documents that contain a particular string (e.g. 'Company Confidential'), from being transferred while allowing other Word documents to pass.
The 2nd generation firewall is the only really practical and cost-effective solution. It can identify applications irrespective of port and protocol, and with a true layer 7 approach, security policies can be set up against those applications. The 2nd generation firewall can also be easily integrated with Windows Active Directory or a RADIUS server to facilitate user identification by correlating IP addresses to users.
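As an added illustration of the three policy layers described above (application, then feature, then content), not code from Veridical or from any product, the following toy classifier identifies flows by payload content rather than by port and applies a policy of the "allow the application, deny the file transfer if it carries a marker string or a blocked file type" kind. The signatures, policy and sample flows are constructed for the demo; real engines use far richer heuristics.

```python
import re
# Content signatures checked on every flow regardless of destination port (constructed for this demo).
SIGNATURES = (
    ("bittorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]")),  # TLS record header
    ("http", re.compile(rb"^(?:GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n")),
)
APP_POLICY = {"http": "allow", "tls": "allow", "bittorrent": "deny"}  # anything else -> deny
DENIED_EXTENSIONS = (b".exe",)            # file types never allowed in a transfer
DENIED_MARKER = b"Company Confidential"   # string that blocks an otherwise-allowed document

def classify(payload: bytes) -> str:
    """Name the application from payload content; the port is never consulted."""
    for app, sig in SIGNATURES:
        if sig.match(payload):
            return app
    return "unknown"

def http_upload(payload: bytes):
    """Return (filename, body) for a multipart upload (the 'file transfer' feature), else None."""
    head, _, body = payload.partition(b"\r\n\r\n")
    if b"multipart/form-data" not in head:
        return None
    m = re.search(rb'filename="([^"]*)"', body)
    return (m.group(1) if m else b""), body

def app_aware_verdict(port: int, payload: bytes) -> tuple:
    """Layer-7 policy: application, then feature, then content. Returns (app, verdict, reason)."""
    app = classify(payload)
    if APP_POLICY.get(app, "deny") == "deny":
        return app, "deny", f"{app} not permitted (seen on port {port})"
    upload = http_upload(payload) if app == "http" else None
    if upload is None:
        return app, "allow", f"{app} permitted"
    name, body = upload
    if name.lower().endswith(DENIED_EXTENSIONS):
        return app, "deny", "file-transfer: blocked file type"
    if DENIED_MARKER in body:
        return app, "deny", "file-transfer: confidential marker"
    return app, "allow", "file-transfer: permitted"

# Constructed sample flows, all on port 80, so a port-only rule ("80 is open") passes every one.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + bytes(8) + b"A" * 40),
    (80, b"POST /up HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=b\r\n\r\n--b\r\n"
         b'Content-Disposition: form-data; filename="q3.doc"\r\n\r\nCompany Confidential - draft\r\n--b--\r\n'),
]
for port, payload in SAMPLE_FLOWS:  # first verdict: traditional port rule; second: layer-7 policy
    print(port, "port-only:", "allow" if port in (80, 443) else "deny", "app-aware:", app_aware_verdict(port, payload))
```

The port-only verdict is "allow" for all three flows, while the content-based policy passes only the plain page fetch.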
This device truly puts you in control of your network.