Channel: Security Boulevard

Application Control Policies: More or Less Work?

So I was recently talking to a prospect about all the advantages of Sourcefire’s new application control feature, highlighting the improved security through visibility, enforceable compliance with acceptable use policies, and being able to set policy to allow or disallow apps by user or user group. The dialogue that followed was:

Prospect: “How many applications do you recognize/support?”
Me: “A little over one thousand.”
Prospect: “Ugh, all of that sounds like a policy configuration nightmare!”

To be honest, that was the first time I had heard that response. Most people know that application control is a substantial step forward in the evolution of security technologies, and are excited about the ability to introduce the technology in their networks. However, I thought it was a good point to address, so here are my thoughts on the subject.

My first thought was that a policy based on applications is, in part, designed to simplify our current access control model, which is to open or close ports based on the infamous “5-tuple” (source IP, destination IP, source port, destination port, protocol). Enterprise environments with hundreds or thousands of rules based on these metrics can be incredibly complex and even archaic. The language of the 5-tuple policy doesn’t match the real world. Based on the 5-tuple alone, seeing at a glance through reporting what is and is not allowed is very difficult, and it grows increasingly inaccurate as applications port-hop and tunnel.

I believe application control will greatly simplify this model, but the initial configuration still presents itself as a cumbersome task. How do you know what applications are being used on your network, so you can create policy around them?

In an effort to address this question, we expect many of our customers to initially deploy application control in a monitoring mode to augment their firewall (which, as it so happens, they can do through our Next-Generation IPS). In monitoring mode, we can begin to take an inventory of the applications that are being used and by whom, then start to build our policy once this information has been collected.

However, a considerable number of customers are expected to be a little more aggressive and initially deploy the device with a blocking policy on. For these types of deployments, admins do their best to include as many apps as possible into their initial policies during setup.

Sourcefire aids this effort by categorizing apps into groups based on business relevance, risk ratings, and other metrics. The Sourcefire next-generation security platforms can also be configured to either allow or disallow apps that are not specified in a policy. For anyone using custom applications, a simple rule editor is included that empowers anyone with a basic understanding of regular expressions to write custom application filters.
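To make the three ideas above concrete (why a 5-tuple policy misses port-hopping traffic, what a monitoring-mode inventory produces, and how a default action plus a regex-based custom application filter fits in), here is a small added example in Python. It is not Sourcefire code and does not reflect how the product is implemented; the application signatures, the `INVAPP/1` in-house protocol, the users, groups and sample flows are all constructed for this illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed application signatures: a regex over the first bytes of a flow.
# A real product ships its own detectors; these are illustrative only.
APP_SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]"),
    "ssh": re.compile(rb"^SSH-2\.0-"),
    "bittorrent": re.compile(rb"^\x13BitTorrent protocol"),
    "tls": re.compile(rb"^\x16\x03[\x00-\x03]"),
}

# Custom application filter, as an admin might write for an in-house app.
# "INVAPP/1" is a hypothetical protocol invented for this example.
CUSTOM_APPS = {"inventory-app": re.compile(rb"^INVAPP/1 ")}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    user: str          # user attributed to the flow (e.g. from directory integration)
    payload: bytes     # first bytes of the flow


def identify_app(payload, custom=None):
    """Return the first matching application name, or 'unknown'."""
    signatures = {**APP_SIGNATURES, **(custom or {})}
    for name, pattern in signatures.items():
        if pattern.search(payload):
            return name
    return "unknown"


def evaluate_5tuple(flow, rules, default="deny"):
    """Classic access control: rules are ((src_ip, dst_ip, src_port, dst_port, proto), action)."""
    values = (flow.src_ip, flow.dst_ip, flow.src_port, flow.dst_port, flow.proto)
    for rule, action in rules:
        if all(r == "*" or r == v for r, v in zip(rule, values)):
            return action
    return default


def evaluate_app_policy(flow, rules, user_groups, default="deny", custom=None):
    """Application control: rules are (app, user_group, action); unspecified apps get `default`."""
    app = identify_app(flow.payload, custom=custom)
    groups = user_groups.get(flow.user, set())
    for rule_app, rule_group, action in rules:
        if rule_app == app and (rule_group == "*" or rule_group in groups):
            return app, action
    return app, default


def inventory(flows, custom=None):
    """Monitoring mode: count which applications are seen and by which users."""
    by_app = Counter()
    users_by_app = defaultdict(set)
    for f in flows:
        app = identify_app(f.payload, custom=custom)
        by_app[app] += 1
        users_by_app[app].add(f.user)
    return dict(by_app), {a: sorted(u) for a, u in users_by_app.items()}


# Constructed sample flows (documentation-range IPs).
FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", 51000, 80, "tcp", "alice",
         b"GET /index.html HTTP/1.1\r\nHost: example.com"),
    Flow("10.0.0.5", "203.0.113.9", 51001, 80, "tcp", "alice",
         b"\x13BitTorrent protocol..."),            # peer-to-peer client hopping onto port 80
    Flow("10.0.0.7", "198.51.100.2", 51002, 22, "tcp", "bob",
         b"SSH-2.0-OpenSSH_9.6"),
    Flow("10.0.0.7", "192.0.2.10", 51003, 8443, "tcp", "bob",
         b"INVAPP/1 LOGIN bob"),                    # in-house app on a non-standard port
]

FIVE_TUPLE_RULES = [(("*", "*", "*", 80, "tcp"), "allow"),
                    (("*", "*", "*", 22, "tcp"), "allow")]
USER_GROUPS = {"alice": {"staff"}, "bob": {"staff", "ops"}}
APP_RULES = [("http", "*", "allow"),
             ("ssh", "ops", "allow"),
             ("inventory-app", "staff", "allow"),
             ("bittorrent", "*", "deny")]


def compare(flows=FLOWS):
    """For each flow: (identified app, 5-tuple decision, application-policy decision)."""
    out = []
    for f in flows:
        app, app_action = evaluate_app_policy(f, APP_RULES, USER_GROUPS, custom=CUSTOM_APPS)
        out.append((app, evaluate_5tuple(f, FIVE_TUPLE_RULES), app_action))
    return out


if __name__ == "__main__":
    print(inventory(FLOWS, custom=CUSTOM_APPS))
    for row in compare():
        print(row)
```

The second flow is the point of the exercise: a port-based rule admits it because it rides on TCP/80, while the application policy denies it because the payload identifies it as BitTorrent. The fourth flow shows the reverse, a legitimate in-house application that the 5-tuple policy drops for using an unusual port but that a custom filter plus a group-scoped rule allows; without that custom filter it would fall into `unknown` and receive whatever default action the policy sets for unspecified apps.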

Finally, rather than “How many apps do you support?”, prospects should be asking, “How difficult is it to add or remove an app from a policy?” With Sourcefire’s enhanced user interface, users open a policy, select the applications tab, search for an app, add it to the rule, and save. In most instances adding or removing an app from a rule should take about 5 clicks or about 5 seconds.

In the end, yes, there will be a small amount of work to initially integrate application control and instrument its policies, but even this is a relatively menial task with tremendous upside for any IT security organization. Once up and running, next-generation policies based on applications will help minimize risk and increase visibility, and should ultimately reduce the amount of time required to effectively manage an access control policy in the network.
