Application ID

Traffic is commonly classified as a particular application or service using layer 4 port and protocol information. The Internet Assigned Numbers Authority (IANA) maintains a list of known service names, port numbers and protocols that is generally useful for this purpose. If applications and services adhered to the IANA convention and were trustworthy, this mapping alone would be sufficient for securing a network. In reality, applications and services can communicate over almost any port, and when they have malicious intent, or are compromised and become malicious, the use of layer 4 mappings for securing a network is insufficient.

Every application or service has a signature. When that signature is evaluated, the application or service can be classified more precisely. This classification is referred to as Application ID. When Application IDs are known, they can be used in a more advanced security posture to permit or block traffic, and to provide protections against malicious intent. Basic protection uses layer 4 information. More advanced protection uses Application ID information.
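The contrast between layer 4 classification and signature-based Application ID, as an added illustration that is not Multicloud Defense code: a small IANA-style port table, hypothetical byte signatures for SSH, HTTP and TLS, and three constructed sessions (TLS on 443, SSH hidden on 443, HTTP on a non-standard port) evaluated by the same permit rule under both methods.

```python
from dataclasses import dataclass

# Layer 4 lookup, modelled on the IANA service-name registry the text mentions.
# (IANA labels 443 "https"; it is keyed here by what is visible on the wire, TLS.)
IANA_PORTS = {("tcp", 22): "ssh", ("tcp", 80): "http", ("tcp", 443): "tls"}

# Hypothetical signatures over the first client-to-server bytes of a session.
SIGNATURES = [
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("http", lambda p: p.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT")),
    # TLS record type 0x16 (handshake), version major 0x03, handshake type 0x01 (ClientHello)
    ("tls", lambda p: len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
]

@dataclass(frozen=True)
class Flow:
    proto: str
    dst_port: int
    payload: bytes  # first client bytes; constructed samples, not captured traffic

def classify_by_port(flow: Flow) -> str:
    """Basic (layer 4) classification: transport protocol and destination port only."""
    return IANA_PORTS.get((flow.proto, flow.dst_port), "unknown")

def classify_by_signature(flow: Flow) -> str:
    """Application ID: match the session's signature. A result of "tls" means the
    payload is encrypted and cannot be identified further without decryption."""
    for name, matches in SIGNATURES:
        if matches(flow.payload):
            return name
    return "unknown"

def rule_action(flow: Flow, permitted: set, use_app_id: bool) -> str:
    """Evaluate a permit rule for the given applications: with use_app_id the rule
    matches on the detected Application ID, otherwise on the layer 4 mapping."""
    app = classify_by_signature(flow) if use_app_id else classify_by_port(flow)
    return "permit" if app in permitted else "block"

# Constructed sessions: TLS on 443, SSH on 443, HTTP on a non-standard port.
FLOWS = [
    Flow("tcp", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow("tcp", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("tcp", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.dst_port, classify_by_port(f), classify_by_signature(f),
              rule_action(f, {"tls"}, False), rule_action(f, {"tls"}, True))
```

A rule permitting only "tls" passes the SSH session on 443 when matched at layer 4 and blocks it once the Application ID is used, while the HTTP session on 8080 is "unknown" at layer 4 but identified by its signature.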

Multicloud Defense Application ID uses a set of capabilities for detecting and protecting applications and services:

  • IPS/IDS Profile for enabling the Application ID detection engine.

  • Application Info in Traffic Summary -> Logs for viewing the detected Application IDs for each session.

  • Service Object for specifying the Application IDs to be used to match traffic.

  • Policy Ruleset Rule for specifying the IDS/IPS Profile and the Service Object to enable detection and protection.

Note

Application ID requires an IDS/IPS Profile to enable the Application ID detection engine. The Profile should be configured on all Policy Ruleset Rules where Application ID detection and protection is desired. It is a best practice to use IDS/IPS as part of an advanced security posture regardless of whether Application ID is used. It is recommended that an IDS/IPS Profile be configured for all Policy Ruleset Rules.

Application ID information can only be detected when the traffic is visible in clear text: either the traffic is unencrypted and handled by a Forwarding Service Object, or it is encrypted and decrypted by a Decryption Profile in a Forward Proxy Service Object.