Back in the day, the big network security vendors were focused on blocking traffic by port number when a new set of protocols came to the fore. These protocols used evasion techniques, port hopping among them, that kept security experts hopping as well. Every day brought a new protocol or variant that broke the previous rules and assumptions about how to detect it.
It was tough to get ahead of this dynamic. Keeping an edge in application identification was hard when it was only one of many problems a vendor had to contend with, and a narrow discipline at that.
Of course, as any good engineer will tell you, with unlimited time and resources a perfect solution can be found for any problem. Sadly, those conditions are rarely available in adequate measure given the pressure of an installed base clamoring for a fix to some change or wrinkle.
Making matters worse was the threat of the dreaded false positive: perfectly good traffic blocked in an effort to manage the threatening traffic. Detection often came with a configuration knob that let the user decide whether to enable “more aggressive” techniques. The user made the ultimate call based on their appetite for potentially breaking things they wanted to work. Not every customer and prospect saw this complexity as a good thing; many would have preferred that their network security vendor figure it out for them.
Eventually the battle became too much for most security vendors, and many turned to outsourcing this important activity.
More network security vendors are making this choice today than ever before. With each aspect of security becoming so specialized, it is the prudent thing to do. Outsourcing lets vendors focus on the core problems they are trying to solve and implement application identification as a drop-in from a company that does that for a living. Depending on how you count, this saves at least 30 man-years of effort, and as many as 60.
Hiring the experts has advantages beyond cutting time to market and saving money. Developing detection algorithms is tricky business and not for the faint of heart. Anonymizers have made application identification particularly difficult, since their whole purpose is to hide which application is underneath. Because monitoring these protocols matters to most security platforms, make sure any contemplated solution has demonstrated competence in this area. Some anonymizers are only locally popular, so an application identification vendor may not support every one you need, but they should certainly have cracked the more widely used ones.
As for broader application coverage, ensure that commonly used enterprise frameworks are supported and that the vendor can demonstrate it. Many of these services and applications are encrypted, which makes identifying them harder: the payload itself is not readable, so classification has to rely on what is still visible, such as handshake metadata and traffic characteristics. A classification engine worthy of selection can still provide the level of detail required. Encryption is a challenge here, but it is not a show-stopper for good detection techniques. The content may remain obscured, but identifying which application is in use should be solid.
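To make the contrast concrete, here is an added example (not code from the article or from any vendor's classification engine) that shows why port-based blocking failed against port-hopping applications and how an encrypted flow can still be identified. It classifies each flow twice: once by destination port alone, and once by parsing the unencrypted TLS ClientHello to read the server name (SNI) and ALPN extensions. The ClientHello bytes, the port table, and the SNI rules are all constructed for this example and are not real signatures.

```python
"""Port-based vs. content-based application identification (added example)."""
import struct

# Port table in the spirit of the old port-blocking approach (constructed).
PORT_TABLE = {22: "ssh", 80: "http", 443: "https"}

# Hypothetical SNI suffix rules; a real engine would carry thousands of these.
SNI_RULES = [
    ("example-video.test", "video-streaming"),
    ("example-chat.test", "messaging"),
]


def classify_by_port(dst_port):
    """The legacy method: trust the port number and nothing else."""
    return PORT_TABLE.get(dst_port, "unknown")


def build_client_hello(sni, alpn):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured)."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name type
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(body)) + body            # ext 0 = server_name
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        body = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", 16, len(body)) + body           # ext 16 = ALPN
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, no session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"                   # one cipher suite, null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (sni, [alpn...]) from a TLS record holding a ClientHello, or None if it is not one.
    Every length is bounds-checked so a truncated or hostile record cannot raise."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    hs_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + hs_len]
    if len(body) < hs_len:
        return None                                   # truncated record
    pos = 2 + 32                                      # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                              # compression methods
    sni, alpn = None, []
    if pos + 2 > len(body):
        return sni, alpn                              # no extensions present
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5:            # server_name: list len, type, name len, name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == 16 and len(edata) >= 2:         # ALPN: list len, then len-prefixed names
            i = 2
            while i < len(edata):
                n = edata[i]
                alpn.append(edata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return sni, alpn


def classify_by_content(dst_port, payload):
    """Identify the application from handshake metadata; fall back to the port only
    when no ClientHello is present (lower confidence, as the article warns)."""
    parsed = parse_client_hello(payload)
    if parsed is None:
        return classify_by_port(dst_port)
    sni, alpn = parsed
    for suffix, app in SNI_RULES:
        if sni and (sni == suffix or sni.endswith("." + suffix)):
            return app
    if "h2" in alpn or "http/1.1" in alpn:
        return "https"
    return "tls-unknown"


# Constructed flows: an evasive app hiding on 443, a web client on an odd port, and SSH.
SAMPLE_FLOWS = [
    ("evasive app on 443", 443, build_client_hello("cdn.example-video.test", ["h2"])),
    ("web on odd port", 8443, build_client_hello("www.example.test", ["http/1.1"])),
    ("ssh on 22", 22, b"SSH-2.0-OpenSSH_9.0\r\n"),
]


def classify_flows(flows=SAMPLE_FLOWS):
    return [(label, classify_by_port(port), classify_by_content(port, payload))
            for label, port, payload in flows]


if __name__ == "__main__":
    for label, by_port, by_content in classify_flows():
        print(f"{label:20s} port-based={by_port:10s} content-based={by_content}")
```

The first flow is the one the article is about: port 443 says "https" while the SNI reveals a different application entirely. The second shows the reverse failure, a legitimate web client on a non-standard port that a port table calls "unknown". Note that SNI is only one signal and can be absent or encrypted (Encrypted Client Hello); a production engine layers certificate, ALPN, and behavioral features on top of it.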
Application identification is foundational to many security applications and products in today’s networks. Building this functionality natively pulls much-needed focus from core activities. Creating and maintaining sustainable detection techniques is better left to the experts. In closing, should further justification be needed, savings of 30 or more man-years and approximately two million dollars provide additional incentive for this approach.