October 18, 2012

Network Application Fingerprinting

Over the years, networking vendors have needed to modernize and differentiate themselves in a lively world of stiff competition.  In the early 2000’s, a major theme was the broad recognition that network security was – and still is – a key component of a well-rounded networking portfolio.  We saw this with the Enterasys acquisition of Network Security Wizards in order to gain the benefits of the Dragon Intrusion Detection and Prevention System, and several other high profile acquisitions of IDS/IPS vendors made similar news.  Since that time, the networking market has changed.  This is not to say that networking vendors have forgotten about security – rather that the emphasis is perhaps on other technologies.  For example, after IDS/IPS acquisitions were winding down, then came the SIEM vendors and their corresponding acquisitions.  ArcSight, Netwitness, and Q1 Labs were all acquired in multi-million dollar deals.  But why?  The capabilities that intrusion detection systems can give network and security administrators are quite important given the sophisticated take that these products have on parsing network traffic, but these capabilities are only one piece of a larger security puzzle.  The ability to cross reference event data from an IDS with other sources of information turns out to be quite important.  This is especially true when an oft-heard complaint from network administrators on large networks is simply “we can’t find the system regardless of what the IDS says”.  Even if attack detection were perfect (it’s not) this would not mean much if a targeted system remains behind an impenetrable wall of poor asset management.

This brings me to the topic of this blog post – network application fingerprinting.  Beyond the raw need to know what systems are connected to a network (an increasingly challenging task particularly with all of the BYOD activity these days), there is also the need to know how the local network is actually being leveraged by users.  This means knowing what applications are in use at any given time by which users and in what proportions.  Without an applications-centric view of network traffic, everything from network profiling to policy enforcement is done through poor approximations with mundane port and protocol matches in the vain hope that the IANA application-to-port mappings are actually valid.   There are many cases where these mappings are completely meaningless – sophisticated p2p protocols, deliberate usage of applications over non-standard port values, and various tunneling modes come to mind.  Some software is designed to make one application look like another such as the Tor “obfsproxy” tool (see: https://www.torproject.org/projects/obfsproxy.html.en) which can make Tor traffic look like HTTP (or any other protocol for which there is a transport written).

Many vendors in the networking space have recognized the value of being able to give customers the ability to see how their networks are actually be used, and this requires application fingerprinting through deep packet inspection and other techniques.  In the security world, we’re used to applying complex logic to network traffic in order to see when systems are being attacked, and in this case we apply similar  logic to see what applications are communicating across the wire.  Just as there are two major strategies for detecting malicious behavior – signature vs. behavioral – similar strategies apply to application fingerprinting.  Ignoring false positives for a moment, some applications lend themselves quite easily to signature-based fingerprinting techniques (web browsers, server advertised banners, and the like), whereas other applications require statistics-based heuristics for reliable fingerprinting (Skype and encrypted Bittorrent being two prime examples).  Stay tuned for additional blog posts on application fingerprinting and how Enterasys can help.

About The Contributor:
Mike RashArchitect Engineer, Dragon

Michael serves as Security Solutions Architect for Extreme Networks. Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland, and is author of the book "Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort" published by No Starch Press.

See My Other Posts