Tuesday, April 13, 2021

NGFW application control in real life

Hello,

I would like to know how "Application Control" is used on an NGFW in real life, since as I understand it the application database can never be complete and up-to-date.

While I am only familiar with Barracuda firewalls (which get their application database from German company ipoque in the form of an OEM DPI engine), I guess the principle is roughly the same for all NGFWs.

There are at least the following scenarios:

a) I want to block/thwart an application

It possibly doesn't matter if not all traffic flows of a specific application are detected correctly, as it might be enough to achieve the goal that the application doesn't work anymore.

b) I need to block everything except some "very specific simple" application

E.g. a server should be blocked from Internet access except for contact to some vendor license server -> the license server is documented, so I can create a specific custom application. Depending on how I created this custom application, I might need to adjust it in case the license server changes.

c) I need to block everything except some "complex" application

E.g. certain users should not have full Internet access, but since some cloud resources are mandatory for daily business, they need to be reachable for them without issues. Let's just assume we're talking about Microsoft Teams, but actually it could be anything.

For Teams to work, there are quite some dependencies, most likely some Office365 "application" and so on. How do I know?

According to Palo Alto's Applipedia the requirement is "ms-office365", so if I need to permit Teams, I'd have to permit "ms-office365" and whatever Teams functionality I need (since it lists several ms-teams related applications). I'm not sure whether this works as easily and flawlessly as I'd imagine.

In Barracuda, in the case of Teams one dependency is "Web Browsing", which is all http/https access that isn't detected as a more specific application. In practice this isn't strictly true: if you just try it and permit detected applications such as "Microsoft Office365 Base" etc. until Teams works, you're probably fine.

But my question is, what happens if Microsoft decides to change Teams in a way that the firewall doesn't detect it well enough anymore? I guess it will take days, weeks or even longer until an NGFW gets its application pattern updated.

I used Teams only as an example, there are lots of very dynamic and complex applications with many dependencies.
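One defender-side check for exactly this worry, added here as an example that is not from the original post and not tied to any vendor's log format: scan allow/deny logs for destinations that used to be classified as a specific, permitted application but are now only seen as a generic classification ("Web Browsing", unknown) and denied, which is the symptom of a signature lagging behind a vendor change. The log lines, field names and application labels are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not a real vendor format): one session per line.
SAMPLE_LOGS = """\
ts=2021-04-13T08:00:01 src=10.1.1.20 dst=52.112.0.10 app=ms-teams action=allow
ts=2021-04-13T08:00:05 src=10.1.1.21 dst=52.112.0.10 app=ms-teams action=allow
ts=2021-04-13T08:01:10 src=10.1.1.20 dst=40.126.0.5 app=ms-office365 action=allow
ts=2021-04-13T09:30:02 src=10.1.1.20 dst=52.112.0.10 app=web-browsing action=deny
ts=2021-04-13T09:30:09 src=10.1.1.22 dst=52.112.0.10 app=web-browsing action=deny
ts=2021-04-13T09:31:00 src=10.1.1.23 dst=52.112.0.10 app=unknown-tcp action=deny
ts=2021-04-13T09:32:00 src=10.1.1.20 dst=203.0.113.9 app=web-browsing action=deny
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) app=(\S+) action=(\S+)")

# Labels that mean "the DPI engine did not recognise a specific application"
# (assumed names; adapt to the classifications your firewall actually emits).
GENERIC_APPS = {"web-browsing", "unknown-tcp", "unknown-udp", "ssl"}


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield dict(zip(("ts", "src", "dst", "app", "action"), m.groups()))


def find_classification_drift(lines, min_denies=2):
    """Return {dst: (previous_app, deny_count)} for destinations that were
    classified as a specific app and allowed at some point, but are also
    seen under a generic classification and denied at least min_denies times.
    Two passes so the result does not depend on log ordering."""
    events = list(parse(lines))
    known_app = {}  # dst -> specific application it was allowed as
    for ev in events:
        if ev["action"] == "allow" and ev["app"] not in GENERIC_APPS:
            known_app[ev["dst"]] = ev["app"]
    generic_denies = defaultdict(int)
    for ev in events:
        if ev["action"] == "deny" and ev["app"] in GENERIC_APPS and ev["dst"] in known_app:
            generic_denies[ev["dst"]] += 1
    return {dst: (known_app[dst], n) for dst, n in generic_denies.items() if n >= min_denies}
```

A destination that was never allowed as a specific app (203.0.113.9 above) is ignored on purpose, so ordinary blocked browsing does not trigger the check.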

So is all this shiny "Application Control" not really suitable for a scenario like c) as I described it? (I still see the advantage of better visibility, the possibility of a) and b), and some other benefits.)

Any thoughts? How do you use this functionality?
