
Applications Are Evolving, So Too Must Application Control

Employees are increasingly turning to web-based or web-enabled applications to help get their jobs done. To combat the risks associated with these applications, one of the most significant evolutions in network security over the last few years has been the advent of application control. This technology gives administrators visibility and control over each application that is allowed to communicate on the network.

Historically, administrators controlled applications through the firewall, setting policies based on the source and destination IP addresses, ports and protocol. Since each application had its own port, this was a fine way to control which applications were and were not allowed on the network.

But applications and threats have changed dramatically, and this static approach to application control is now inadequate. A “Global Survey on Social Media Risks” released by the Ponemon Institute in September 2011 found that more than 50 percent of the 4,640 respondents in 12 countries report an increase in malware due to social media use in the workplace, yet only 29 percent report having the necessary security controls in place to mitigate it.

Applications are no longer identified solely by IP address, port or protocol. Many of today’s applications, such as video streaming, peer-to-peer (P2P) file sharing or instant messaging (IM), are designed to work over multiple ports, which increases the chances they won’t be blocked by firewalls. Configuring defenses around traditional ports is no longer an effective means of managing application usage.
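To make the contrast concrete, the following added example (not part of the original article) runs a port-based policy and a payload-based identification over the same flows and reports where their verdicts disagree. The flows, the allowed-application policy and the simplified protocol signatures are constructed assumptions for illustration.

```python
# Constructed sample flows: (destination port, first bytes sent by the client).
FLOWS = [
    (80,   b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (80,   b"\x13BitTorrent protocol" + b"\x00" * 8),        # P2P on the web port
    (443,  b"SSH-2.0-OpenSSH_8.9\r\n"),                       # SSH on the TLS port
    (443,  b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03"),  # TLS ClientHello
    (8080, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    (6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
]

PORT_TO_APP = {80: "http", 443: "tls", 22: "ssh", 6881: "bittorrent"}
ALLOWED_APPS = {"http", "tls"}  # assumed policy: web traffic only
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")

def app_by_port(port):
    """Classic firewall view: the port number is the application."""
    return PORT_TO_APP.get(port, "unknown")

def app_by_payload(data):
    """Identify the application from the first client bytes, ignoring the port."""
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data.split(b"\r\n", 1)[0]:
        return "http"
    # TLS record: type 0x16 (handshake), major version 3, handshake type 1 (ClientHello)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "unknown"

def evaluate(flows):
    """Return both verdicts for every flow."""
    rows = []
    for port, data in flows:
        by_port, by_payload = app_by_port(port), app_by_payload(data)
        rows.append({
            "port": port,
            "port_verdict": "allow" if by_port in ALLOWED_APPS else "deny",
            "app": by_payload,
            "app_verdict": "allow" if by_payload in ALLOWED_APPS else "deny",
        })
    return rows

def mismatches(flows):
    """Flows where the port-based verdict differs from the application-based one."""
    return [(r["port"], r["app"]) for r in evaluate(flows)
            if r["port_verdict"] != r["app_verdict"]]

if __name__ == "__main__":
    for row in evaluate(FLOWS):
        print(row)
```

The port-based policy allows the P2P and SSH flows because they arrive on ports 80 and 443, and denies legitimate HTTP on port 8080; the payload-based view gets all three right.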

Related White Paper: The Five Key Benefits of Application Control & How to Achieve Them

With this new reality, the time has come to evolve your application control strategy. In so doing you’ll be able to achieve a host of benefits including:

Gain visibility, protection and control of applications, regardless of port or protocol. Today’s applications are evasive and ‘firewall aware.’ Being able to analyze and control applications regardless of their trickery is critical.

Reduce Bring-Your-Own-Device (BYOD) risk through enforcement of mobile applications. Controlling the applications used on devices owned by employees or partners may not be possible. However, you can control which applications can access your corporate network and which corporate resources are available to the BYOD user.

Limit the exposure created by social media applications. Social media introduces new inbound and outbound security threats. In both instances, policies that block or constrain social media, for example ‘view but do not execute files or send information,’ can help prevent malicious executable files from entering and compromising the IT environment, and keep sensitive information from exiting.

Reduce attack surface and inspection requirements. By limiting the number and types of applications that are allowed to communicate on the network, administrators can reduce the number of vectors that attackers could use to access sensitive information and can block advanced malware attempting to communicate covertly.

Reclaim bandwidth from streaming/sharing applications. Identifying and stopping the use of applications with low business relevance, such as P2P file sharing and music and video streaming, can help administrators not only increase security, but also reclaim wasted bandwidth and even increase employee productivity.

To keep pace with today’s changing environment, application control solutions are evolving to give organizations greater visibility, protection, control and choice of deployment. When evaluating solutions, consider asking IT security vendors the following questions:

1. What are my deployment options? Application control has come primarily with Next-Generation Firewalls (NGFWs), Next-Generation Intrusion Prevention Systems (NGIPSs) or other Web security gateways. Particularly for large enterprises with many firewalls and those that have not reached the end of their firewall lifecycle, ripping and replacing the existing firewall infrastructure is infeasible. Considering that application control is essentially an inspection function, in these cases deploying application control as part of the NGIPS infrastructure can be more efficient and cost-effective.

2. Can the solution inspect applications? Picking up on the last point, many applications are essential to facilitate network communications and, therefore, must be deeply inspected for threats. Integration with advanced intrusion prevention capabilities is increasingly important.

3. How does the solution handle encrypted applications? An increasing number of applications leverage Secure Sockets Layer (SSL) encryption for privacy. Overall, this is a good security practice, although it poses some unique challenges for security technologies. The ability to decrypt, inspect and re-encrypt traffic is essential to gain visibility and control over applications.

4. Does the solution support URL filtering? While URL filtering alone is not a substitute for application control, it can provide an important additional layer of security, reduce legal exposure and improve business productivity. Because so many applications are web-based, look for solutions that integrate URL filtering seamlessly alongside application control.

5. How granularly can I control policies? Application control and URL policy enforcement must be flexible and granular to be relevant. Heavy-handed approaches that simply block access can stymie business productivity. Granular control can enable business-relevant access by department, group, user, network location, etc.

6. How easy is the solution to manage? With thousands of applications and potentially hundreds of control policies that will initially change frequently per application, if not per user or user group, administrators must be able to quickly search applications and create and change policies easily.

Applications are key targeted points of entry for hackers. Evading traditional defenses, attackers are taking advantage of the sheer volume of applications, the BYOD trend, social media, and other opportunities to glean information and penetrate networks. Improving network security through better application control is critical. With limited resources and increased pressure to reduce attack vectors, the time has come to take a fresh look at the application control solution landscape.

Marc Solomon, Cisco's VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor's degree from the University of Maryland, and an MBA from Stanford University.