SECURITY & REAL-TIME APPLICATION INSIGHT
• Knowing what’s on your Network
• Benefits of Application Recognition
• Deeper Insight and Content Decoding
• Security Customer Use Case
NETWORK SECURITY CHALLENGES
Sophisticated Cyber Threats
• Layer 4 rules and port based security are not enough
• Point-based security products are not enough
Application and Content Overload
• Ever-changing applications need continuous up-to-date Layer 7 awareness
Encryption
THE PERVASIVENESS OF MALICIOUS TRAFFIC
UNSEEN BACKDOORS
“To defend their network, organizations must be aware of
what’s on it: devices, operating systems, services,
applications, users, and more.”
“Many users download mobile apps regularly without any
thought to security”.
HOW APPLICATION AWARENESS HELPS SECURITY
Security Defense – Proactive in Real-time
• Embed real-time application awareness into security infrastructure
• Improve visibility of network-based risks such as viruses and malware.
• Deep analysis of protocol metadata to show application behavior
• Fast processing speeds to handle live traffic volumes
Forensics – Deeper Analysis Off-line
• Gather deeper information on captured traffic
REALLY GET TO KNOW WHAT’S ON YOUR NETWORK
PACE is software that provides full protocol and application visibility from Layer 3 to Layer 7. It identifies the applications in use as well as attributes such as video or voice for deeper insight.
GAIN DEEPER APPLICATION INSIGHT
[Figure: processing pipeline of pre-processing, classification and metadata extraction; traffic volume by app, by user and by protocol]
• Application performance, e.g. latency and jitter for VoLTE and video
• Performance troubleshooting, e.g. application download time
• Identifiers, e.g. email sender/receiver addresses
• Files, e.g. the codec used by a Video on Demand application
• Usage, e.g. HTTP URL or client software used
FACEBOOK METADATA EXAMPLE
(user action: extracted metadata -> event)
Searching
  Search results page: user, ID; search text; result list (text, path) -> IPD_EVENT_FACEBOOK_SEARCH
  Typed dynamic search results: user, ID; search text; result list (uid, text, type, category, path) -> IPD_EVENT_FACEBOOK_SEARCH
Profile
  Wall story: user, ID, wall path, story owner, story owner link, story message, target fbit -> IPD_EVENT_FACEBOOK_WALL_STORY
  Visit: user, ID; other user, ID -> IPD_EVENT_FACEBOOK_PROFILE_VISIT
Login / Logout
  Login: ID; user -> IPD_EVENT_FACEBOOK_LOGIN
  Logout: ID; user -> IPD_EVENT_FACEBOOK_LOGOUT
Reading Private Message
  Viewing list of messages: user, ID; thread list (thread ID, subject, snippet, original author, time last updated rendered, recent authors list) -> IPD_EVENT_FACEBOOK_INBOX
  Viewing inbox/sent message without/with photo/video/link attachment: user, ID; thread ID; original author; recipients list; subject; message list (author, rendered time, message text, rendered attachment) -> IPD_EVENT_FACEBOOK_MESSAGE_THREAD
Sending Private Message
  New/reply simple text message to one/multiple recipients/list of friends without/with link attachment: thread ID; user, ID; recipient/recipient list/empty in case of reply; subject; message (author, rendered time, message text); rendered attachment -> IPD_EVENT_FACEBOOK_SEND_MESSAGE
  New/reply simple message with photo/video attachment: user, ID; comment; composer_id; profile_id; photo/video items [{filename, data}] -> IPD_EVENT_FACEBOOK_SEND_MESSAGE
FACEBOOK METADATA EXAMPLE (CONTINUED)
Friends
  Requesting friendship: user, ID; other user, ID -> IPD_EVENT_FACEBOOK_REQUEST_FRIENDSHIP
  List of friends: user, ID; friends list owner; list of friends -> IPD_EVENT_FACEBOOK_FRIEND_LIST
  Removing friend: user, ID; other user, ID -> IPD_EVENT_FACEBOOK_REMOVE_FRIEND
  Accepting a friendship request: user, ID; other user, ID -> IPD_EVENT_FACEBOOK_ACCEPT_FRIENDSHIP
  Rejecting a friendship request: user, ID; other user, ID -> IPD_EVENT_FACEBOOK_REJECT_FRIENDSHIP
Posting on user‘s/friend‘s wall
  Posting a text message/link: user, ID; message text; _/attachment url; target user (in case of friend‘s wall) -> IPD_EVENT_FACEBOOK_POST
  Posting a photo/video: user, ID; comment, composer ID; profile ID; photo/video items (filename, data) -> IPD_EVENT_PHOTO_VIDEO_UPLOAD
Instant Messages
  Sending/receiving an instant message: user ID; from; to; message, message ID; time; client_time -> IPD_EVENT_FACEBOOK_MESSAGE_CHAT
Commenting on a post
  Commenting on a post: user, target profile ID, target fbID, assoc obj ID; comment text -> IPD_EVENT_FACEBOOK_COMMENT_ADD
  Deleting a comment: user, target profile ID, target fbID, assoc obj ID -> IPD_EVENT_FACEBOOK_COMMENT_DELETE
ALWAYS APPLICATION & USER BEHAVIOUR AWARE
Examples of protocols and applications
• Enterprise: Citrix, WebEx, Blackberry, SAP, Lync, Exchange, Diameter, Lotus Notes, IPsec, OpenVPN, etc.
• VoIP / Messaging: Skype, Oscar (ICQ/AIM), SIP, RTP, RTSP, Skinny, QQ, WebEx, WhatsApp, WeChat, LINE, etc.
• Social Networking: Facebook, Twitter, MySpace, LinkedIn, Sina Weibo, Instagram, Tumblr, RenRen, etc.
• P2P / Filesharing: BitTorrent, eDonkey, Rapidshare, Uploaded.to, 4shared, Xunlei, etc.
• Streaming: YouTube, Netflix, Deezer, MyVideo, Vimeo, PPStream, QQLive, Youku, iTunes Radio, etc.
Examples of metadata
• Traffic volume: per user, per protocol, per application, etc.
• QoS KPIs: jitter, throughput, latency, round-trip time, packet loss rate (per direction), packet direction, etc.
• User ID: MSISDN, Diameter/RADIUS login, mail address, callee, caller, sender, receiver, etc.
• User info: call state, operating system used, tethering status, clicked URL, etc.
• Client/server indication per subscriber
• Optimized for high-performance live network traffic processing.
• Performance tests based on real-world traffic show very good performance values.
• CPU usage increases in direct proportion to the number of activated applications.
• Lowest memory usage compared to the competition.
• No memory allocation at run time, which saves processing power.
THE ENCRYPTION CHALLENGE
Currently one out of every four protocols or applications is encrypted.
In addition, protocols such as eDonkey, Freenet and other P2P apps can adapt to circumvent firewalls and detection.
A variety of techniques (pattern matching, behavioural and heuristic analysis, and finite state machines) is used to reliably detect protocols and apps.
[Figure: detection techniques, from simple to complex]
• Simple pattern matching within a single packet
• Flow tracking mandatory
• Pattern matching over multiple packets, e.g. the HTTP User-Agent header identifying Facebook
• Behavioural analysis: pattern matching over multiple packets, e.g. a packet-size sequence SHORT, LONG, SHORT, SHORT, SHORT
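As an added illustration (not ipoque's code and not PACE's actual signatures), a toy Python flow classifier that walks through the three stages named above: a single-packet pattern, a flow-tracked pattern that only completes once the HTTP User-Agent header has arrived in a later packet, and a behavioural rule over the packet-size sequence that works even when the payload is opaque. The signatures, the 200-byte short/long threshold, the three-packet budget and the sample flows are constructed assumptions.

```python
import re
from collections import defaultdict

# Stage 1: single-packet pattern matching, one regex against one payload.
SINGLE_PACKET = {"bittorrent": re.compile(rb"^\x13BitTorrent protocol")}
# Stage 2: multi-packet pattern matching. Request line and User-Agent may sit in
# different segments, so the regex runs over the flow's accumulated payload.
MULTI_PACKET = {"facebook": re.compile(
    rb"^(?:GET|POST) \S+ HTTP/1\.[01]\r\n.*?User-Agent:[^\r\n]*Facebook", re.S)}
MAX_PACKETS = 3  # the slide's budget: a verdict within the first 1-3 packets

def behavioural_rule(sizes):
    """Stage 3, constructed rule: SHORT LONG SHORT... sizes; content-agnostic."""
    classes = ["SHORT" if n < 200 else "LONG" for n in sizes]
    if classes[:2] == ["SHORT", "LONG"] and all(c == "SHORT" for c in classes[2:]):
        return "behavioural:short-long-short"
    return None

class FlowClassifier:
    """Per-flow state (flow tracking), which the multi-packet stages need."""
    def __init__(self):
        self.flows = defaultdict(lambda: {"payload": b"", "sizes": [], "app": None})
    def feed(self, key, payload):
        """Feed one packet of flow `key`; return the app once decided, else None."""
        f = self.flows[key]
        if f["app"] is not None:
            return f["app"]
        f["sizes"].append(len(payload))
        f["payload"] += payload
        for app, rx in SINGLE_PACKET.items():
            if rx.search(payload):
                f["app"] = app
        for app, rx in MULTI_PACKET.items():
            if f["app"] is None and rx.search(f["payload"]):
                f["app"] = app
        if f["app"] is None and len(f["sizes"]) >= MAX_PACKETS:
            f["app"] = behavioural_rule(f["sizes"]) or "unknown"
        return f["app"]

# Constructed sample flows (TEST-NET addresses), not captured traffic.
SAMPLE_FLOWS = {
    "10.0.0.5:51000->203.0.113.10:80": [
        b"GET /home.php HTTP/1.1\r\nHost: m.facebook.com\r\n",
        b"User-Agent: Mozilla/5.0 [FBAN/FB4A] Facebook\r\n\r\n"],
    "10.0.0.7:6881->198.51.100.4:6881": [b"\x13BitTorrent protocol" + b"\x00" * 48],
    "10.0.0.9:40000->192.0.2.8:443": [b"\x16" * 60, b"\x16" * 1200, b"\x16" * 40],
}

def classify_all(flows=SAMPLE_FLOWS):
    clf = FlowClassifier()  # one classifier instance shared by all flows
    return {k: [clf.feed(k, p) for p in pkts][-1] for k, pkts in flows.items()}
```

The Facebook flow is only decided on its second packet, which is what makes flow tracking mandatory; the TLS-like third flow never matches a payload pattern and falls through to the size-sequence rule.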
PACE APPLICATION RECOGNITION IS ALWAYS CURRENT
WHY INTEGRATE OEM SOFTWARE FROM IPOQUE?
Development of an IP classification engine is difficult and costly. ipoque estimates:
• A team of 40 engineers in-house
• 8 to 24 months to develop the software
• $2 million to $3 million for initial development, and then annually for R&D
Licensing from ipoque is simple and cost-effective:
• Minimal incremental staff requirements
• Integration in 1-2 quarters
• Licensing fees are a small fraction of the necessary R&D and include signature plug-ins and maintenance.
LANCOPE STEALTHWATCH
The Customer
• StealthWatch is a leading network behavioral analysis solution for network visibility and security intelligence across physical and virtual environments.
The Challenge
• Challenged to provide effective behavior-based network protection security for distributed enterprises.
The Solution
• Selected ipoque’s PACE for its Layer 7 application awareness and visibility into traffic flows for improved network security intelligence.
The Result
• Lancope StealthWatch can detect more sophisticated attacks, as anomalies in the network and applications are more easily identified.
CASE STUDY – LANCOPE
BUSINESS CASE BENEFITS
• Fast time to market for Lancope
• Continuous updates from ipoque ensure that the latest applications can be detected.
• Anomalies in the network and applications are more easily detected.
• By basing development on standard servers, there is an annual opportunity to improve performance by up to 30%.
PACE BENEFITS IN BRIEF
• ipoque’s PACE is key for application detection and metadata extraction, which is crucial for next-generation network security solutions
• PACE detects around 95% of all IP traffic in a reliable manner, which ensures high network visibility
• PACE needs only 1 to 3 IP packets to classify the most common protocols and applications, which is crucial for online processing
• PACE comes with a ready-to-use interface where a security vendor can easily define their own protocols and applications
• Signature updates are applied at runtime, with no reboot required
IN SUMMARY: HOW APPLICATION RECOGNITION HELPS
Defend and Gain Deeper Insight
• Accelerate time to detection by seeing more of the traffic
• Continuously monitor and scan network traffic and applications
• Aggregate unique context awareness that is not possible with just point security devices.
• High performance to meet increasing data and capacity requirements