Applications are foundational to the internet and form the basic building blocks of any organization’s IT stack. Having complete and detailed visibility into the applications in your network is an important step in formulating an overall security posture for your organization. Visibility enables organizations to understand the types and traffic patterns of applications, determine the business relevance of applications, assess the risk profile of applications, and then apply appropriate security controls to allow/deny application access, based on the business needs and overall security strategy.
Application IDs are a critical capability of the VMware Firewall (both distributed and gateway). Port-based or Layer 4-based rules have several shortcomings: lack of visibility into the application protocol at Layer 7, and no support for dynamic protocols are a couple of key shortcomings. Support for Application IDs allow the firewall to move beyond application classification based on port/protocol and classify traffic based on a variety of other criteria and sophisticated techniques. This advanced classification and accurate identification of applications form the basis for security policies and protection against advanced threats in the firewall.
Crafting the right security policies can sometimes be difficult without an easy reference to all supported applications on the product. This is especially true since our classification techniques react to the ever-changing application landscape, and the list of supported applications changes in tandem. This list can run into the thousands.
Today we’re announcing the availability of the App Dictionary portal. App Dictionary is a web-based portal where users can browse the list of supported applications in an interactive manner. Application IDs are available by the firewall release and are assigned to predefined categories such as peer-to-peer, gaming, audio/video, streaming, etc. Several of these categories are known vectors for advanced threats. Furthermore, meaningful tags are applied to every Application ID. This makes it easy to search for a specific application depending on the intended use case. Detailed information on each application ID including related protocols and affected device operating systems, helps make an informed decision. The results can also be exported to a file for easier consumption and distribution.
App Dictionary portal landing page
Imagine you are the network security admin at a large enterprise. Your SOC (Security Operations Center) just called to let you know of some suspicious activity on a particular server hosting a critical enterprise application that uses the postgres database. Initial triage has revealed a large volume of SSH traffic into the server. You break out in a cold sweat since your VMware Distributed Firewall policy surely wouldn’t allow it, even if the bad guys have hijacked port 5432 (well-known port for postgres) for SSH, and are planning to install a backdoor on the server. A quick check reveals the problem – the previous admin set up the policy using L4 rules. Time to spring into action. You jump into VMware’s App Dictionary portal and quickly check if ‘postgres’ is supported.
Searching for a specific application
Great news! It is supported by the VMware firewall. You create and apply a new rule on the VMware Distributed Firewall using context policies (more info here) to only allow traffic that matches the ‘postgres’ application. Within seconds, SSH traffic has ground to a halt, and the backdoor shuts on the bad guy. Order has been restored, the SOC is happy and can proceed with further investigation and potential remediation actions on the server.
This was just one example to highlight the value of quick and efficient access to our rich set of application IDs. We’re excited to bring you this portal, and we’re confident that this will accelerate your understanding and consumption of our security solutions. We have several enhancements planned, so stay tuned and don’t forget to check back in periodically. Good luck on your VMware security journey, and drop us a note if you have any questions/comments.
