Application-Aware Security Devices – CompTIA Security+ SY0-401: 1.1

Today’s modern security devices not only must understand the network, but they must also be fluent in the language of our applications. In this video, you’ll learn about security devices that can protect your network by watching application flows.


Today’s modern security devices are looking at everything that goes by on the network, and they are examining it based on the applications that you might be using. This is the OSI model’s application layer, and it means really examining every bit of data that goes through the network. No longer are we just interested in port numbers or protocols that might be going by. We’re really interested in the entire application.

These go by many different names: it might be an application layer gateway, a stateful multilayer inspection device, or something using deep packet inspection. But all of those really mean the same thing. We’re looking at every single bit and every single byte that’s going over the network. We’re examining it, we’re doing a protocol decode, and we’re looking at what application it’s associated with. And in some cases we’re looking at the way the application works as it communicates back and forth between devices.

As you can imagine, this is a very advanced piece of hardware and software because it’s looking at more data than we ever looked at on the network. Every packet has to be analyzed. It has to be categorized.

There are also a number of security decisions that have to be made. Is this a legitimate application? Is the application transferring a file? Does that file happen to have any malware inside of it? Is that application even allowed on this network? Those security decisions can only be made if you really are looking at every bit and every byte that goes by on the network.

The latest generation of firewalls on our network is application aware. They can look at all the traffic going by and categorize those flows based on what the application happens to be. So the firewall knows if there is Microsoft SQL Server traffic. It knows if there’s Twitter traffic, if there’s YouTube, or if there’s BitTorrent. This allows the security person to decide which applications are allowed and which applications should not pass through that firewall.
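As an added illustration (not code from the video), here is a toy application-aware filter in Python: it classifies a flow by decoding the client’s first bytes instead of trusting the port, then applies an application allow-list, so BitTorrent riding on port 80 is still denied where a port-only rule would let it through. The payload signatures are simplified and the sample flows are constructed.

```python
# Added example, not from the original page. Classifies a flow by protocol
# decode of its first client bytes, ignoring the destination port, then
# applies an application allow-list (default deny).
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client


def identify_app(flow: Flow) -> str:
    """Protocol decode on the first client bytes; the port plays no role."""
    p = flow.payload
    # BitTorrent handshake: length byte 19 followed by the protocol name
    if p.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # TLS record: content type 0x16 (handshake), major version 0x03
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls"
    # SSH identification string
    if p.startswith(b"SSH-"):
        return "ssh"
    # Microsoft SQL Server TDS packet, type 0x12 = PRELOGIN
    if len(p) >= 8 and p[0] == 0x12:
        return "mssql"
    # HTTP request line: METHOD SP target SP HTTP/1.x
    first_line = p.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/1."):
        return "http"
    return "unknown"


# Application allow-list chosen for this example; anything else is denied.
APP_POLICY = {"http": "allow", "tls": "allow", "ssh": "allow", "mssql": "allow"}


def decide(flow: Flow) -> tuple[str, str]:
    """Application-aware decision: (identified app, allow|deny)."""
    app = identify_app(flow)
    return app, APP_POLICY.get(app, "deny")


# Legacy port-based rule for contrast: it cannot see inside the packet.
PORT_POLICY = {80: "allow", 443: "allow", 22: "allow", 1433: "allow"}


def port_only_decide(flow: Flow) -> str:
    return PORT_POLICY.get(flow.dst_port, "deny")
```

Running both decision functions over a BitTorrent handshake sent to port 80 shows the port-only rule allowing it and the application-aware rule denying it.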

Intrusion prevention systems have also taken hold of this application layer view of the network because they can create much more detailed and accurate signatures. IPSs, of course, are trying to stop someone on the outside from taking advantage of a vulnerability inside a server or an application, so it’s useful for those devices to also be aware of what applications are being used to provide that level of access onto your network.

And of course the firewalls inside all of our hosts, the Windows firewall, for instance, are very aware of the applications that are running on our computers. So it knows if you’re using a browser, it knows if you’re performing an FTP transfer, it knows if you’re using HomeGroup or file and printer sharing, and you’re able to make security decisions based on what application is there and whether that application should allow access from somebody else on the inside or outside of your network.