
App-ID and the Rule of All

The Fundamental Differences Between App-ID and Other Traffic Classification Mechanisms

Today, every stateful inspection-based firewall vendor is calling themselves a next-generation firewall that can identify and
control applications. A remarkable feat, given that they are all still using port and protocol as the primary traffic classification
mechanism and that all application identification is being done by a bolt-on IPS engine.

In some respects, the added discussion is beneficial because it means that the traditional vendors recognize that their
existing, port-based products are relatively ineffective at classifying the traffic on corporate networks. However, the increased
noise means it is even more important to clarify the fundamental differences between App-ID™, the traffic classification
technology used in Palo Alto Networks next-generation firewalls, and the classification mechanisms used in other offerings.
The fundamental differences between App-ID and other, traditional security solutions can be summarized by the Rule of All.

All App-IDs are always on: Every one of the App-IDs is always enabled. They are not optional; there is no need to enable a
series of signatures to look for an application.

Always the first action taken: App-ID traffic classification is always the first action taken when traffic hits the Palo Alto
Networks next-generation firewall. Like all firewalls, our device is default deny for all traffic. Policies are enabled to begin
allowing traffic, at which time all App-IDs begin to classify traffic without any additional configuration effort.

[Figure 1: How App-ID Identifies Applications. Diagram labels: Start; Policy Check; Decryption (SSL or SSH); Check Signatures;
Known Protocol Decoder (Decode, Check Policy); Identified Traffic, No Decoding (IP/Port, Check Application Signatures, Policy
Check); Unknown Protocol Decoder (Apply Heuristics, Check Policy); Report & Enforce Policy.]

All of the traffic: App-ID is always classifying all of the traffic, not just a subset of the traffic (like HTTP for IPS). All
App-IDs are looking at all of the traffic passing through the device: business applications, consumer applications, network
protocols, and everything in between. There is no need to configure App-ID to look at a specific subset of traffic. It
automatically looks at all of it.

All ports: App-ID is always looking at every port. Again, there is no need to configure App-ID to look for an application
on a non-standard port. It is automatic.

All versions, all OSes: App-ID operates at the services layer, monitoring how the application interacts between the
client and the server. This means that App-ID is indifferent to new features, and it is client or server operating system
agnostic. The result is that a single App-ID for BitTorrent is going to be roughly equal to the many BitTorrent OS and
client signatures that need to be enabled to try and control this application in other offerings.

All classification techniques: Each App-ID is not just an IPS-like signature. Every App-ID will automatically use up to
four different traffic classification mechanisms to determine the exact identity of the application. There is no need to
apply specific settings for a specific application; App-ID systematically applies the appropriate mechanism, resulting in
consistent and accurate application identification.
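To make the contrast behind the Rule of All concrete, the following added example (not Palo Alto Networks code, and not the real App-ID decoders or signatures) models the Figure 1 pipeline on a few constructed flows: a port-based classifier decides from the destination port alone, while the content-based classifier checks every hypothetical signature on every port, falls through to a simple heuristic for unmatched traffic, and then applies a default-deny policy keyed on the identified application.

```python
"""Toy model of the Figure 1 pipeline on constructed flows: classify by payload
content on every port, fall back to heuristics, then apply default-deny policy."""
import math
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first bytes sent by the client (constructed sample data)

# Hypothetical application signatures: a few well-known protocol prefixes.
# Illustrative only; these are not Palo Alto Networks' App-ID signatures.
APP_SIGNATURES = {
    "web-browsing": (b"GET ", b"POST ", b"HEAD "),
    "ssh": (b"SSH-2.0-",),
    "bittorrent": (b"\x13BitTorrent protocol",),
}

# What a port-based classifier assumes from the destination port alone.
PORT_MAP = {80: "web-browsing", 443: "ssl", 22: "ssh"}

def classify_by_port(flow: Flow) -> str:
    """Traditional stateful-inspection view: the port decides the 'application'."""
    return PORT_MAP.get(flow.dst_port, "unknown")

def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; high values suggest encrypted/compressed data."""
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def classify_by_content(flow: Flow) -> str:
    """App-ID-style view: every signature is checked on every port, always on.
    Flows matching no signature go to the heuristics stage of Figure 1."""
    for app, prefixes in APP_SIGNATURES.items():
        if any(flow.payload.startswith(p) for p in prefixes):
            return app
    if flow.payload and _entropy(flow.payload) > 7.0:
        return "unknown-encrypted"  # heuristic: looks like ciphertext or a tunnel
    return "unknown-tcp"

def apply_policy(app: str, allowed: set) -> str:
    """Default deny: traffic passes only when its identified app is explicitly allowed."""
    return "allow" if app in allowed else "deny"

if __name__ == "__main__":
    allowed = {"web-browsing", "ssh"}
    for f in [Flow(8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
              Flow(443, b"SSH-2.0-OpenSSH_9.0\r\n"),
              Flow(80, b"\x13BitTorrent protocol" + bytes(48))]:  # constructed flows
        app = classify_by_content(f)
        print(f"port {f.dst_port:>4}: port-based={classify_by_port(f):<13} "
              f"app-id={app:<17} policy={apply_policy(app, allowed)}")
```

The BitTorrent handshake on port 80 is the instructive case: the port-based view reports web-browsing and would allow it, while the content-based view identifies bittorrent and the default-deny policy blocks it.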

Palo Alto Networks users will initially see the result of App-ID and the Rule of All in ACC where, with a single firewall rule of
any-any-allow, the details on applications, users and threats can be viewed quickly and easily with a few clicks of a mouse. The
Rule of All is then extended into the policy editor where, with equal ease, an administrator can establish positive control
model policies to enable the use of applications. Finally, logging, reporting and analysis take full advantage of the Rule of
All, allowing an administrator to investigate security incidents, perform traffic and threat analysis and generate reports based
on the exact application identity. So what is the best way to clarify the discussion around what the other vendors are saying?
Ask them these questions:

Are all of the application identification techniques enabled by default?
Is the application identification technique looking at all traffic or a subset thereof?
Are the application identification techniques automatically applied across all ports, or is that a configuration setting?
How many steps will it take to enable all the application identification techniques for all traffic for all ports?
What tools are included in the list price to provide visibility into the application use, the users and the associated threats?
Is application control an integral part of the firewall policy, or is it a separate tab/setting/configuration tool or management UI?
Is the rated datasheet performance based on port-based classification or application-based classification?

Copyright 2013, Palo Alto Networks, Inc. All rights reserved.
