3 Problems with Using Port Numbers to Identify Applications
Is it possible to identify the applications on your network? Yes! But, using port numbers is not the best way to do it. At least, not anymore with so many different applications using port 80 and 443. Using a Security Fabric and its context-aware data processing engine is a better alternative as it includes real application intelligence with hundreds of application signatures built-in.
The problems with using port numbers to identify applications are discussed in more detail in How Context-Aware Data Makes Security Threat Detection Better. In short, when you associate port numbers with applications, you risk sending the wrong traffic to your tools, or worse, not sending any traffic at all. Security threat detection is more difficult when you and your monitoring network cannot properly identify applications – making it easier to miss an indicator of attack or indicator of compromise.
Here are three problems you may experience if you are using port numbers to identify and/or filter traffic on your network before delivering it to your security and monitoring tools.
PROBLEM 1: AN UNCOMMON PORT NUMBER IS USED
It is possible to change the port number for an application. For instance, port 80 is a common port used by web servers. But, a web server administrator can change it. Most applications are setup by the host administrator using port numbers that follow accepted principles – but using these port numbers for specific applications is not set in stone. The most commonly used example is assigning port 8080 for a web server. To get traffic to this web server, you would need to append the port number to the end of the domain name like http://websitename.com:8080. Note that using port 8080 is not reserved for secondary web servers. It could be used for just about any application.
PROBLEM 2: PORT NUMBERS ARE SHARED
Many web-based applications and email services share port numbers. For instance, Gmail, Yahoo! Mail, AOL Mail, and Office 365 all use the same POP, IMAP, and SMTP port numbers. If you are using port numbers to identify applications, you would not be able to differentiate among these email providers. It is the same story for web-based applications, too. Many of them use port 80 for clear-text traffic and 443 for encrypted traffic. If you are using port numbers to identify applications, you would not be able to differentiate among common applications such as Concur and Workday or Box and Dropbox.
PROBLEM 3: SIMILAR FUNCTIONALITY BY OTHER APPLICATIONS
The corporate firewall may be setup to deny port 20 and 21 (to deny FTP traffic) so that you can limit the files moved from within your network to another location. But, many of today’s cloud-based services perform similar functionality over a port your firewall does allow. With port 80 and 443 traffic allowed, insiders can use web-based applications that perform similar functions. Dropbox, Box, and Hightail are a few of the services that use ports 80 and 443 and allow users to transfer files like using FTP.
While using port numbers can be helpful to identify applications, you can now see why this approach has problems. What you need is real application intelligence, which goes beyond port numbers. Real application intelligence is built-in to the context-aware data processing engine of the Ixia Security Fabric to accurately and quickly match packets with known application signatures. And for applications it does not recognize, Security Fabric uses contextual clues within each packet and runs it through a patented process to build dynamic signatures automatically.