Ports Are Meaningless
I read an interesting survey today commissioned by FaceTime Communications. This is their fourth such annual report and while the overall findings were unsurprising, it highlights a growing problem - how to control application use as traffic converges on ports 80 and 443. The survey found that employee use of collaborative Internet applications is on the rise and that employees use such applications for personal benefit on company time - no surprise there. This has in turn led to security, bandwidth utilization, compliance and data leakage issues. Some of the more interesting findings are below:
- 97% of employees utilize 'Internet Applications', defined as IM, P2P, streaming media, collaboration (web conferencing, blogging and social media), VoIP, anonymizers, web mail, etc.
- 86% use IM
- 54% use file sharing
- 69% use VoIP
- 15% use anonymizers
These statistics are important as they emphasize the increased use of applications that are often not sanctioned or monitored by internal IT, yet can significantly impact the corporate LAN. The larger the attack surface, the more vulnerable a platform becomes. Installing additional applications to a desktop system increases the likelihood that one such application will be vulnerable and open to attack, especially when these applications are not regularly patched. Moreover, such apps can represent costly bandwidth utilization and potential data leakage risk.
Why is it that the use of non-sanctioned applications is on the rise? Have internal security teams given up the fight and handed over desktop control to end users? No. The reality is that end users no longer need admin rights to utilize alternate applications. Why? Many are now web based. You don't need to install a desktop application on your machine, you only need to point your web browser to a Rich Internet Application and any of the aforementioned application categories are readily available online.
What the report did not cover is what form this traffic takes, how it can be identified and how it can be controlled. A decade ago, network firewalls ruled the security landscape. Preventing access to a particular application/protocol was as simple as blocking a known port. Don't want employees to send files? No problem, block outbound port 21. Telnet? That's port 23. Today however, ports are meaningless. Traffic is converging on ports 80 and 443 for a simple reason - they're always accessible, on any network.
Applications are becoming 'network aware'. They may have a preference for their communication protocol, but they will find a way out, and their fallback plan is always the web. Take a look at applications such as Skype, Tor or virtually any modern P2P application. If you block all other means of egress, you will find traffic being tunneled through port 80. When this occurs, ports become meaningless and sysadmins suddenly have their hands full. Today, security solutions designed to hand control back to administrators must understand the language spoken by applications in order to pick it out within the sea of legitimate web traffic. Moreover, vendors must constantly monitor and update their signatures, as the traffic patterns are continually changing in order to bypass known controls. Just as we've accepted the arms race between virus writers and AV vendors, we now have an arms race between those seeking to make applications accessible to all and the enterprises seeking to control them.
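To make the "ports are meaningless" point concrete from the defender's side, here is an added example (my own illustration, not code from the post or from any vendor it mentions) of the simplest possible application-aware check: look at the first bytes a client sends on a flow, label what the payload actually looks like (HTTP request, TLS handshake, other text, other binary), and flag flows where that label disagrees with what the destination port implies. The flows, addresses and payloads are constructed for the example; the assumption that port 80 should carry HTTP and port 443 should carry TLS is the policy being checked, not a fact from the post.

```python
"""
Port-vs-payload sanity check.

Label each flow by what its first client bytes look like, then flag flows
whose payload disagrees with the protocol the port number suggests. This is
the minimum an "application aware" control has to do before it can reason
about what is really inside the port 80/443 traffic. Sample flows below are
constructed for illustration.
"""
import re
from typing import List, NamedTuple, Tuple

# Request-line shape: METHOD SP target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ")

# Policy assumption for this example: what each well-known port should carry.
EXPECTED_BY_PORT = {80: "http", 443: "tls"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes the client sent on the connection


def classify_payload(payload: bytes) -> str:
    """Return a coarse protocol label from the first client bytes of a flow."""
    if not payload:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        return "tls"
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(HTTP_METHODS):
        return "http-like"  # method seen but request line malformed/truncated
    # Mostly printable bytes -> some other text protocol; otherwise binary
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(payload) > 0.9:
        return "text-other"
    return "binary-other"


def port_mismatches(flows: List[Flow]) -> List[Tuple[str, str, int, str, str]]:
    """Return (src, dst, dport, expected, observed) for flows whose payload
    does not match the protocol implied by the destination port."""
    out = []
    for f in flows:
        expected = EXPECTED_BY_PORT.get(f.dport)
        observed = classify_payload(f.payload)
        if expected and observed != expected:
            out.append((f.src, f.dst, f.dport, expected, observed))
    return out


# Constructed sample flows (not captured traffic):
#  - a normal HTTP request on 80 and a normal TLS ClientHello on 443
#  - a TLS handshake on port 80 (something tunnelling out via the "web" port)
#  - opaque binary on port 80
#  - plaintext HTTP on port 443
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("160301006a010000660303") + b"\x00" * 20
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.6", "203.0.113.11", 443, TLS_CLIENT_HELLO_PREFIX),
    Flow("10.0.0.7", "203.0.113.12", 80, TLS_CLIENT_HELLO_PREFIX),
    Flow("10.0.0.8", "203.0.113.13", 80, bytes(range(64))),
    Flow("10.0.0.9", "203.0.113.14", 443, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, dport, expected, observed in port_mismatches(SAMPLE_FLOWS):
        print(f"mismatch: {src} -> {dst}:{dport} expected {expected}, saw {observed}")
```

Run as-is it reports three of the five constructed flows: the TLS handshake and the opaque binary on port 80, and the plaintext HTTP request on port 443. Note what this check deliberately does not do: it cannot tell a browser's TLS session from any other application that also speaks TLS on 443, which is exactly why the post argues that vendors need application-specific signatures and have to keep updating them.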