Beyond Ports and Protocols
- Saturday, September 19, 2009, 22:48
- Threat Research
Often we talk about how destination port is not an accurate basis for classifying and controlling network traffic. At this point, hopefully that is obvious. Everyone knows that just about anything can get out of an enterprise network via port 80 or 443. Lately I have had several discussions with customers curious about protocol validation and ensuring that only “valid” traffic is being allowed. Being “valid” has become a mostly useless concept. How do you control traffic on 80 and 443? You put in a proxy, right? Hmm. That is useful if you want to make sure non-HTTP applications do not take advantage of a firewall policy that allows 80 and 443 out of the network. However, it is clearly not that simple – and it is not just HTTP that is the issue.
There are dozens of applications out there that allow a user to tunnel just about any application over “valid” HTTP or SSL. The protocol validation available in many products does nothing for this. Lately I have been studying other tunneling applications – applications that correctly follow a protocol and take advantage of the fact that most networks assume that if a flow conforms to the standard for that protocol, it should be allowed. What is the protocol most likely to be allowed out of the network, even when HTTP may not be? DNS.
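The defender's side of the DNS point above, as an added example that is not part of the original post: a heuristic that flags query streams whose subdomain labels look like encoded payload (long, high-entropy labels, many distinct names under one parent domain), which is exactly the traffic that passes protocol validation because it is well-formed DNS. The log format, the thresholds and the two-label "registered domain" shortcut are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the original post):
# one "<client-ip> <queried-name> <qtype>" record per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a9f3kq2z8x1lmnop4r7t.c3d9.tunnel-example.net TXT
10.0.0.7 q7w2e8r1t5y9u3i6o0p4.c3d9.tunnel-example.net TXT
10.0.0.7 z2x4c6v8b0n1m3l5k7j9.c3d9.tunnel-example.net TXT
10.0.0.7 h1g3f5d7s9a0p2o4i6u8.c3d9.tunnel-example.net TXT
10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, hostnames low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Assumption: last two labels. Real code should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def suspicious_queries(log: str, min_label_len: int = 16,
                       min_entropy: float = 3.5, min_unique: int = 3):
    """Return {registered_domain: [qnames]} for parent domains that receive
    at least min_unique distinct names carrying an encoded-looking label."""
    per_domain = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        qname = parts[1].lower()
        domain = registered_domain(qname)
        # Everything left of the registered domain is attacker-controlled data.
        sub = qname[: -len(domain) - 1] if qname.endswith("." + domain) else ""
        for label in sub.split("."):
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                per_domain[domain].add(qname)
                break
    return {d: sorted(q) for d, q in per_domain.items() if len(q) >= min_unique}
```

On the sample log only tunnel-example.net is reported; ordinary hostnames under example.com and example.org fall below both the length and entropy thresholds.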