
What Deep Application Awareness means to Business

Deep Application Awareness is the ability to accurately identify the different applications running within a business. What makes it difficult is that many applications can share the same ports. A company that understands how bandwidth is being consumed, by whom, and how it is prioritized can optimize organizational performance.

The ideal security appliance uses Deep Packet Inspection (DPI) to watch a series of packets from a host. It studies the behavior of the traffic patterns and then correctly identifies the app. For example, TCP port 80 is used by many different applications because it is easy to get through a firewall. When the NetFlow reporting tool reports on TCP port 80 traffic, does it label it as HTTP? In truth, it could be Skype, WebEx, Citrix, YouTube, Facebook, Salesforce, LinkedIn, etc. These are all considered applications today, and they could all be running over the same port. A tool that labels all TCP port 80 traffic as HTTP can be a bit misleading. Network traffic monitoring solutions have had to evolve because correctly identifying applications makes troubleshooting easier and allows administrators to prioritize business applications.

Not only should the firewall appliance correctly identify end-user applications, it should also provide a few performance metrics. For example, for VoIP it should deliver details on jitter and packet loss. For remote or internal employees suffering from poor voice connections, these metrics allow administrators to determine which end of the call is experiencing the most issues and at which minute during the entire length of the call. This is important because it allows network analysts to observe the impact increased traffic can have on voice quality at different points on the network.
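As an added illustration (not code from the original post or from any product it describes), the following shows how per-minute jitter and packet loss can be derived for each direction of a call from RTP sequence numbers and timestamps, using the interarrival jitter estimator from RFC 3550, and then used to find the worst end and minute. The function names, the tuple layout, the 8 kHz clock and the 20 ms packet interval are assumptions, and the sample call is constructed.

```python
from collections import defaultdict

CLOCK_HZ = 8000  # assumed RTP clock rate (narrowband audio such as G.711)

def per_minute_quality(packets):
    """packets: (arrival_s, rtp_seq, rtp_ts) tuples for ONE direction of a call."""
    stats = defaultdict(lambda: {"expected": 0, "lost": 0, "max_jitter_ms": 0.0})
    jitter, prev = 0.0, None
    for arrival, seq, ts in sorted(packets):
        gap = 1 if prev is None else (seq - prev[1]) % 65536  # 16-bit seq wraps
        if gap == 0 or gap > 32768:
            continue  # duplicate or late packet: skipped (late ones stay counted as lost)
        bucket = stats[int(arrival // 60)]
        bucket["expected"] += gap
        bucket["lost"] += gap - 1
        if prev is not None:
            # RFC 3550: D = (Rj - Ri) - (Sj - Si);  J += (|D| - J) / 16
            sent_delta = ((ts - prev[2]) % 2**32) / CLOCK_HZ
            d = (arrival - prev[0]) - sent_delta
            jitter += (abs(d) - jitter) / 16
            bucket["max_jitter_ms"] = max(bucket["max_jitter_ms"], jitter * 1000)
        prev = (arrival, seq, ts)
    return dict(stats)

def worst_minute(call):
    """call: {direction: packets}. Worst (direction, minute) by loss, then jitter."""
    rows = []
    for direction, packets in call.items():
        for minute, s in per_minute_quality(packets).items():
            loss_pct = 100.0 * s["lost"] / s["expected"]
            rows.append((loss_pct, s["max_jitter_ms"], direction, minute))
    loss_pct, jitter_ms, direction, minute = max(rows)
    return direction, minute, round(loss_pct, 1), round(jitter_ms, 2)

def synth(minutes, bad_minute=None):
    """Constructed sample: one packet per 20 ms; in bad_minute every 10th
    packet is dropped and odd-numbered packets arrive 15 ms late."""
    out = []
    for i in range(minutes * 3000):
        ms = i * 20
        if i // 3000 == bad_minute:
            if i % 10 == 0:
                continue
            ms += 15 if i % 2 else 0
        out.append((ms / 1000, i % 65536, i * 160))
    return out

# Constructed three-minute call: only the callee's outbound leg degrades, in minute 1.
CALL = {"caller->callee": synth(3), "callee->caller": synth(3, bad_minute=1)}
```

Calling `worst_minute(CALL)` points at minute 1 of the `callee->caller` direction, which is the kind of answer the per-minute metrics are meant to give during a support call.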

[Figure: application names in NetFlow]

Notice also in the figure above that the IPFIX export provides details on caller ID. Imagine the user calling up and saying, “I had a lousy call this morning. Here is the number I dialed...” The NetFlow and IPFIX reporting interface lets administrators filter and drill down into historical information to quickly find the traffic related to a support call.

Application-aware NetFlow and IPFIX export is predicted to grow in the security appliance market because more and more applications are hiding behind port 80. Even when the traffic is related to HTML, many customers want a tool that distinguishes simple Google searching and web site browsing from sites such as Facebook and LinkedIn. To some, these web sites are considered applications, and the ideal security appliance should be able to deliver the goods.