In Part 1 of this article we examined how enterprises could gain application visibility and control to accommodate programs hosted outside the enterprise, and where they might implement that.
By deconstructing traffic (detecting and decrypting, decoding and de-tunneling), organizations can deduce which applications are on their networks. That requires being able to see all traffic, because applications no longer correspond to fixed ports, and to exert control these functions must be performed inline. The best place to do this is at the firewall -- it sees all traffic, demarcates the trust boundary and can enforce policy. But the traditional enterprise firewall needs a serious overhaul to perform these functions.
On to Part 2. If organizations (and security vendors) can regain application visibility and control the right way, enterprises will realize additional benefits: fine-grained application control, user-based policies and reporting, and better content scanning. All of this adds up to the ability to have a far more meaningful conversation with the business – focused on enabling applications, users and appropriate content, rather than just saying, "no".
Applications aren't threats. As described in Part 1, controlling applications is simple:
* Block undesirable applications.
* Safely enable good applications (ensure that they are free of threats).
* By policy – not by looking at applications as "threats".
* Ensure less important applications don't hurt more important ones.
The above presumes that the network professional knows what each application is, understands its relevance to the business and knows how it behaves. This knowledge is critical – each application or class of application has to be examined for its benefit and its risk. If the application provides high value and little risk, the answer is easy. If the application provides high value and high risk, the answer is harder, and IT must mitigate the risks associated with enabling the application.
The business can articulate the value side of the equation. Network and security professionals must come to the table knowing the risks the application carries:
* Can it carry malware?
* Does it chew up bandwidth?
* Does it tunnel other applications?
* Are there vulnerabilities associated with it?
The main point is that applications aren't threats and therefore need policy control, not the "find it and kill it" mentality reserved for malicious content.
Beyond that, there is application prioritization. Enterprises should, as part of application control, ensure that necessary applications aren't slowed or squeezed out by acceptable applications. In other words, a degree of application shaping is an appropriate addition to application control.
In most enterprises, when talk turns to application use and abuse, the next question anybody asks is: Who is responsible? Responding with an IP address is useless in today's dynamic environments, where addresses are assigned and reassigned constantly. If you can see the specific application, you should be able to see the user of that application.