For context on my experience: I installed and configured my first Check Point 3.5 in 1998. I have been administering firewalls for 22+ years. For the first 9 years I was responsible for Cisco and Check Point equipment at an Internet service provider. In 2006 I taught firewall courses at the Informzashchita training center. I am a Cisco certified engineer. I worked at IBM ISS and HP TippingPoint. And for 6 years now I have been working with Palo Alto Networks NGFW. Through my work I also know other vendors. I do NGFW comparisons on request, so I "feel" the difference. ;-)
"A next-generation firewall and traffic control by application name are just marketing": that was the wonderful topic discussed recently in one of the chats. Every opinion and every view of things has a right to exist. Supporters of this view sometimes reproach me for being too carried away by the idea of next-generation firewalls, for talking about APP-ID and USER-ID and completely forgetting that L4 firewalls still exist in many companies and that this tool can also be used to control traffic.
To avoid arguing, I will give a list of applications that travel over ports 443 and 80. Looking at this list, I personally do not know how one could write rules for these applications with only one criterion in hand: the TCP/IP protocol port. Do you? Please tell me in the comments.
A list of applications at a real company that travel over TCP port 443.
173 different applications in total, sorted by category.
Application | Category | Sub Category | Technology | Bytes |
--- | --- | --- | --- | --- |
ms-update | business-systems | software-update | client-server | 15178826 |
java-update | business-systems | software-update | client-server | 69786 |
ms-product-activation | business-systems | software-update | client-server | 15814 |
ms-teams | business-systems | office-programs | client-server | 179890952 |
evernote-base | business-systems | office-programs | client-server | 29642 |
ms-spynet | business-systems | management | client-server | 1323558 |
github-base | business-systems | management | client-server | 474160 |
gist | business-systems | management | client-server | 54795 |
paloalto-shared-services | business-systems | management | client-server | 5964 |
adobe-creative-cloud-base | business-systems | general-business | client-server | 11182668 |
square | business-systems | general-business | client-server | 23594 |
metatrader | business-systems | general-business | client-server | 21518 |
soap | business-systems | general-business | client-server | 16454 |
appdynamics | business-systems | erp-crm | client-server | 641447 |
google-update | business-systems | software-update | browser-based | 454858 |
pubnub | business-systems | software-development | browser-based | 132118889 |
google-docs-base | business-systems | office-programs | browser-based | 606681227 |
ms-powerbi | business-systems | office-programs | browser-based | 137709225 |
ms-office365-base | business-systems | office-programs | browser-based | 67550144 |
google-docs-base | business-systems | office-programs | browser-based | 4024720 |
ms-delve | business-systems | office-programs | browser-based | 1270796 |
mailchimp | business-systems | marketing | browser-based | 23159201 |
oracle-eloqua | business-systems | marketing | browser-based | 128619 |
mailchimp | business-systems | marketing | browser-based | 10296 |
oracle-eloqua | business-systems | marketing | browser-based | 8806 |
trello-base | business-systems | management | browser-based | 659385982 |
new-relic | business-systems | management | browser-based | 32133686 |
datadog | business-systems | management | browser-based | 99077 |
new-relic | business-systems | management | browser-based | 62056 |
wrike | business-systems | management | browser-based | 44477 |
recurly | business-systems | management | browser-based | 30095 |
bitbucket-base | business-systems | management | browser-based | 10113 |
windows-azure-base | business-systems | general-business | browser-based | 528937530 |
paloalto-wildfire-cloud | business-systems | general-business | browser-based | 169078231 |
zendesk-base | business-systems | general-business | browser-based | 3736073 |
arcgis | business-systems | general-business | browser-based | 3375511 |
taobao | business-systems | general-business | browser-based | 2840714 |
recruitee | business-systems | general-business | browser-based | 2275184 |
apple-vpp | business-systems | general-business | browser-based | 136394 |
dynatrace-app-monitoring | business-systems | general-business | browser-based | 31102 |
windows-azure-base | business-systems | general-business | browser-based | 24050 |
taobao | business-systems | general-business | browser-based | 11265 |
bitrix24 | business-systems | erp-crm | browser-based | 2144933 |
salesforce-base | business-systems | erp-crm | browser-based | 44137 |
skype | collaboration | voip-video | peer-to-peer | 51908422 |
viber-base | collaboration | voip-video | client-server | 147812985 |
discord | collaboration | voip-video | client-server | 29336519 |
viber-downloading | collaboration | voip-video | client-server | 2931096 |
alipay | collaboration | social-business | client-server | 1092532 |
zoom-base | collaboration | internet-conferencing | client-server | 845247238 |
webex-base | collaboration | internet-conferencing | client-server | 113852433 |
webex-base | collaboration | internet-conferencing | client-server | 185029 |
whatsapp-base | collaboration | instant-messaging | client-server | 84367427 |
snapchat | collaboration | instant-messaging | client-server | 1350572 |
telegram | collaboration | instant-messaging | client-server | 20766 |
disqus | collaboration | web-posting | browser-based | 1211829 |
pastebin-base | collaboration | web-posting | browser-based | 35121 |
google-hangouts-base | collaboration | voip-video | browser-based | 1518895904 |
mail.ru-base | collaboration | social-networking | browser-based | 2325309717 |
facebook-base | collaboration | social-networking | browser-based | 895739760 |
mail.ru-base | collaboration | social-networking | browser-based | 209706858 |
vkontakte-base | collaboration | social-networking | browser-based | 131769144 |
twitter-base | collaboration | social-networking | browser-based | 107072500 |
pinterest-base | collaboration | social-networking | browser-based | 18129636 |
facebook-base | collaboration | social-networking | browser-based | 1151868 |
vkontakte-base | collaboration | social-networking | browser-based | 1126002 |
linkedin-base | collaboration | social-networking | browser-based | 517648 |
quora-base | collaboration | social-networking | browser-based | 429627 |
odnoklassniki-base | collaboration | social-networking | browser-based | 324121 |
google-plus-base | collaboration | social-networking | browser-based | 227731 |
odnoklassniki-base | collaboration | social-networking | browser-based | 144567 |
twitter-base | collaboration | social-networking | browser-based | 140914 |
reddit-base | collaboration | social-networking | browser-based | 113681 |
tumblr-base | collaboration | social-networking | browser-based | 78509 |
meetup-base | collaboration | social-networking | browser-based | 57025 |
foursquare | collaboration | social-networking | browser-based | 24716 |
linkedin-base | collaboration | social-networking | browser-based | 23049 |
pinterest-base | collaboration | social-networking | browser-based | 9858 |
sharepoint-online | collaboration | social-business | browser-based | 74999233 |
myownconference | collaboration | internet-conferencing | browser-based | 2415474509 |
google-meet | collaboration | internet-conferencing | browser-based | 2811776 |
whatsapp-web | collaboration | instant-messaging | browser-based | 452452447 |
facebook-chat | collaboration | instant-messaging | browser-based | 9572224 |
slack-base | collaboration | instant-messaging | browser-based | 1649864 |
whatsapp-web | collaboration | instant-messaging | browser-based | 281318 |
boldchat-logmein | collaboration | instant-messaging | browser-based | 158277 |
mail.ru-mail | collaboration | | browser-based | 1334267485 |
gmail-base | collaboration | | browser-based | 277832908 |
outlook-web-online | collaboration | | browser-based | 169940528 |
hotmail | collaboration | | browser-based | 65997147 |
mail.ru-mail | collaboration | | browser-based | 46064290 |
gmail-base | collaboration | | browser-based | 1980879 |
outlook-web | collaboration | | browser-based | 8608 |
firebase-cloud-messaging | general-internet | internet-utility | client-server | 205583856 |
windows-push-notifications | general-internet | internet-utility | client-server | 116116300 |
apple-maps | general-internet | internet-utility | client-server | 17704949 |
ms-store | general-internet | internet-utility | client-server | 5773005 |
icloud-base | general-internet | internet-utility | client-server | 133246 |
apple-push-notifications | general-internet | internet-utility | client-server | 25908 |
rss | general-internet | internet-utility | client-server | 18701 |
yandex-disk | general-internet | file-sharing | client-server | 12179106383 |
whatsapp-file-transfer | general-internet | file-sharing | client-server | 2111020699 |
syncplicity-base | general-internet | file-sharing | client-server | 1717261628 |
dropbox-base | general-internet | file-sharing | client-server | 31050952 |
syncplicity-base | general-internet | file-sharing | client-server | 18435998 |
dropbox-base | general-internet | file-sharing | client-server | 2713020 |
jumpshare-base | general-internet | file-sharing | client-server | 1691140 |
ms-onedrive-base | general-internet | file-sharing | client-server | 1291962 |
syncplicity-uploading | general-internet | file-sharing | client-server | 150800 |
sourceforge-base | general-internet | file-sharing | client-server | 64523 |
google-base | general-internet | internet-utility | browser-based | 13154647578 |
web-browsing | general-internet | internet-utility | browser-based | 1711577674 |
yandex-maps | general-internet | internet-utility | browser-based | 1386447360 |
google-play | general-internet | internet-utility | browser-based | 352330892 |
google-analytics | general-internet | internet-utility | browser-based | 321610138 |
google-maps | general-internet | internet-utility | browser-based | 21722945 |
yahoo-web-analytics | general-internet | internet-utility | browser-based | 18132317 |
google-base | general-internet | internet-utility | browser-based | 18038698 |
bing-maps | general-internet | internet-utility | browser-based | 2107633 |
google-app-engine | general-internet | internet-utility | browser-based | 1222032 |
yandex-maps | general-internet | internet-utility | browser-based | 1191654 |
google-analytics | general-internet | internet-utility | browser-based | 817525 |
websocket | general-internet | internet-utility | browser-based | 736767 |
pushbullet | general-internet | internet-utility | browser-based | 165458 |
web-browsing | general-internet | internet-utility | browser-based | 52523 |
google-play | general-internet | internet-utility | browser-based | 43366 |
yahoo-web-analytics | general-internet | internet-utility | browser-based | 40463 |
acme-protocol | general-internet | internet-utility | browser-based | 35296 |
google-cache | general-internet | internet-utility | browser-based | 33703 |
speedtest | general-internet | internet-utility | browser-based | 24987 |
wetransfer-downloading | general-internet | file-sharing | browser-based | 340164024 |
wetransfer-base | general-internet | file-sharing | browser-based | 172208779 |
google-drive-web | general-internet | file-sharing | browser-based | 127409055 |
adobe-cloud | general-internet | file-sharing | browser-based | 10578110 |
google-drive-web | general-internet | file-sharing | browser-based | 2172083 |
firefox-send | general-internet | file-sharing | browser-based | 1046245 |
google-cloud-storage-download | general-internet | file-sharing | browser-based | 24098 |
google-cloud-storage-base | general-internet | file-sharing | browser-based | 19038 |
boxnet-base | general-internet | file-sharing | browser-based | 18874 |
wetransfer-base | general-internet | file-sharing | browser-based | 12097 |
instagram-base | media | photo-video | client-server | 552858617 |
rtcp | media | photo-video | client-server | 350228025 |
cloudinary-base | media | photo-video | client-server | 88773251 |
xbox-live | media | gaming | client-server | 10891014 |
origin | media | gaming | client-server | 6972513 |
steam | media | gaming | client-server | 2770429 |
itunes-base | media | audio-streaming | client-server | 3020896 |
soundcloud-base | media | audio-streaming | client-server | 1232273 |
youtube-base | media | photo-video | browser-based | 36672755685 |
facebook-video | media | photo-video | browser-based | 513998340 |
youtube-uploading | media | photo-video | browser-based | 470462307 |
vimeo-base | media | photo-video | browser-based | 14566308 |
http-video | media | photo-video | browser-based | 8174640 |
youtube-base | media | photo-video | browser-based | 2433691 |
imgur-base | media | photo-video | browser-based | 1470841 |
vimeo-base | media | photo-video | browser-based | 70472 |
khan-academy | media | photo-video | browser-based | 17653 |
ooyala | media | photo-video | browser-based | 12971 |
poker-stars | media | gaming | browser-based | 148522 |
http-audio | media | audio-streaming | browser-based | 371290 |
cotp | networking | infrastructure | network-protocol | 5894 |
t.120 | networking | infrastructure | network-protocol | 1533 |
stun | networking | infrastructure | network-protocol | 1160 |
anydesk | networking | remote-access | client-server | 105785591 |
teamviewer-base | networking | remote-access | client-server | 45385 |
ms-rdp | networking | remote-access | client-server | 8192 |
snmp-base | networking | infrastructure | client-server | 1494 |
tor | networking | encrypted-tunnel | client-server | 606950853 |
panos-global-protect | networking | encrypted-tunnel | client-server | 402808794 |
teamviewer-web | networking | remote-access | browser-based | 58077 |
http-proxy | networking | proxy | browser-based | 10572 |
quic | networking | infrastructure | browser-based | 35715114 |
ssl | networking | encrypted-tunnel | browser-based | 422215882315 |
Imagine what happens when the business asks you to block something because it is not needed for the business, say the tor application. Or, conversely, to allow teamviewer only for administrators. How would you do that without analyzing the traffic?
A list of applications at a real company that travel over TCP port 80.
58 different applications in total.
Application | App Category | App Sub Category | App Technology | Bytes |
--- | --- | --- | --- | --- |
google-update | business-systems | software-update | browser-based | 39775304 |
google-calendar-base | business-systems | office-programs | browser-based | 5543 |
hubspot | business-systems | marketing | browser-based | 6657 |
windows-azure-base | business-systems | general-business | browser-based | 35307 |
bitrix24 | business-systems | erp-crm | browser-based | 102916201 |
salesforce-base | business-systems | erp-crm | browser-based | 3231 |
adobe-update | business-systems | software-update | client-server | 782760792 |
ms-update | business-systems | software-update | client-server | 37306979 |
ms-sms | business-systems | management | client-server | 440450451 |
eset-remote-admin | business-systems | management | client-server | 49650280 |
github-base | business-systems | management | client-server | 15115 |
soap | business-systems | general-business | client-server | 86570957 |
ldap | business-systems | auth-service | client-server | 1826 |
mail.ru-base | collaboration | social-networking | browser-based | 1337406 |
twitter-base | collaboration | social-networking | browser-based | 324831 |
vkontakte-base | collaboration | social-networking | browser-based | 60566 |
odnoklassniki-base | collaboration | social-networking | browser-based | 57030 |
facebook-base | collaboration | social-networking | browser-based | 14346 |
linkedin-base | collaboration | social-networking | browser-based | 1318 |
sharepoint-base | collaboration | social-business | browser-based | 8536214 |
confluence-base | collaboration | social-business | browser-based | 17603 |
telegram | collaboration | instant-messaging | client-server | 37686 |
web-browsing | general-internet | internet-utility | browser-based | 97595584642 |
web-crawler | general-internet | internet-utility | browser-based | 21175241 |
google-base | general-internet | internet-utility | browser-based | 20595418 |
yandex-maps | general-internet | internet-utility | browser-based | 9699762 |
google-maps | general-internet | internet-utility | browser-based | 4570121 |
google-analytics | general-internet | internet-utility | browser-based | 3025564 |
flash | general-internet | internet-utility | browser-based | 2619471 |
websocket | general-internet | internet-utility | browser-based | 740807 |
bing-maps | general-internet | internet-utility | browser-based | 518081 |
silverlight | general-internet | internet-utility | browser-based | 241640 |
google-translate-base | general-internet | internet-utility | browser-based | 4350 |
google-cloud-storage-download | general-internet | file-sharing | browser-based | 96246048 |
google-cloud-storage-base | general-internet | file-sharing | browser-based | 448350 |
webdav | general-internet | file-sharing | browser-based | 10636 |
rss | general-internet | internet-utility | client-server | 1408540 |
google-earth | general-internet | internet-utility | client-server | 72542 |
owncloud-base | general-internet | file-sharing | client-server | 28030450 |
bittorrent | general-internet | file-sharing | peer-to-peer | 255311 |
http-video | media | photo-video | browser-based | 1802022379 |
youtube-base | media | photo-video | browser-based | 168954 |
imgur-base | media | photo-video | browser-based | 9384 |
http-audio | media | audio-streaming | browser-based | 164406630 |
steam | media | gaming | client-server | 1206799 |
origin | media | gaming | client-server | 40212 |
xbox-live | media | gaming | client-server | 29807 |
shoutcast | media | audio-streaming | client-server | 8838223 |
http-proxy | networking | proxy | browser-based | 346789 |
ssl | networking | encrypted-tunnel | browser-based | 13076750 |
anydesk | networking | remote-access | client-server | 130897265 |
ms-rdp | networking | remote-access | client-server | 21360 |
teamviewer-base | networking | remote-access | client-server | 4220 |
ocsp | networking | infrastructure | client-server | 31566328 |
socks | networking | proxy | network-protocol | 4335 |
cotp | networking | infrastructure | network-protocol | 5540 |
t.120 | networking | infrastructure | network-protocol | 3418 |
stun | networking | infrastructure | network-protocol | 2418 |
How do you block bittorrent with a port-based firewall?
If you need to block or allow one of these dynamic applications, you need the "application" criterion in the security policy, because the "port" field says "any".
I have nothing more to say.
How many different applications an NGFW sees on ports 80 and 443. A practical experiment:
You can buy an L4 firewall and write a rule allowing port tcp/80, or you can buy nothing and write nothing: the effect on security will be the same... only the second option is free. Routers have the same access lists.
Applications changed long ago: they are deliberately built to bypass L4 firewalls, and they are working on bypassing L7.
Have you ever tried to block skype, telegram, tor, teamviewer?
Have you ever tried to catch an admin who, instead of a web application, put an RDP service on port 80 so he could work remotely from home?
As soon as you face such a task, you will understand why you need an NGFW.
PS:
For variety, a list of applications at a real company that travel over port 3389.
15 different applications were trying to reach port 3389.
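A toy rulebase evaluator, added here as an example (not code from this post or from any vendor), for the tasks named in the text: deny tor, allow teamviewer only to administrators, and catch the RDP service an admin hung on port 80. The App-ID names come from the tables above; the rule names, user groups and flows are constructed.

```python
# Added example: why an L4 rulebase (port is the only criterion) cannot
# express "deny tor" or "teamviewer only for admins" when both ride tcp/443,
# while a rulebase keyed on application and user group can. Rule names, user
# groups and flows are constructed; App-ID names are those from the tables.
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = None  # a criterion left at None matches anything, like "any" in a rule


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    port: Optional[int] = ANY                # service: one TCP port, or any
    apps: Optional[FrozenSet[str]] = ANY     # application: App-ID names, or any
    groups: Optional[FrozenSet[str]] = ANY   # source user: USER-ID groups, or any


@dataclass(frozen=True)
class Flow:
    app: str    # what App-ID identifies the session as
    port: int   # destination TCP port
    group: str  # group of the user behind the source address


def matches(rule: Rule, flow: Flow) -> bool:
    """Every criterion that is set on the rule must match the flow."""
    if rule.port is not ANY and flow.port != rule.port:
        return False
    if rule.apps is not ANY and flow.app not in rule.apps:
        return False
    if rule.groups is not ANY and flow.group not in rule.groups:
        return False
    return True


def evaluate(rulebase, flows):
    """First matching rule wins; a flow that no rule matches hits the implicit deny."""
    verdicts = {}
    for flow in flows:
        hit = next((r for r in rulebase if matches(r, flow)), None)
        verdicts[flow] = (hit.name, hit.action) if hit else ("default", "deny")
    return verdicts


# L4 rulebase: the port is the only criterion that exists.
L4_RULES = [Rule("web-out", "allow", port=443), Rule("http-out", "allow", port=80)]

# App-ID rulebase: service stays "any"; the application and the user group decide.
NGFW_RULES = [
    Rule("block-tor", "deny", apps=frozenset({"tor"})),
    Rule("remote-support", "allow", apps=frozenset({"teamviewer-base"}),
         groups=frozenset({"admins"})),
    Rule("sanctioned-saas", "allow",
         apps=frozenset({"ms-teams", "zoom-base", "google-docs-base", "web-browsing"})),
]

# Constructed flows, using App-ID names from the tables above.
FLOWS = [
    Flow("tor", 443, "users"),
    Flow("teamviewer-base", 443, "admins"),
    Flow("teamviewer-base", 443, "users"),
    Flow("zoom-base", 443, "users"),
    Flow("ms-rdp", 80, "users"),  # the admin who put RDP on port 80
]

if __name__ == "__main__":
    for label, rules in (("L4", L4_RULES), ("NGFW", NGFW_RULES)):
        for flow, (rule, action) in evaluate(rules, FLOWS).items():
            print(f"{label:4} {flow.app:16} tcp/{flow.port:<4} {flow.group:6} -> {action:5} ({rule})")
```

With the L4 rulebase every one of these flows is allowed, including tor and RDP-on-80; the App-ID rulebase denies tor, lets only admins use teamviewer, and drops the RDP session because no rule names it.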
Application | App Category | App Sub Category | App Technology | Bytes |
--- | --- | --- | --- | --- |
ms-rdp | networking | remote-access | client-server | 222 010 161 069 |
cotp | networking | infrastructure | network-protocol | 6 344 743 |
web-browsing | general-internet | internet-utility | browser-based | 5 993 |
ssl | networking | encrypted-tunnel | browser-based | 5 553 |
socks | networking | proxy | network-protocol | 867 |
sip | collaboration | voip-video | peer-to-peer | 503 |
dicom | business-systems | general-business | client-server | 491 |
ms-ds-smb-base | business-systems | storage-backup | client-server | 448 |
mssql-db-base | business-systems | database | client-server | 332 |
corba | business-systems | general-business | client-server | 328 |
rpc | networking | infrastructure | network-protocol | 324 |
afp | business-systems | storage-backup | client-server | 298 |
ms-sms | business-systems | management | client-server | 296 |
rmi-iiop | business-systems | general-business | client-server | 287 |
I deliberately included port 3389 to show that there is more than just Microsoft RDP on it.
You can see that some of the applications transferred very few bytes. That is network scanner traffic. In other words, the company has port 3389 open to the outside, a scanner keeps poking it with packets from different applications, and APP-ID sees it.
8 different applications use port 3389 as their standard port.
And the list of examples could go on forever…
The advantages of an L7 firewall, and of NGFW in general, are described in more detail in this article.
Improve your professional skills at the Palo Alto Networks Academy: panacademia.ru
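A small parser for per-port App-ID reports like the tables above, added here as an example (not code from the post or from Palo Alto Networks): it merges rows that name the same application, sorts by volume, and flags applications whose whole volume on the port is a few hundred bytes, which is what the scanner probes described above look like. The sample rows follow the 3389 table; the second "cotp" row and the 1 KB threshold are constructed assumptions.

```python
# Added example: turn an App-ID per-port report into a merged per-application
# byte count and a list of low-volume entries that look like scanner probes
# rather than real sessions. Rows follow the 3389 table above; the duplicate
# "cotp" row is constructed to show merging, and the threshold is an assumption.
from collections import defaultdict

SAMPLE_REPORT = """\
Application | App Category | App Sub Category | App Technology | Bytes |
ms-rdp | networking | remote-access | client-server | 222 010 161 069 |
cotp | networking | infrastructure | network-protocol | 6 344 743 |
cotp | networking | infrastructure | network-protocol | 1 257 |
web-browsing | general-internet | internet-utility | browser-based | 5 993 |
ssl | networking | encrypted-tunnel | browser-based | 5 553 |
socks | networking | proxy | network-protocol | 867 |
sip | collaboration | voip-video | peer-to-peer | 503 |
dicom | business-systems | general-business | client-server | 491 |
mssql-db-base | business-systems | database | client-server | 332 |
"""


def parse_report(text):
    """Yield (app, category, subcategory, technology, bytes) for each data row.
    Byte counts may be exported with thousands separators written as spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    if header[0] != "Application":
        raise ValueError("unexpected header: %r" % header)
    for line in lines[1:]:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            raise ValueError("malformed row: %r" % line)
        app, cat, sub, tech, byts = cells
        yield app, cat, sub, tech, int(byts.replace(" ", ""))


def bytes_per_app(rows):
    """Merge rows naming the same application (the reports above list some
    applications twice) and return {app: total_bytes}, largest first."""
    totals = defaultdict(int)
    for app, _cat, _sub, _tech, b in rows:
        totals[app] += b
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def probe_candidates(totals, threshold=1024):
    """Applications whose entire volume on the port stays below the threshold:
    a real dicom or mssql session would move far more than a few hundred bytes,
    so these are most likely scanner packets that App-ID classified."""
    return [app for app, b in totals.items() if b < threshold]


if __name__ == "__main__":
    totals = bytes_per_app(parse_report(SAMPLE_REPORT))
    print(f"{len(totals)} distinct applications on the port")
    for app, b in totals.items():
        print(f"{app:16} {b:>15,}")
    print("probe candidates:", ", ".join(probe_candidates(totals)))
```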