Hello, I'm Professor World. Today we'll be discussing the different data sources for application connectivity discovery.

So in a previous lesson we talked about a situation where we're trying to discover business applications in the data center, and we're trying to do that from network traffic that we are recording. So our goal is to arrive at a high-level description of the application using its name and the flows that it relies on, and to do that we suggested attaching a sniffer to the network, recording all the traffic within the data center like this, and then having software analyze this captured data to produce the higher-level description of the applications that we're looking for. And one of the powerful mechanisms to achieve this is to use packet inspection: so the software would look inside the recorded packets and search for interesting pieces of information. So for instance, if you have an HTTP connection it's possible to see inside the packets the HTTP commands and the names of the scripts that are being called and the arguments being passed to them, and this information can be mined to identify, for instance, that the application is called "payroll". We can deduce that because the string "payroll" appears here in a few places, and we can deduce that these connections down here that are using SQL are connected to the flows of HTTP above, because we can see the same argument appear here and here. So having access to this information and using packet inspection provides us with levels of information that let us get this higher level of abstraction we're looking for.

Now, this approach has two challenges that we should bear in mind. The obvious one is volume: recording all the traffic in the data center is a tremendous amount of packets that need to be stored and need to be processed; it could be expensive, it could be prohibitive. The second thing is that this data potentially is becoming less and less useful because of the use of encryption. To use DPI, the software has to be able to look into the packets and understand what's there and recognize the various strings in the packets. If instead of HTTP the application were using HTTPS, all these payloads would have been encrypted and the DPI software would have nothing to look at and will be unable to deduce anything from the encrypted data. We're seeing encryption deployed also in database protocols and email and many other places, so encryption is on the rise and it's hiding these interesting pieces of information from the DPI software.

Given this, there is an interesting alternative to consider, and that is NetFlow. So NetFlow is actually a standardized protocol that produces information about traffic without emitting the whole traffic: it aggregates traffic and provides statistics and metadata. So in this example, these three packets over here have the same source and destination (maybe switched) and the same protocol, so they're all in the same TCP connection. NetFlow would emit a single record for all of them together saying there is a connection from this IP to that IP using HTTP, and it would suggest a counter counting how many packets were included in the flow, and maybe some timestamps etc., and will not emit the payloads, just the header information from the packets. So NetFlow is a much more condensed data source: it aggregates many packets into one record and it doesn't include all the payloads, it just includes the meta information, so it's much shorter, and so using NetFlow reduces the problem of volume. The other thing that NetFlow has, which is to our advantage, is that many pieces of network gear are able to emit NetFlow through a simple configuration change. It's part of routers and switches that you might have deployed in your network anyway, so you don't need to deploy another piece of equipment to gather this information.

Now, the information that NetFlow provides is a lot less than what you get from a packet capture, but if the packet capture is encrypted then you're not really losing any information through the use of NetFlow, and you are gaining the other benefits of reduced volume and using existing gear. So it's a very interesting alternative to consider if you have it available to you, something to bear in mind. Thank you for your attention.
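The NetFlow-style aggregation the lecture describes (many packets of one connection collapsed into a single header-only record with a packet counter and timestamps), and the kind of tier inference that still works on such metadata when payloads are encrypted, as an added Python example that is not part of the lecture. The packet headers, the idle-timeout value and the port-to-service labels are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed packet headers (no payload): ts, src, dst, proto, sport, dport, octets
PACKETS = [
    (1000.00, "10.0.1.5", "10.0.2.20", "TCP", 51234, 80, 320),    # HTTP request
    (1000.02, "10.0.2.20", "10.0.1.5", "TCP", 80, 51234, 1500),   # HTTP response
    (1000.05, "10.0.1.5", "10.0.2.20", "TCP", 51234, 80, 64),     # ACK, same connection
    (1000.10, "10.0.2.20", "10.0.3.7", "TCP", 40001, 1433, 410),  # app tier -> SQL
    (1000.12, "10.0.3.7", "10.0.2.20", "TCP", 1433, 40001, 980),  # SQL reply
]
SERVICE_PORTS = {80: "HTTP", 1433: "SQL"}  # assumed port-to-service labels

@dataclass
class FlowRecord:
    key: tuple          # (src, dst, proto, sport, dport): unidirectional, as NetFlow v5
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0

def aggregate_flows(packets, idle_timeout=15.0):
    """Collapse packets sharing a 5-tuple into one record: counters and timestamps,
    no payload. A gap over idle_timeout ends the record (NetFlow inactive timeout)."""
    active, exported = {}, []
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        rec = active.get(key)
        if rec is not None and ts - rec.last_seen > idle_timeout:
            exported.append(active.pop(key))
            rec = None
        if rec is None:
            rec = active[key] = FlowRecord(key, ts, ts)
        rec.packets += 1
        rec.octets += size
        rec.last_seen = ts
    exported.extend(active.values())
    return exported

def infer_roles(records, service_ports=SERVICE_PORTS):
    """Label hosts by the services they serve and use, from flow metadata alone
    (this still works when every payload is encrypted)."""
    roles = {}
    for rec in records:
        src, dst, _proto, _sport, dport = rec.key
        name = service_ports.get(dport)
        if name is None:
            continue  # reply direction or unknown port
        roles.setdefault(dst, set()).add("serves:" + name)
        roles.setdefault(src, set()).add("uses:" + name)
    return roles
```

Five packets become four records, and the host that serves HTTP while using SQL is identifiable without reading a single payload byte.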