Capturing the "DNA" of Traffic: An Analysis of Next-Generation Firewall Application Recognition Technology

Source: Internet
Author: User

Leibniz, the founder of calculus, once made a famous philosophical remark: "There are no two identical leaves in the world." Take humans as an example: although scientific research has long proved that among the more than 7 billion people in the world even twins are not identical, two people with the same birthday, name, appearance or even voice can be found everywhere. In the era of cloud computing and big data, massive volumes of information are encapsulated into packets that travel across the network at high speed. Port hopping and multiplexing are widely used, so packets are like letters packed in identical envelopes: by looking only at the delivery information on the envelope, you cannot accurately tell who sent the letter, where it was sent, or what it contains. For today's data networks, this is the source of a large number of threats.

Network traffic cannot be understood from the "five-tuple"

With the development of genetic technology, we can use DNA to identify individuals. For ever-changing network packets, we likewise need to find unique and constant characteristics in the traffic; this is the application recognition technology proposed by the industry.

As the new "gatekeeper" of the network boundary, the next-generation firewall is a device that makes full use of application recognition technology to build a security system based on the application layer. In the next-generation firewall concept defined by Gartner, the ability to identify applications and to enforce access control independent of port and protocol is the most basic requirement for a next-generation firewall. However, the industry's evaluation of application recognition capabilities has always lacked sound standards, and users have fallen into many misunderstandings.

Misunderstanding 1: Application recognition only recognizes applications

When speaking of today's network security, three core elements cannot be avoided: people, applications and content. The object of security management is the individual user, the premise of management is understanding the type of traffic, and the core goal of control is filtering the traffic content. Therefore, true application recognition technology is not only traditional application identification, but also identification of the sender of the traffic and filtering of the data content. Some experts even define people (users), applications and content as the new "triple" of today's network security.

The new "triple" of network security

Identifying the sender of the traffic requires that the traffic be tagged with a user. In the past, the main means was to identify the user by an ID and force the user to log on and authenticate before accessing the network. Although synchronizing and linking user ID and password information with a third-party authentication server has greatly reduced the management cost, the logon authentication process significantly degrades the user experience, and this has long troubled users who want both security and efficiency.

According to implementation experience from the front line, 60% of sites deployed the network with a user authentication policy; in the past six months the original settings were cancelled for reasons of experience and efficiency and replaced with traditional IP-address-based access control. From this we can see that if security and efficiency are not balanced, the fine-grained user- and role-based access control widely advocated by the industry is difficult to implement in practice. Unlike traditional user authentication, user identification automatically extracts user information from the traffic: users can be transparently authenticated based on ARP information and application login information carried in the packets. Even when the user performs no logon authentication, the traffic can still be accurately mapped to the user.

Compared with user identification, the technology for identifying traffic content is more difficult to implement, because many applications have their own specific encoding rules and a considerable number of applications transmit information encrypted. Therefore, traffic content recognition must be built on an in-depth understanding of the application, and it also requires full mastery of the encoding and encryption methods of certain special protocols.

Misunderstanding 2: Application recognition is only about matching numbers

Application recognition technology is not a patent of the next-generation firewall. It was defined by the industry several years ago; many vendors have been increasing their R&D investment in this field, and their products already have a certain application recognition capability. However, if application recognition capabilities are to be ranked as superior or inferior, several important criteria should be considered.

First, the breadth and depth of application recognition. Breadth refers to the number of applications that can be recognized, which is also the number every vendor has always emphasized. Depth is reflected in whether the sub-functions of platform-style software are precisely identified. Currently no evaluation standard for application recognition capability exists in the industry, and the way feature libraries are counted varies from vendor to vendor: some vendors count by application, others count each function of the software separately. Although numbers are the most intuitive quantitative standard, comparing numbers alone may mislead users because of these differences in counting.

Second, the response speed of application recognition. With applications growing explosively, if new applications and new versions cannot be responded to and updated in a timely manner, the applications go out of control. Some experts have pointed out that, beyond the high technical threshold, the harder part of application recognition technology is maintaining, under current technical conditions, a signature production system capable of fast and continuous updates; this requires long-term investment and accumulation.

Third, the "geographic" factor of application recognition. Because of differences in language and habits, application software is closely tied to the region. For example, users in Chinese-speaking regions visit Chinese web pages far more than English ones; the most popular instant messaging software in mainland China is QQ, while American users are more accustomed to MSN. Therefore, application recognition technology must fully master the users' usage habits; otherwise, even a device with powerful functions will end up "out of its element".

Fourth, the maturity of the application recognition technology itself. The technology has evolved over several generations. The earliest devices identified applications by IP address and port. After port multiplexing and port hopping emerged, a second generation based on flow features (DFI, deep flow inspection) was developed, identifying application traffic from characteristics such as packet length and connection duration, but its recognition rate was low. The third generation uses deep packet inspection (DPI) to unpack and examine the payload of the traffic; the recognition rate is greatly improved, but execution efficiency is low. Today an excellent application recognition engine must combine precise identification with high performance; this is the cornerstone that allows an application-layer device to deliver its full performance.
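To make the three generations concrete, here is an added example (not code from the article or from any vendor) that runs port-based, flow-feature (DFI) and payload-signature (DPI) identification over two constructed flow records; the signatures, thresholds and sample flows are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    pkt_lens: list       # per-packet payload lengths (constructed)
    duration_s: float    # connection duration in seconds (constructed)
    payload: bytes       # first bytes of the client payload (constructed)

def classify_by_port(f: Flow) -> str:
    """Generation 1: trust the destination port (defeated by port hopping)."""
    return {80: "http", 443: "https", 22: "ssh"}.get(f.dst_port, "unknown")

def classify_by_flow_features(f: Flow) -> str:
    """Generation 2 (DFI): infer from packet sizes and timing; cheap but coarse."""
    avg = sum(f.pkt_lens) / len(f.pkt_lens)
    if avg > 1000 and f.duration_s > 30:
        return "bulk-transfer"
    if avg < 200 and len(f.pkt_lens) > 10:
        return "interactive"
    return "unknown"

# Constructed DPI signatures (assumed, not a real feature library).
SIGNATURES = [
    (b"GET ", "http"), (b"POST ", "http"),
    (b"SSH-2.0", "ssh"), (b"\x16\x03", "tls"),
]

def classify_by_dpi(f: Flow) -> str:
    """Generation 3 (DPI): match payload bytes; precise, but costs CPU per packet."""
    for sig, app in SIGNATURES:
        if f.payload.startswith(sig):
            return app
    return "unknown"

# Constructed samples: SSH carried on TCP/443, and HTTP on a non-standard port.
SSH_ON_443 = Flow(443, [48, 64, 52, 40, 60, 48, 52, 44, 56, 48, 52], 120.0,
                  b"SSH-2.0-OpenSSH_9.6\r\n")
HTTP_ON_8080 = Flow(8080, [1400, 1400, 1400, 900], 2.0,
                    b"GET /index.html HTTP/1.1\r\n")
```

The port-based classifier mislabels the first flow as HTTPS, DFI sees only "interactive" traffic, and only DPI names the application; the second flow shows DFI failing outright where DPI still succeeds.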

Network application-layer expert: Wangkang Technology

As a well-known Chinese vendor of application-layer security, management and optimization, Wangkang Technology takes people, applications and content as the technical philosophy of its product planning and has focused on research into network application-layer technology for nine years.

Wangkang's next-generation firewall provides advanced application recognition capabilities. Backed by Wangkang's largest application recognition database in China, the world's largest Chinese web classification database, and more than 30 user identification and authentication technologies, it fully implements transparent user authentication, extensive application control and data leakage protection, striking a balance between security and efficiency.

Behind the leading numbers lie Wangkang Technology's deep insight and long-term accumulation in application recognition technology, in particular Wangkang's proprietary XAI technology, which integrates the advantages of the various application recognition techniques to ensure fast and accurate identification of a massive number of applications. Relying on leading technology and a professional application analysis laboratory, Wangkang's application feature library maintains an extremely high update rate and adds support for about 100 new applications each month.

Advanced Application Recognition Technology

Once a next-generation firewall can recognize people, applications and content, its access control capability expands from the original five-tuple to an eight-tuple: it controls the admission and forwarding of a packet, and filters data, based on user, source IP, destination IP, source port, destination port, protocol (port), application type and data content. At the same time, defence against increasingly common application-layer threats must also be built on application recognition; if the application is not identified, defence against application-layer threats cannot even be discussed. Of course, the next-generation firewall must also have active defence capability against unknown threats, which in practice applies the idea of big data to analyze and mine network information; in the data collection and behaviour control stages, application recognition technology is again needed as the foundation.
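The eight-tuple policy described above, as an added example that is not the article's or the vendor's code: a rule is a set of optional constraints over all eight fields, the user is supplied by a constructed IP-to-user map standing in for transparent user identification, and the constructed policy shows a content rule (data-leakage protection) and an application rule that a five-tuple firewall could not express.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed IP->user map standing in for transparent user identification.
IP_TO_USER = {"10.0.1.5": "alice", "10.0.1.9": "admin-bob"}

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str
    app: str          # label produced by application recognition
    payload: bytes    # inspected content (constructed)

@dataclass
class Rule:
    action: str       # "allow" or "deny"; None fields are wildcards
    user: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    app: Optional[str] = None
    content: Optional[bytes] = None

def matches(rule: Rule, flow: Flow, user: str) -> bool:
    """All eight fields must match; a None field matches anything."""
    return all([
        rule.user is None or rule.user == user,
        rule.src_net is None or ip_address(flow.src_ip) in ip_network(rule.src_net),
        rule.dst_net is None or ip_address(flow.dst_ip) in ip_network(rule.dst_net),
        rule.src_port is None or rule.src_port == flow.src_port,
        rule.dst_port is None or rule.dst_port == flow.dst_port,
        rule.proto is None or rule.proto == flow.proto,
        rule.app is None or rule.app == flow.app,
        rule.content is None or rule.content in flow.payload,
    ])

POLICY = [  # constructed policy; first match wins, default deny
    Rule("deny", content=b"CONFIDENTIAL"),                 # data-leakage protection
    Rule("allow", user="admin-bob", app="ssh"),             # only admins may use SSH
    Rule("allow", src_net="10.0.1.0/24", proto="tcp", dst_port=443, app="tls"),
    Rule("allow", src_net="10.0.1.0/24", proto="tcp", dst_port=80, app="http"),
]

def decide(flow: Flow) -> str:
    """Map the source IP to a user, then evaluate the policy in order."""
    user = IP_TO_USER.get(flow.src_ip, "unknown")
    for rule in POLICY:
        if matches(rule, flow, user):
            return rule.action
    return "deny"
```

SSH tunnelled over TCP/443 from an ordinary user is denied even though the port looks like HTTPS, the same traffic from the admin user is allowed, and an HTTP upload containing the marked string is blocked by the content rule.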

From this we can see that application recognition technology is the core element of next-generation firewall products and is entirely dictated by current security requirements. Only a next-generation firewall with excellent application recognition capability can build a more secure network boundary for users from this new vantage point.
