Application Recognition via Deep Packet Inspection
Content-Based Application Recognition (CBAR) is a new LANGuardian feature that takes traffic-based application recognition to a new level. With support for hundreds of the most common applications and protocols, and a unique deep packet inspection algorithm, CBAR delivers greater accuracy and fewer false positives than other approaches to application recognition.
Application recognition is the art and science of identifying the applications that are in use on a network and understanding the impact of each application in terms of bandwidth usage, user behavior, security, and compliance.
CBAR enables LANGuardian to generate consolidated reports that show bandwidth and usage patterns from an application perspective. These reports are more concise and less fragmented than reports that list each protocol and port separately.
Application recognition has become vitally important for several reasons:
- The growth in cloud computing and proliferation of OTT content has led to a huge increase in the number of applications that communicate over Layer 7 (HTTP). Effective monitoring of network activity requires looking deeper into Layer 7 traffic so that individual applications can be identified. The level of detail provided by NetFlow – source address, destination address, and port number – is no longer enough.
- System administrators and network engineers are increasingly turning to random, non-standard, and dynamic ports to counteract threats that assume applications and protocols use standard port assignments. Monitoring tools that rely solely on port numbers typically report traffic on non-standard ports as “unknown.”
- Many applications use more than one port. For example, web applications use port 80 for non-encrypted HTTP traffic and port 443 for encrypted HTTPS traffic.
- Application developers do not always adhere to standard port assignments, and in some cases deliberately evade conventional security by using techniques such as port-hopping, SSL encryption, and tunneling within commonly authorized protocols. Cyber attackers attempting to infiltrate networks often use similar techniques.
LANGuardian content-based application recognition (CBAR) is an all-new approach to application recognition that combines a unique DPI algorithm with detailed understanding of the underlying protocols. Unlike other traffic monitoring technologies such as NetFlow, which analyzes packet headers only, LANGuardian CBAR analyzes entire traffic packets and inspects their content.
By inspecting the packet content in addition to the header, LANGuardian CBAR can see past the port and address information to identify the application that generated the packet. This enables LANGuardian CBAR to provide reports that present information from an application perspective – regardless of the ports involved. These reports are more concise and accurate than reports based on parameters such as source address, destination address, port, or protocol. As with all LANGuardian reports, you can drill down from high-level consolidated data to extremely detailed information.
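An added illustration of the contrast drawn above, not LANGuardian's CBAR algorithm or NetFort code: a port lookup and a payload-signature check are run over the same constructed flows, with bytes consolidated per application. The signatures, function names, and sample flows are assumptions chosen for this example.

```python
from collections import Counter

# Port-only view: all a header-based tool can infer (well-known ports only).
PORT_MAP = {80: "HTTP", 443: "TLS", 22: "SSH", 3389: "RDP"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_by_port(dst_port):
    return PORT_MAP.get(dst_port, "unknown")

def classify_by_content(payload):
    """Identify the protocol from the first bytes of a flow, ignoring ports."""
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    if payload.startswith(b"SSH-"):  # SSH identification banner
        return "SSH"
    # TLS record: type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    # TPKT header (RFC 1006): version 3, reserved 0; X.224 Connection Request code 0xE0
    if len(payload) >= 6 and payload[:2] == b"\x03\x00" and payload[5] == 0xE0:
        return "RDP" if b"Cookie: mstshash=" in payload else "ISO transport (RFC 1006)"
    return "unknown"

# Constructed sample flows: (destination port, bytes transferred, first payload bytes)
FLOWS = [
    (80, 1200, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (8081, 5000, b"POST /api/upload HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (2222, 300, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (8443, 700, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"),
    (443, 400, b"SSH-2.0-OpenSSH_9.6\r\n"),  # standard port, non-standard use
    (33890, 900, b"\x03\x00\x00\x2b\x26\xe0\x00\x00\x00\x00\x00Cookie: mstshash=user\r\n"),
]

def report(flows, by_content):
    """Consolidate bytes per application using either classifier."""
    totals = Counter()
    for dst_port, nbytes, payload in flows:
        app = classify_by_content(payload) if by_content else classify_by_port(dst_port)
        totals[app] += nbytes
    return dict(totals)

if __name__ == "__main__":
    print("port-based:   ", report(FLOWS, by_content=False))
    print("content-based:", report(FLOWS, by_content=True))
```

The port-based report leaves most bytes as "unknown" and counts the SSH session on port 443 as TLS, while the content-based report attributes every flow to its application.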
LANGuardian CBAR delivers unprecedented accuracy of recognition, with close to zero false positives for supported protocols. It is adaptive and tunes itself to match the port configurations on your network so that recognition performance improves over time.
The new application recognition engine integrates seamlessly with the LANGuardian architecture. All information is gathered from traffic data flowing through the core switch, stored in the LANGuardian database, and accessed via standard and custom reports. There are no clients or agents to install on your network devices, and there is no impact on network performance or throughput.
- Vendor-agnostic solution – works with any switch that supports port mirroring.
- Uses deep-packet inspection to analyze packet content as well as packet headers – the foundation for more detailed and accurate reporting than NetFlow-based monitoring tools can provide.
- Eliminates reliance on source address, destination address, and port number to identify the application associated with network traffic.
- Enables network engineers and system administrators to identify applications that use random port numbers or that use standard port numbers for non-standard purposes.
- Generates consolidated reports that show network activity on a per-application or per-protocol basis, with drilldown to more detailed information.
LANGuardian CBAR recognizes over 1,300 applications and protocols. A summary is shown below.
Layer 7 applications
- Google Drive
- Office 365
- SharePoint Online
- Lookout Portable Security
- Microsoft SMS/SCCM
- NFS MAPSVR
- Maze War game
- Microsoft SQL Server
- RFC 1006 ISO Transport Services
- SQL-Retriever ODBC
- Oracle Rdb
- Remote Desktop Protocol
- Remote Windows Sockets
- Siemens SRS