As the first anniversary of its open source application-layer traffic-detection tool approaches, Cisco says the new twist on Sourcefire's hallmark Snort technology can help enterprises better understand and control application network traffic.
OpenAppID, which debuted at RSA Conference 2014, is a free plug-in for the Snort open source intrusion detection system, offering a traffic-detection engine for application-layer data. By installing OpenAppID and utilizing its detection language, enterprises can use Snort to discover, audit, control or block application usage.
Jason Brvenik, principal engineer with Cisco's security business group and a former longtime vice president with Sourcefire (acquired by Cisco in 2013), said the San Jose, Calif.-based networking giant has been pleased by OpenAppID's growth, noting that it has been downloaded more than 16,000 times in the past 12 months.
"We have an active community of about 3,000 people, and those are the people who are actively looking for updates or features or advice," Brvenik said. "One of the challenges of open source technology is that you get quick, direct feedback from the community if something goes wrong, but fortunately we're not getting inundated with things going wrong."
To the contrary, OpenAppID feeds off of the interest of its user community, as Cisco has based many enhancements and new features on community feedback. Cisco supports OpenAppID users with regular updates on its Snort blog, and the OpenAppID developers are active on the SourceForge OpenAppID mailing list.
While Brvenik admitted OpenAppID requires more work than many Snort users may be used to -- the installation process alone requires installing LuaJIT, then the latest version of Snort, and then the application-detector package -- he said the installation goes fairly quickly, and the extra effort needed to learn about OpenAppID customization and usage is worthwhile.
OpenAppID detectors more than double
As is true with most successful open source security tools, anyone can contribute, and one of the key areas where the community has contributed to OpenAppID is by increasing the number of application detectors.
Like signature files, detector files describe the fingerprint of application data from certain applications or application functions. When Snort detects application traffic that matches a detector, it can apply a variety of different control functions, from alerting and logging to even blocking certain traffic.
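To make the detector idea concrete, here is a small added example (not OpenAppID or Snort code, and not the Lua detector format Snort actually loads) that models what a detector does: each detector lists the byte patterns that fingerprint an application, an engine checks the start of each flow against every detector, and a separate policy maps the winning application to a Snort-style action. The detector names, patterns, port hints, policy table and sample flows are all constructed for illustration. It also shows one caveat a practitioner will meet: a detector pinned to a port misses the same protocol on a non-standard port, which is why pattern-based detectors are preferred over pure port hints.

```python
"""Toy application-layer detector engine (added illustration, not OpenAppID code).

Models the detector-file idea: a fingerprint is a set of byte patterns, a flow is
classified by the most specific detector whose patterns all match, and a policy
turns the classification into an action (log, alert or block).
"""
import re
from dataclasses import dataclass
from typing import Optional

INSPECT_BYTES = 512  # constructed limit: only the first bytes of a flow are examined


@dataclass(frozen=True)
class Detector:
    """A fingerprint: every regex must match inside the inspected head of the flow."""
    app: str
    patterns: tuple            # bytes regexes that must all match
    port: Optional[int] = None  # optional transport-port hint; None means any port


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes


# Constructed detector set. A more specific detector simply carries more patterns.
DETECTORS = (
    Detector("http", (rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r\n",)),
    Detector("example-chat", (rb"^(GET|POST) \S+ HTTP/1\.[01]\r\n",
                              rb"\r\nHost: chat\.example\.internal\r\n")),
    Detector("ssh", (rb"^SSH-2\.0-",), port=22),          # port-pinned on purpose
    Detector("tls-client-hello", (rb"^\x16\x03[\x01-\x03]..\x01",)),
)


def classify(flow: Flow) -> str:
    """Return the app name of the most specific matching detector, or 'unknown'."""
    head = flow.payload[:INSPECT_BYTES]
    best = None
    for det in DETECTORS:
        if det.port is not None and det.port != flow.dst_port:
            continue  # port hint does not match: this detector is skipped
        if all(re.search(p, head, re.DOTALL) for p in det.patterns):
            if best is None or len(det.patterns) > len(best.patterns):
                best = det
    return best.app if best else "unknown"


# Constructed policy: action per application; anything else is only logged.
POLICY = {"example-chat": "block", "ssh": "alert"}
DEFAULT_ACTION = "log"


def apply_policy(flow: Flow, policy=POLICY):
    """Classify a flow and look up the action the policy assigns to that app."""
    app = classify(flow)
    return app, policy.get(app, DEFAULT_ACTION)


# Constructed sample flows standing in for captured traffic.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Flow(8080, b"POST /api/send HTTP/1.1\r\nHost: chat.example.internal\r\n"
               b"Content-Length: 0\r\n\r\n"),
    Flow(22, b"SSH-2.0-OpenSSH_9.0\r\n"),
    Flow(2222, b"SSH-2.0-OpenSSH_9.0\r\n"),   # same banner, non-standard port
    Flow(443, b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03"),
]


def audit(flows=SAMPLE_FLOWS):
    """Survey flows the way a visibility deployment would: (port, app, action) per flow."""
    return [(f.dst_port, *apply_policy(f)) for f in flows]


if __name__ == "__main__":
    for port, app, action in audit():
        print(f"port={port:<5} app={app:<17} action={action}")
```

Running the block prints one line per sample flow; the SSH banner on port 2222 comes back as `unknown` because that detector is pinned to port 22, which is the trade-off between a cheap port hint and a slower but port-independent pattern match.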
Brvenik said that, in large part thanks to community contributions, the ecosystem of OpenAppID detectors has swelled from 1,000 a year ago to more than 2,600 today.
"That's better than I would have expected just a year out," Brvenik said. "As it becomes part of [what people expect out of] mainline Snort, we'll see even more attention being paid to new detectors."
Enabling better application visibility
As Cisco touted during the OpenAppID launch last year, it's the first time an enterprise has been able to put application monitoring or control functionality in place without purchasing an application firewall or next-generation firewall (NGFW).
Brvenik said after 12 months of community use, Cisco has seen some usage of OpenAppID for application firewall functions like inline blocking of select application traffic, but for the most part, enterprises are using it to survey application-layer traffic as part of a broader effort to make informed decisions about how to treat various types of application activity.
"In the visibility realm, with threats and attacks, we know with some certainty what's a threat and what can be stopped," Brvenik said. "With applications and users, it's often a very gray area in terms of whether an activity should be allowed, or even if it's disallowed by policy, whether it's something the organization really wishes to block."
That's why Cisco believes OpenAppID may ultimately prove most valuable by helping enterprises improve their visibility into application traffic inside the network. Brvenik said that although the majority of large organizations have had application firewalls or NGFWs with inline application traffic filtering enabled for a long time, many don't understand which applications are used internally.
"We see application firewalls at the edge of the network for controlling access to things like Facebook, but we don't see a lot of organizations measuring application usage and managing application policy inside an environment," Brvenik said. "Custom application detection, for example, is a weakness in many commercial offerings, but with OpenAppID, users can write their own detectors to identify that traffic."
Going forward, Brvenik said he sees OpenAppID as an important supporting component of the vendor's commercial application traffic visibility and security products, ultimately helping enterprises to learn when and how to implement granular application control on their own, without relying on vendor expertise. He's optimistic enterprises will eventually be able to feed OpenAppID rules and other data into a variety of commercial security products to support better defense in depth.
"Finding a commercial product that doesn't support Snort rules is hard these days, and hopefully something similar will happen with OpenAppID as time goes on," Brvenik said. "We want this to become a key element in enterprises' defensive postures all around, and as it does, it'll become something attackers will have to contend with. In the end it's always about getting in the way of attackers and making them have to change the way they do business."