Snort OpenAppID introduction: Open source application control

The OpenAppID engine for Snort promises to enable organizations to create an open source application firewall. Kevin Beaver explores how it works.

How is your enterprise network's Layer 7 protection looking these days? Odds are application control is the elusive final frontier that few organizations have explored beyond the decades-old technologies found in traditional content-filtering systems and firewalls.

However, at this year's RSA Conference, Cisco Systems Inc. announced an engine for its open source Snort intrusion detection system that might prove to be an effective tool for application-layer security. It's called OpenAppID.

In this tip, we'll introduce OpenAppID, review its features and determine the use cases in which it may make sense for enterprises.

OpenAppID: How does it work?

According to Cisco, OpenAppID effectively enables a business to create its own application firewall. With a set of application identifiers -- essentially signatures for identifying traffic from specific applications -- network and security admins can create, share and implement custom application detection rules within Snort systems. OpenAppID can be used to alert, block, perform contextual analysis and report what's truly happening with application usage on the network.

These robust features put the admin in the driver's seat for responding to existing and emerging threats by identifying rogue applications and malicious usage. Additionally, it removes the dependence on Layer 7 security vendors. Until now, enterprises needing the ability to detect and potentially block application-layer traffic have had no choice but to purchase a commercial product. With OpenAppID, enterprises can now use Snort -- a tool many security pros are quite familiar with -- as the basis to essentially build a customized, open source application firewall that alerts or blocks application traffic based on the organization's needs.

OpenAppID currently supports more than 1,500 applications. Admins can write their own application detectors as well.
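To make the idea of "application identifiers" concrete, the following is an added illustration written for this page, not OpenAppID's own code: OpenAppID detectors are Lua scripts loaded by Snort, whereas this is a small Python model of the same concept. Each detector pairs an application name with the patterns that reveal it (a Host header or TLS SNI, a User-Agent, or the first bytes of client data), identification is independent of the destination port, and a policy table maps the identified app to alert, block or allow. All flow records, application names, patterns and the "acme-erp" in-house detector are constructed sample data.

```python
"""Toy model of signature-based application identification with an
alert/block policy.  Added example for this page; it is NOT OpenAppID code
and does not use OpenAppID's Lua detector API.  Every flow, app name and
pattern below is constructed sample data."""
import re
from dataclasses import dataclass, field


@dataclass
class Flow:
    """Metadata an L7-aware sensor might extract from one connection (constructed)."""
    src: str
    dst_port: int
    host: str = ""         # HTTP Host header or TLS SNI, if observed
    user_agent: str = ""   # HTTP User-Agent, if observed
    payload: bytes = b""   # first bytes of client data


@dataclass
class AppDetector:
    """An application identifier: the app name plus patterns that reveal it.
    Note that no port is part of the signature; the sensor classifies on
    content, which is what lets it catch an app on a nonstandard port."""
    name: str
    host_patterns: list = field(default_factory=list)      # regexes over host/SNI
    ua_patterns: list = field(default_factory=list)        # regexes over User-Agent
    payload_prefixes: list = field(default_factory=list)   # literal byte prefixes

    def matches(self, flow: Flow) -> bool:
        if any(re.search(p, flow.host, re.I) for p in self.host_patterns):
            return True
        if any(re.search(p, flow.user_agent, re.I) for p in self.ua_patterns):
            return True
        return any(flow.payload.startswith(pfx) for pfx in self.payload_prefixes)


# Constructed detector set; real OpenAppID ships many more, written in Lua.
DETECTORS = [
    AppDetector("facebook", host_patterns=[r"(^|\.)facebook\.com$", r"(^|\.)fbcdn\.net$"]),
    AppDetector("dropbox", host_patterns=[r"(^|\.)dropbox\.com$"], ua_patterns=[r"^Dropbox"]),
    AppDetector("ssh", payload_prefixes=[b"SSH-2.0-"]),
    AppDetector("bittorrent", payload_prefixes=[b"\x13BitTorrent protocol"]),
    # An admin-written detector for a hypothetical in-house app (constructed).
    AppDetector("acme-erp", host_patterns=[r"^erp\.example\.internal$"]),
]

# Constructed policy: anything not listed is allowed without an alert.
POLICY = {"bittorrent": "block", "dropbox": "block", "facebook": "alert"}


def identify(flow: Flow, detectors=DETECTORS) -> str:
    """Return the name of the first matching detector, or 'unknown'."""
    for det in detectors:
        if det.matches(flow):
            return det.name
    return "unknown"


def apply_policy(flow: Flow, detectors=DETECTORS, policy=POLICY):
    """Classify the flow and look up the action the policy assigns to that app."""
    app = identify(flow, detectors)
    return app, policy.get(app, "allow")


# Constructed sample traffic: note the SSH session on 443, which a port-based
# rule would call HTTPS.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, host="www.facebook.com"),
    Flow("10.0.0.6", 443, payload=b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", 6881, payload=b"\x13BitTorrent protocol\x00\x00"),
    Flow("10.0.0.8", 443, host="client.dropbox.com"),
    Flow("10.0.0.9", 8443, host="erp.example.internal"),
    Flow("10.0.0.10", 8080, host="intranet.example.internal"),
]


def run_sample(flows=SAMPLE_FLOWS):
    """Return (src, app, action) for each flow; the reporting side of the model."""
    return [(f.src,) + apply_policy(f) for f in flows]


if __name__ == "__main__":
    for src, app, action in run_sample():
        print(f"{src:<12} {app:<12} {action}")
```

The design point worth noticing is that the policy is keyed on the application name, not on a port or an IP: a single "dropbox: block" line covers every host and User-Agent pattern in that detector, and adding an in-house app means adding one detector rather than touching the policy.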

You can download the latest development release of OpenAppID here.

[Figure: A sampling of the numerous apps supported by OpenAppID.]

OpenAppID: Can it work for you?

One thing I've learned about open source is that you usually get what you pay for. Snort is a proven tool and OpenAppID seems to be a beneficial feature, so this freebie could have some substance. But that doesn't mean it's automatically going to work as well as commercial alternatives (e.g., next-generation firewalls). As good as Snort is and as good as OpenAppID sounds, it's still new, so be prepared for the bumps in the road that are inevitable for any new software, as well as new features and changes in the coming months.

I learned a lot about Sourcefire's application-aware offerings while working on this book. It's a worthy set of technologies that can benefit complex enterprise networks. However, I don't believe Cisco is looking to cannibalize its commercial line with open source products such as Snort and OpenAppID. Hopefully the company will build out both so enterprises can choose which path to go down.

But with that said, should an enterprise experiment with OpenAppID to gain better control of network security at Layer 7? Here are some things to consider before jumping on the OpenAppID bandwagon:

  1. First and foremost, ask: What is your enterprise security program trying to accomplish? What are its current business risks? Surprisingly, many organizations don't know the answers to these questions. The last thing you need to do is implement a new technology to fix a new problem associated with a risk you don't yet know about that may or may not be a big deal in your enterprise environment.
  2. What existing security controls does your company have in place that may already provide the capabilities of OpenAppID (e.g., next-generation firewalls, content filtering, endpoint protection)? How is OpenAppID different? Better?
  3. Does your organization have the in-house expertise to implement and oversee such a tool? With OpenAppID, you're in control; are you up for the challenge? Even if you are from a technical perspective, what about time? Whenever an enterprise takes on a new network security function, it has to give something else up or it'll wind up not doing anything effectively. What are you willing to give up in order to create more time for OpenAppID and network application protection?

If none of these questions raise concerns, then chances are OpenAppID is a good fit for the business. Try it out in a test environment, or at least in a subset of your production network that won't be adversely affected, until you get it configured properly. There's nothing like selling management on a proof-of-concept that ends up creating more problems than it solves.

When it comes to Layer 7 security, criminal hackers are highly innovative with application and malware-related attacks. Though enterprises might be a few steps behind, there's no reason they can't be on the same playing field. Just as most street fights end up on the ground, most network security challenges end up at Layer 7; that's where enterprise security teams need to focus. The free network application controls offered by OpenAppID just might provide the level of protection and visibility you need in order to advance your network security to the next level.

About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking For Dummies, The Practical Guide to HIPAA Privacy and Security Compliance and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter @kevinbeaver.

This was last published in May 2014