С 1998 года я администрирую межсетевые экраны: 9 лет это было оборудование Cisco и Check Point. Потом делился опытом и преподавал курсы по межсетевым экранам в Информзащите, и уже 6 лет обучаю людей и настраиваю Palo Alto Networks NGFW. И считаю, что я еще не все знаю в этом оборудовании.
Много чего в жизни случается у сетевых администраторов: и то, что админы серверов просят открыть порт для одного сервиса, а запускают другой. И были баги в протоколах маршрутизации, которые надо было как-то прикрыть. И было то, что ты блокируешь доступ нерадивым сотрудникам, а они обходят твою защиту. В общем я из тех, кто уже наелся портовыми правилами и правилами по IP адресам.
"Межсетевой экран нового поколения и управление трафиком по имени приложения - это маркетинг", такая замечательная тема обсуждалась недавно в одном из чатов. Любое мнение и любой взгляд на вещи имеет право на существование. Сторонники этого взгляда меня иногда упрекают, что я слишком увлечен идеей межсетевых экранов нового поколения, рассказываю про APP-ID и USER-ID, что я совершенно забылся, что L4 firewall существует до сих пор во многих компаниях и этим инструментом тоже можно пользоваться и управлять трафиком.
Чтобы не спорить, просто приведу список приложений, которые ходят по 443 и 80 порту. Глядя в этот список, я лично не знаю, как можно написать правила для этих приложений, имея в руках только один критерий: порт протокола TCP/IP. А вы знаете? Расскажите пожалуйста в комментариях.
Список приложений реальной компании, которые идут по 443 порту TCP.
Всего 173 разных приложения. Отсортировано по категории.
| Application | Category | Sub Category | Technology | Bytes |
| ms-update | business-systems | software-update | client-server | 15178826 |
| java-update | business-systems | software-update | client-server | 69786 |
| ms-product-activation | business-systems | software-update | client-server | 15814 |
| ms-teams | business-systems | office-programs | client-server | 179890952 |
| evernote-base | business-systems | office-programs | client-server | 29642 |
| ms-spynet | business-systems | management | client-server | 1323558 |
| github-base | business-systems | management | client-server | 474160 |
| gist | business-systems | management | client-server | 54795 |
| paloalto-shared-services | business-systems | management | client-server | 5964 |
| adobe-creative-cloud-base | business-systems | general-business | client-server | 11182668 |
| square | business-systems | general-business | client-server | 23594 |
| metatrader | business-systems | general-business | client-server | 21518 |
| soap | business-systems | general-business | client-server | 16454 |
| appdynamics | business-systems | erp-crm | client-server | 641447 |
| google-update | business-systems | software-update | browser-based | 454858 |
| pubnub | business-systems | software-development | browser-based | 132118889 |
| google-docs-base | business-systems | office-programs | browser-based | 606681227 |
| ms-powerbi | business-systems | office-programs | browser-based | 137709225 |
| ms-office365-base | business-systems | office-programs | browser-based | 67550144 |
| google-docs-base | business-systems | office-programs | browser-based | 4024720 |
| ms-delve | business-systems | office-programs | browser-based | 1270796 |
| mailchimp | business-systems | marketing | browser-based | 23159201 |
| oracle-eloqua | business-systems | marketing | browser-based | 128619 |
| mailchimp | business-systems | marketing | browser-based | 10296 |
| oracle-eloqua | business-systems | marketing | browser-based | 8806 |
| trello-base | business-systems | management | browser-based | 659385982 |
| new-relic | business-systems | management | browser-based | 32133686 |
| datadog | business-systems | management | browser-based | 99077 |
| new-relic | business-systems | management | browser-based | 62056 |
| wrike | business-systems | management | browser-based | 44477 |
| recurly | business-systems | management | browser-based | 30095 |
| bitbucket-base | business-systems | management | browser-based | 10113 |
| windows-azure-base | business-systems | general-business | browser-based | 528937530 |
| paloalto-wildfire-cloud | business-systems | general-business | browser-based | 169078231 |
| zendesk-base | business-systems | general-business | browser-based | 3736073 |
| arcgis | business-systems | general-business | browser-based | 3375511 |
| taobao | business-systems | general-business | browser-based | 2840714 |
| recruitee | business-systems | general-business | browser-based | 2275184 |
| apple-vpp | business-systems | general-business | browser-based | 136394 |
| dynatrace-app-monitoring | business-systems | general-business | browser-based | 31102 |
| windows-azure-base | business-systems | general-business | browser-based | 24050 |
| taobao | business-systems | general-business | browser-based | 11265 |
| bitrix24 | business-systems | erp-crm | browser-based | 2144933 |
| salesforce-base | business-systems | erp-crm | browser-based | 44137 |
| skype | collaboration | voip-video | peer-to-peer | 51908422 |
| viber-base | collaboration | voip-video | client-server | 147812985 |
| discord | collaboration | voip-video | client-server | 29336519 |
| viber-downloading | collaboration | voip-video | client-server | 2931096 |
| alipay | collaboration | social-business | client-server | 1092532 |
| zoom-base | collaboration | internet-conferencing | client-server | 845247238 |
| webex-base | collaboration | internet-conferencing | client-server | 113852433 |
| webex-base | collaboration | internet-conferencing | client-server | 185029 |
| whatsapp-base | collaboration | instant-messaging | client-server | 84367427 |
| snapchat | collaboration | instant-messaging | client-server | 1350572 |
| telegram | collaboration | instant-messaging | client-server | 20766 |
| disqus | collaboration | web-posting | browser-based | 1211829 |
| pastebin-base | collaboration | web-posting | browser-based | 35121 |
| google-hangouts-base | collaboration | voip-video | browser-based | 1518895904 |
| mail.ru-base | collaboration | social-networking | browser-based | 2325309717 |
| facebook-base | collaboration | social-networking | browser-based | 895739760 |
| mail.ru-base | collaboration | social-networking | browser-based | 209706858 |
| vkontakte-base | collaboration | social-networking | browser-based | 131769144 |
| twitter-base | collaboration | social-networking | browser-based | 107072500 |
| pinterest-base | collaboration | social-networking | browser-based | 18129636 |
| facebook-base | collaboration | social-networking | browser-based | 1151868 |
| vkontakte-base | collaboration | social-networking | browser-based | 1126002 |
| linkedin-base | collaboration | social-networking | browser-based | 517648 |
| quora-base | collaboration | social-networking | browser-based | 429627 |
| odnoklassniki-base | collaboration | social-networking | browser-based | 324121 |
| google-plus-base | collaboration | social-networking | browser-based | 227731 |
| odnoklassniki-base | collaboration | social-networking | browser-based | 144567 |
| twitter-base | collaboration | social-networking | browser-based | 140914 |
| reddit-base | collaboration | social-networking | browser-based | 113681 |
| tumblr-base | collaboration | social-networking | browser-based | 78509 |
| meetup-base | collaboration | social-networking | browser-based | 57025 |
| foursquare | collaboration | social-networking | browser-based | 24716 |
| linkedin-base | collaboration | social-networking | browser-based | 23049 |
| pinterest-base | collaboration | social-networking | browser-based | 9858 |
| sharepoint-online | collaboration | social-business | browser-based | 74999233 |
| myownconference | collaboration | internet-conferencing | browser-based | 2415474509 |
| google-meet | collaboration | internet-conferencing | browser-based | 2811776 |
| whatsapp-web | collaboration | instant-messaging | browser-based | 452452447 |
| facebook-chat | collaboration | instant-messaging | browser-based | 9572224 |
| slack-base | collaboration | instant-messaging | browser-based | 1649864 |
| whatsapp-web | collaboration | instant-messaging | browser-based | 281318 |
| boldchat-logmein | collaboration | instant-messaging | browser-based | 158277 |
| mail.ru-mail | collaboration | browser-based | 1334267485 | |
| gmail-base | collaboration | browser-based | 277832908 | |
| outlook-web-online | collaboration | browser-based | 169940528 | |
| hotmail | collaboration | browser-based | 65997147 | |
| mail.ru-mail | collaboration | browser-based | 46064290 | |
| gmail-base | collaboration | browser-based | 1980879 | |
| outlook-web | collaboration | browser-based | 8608 | |
| firebase-cloud-messaging | general-internet | internet-utility | client-server | 205583856 |
| windows-push-notifications | general-internet | internet-utility | client-server | 116116300 |
| apple-maps | general-internet | internet-utility | client-server | 17704949 |
| ms-store | general-internet | internet-utility | client-server | 5773005 |
| icloud-base | general-internet | internet-utility | client-server | 133246 |
| apple-push-notifications | general-internet | internet-utility | client-server | 25908 |
| rss | general-internet | internet-utility | client-server | 18701 |
| yandex-disk | general-internet | file-sharing | client-server | 12179106383 |
| whatsapp-file-transfer | general-internet | file-sharing | client-server | 2111020699 |
| syncplicity-base | general-internet | file-sharing | client-server | 1717261628 |
| dropbox-base | general-internet | file-sharing | client-server | 31050952 |
| syncplicity-base | general-internet | file-sharing | client-server | 18435998 |
| dropbox-base | general-internet | file-sharing | client-server | 2713020 |
| jumpshare-base | general-internet | file-sharing | client-server | 1691140 |
| ms-onedrive-base | general-internet | file-sharing | client-server | 1291962 |
| syncplicity-uploading | general-internet | file-sharing | client-server | 150800 |
| sourceforge-base | general-internet | file-sharing | client-server | 64523 |
| google-base | general-internet | internet-utility | browser-based | 13154647578 |
| web-browsing | general-internet | internet-utility | browser-based | 1711577674 |
| yandex-maps | general-internet | internet-utility | browser-based | 1386447360 |
| google-play | general-internet | internet-utility | browser-based | 352330892 |
| google-analytics | general-internet | internet-utility | browser-based | 321610138 |
| google-maps | general-internet | internet-utility | browser-based | 21722945 |
| yahoo-web-analytics | general-internet | internet-utility | browser-based | 18132317 |
| google-base | general-internet | internet-utility | browser-based | 18038698 |
| bing-maps | general-internet | internet-utility | browser-based | 2107633 |
| google-app-engine | general-internet | internet-utility | browser-based | 1222032 |
| yandex-maps | general-internet | internet-utility | browser-based | 1191654 |
| google-analytics | general-internet | internet-utility | browser-based | 817525 |
| websocket | general-internet | internet-utility | browser-based | 736767 |
| pushbullet | general-internet | internet-utility | browser-based | 165458 |
| web-browsing | general-internet | internet-utility | browser-based | 52523 |
| google-play | general-internet | internet-utility | browser-based | 43366 |
| yahoo-web-analytics | general-internet | internet-utility | browser-based | 40463 |
| acme-protocol | general-internet | internet-utility | browser-based | 35296 |
| google-cache | general-internet | internet-utility | browser-based | 33703 |
| speedtest | general-internet | internet-utility | browser-based | 24987 |
| wetransfer-downloading | general-internet | file-sharing | browser-based | 340164024 |
| wetransfer-base | general-internet | file-sharing | browser-based | 172208779 |
| google-drive-web | general-internet | file-sharing | browser-based | 127409055 |
| adobe-cloud | general-internet | file-sharing | browser-based | 10578110 |
| google-drive-web | general-internet | file-sharing | browser-based | 2172083 |
| firefox-send | general-internet | file-sharing | browser-based | 1046245 |
| google-cloud-storage-download | general-internet | file-sharing | browser-based | 24098 |
| google-cloud-storage-base | general-internet | file-sharing | browser-based | 19038 |
| boxnet-base | general-internet | file-sharing | browser-based | 18874 |
| wetransfer-base | general-internet | file-sharing | browser-based | 12097 |
| instagram-base | media | photo-video | client-server | 552858617 |
| rtcp | media | photo-video | client-server | 350228025 |
| cloudinary-base | media | photo-video | client-server | 88773251 |
| xbox-live | media | gaming | client-server | 10891014 |
| origin | media | gaming | client-server | 6972513 |
| steam | media | gaming | client-server | 2770429 |
| itunes-base | media | audio-streaming | client-server | 3020896 |
| soundcloud-base | media | audio-streaming | client-server | 1232273 |
| youtube-base | media | photo-video | browser-based | 36672755685 |
| facebook-video | media | photo-video | browser-based | 513998340 |
| youtube-uploading | media | photo-video | browser-based | 470462307 |
| vimeo-base | media | photo-video | browser-based | 14566308 |
| http-video | media | photo-video | browser-based | 8174640 |
| youtube-base | media | photo-video | browser-based | 2433691 |
| imgur-base | media | photo-video | browser-based | 1470841 |
| vimeo-base | media | photo-video | browser-based | 70472 |
| khan-academy | media | photo-video | browser-based | 17653 |
| ooyala | media | photo-video | browser-based | 12971 |
| poker-stars | media | gaming | browser-based | 148522 |
| http-audio | media | audio-streaming | browser-based | 371290 |
| cotp | networking | infrastructure | network-protocol | 5894 |
| t.120 | networking | infrastructure | network-protocol | 1533 |
| stun | networking | infrastructure | network-protocol | 1160 |
| anydesk | networking | remote-access | client-server | 105785591 |
| teamviewer-base | networking | remote-access | client-server | 45385 |
| ms-rdp | networking | remote-access | client-server | 8192 |
| snmp-base | networking | infrastructure | client-server | 1494 |
| tor | networking | encrypted-tunnel | client-server | 606950853 |
| panos-global-protect | networking | encrypted-tunnel | client-server | 402808794 |
| teamviewer-web | networking | remote-access | browser-based | 58077 |
| http-proxy | networking | proxy | browser-based | 10572 |
| quic | networking | infrastructure | browser-based | 35715114 |
| ssl | networking | encrypted-tunnel | browser-based | 422215882315 |
Представьте, что будет, если бизнес попросит вас что-то запретить, поскольку это не нужно для бизнеса, допустим приложение tor. Или, наоборот, разрешить teamviewer только администраторам. А как вы это сделаете без анализа трафика?
Список приложений реальной компании, которые идут по 80 порту TCP.
Всего 58 разных приложений.
| Application | App Category | App Sub Category | App Technology | Bytes |
| google-update | business-systems | software-update | browser-based | 39775304 |
| google-calendar-base | business-systems | office-programs | browser-based | 5543 |
| hubspot | business-systems | marketing | browser-based | 6657 |
| windows-azure-base | business-systems | general-business | browser-based | 35307 |
| bitrix24 | business-systems | erp-crm | browser-based | 102916201 |
| salesforce-base | business-systems | erp-crm | browser-based | 3231 |
| adobe-update | business-systems | software-update | client-server | 782760792 |
| ms-update | business-systems | software-update | client-server | 37306979 |
| ms-sms | business-systems | management | client-server | 440450451 |
| eset-remote-admin | business-systems | management | client-server | 49650280 |
| github-base | business-systems | management | client-server | 15115 |
| soap | business-systems | general-business | client-server | 86570957 |
| ldap | business-systems | auth-service | client-server | 1826 |
| mail.ru-base | collaboration | social-networking | browser-based | 1337406 |
| twitter-base | collaboration | social-networking | browser-based | 324831 |
| vkontakte-base | collaboration | social-networking | browser-based | 60566 |
| odnoklassniki-base | collaboration | social-networking | browser-based | 57030 |
| facebook-base | collaboration | social-networking | browser-based | 14346 |
| linkedin-base | collaboration | social-networking | browser-based | 1318 |
| sharepoint-base | collaboration | social-business | browser-based | 8536214 |
| confluence-base | collaboration | social-business | browser-based | 17603 |
| telegram | collaboration | instant-messaging | client-server | 37686 |
| web-browsing | general-internet | internet-utility | browser-based | 97595584642 |
| web-crawler | general-internet | internet-utility | browser-based | 21175241 |
| google-base | general-internet | internet-utility | browser-based | 20595418 |
| yandex-maps | general-internet | internet-utility | browser-based | 9699762 |
| google-maps | general-internet | internet-utility | browser-based | 4570121 |
| google-analytics | general-internet | internet-utility | browser-based | 3025564 |
| flash | general-internet | internet-utility | browser-based | 2619471 |
| websocket | general-internet | internet-utility | browser-based | 740807 |
| bing-maps | general-internet | internet-utility | browser-based | 518081 |
| silverlight | general-internet | internet-utility | browser-based | 241640 |
| google-translate-base | general-internet | internet-utility | browser-based | 4350 |
| google-cloud-storage-download | general-internet | file-sharing | browser-based | 96246048 |
| google-cloud-storage-base | general-internet | file-sharing | browser-based | 448350 |
| webdav | general-internet | file-sharing | browser-based | 10636 |
| rss | general-internet | internet-utility | client-server | 1408540 |
| google-earth | general-internet | internet-utility | client-server | 72542 |
| owncloud-base | general-internet | file-sharing | client-server | 28030450 |
| bittorrent | general-internet | file-sharing | peer-to-peer | 255311 |
| http-video | media | photo-video | browser-based | 1802022379 |
| youtube-base | media | photo-video | browser-based | 168954 |
| imgur-base | media | photo-video | browser-based | 9384 |
| http-audio | media | audio-streaming | browser-based | 164406630 |
| steam | media | gaming | client-server | 1206799 |
| origin | media | gaming | client-server | 40212 |
| xbox-live | media | gaming | client-server | 29807 |
| shoutcast | media | audio-streaming | client-server | 8838223 |
| http-proxy | networking | proxy | browser-based | 346789 |
| ssl | networking | encrypted-tunnel | browser-based | 13076750 |
| anydesk | networking | remote-access | client-server | 130897265 |
| ms-rdp | networking | remote-access | client-server | 21360 |
| teamviewer-base | networking | remote-access | client-server | 4220 |
| ocsp | networking | infrastructure | client-server | 31566328 |
| socks | networking | proxy | network-protocol | 4335 |
| cotp | networking | infrastructure | network-protocol | 5540 |
| t.120 | networking | infrastructure | network-protocol | 3418 |
| stun | networking | infrastructure | network-protocol | 2418 |
Как запретить bittorent портовым firewall?
Если у вас есть задача что-то из динамических приложений запретить или разрешить, то нужен критерий «приложение» в политике безопасности, потому что в поле «порт» написано «any».
Мне больше нечего сказать.
Можно купить L4 firewall и написать правило, разрешающее порт tcp/80, можно не покупать и не писать - влияние на безопасность будет одинаковое... только второе бесплатно. На роутерах есть такие же списки доступа.
Приложения давно изменились: они специально заточены, чтобы обходить межсетевые экраны L4 и работают над обходом L7.
Вы пробовали когда-нибудь заблокировать skype, telegram, tor, teamviewer?
Вы пробовали отловить админа, который вместо web приложения повесил на 80 порт сервис RDP, для работы из дома удаленно?
Приложения давно изменились: они специально заточены, чтобы обходить межсетевые экраны L4 и работают над обходом L7.
Вы пробовали когда-нибудь заблокировать skype, telegram, tor, teamviewer?
Вы пробовали отловить админа, который вместо web приложения повесил на 80 порт сервис RDP, для работы из дома удаленно?
PS:
Для разнообразия список приложений реальной компании, которые идут по 3389 порту
15 разных приложений рвалось на порт 3389.
| Application | App Category | App Sub Category | App Technology | Bytes |
| ms-rdp | networking | remote-access | client-server | 222 010 161 069 |
| cotp | networking | infrastructure | network-protocol | 6 344 743 |
| web-browsing | general-internet | internet-utility | browser-based | 5 993 |
| ssl | networking | encrypted-tunnel | browser-based | 5 553 |
| socks | networking | proxy | network-protocol | 867 |
| sip | collaboration | voip-video | peer-to-peer | 503 |
| dicom | business-systems | general-business | client-server | 491 |
| ms-ds-smb-base | business-systems | storage-backup | client-server | 448 |
| mssql-db-base | business-systems | database | client-server | 332 |
| corba | business-systems | general-business | client-server | 328 |
| rpc | networking | infrastructure | network-protocol | 324 |
| afp | business-systems | storage-backup | client-server | 298 |
| ms-sms | business-systems | management | client-server | 296 |
| rmi-iiop | business-systems | general-business | client-server | 287 |
Специально привел порт 3389, чтобы показать что там не только Microsoft RDP.
Вы видите, что часть приложений передало мало байт. Это трафик сетевых сканеров. То есть в компании открыт порт 3389 наружу, а сканер пытается тыкать в него пакетами разных приложений и это видит APP-ID.
По порту 3389 стандартно работает 8 различных приложений.
И список примеров можно продолжать бесконечно…
