{"id":2479,"date":"2012-05-31T14:32:34","date_gmt":"2012-05-31T21:32:34","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=2479"},"modified":"2012-06-04T09:06:58","modified_gmt":"2012-06-04T16:06:58","slug":"dealing-with-unknown-traffic-in-your-data-center","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2012\/05\/dealing-with-unknown-traffic-in-your-data-center\/","title":{"rendered":"Dealing with Unknown Traffic in Your Data Center"},"content":{"rendered":"<p>In <a title=\"First Data Center Summit Recap\" href=\"https:\/\/www.paloaltonetworks.com\/blog\/2012\/03\/data-center-summit-learnings-from-the-road\/\" target=\"_blank\">previous posts<\/a>, we have explored various <a title=\"Second Data Center Summit Recap\" href=\"https:\/\/www.paloaltonetworks.com\/blog\/2012\/05\/recap-from-the-data-center-summit\/#more-2454\" target=\"_blank\">data center security best practices<\/a> in protecting the data center, and of course Palo Alto Networks\u2019 fundamental approach starts off with application visibility. Applications in the data center can largely be divided into:<\/p>\n<ol>\n<li>Known data center applications \u2013 enterprise off-the-shelf, custom and home-grown.<\/li>\n<li>Management applications using RDP, Telnet, SSH to control the enterprise applications in (1).<\/li>\n<li>Rogue or misconfigured applications.<\/li>\n<\/ol>\n<p>The first set of applications should be allowed for authorized employees, the second set of applications should be enabled only for a select group of IT users, and the third set of applications should be remediated or dropped.<\/p>\n<p>We can achieve each of the objectives above with a combination of App-ID<sup>TM<\/sup> and User-ID<sup>TM<\/sup>. With our App-ID technologies, we not only identify enterprise applications but we can also create custom App-IDs for unique applications within the individual enterprise. 
But more importantly, any traffic that cannot be identified is categorized as unknown.<\/p>\n<p>Now, in a data center environment, should there be any unknown traffic? If you\u2019ve identified your applications (and I mean <em>all<\/em> of your applications), then there should not be any unknown traffic, right? Or at least the unknown is likely to fall in the bucket of threats or rogue applications.<\/p>\n<p>I subscribe to the notion that you can\u2019t control what you can\u2019t see. Therefore, visibility into all traffic is important in a data center with prolific application developers implementing applications on any port that is convenient. Application proliferation (and hence the threat vector within these applications) is becoming more of an issue with the easy instantiation of virtual machines and the ease with which applications can be deployed on them.<\/p>\n<p>How do you deal with unknown traffic in the data center? First, take a look at your unknown traffic category in your Application Command Center, or drill into the unknown application reports that we generate once a day. Based on the analysis, if you\u2019ve missed the identification of custom or home-grown applications, you can define a custom App-ID for that traffic. Be sure to restrict the custom App-ID traffic by source\/destination zone and IP address. For enterprise applications that we don\u2019t yet support, send a packet capture to Palo Alto Networks and we will create an application signature for you. Then, for whatever unknown traffic is left, observe the users, top source and destination addresses, and threats. You can also use detailed traffic and threat logs to drill into the specific communications between two hosts to determine if there is a threat associated with it. 
Unknown traffic with large session sizes over commonly open ports (like DNS) or strange, uncommon ports is something to watch out for.<\/p>\n<p>And, if you haven\u2019t deployed Palo Alto Networks firewalls, we\u2019ll provide you with a comprehensive Application Visibility Report (AVR) on the traffic within your data center when you complete an evaluation with us. The applications we identify in your data center could possibly be what you expect. On the other hand, there may be unknown traffic that would be a revelation. Take the Data Center <a href=\"http:\/\/connect.paloaltonetworks.com\/AVR\" target=\"_blank\">AVR challenge<\/a> and find out!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In previous posts, we have explored various data center security best practices in protecting the data center, and of course Palo Alto Networks\u2019 fundamental approach starts off with application visibility. Applications in the &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[75],"tags":[59,31,12,29],"coauthors":[771],"class_list":["post-2479","post","type-post","status-publish","format-standard","hentry","category-data-center-2","tag-app-id","tag-application-control","tag-data-center","tag-threat-prevention"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https
:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=2479"}],"version-history":[{"count":8,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2479\/revisions"}],"predecessor-version":[{"id":2486,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/2479\/revisions\/2486"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=2479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=2479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=2479"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=2479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}