How to Determine the Risk Level for an Application
Application Characteristics That Determine Risk
The Palo Alto Networks research team uses an application's behavioral characteristics to determine a risk rating of 1 through 5. The characteristics are an integral part of the application visibility that administrators can use to learn more about a new application they find on the network and, in turn, make a more informed decision about how to treat it. Note that many applications carry multiple behavioral characteristics.
Application Behavioral Characteristics
- Prone to misuse: used for nefarious purposes or is easily configured to expose more than intended.
Examples include SOCKS, as well as newer applications such as DropBoks, AppleJuice and NEOnet.
- Tunnels other applications: able to transport other applications.
Examples include SSH and SSL, as well as Hopster, TOR, RTSP and RTMPT.
- Has known vulnerabilities: the application has had known vulnerabilities.
- Transfers files: able to transfer files from one network to another.
Examples include FTP and TFTP, as well as webmail and online file-sharing applications such as Megaupload and YouSendIt.
- Used by malware: has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware include the collaboration (email, IM, etc.) and general Internet (file sharing, Internet utilities) categories.
- Consumes bandwidth: the application regularly consumes 1 Mbps or more through normal use.
Examples include P2P applications such as BitTorrent, Xunlei and DirectConnect, as well as media applications, software updates and other business applications.
- Evasive: uses a port or protocol for something other than its intended purpose, with the intent to ease deployment or hide from existing security infrastructure.
Knowing which applications are traversing the network, their individual characteristics and which employees are using them, Company X can more effectively decide how to treat each application's traffic through the associated security policies.
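The decision step described above, as an added example that is not Palo Alto Networks code: the seven characteristics are modelled as an enum and a small policy function turns an application's rating and characteristics into allow, alert or block. The blocking combinations, the rating thresholds and every risk value in the sample inventory are this example's own assumptions, not the vendor's ratings.

```python
# Added example (not Palo Alto Networks code): map an application's behavioural
# characteristics to a policy decision. Rule thresholds and the risk values in the
# sample inventory are this example's own assumptions, not vendor ratings.
from dataclasses import dataclass
from enum import Enum

class Characteristic(Enum):
    PRONE_TO_MISUSE = "prone to misuse"
    TUNNELS_OTHER_APPS = "tunnels other applications"
    HAS_KNOWN_VULNERABILITIES = "has known vulnerabilities"
    TRANSFERS_FILES = "transfers files"
    USED_BY_MALWARE = "used by malware"
    CONSUMES_BANDWIDTH = "consumes bandwidth"
    EVASIVE = "evasive"

C = Characteristic

@dataclass(frozen=True)
class App:
    name: str
    risk: int                   # rating from 1 (low) to 5 (high)
    characteristics: frozenset  # set of Characteristic values

# Assumed rules: characteristic combinations this example's policy blocks outright.
BLOCKING_COMBOS = (
    {C.EVASIVE, C.TUNNELS_OTHER_APPS},       # hides itself and carries other traffic
    {C.USED_BY_MALWARE, C.TRANSFERS_FILES},  # a ready-made data-theft path
)

def decide(app: App, sanctioned: frozenset = frozenset()) -> str:
    """Return 'allow', 'alert' or 'block' for one observed application."""
    if app.name in sanctioned:
        return "allow"  # business-approved exception
    if app.risk >= 4 or any(combo <= app.characteristics for combo in BLOCKING_COMBOS):
        return "block"
    if app.risk == 3 or app.characteristics:
        return "alert"  # keep it visible: log and review before trusting it
    return "allow"

# Constructed sample inventory; the risk numbers are illustrative only.
SAMPLE_APPS = [
    App("ssh", 4, frozenset({C.TUNNELS_OTHER_APPS})),
    App("bittorrent", 5, frozenset({C.PRONE_TO_MISUSE, C.TRANSFERS_FILES,
                                    C.CONSUMES_BANDWIDTH, C.EVASIVE})),
    App("webmail", 3, frozenset({C.TRANSFERS_FILES})),
    App("software-update", 2, frozenset({C.CONSUMES_BANDWIDTH})),
    App("ntp", 1, frozenset()),
]
```

Listing an application in `sanctioned` is how a business exception (for example, approved SSH for administrators) overrides the characteristic-based rules.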