IBM tech intercepts packets to control apps

Enterprises have lost control of the applications their employees are using. IBM is now developing technology that can automatically identify applications and control their access by analysing their data traffic.
Written by Stilgherrian , Contributor

Enterprises have lost control of the applications their employees are using. IBM is now developing technology that can automatically identify applications and control their access by analysing their data traffic.

The problem is the consumerisation of the enterprise, said IBM engineering manager Dr Paul Ashley. Employees now expect that applications they use at home will also be available at work. This includes Facebook, Twitter, YouTube and VoIP applications like Skype.

The traditional approach was to lock down the workstation. That no longer works.

"People just aren't happy in those environments. They want some sort of control of their own environments," Ashley told ZDNet Australia.

"I think the days of enterprises locking down their workstations completely and not allowing people to do anything on them, I really think those days are almost over."

That presents a problem for systems administrators.

"All of a sudden your security administrators are saying, well, I'm not looking after five applications now in the enterprise, it's actually a hundred different applications being run," Ashley said.

"The risk is that these applications may be exposing the organisation to malware and different types of attack vectors that they wouldn't have had if they had better control."

This lack of control leads to three issues, according to Ashley. Most enterprises don't know what applications are running. They don't know which users are using which applications. There can also be problems with bandwidth usage.

"A customer was complaining that they continually had to buy more internet bandwidth. After a bit of analysis, what it turned out was that about 75 per cent of the traffic going over their internet pipe was just people using VoIP."

There are far more applications now than 10 years ago and they're no longer simple HTML supported by server-side scripts. They're now complex web 2.0 applications, running large amounts of JavaScript directly in the browser, according to Ashley.

The problem with that? "Lots and lots of ways that they can be compromised and provide an avenue, or a vector, to get into the user's PC or their iPad or their Android or whatever they might be using," Ashley said.

Ashley's team at IBM's Gold Coast Security Laboratory is developing technology that can intercept the enterprise's internet traffic and, using deep packet inspection, identify the applications being used and control access.

The tools Ashley described at this week's IBM Pulse 2011 event in Melbourne can even break into web browsing sessions that are being encrypted with Secure Socket Layer (SSL) by using a transparent attack. They then identify the JavaScript and execute it before it gets executed in the user's browser.

"Inspecting traffic's actually very complex. If you look at a tradition firewall, it may have only had to look at one or two packets to decide this is an FTP or a Telnet. These days you actually may have to go through a series of 20 or 30 packets going back and forward before you decide what it is," Ashley said.

Applications can also be identified by the URLs and IP addresses they use.

"We've got crawlers that go across the internet and look through different websites to classify these different websites. The combination of those two things can give you a pretty good idea of what the application is," Ashley said.

Newly discovered applications are manually classified by IBM's X-Force Security Research and Development Team.

IBM is currently able to identify around 260 applications by the traffic seen "on the wire". One or two new applications are added each week. While this might seem a small number compared with the thousands, or in the case of smartphones, hundreds of thousands, of applications available, the enterprise can simply decide to block access to all unknown applications until a user requests access and an analysis can be done.

This technology is currently in the development phase. Ashley would not be drawn on timelines for when it might be incorporated into commercial products.

Stilgherrian is attending Pulse 2011 as a guest of IBM.

Editorial standards