What apps hide in corporate networks?

Palo Alto Networks has been looking through its customers' logs to uncover what employees are doing on the company network.
Written by Michael Lee, Contributor

The company took the logs from equipment used by its customers, and, with permission, pored over the stats to see what applications are being used inside more than 1600 companies, 30 per cent of which are in the Asia-Pacific region.

Asia Pacific big on social

The investigation found that social-networking use in the Asia-Pacific region is higher than in other parts of the world, with local organisations using an average of 20 different social networks. Senior product marketing manager Brian Tokuyoshi said that 34 different social-networking applications are seen globally.

Another result that Tokuyoshi pointed to is that Tumblr is outstripping Facebook in terms of bandwidth used in the corporate environment. He admitted that this could be the effect of Tumblr being more media intensive, with most Tumblr posts consisting of one or more images. However, he said that this traffic is on the increase more so in Australia than in other parts of the world.

"Tumblr has taken a considerable amount of bandwidth inside businesses inside Australia and New Zealand, and the rest of the world is catching up."

In addition, Tokuyoshi said that people have begun to switch from interacting with Twitter, Facebook and other "traditional" forms of social media as spectators, instead behaving more as participants.

"We used to note that people were taking a very passive role at looking at content. In 2011, we actually noted that people are participating very heavily in the social-media applications. They became not only observers, but actually participants in the environment."

Dropbox, Megaupload popular

Other services that have frequent use are web-based file-sharing services, such as Dropbox and the now-defunct Megaupload service. He is concerned that the use of the services is seeing business processes overridden or bypassed, such as when files are meant to be archived when sent via email.

However, he found that the type of sites typically used for entertainment or non-business use can be easily identified by the amount of bandwidth they use. Services that can be used for business purposes, like Dropbox and Google Drive, use comparatively less bandwidth.

Tokuyoshi said that this is likely due to the fact that the sort of files sent in the corporate environment are only slightly larger than those typically acceptable for email.

Debunking the port 80 myth

Tokuyoshi once had a conversation with an analyst, who said that businesses only need to look at traffic over port 80 to check app usage, since that's the port that web requests are meant to use.

"Does that mean everything that's going across port 80 is web based? That it's browser based? There's a lot of stuff that's going on port 80 that's not browser based," Tokuyoshi said.

Tokuyoshi said that of the 566 applications observed running in corporate environments, only 157 used port 80 exclusively.

"Only 28 per cent of applications were only using port 80, and that leads one to think about what about the other 72 per cent of applications out there — what are they using?"

Tokuyoshi said that Skype and video-conferencing apps, which could be used in business contexts, often use different ports, in order to get around port-based defences. Unfortunately, applications like UltraSurf, Hamachi and Tor use other ports for the same reason. A business generally wouldn't want those applications in its environment, since they can circumvent security controls and URL filtering, and could also make the detection of botnets like TDL-4 harder, as these "proxy" applications operate in a similar way — by opening ports and contacting other servers.

"UltraSurf is a very sneaky application in the way it updates itself. It actually goes out, looks for and tries to contact a command-and-control server [and] it tries to update all the number of new proxies that are appearing, so that even if one goes down, it knows where to go in another location. Oddly enough, that's exactly how things like TDL-4 operate."

Those security managers who only monitor port 80 are missing ports responsible for 67 per cent of all bandwidth, he said.

"If we're only thinking [like] how the analyst was telling me, 'All you need to worry about is port 80', you're missing about 67 per cent of the traffic, and that's not something I would recommend as best practice for anybody."
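As an added illustration (not from the article or from Palo Alto Networks), the following Python sketch runs over constructed flow records to show the two gaps Tokuyoshi describes: a port-80-only view misses most of the bytes, and a connection on port 80 is not necessarily HTTP. The sample flows, the request-line regex and the function names are this example's own assumptions.

```python
# Added example: port-based monitoring versus a payload check.
# All flow records below are constructed for the demonstration.
import re

# Very rough HTTP/1.x request-line check on the client's first bytes.
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"
)

# Constructed flows: (dst_port, total_bytes, first client->server bytes)
SAMPLE_FLOWS = [
    (80, 12000, b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    # TLS handshake record header on port 80: a tunnelling app, not a browser
    (80, 250000, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    (443, 900000, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    (5050, 40000, b"\x00\x00\x00\x18\x01\x02\x03\x04"),
    (80, 3000, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    (22, 8000, b"SSH-2.0-OpenSSH_8.9\r\n"),
]


def looks_like_http(payload: bytes) -> bool:
    """True if the client's first bytes form an HTTP/1.x request line."""
    return HTTP_REQUEST.match(payload) is not None


def classify(flows):
    """Label each flow 'http' or 'non-http' from its payload, ignoring the port."""
    return [("http" if looks_like_http(p) else "non-http", port, nbytes)
            for port, nbytes, p in flows]


def bandwidth_by_port(flows) -> dict:
    """Bytes per destination port, the view a port-based monitor has."""
    totals = {}
    for port, nbytes, _ in flows:
        totals[port] = totals.get(port, 0) + nbytes
    return totals


def bandwidth_outside_port_80(flows) -> float:
    """Share of all bytes that a port-80-only monitor never sees."""
    totals = bandwidth_by_port(flows)
    total = sum(totals.values())
    return (total - totals.get(80, 0)) / total if total else 0.0


def non_http_on_port_80(flows):
    """Port-80 flows a port rule calls 'web' but whose payload is not HTTP."""
    return [(port, nbytes) for label, port, nbytes in classify(flows)
            if port == 80 and label != "http"]
```

Running `non_http_on_port_80(SAMPLE_FLOWS)` returns the single TLS-on-port-80 flow, the kind of connection a port filter passes as web traffic.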
