How Application Control Identifies Applications

Application Control uses several methods to identify traffic associated with specific applications:

  • Simple matching of patterns in the packets.
  • Simple L4 port-based rules for applications in the Network Protocols category. These applications can be identified by their use of well-known ports.
  • Examination of the SSL certificates that are used.
  • Behavior correlation of related signatures. When the first few packets arrive, Application Control can identify that the traffic is Facebook. As it examines more packets, it could further identify the traffic as a Facebook application.
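
The four methods listed above, sketched as an added example that is not Application Control's own code: a per-flow classifier that tries payload patterns, then the certificate subject, then the destination port, and refines an existing label when a correlated signature shows up later in the flow. The application names, signatures, and the order of precedence are constructed assumptions.

```python
from dataclasses import dataclass, field

# All rules below are constructed for illustration; they are not vendor signatures.
PAYLOAD_PATTERNS = [(b"SSH-2.0-", "SSH"), (b"Host: social.example", "ExampleSocial")]
CERT_SUFFIXES = [(".chat.example", "ExampleChat")]   # TLS certificate subject
PORT_RULES = {53: "DNS", 123: "NTP"}                 # L4 well-known ports
# Correlation: (label so far, later signature) -> more specific label
REFINEMENTS = {("ExampleSocial", b"GET /games/"): "ExampleSocial Games"}


@dataclass
class Packet:
    dst_port: int
    payload: bytes = b""
    cert_subject: str = ""   # set when the packet carries a server certificate


def match_single(pkt):
    """Identify from one packet: payload pattern, then certificate, then port."""
    for sig, app in PAYLOAD_PATTERNS:
        if sig in pkt.payload:
            return app
    for suffix, app in CERT_SUFFIXES:
        if pkt.cert_subject.endswith(suffix):
            return app
    return PORT_RULES.get(pkt.dst_port, "Unknown")


@dataclass
class Flow:
    label: str = "Unknown"
    history: list = field(default_factory=list)   # every label the flow has held

    def observe(self, pkt):
        if self.label == "Unknown":
            new = match_single(pkt)
        else:
            # Already identified: only correlated signatures may refine the label.
            new = next((finer for (base, sig), finer in REFINEMENTS.items()
                        if base == self.label and sig in pkt.payload), self.label)
        if new != self.label:
            self.label = new
            self.history.append(new)
        return self.label


def classify(packets):
    """Feed a flow's packets in order; return (final label, label history)."""
    flow = Flow()
    for pkt in packets:
        flow.observe(pkt)
    return flow.label, flow.history
```

The port rule is tried last because a port number alone is the weakest evidence of the three single-packet checks.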

The most complex applications to identify are applications such as Skype that use their own implementation of encrypted communication. Unlike other VoIP applications, Skype is based on peer-to-peer technology. There is no central infrastructure. The entire Skype directory of users is distributed among all the nodes in the network. Once a user registers with the service and downloads the client, their system could potentially become a node in the network, even if it is not actively making a call. Skype was designed to get around firewalls and it dynamically uses a combination of ports.

Together with signatures, Application Control uses an algorithm to identify encrypted applications such as Skype, Winny, and Thunder. Application Control examines traffic characteristics such as packet sizes, patterns of DNS lookups, and the patterns of different ports that are used.