Finding out what's flowing over port 80 on your network

The history of TCP port 80 started a long time ago when the IANA assigned TCP port 80 for HTTP activity and TCP port 443 for secure HTTP (HTTPS). HTTP was designed as a protocol to transport requests and data between clients and web servers. Using this information, you could then lock down your firewall to only allow TCP port 80 and 443 so that other applications would be blocked.

This worked okay, for a while, until application developers figured out ways of tunnelling their data over port 80. Nowadays you can have a whole range of applications running on this port including:

  • VOIP
  • BitTorrent
  • Remote screen sharing
  • Content distribution networks (CDNs)
  • Video and music streaming
  • Online file hosting and gaming services
  • Proxied web traffic

One solution to the problem has been to deploy proxy servers, but most applications can now work around this.

There are many reasons why you should find out what your Internet connection has been used for. In some cases users may be downloading copyrighted material, in others you may be liable for higher bandwidth costs as users stream more and more media content into your network from content distribution networks.

So, what can you do to figure out what is happening on your network?

  1. Use a smart firewall

In recent years there has been a lot of innovation in the area of application aware firewalls. These look at network packet content to determine what applications are being tunnelled over TCP port 80. They can then block the application depending on your network use policy. One thing you need to be careful about: the more applications you monitor for, the greater the load on the firewall, which will mean reduced throughput. In some cases a forklift upgrade is required to detect new applications.

  2. Deploy a deep packet inspection tool

Another option is to take the deep packet inspection (DPI) functionality off the firewall and onto a device which is monitoring what is going to and from your firewalls. One of the advantages of this approach is that you can add further application detection support more easily than you can on application aware firewalls. DPI tools don’t come without their own challenges; some say that DPI tools cannot handle encrypted traffic, which some applications use. This is true to a point, in that the tool cannot see what data is being transferred. However, you can still detect the presence of the application by looking for its specific signature in the network packets. The application itself will have a distinctive footprint on your network.
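To make the signature idea concrete, here is a small classifier, added for this article and not taken from any DPI product, that looks at the first client payload of a TCP flow on port 80 and labels it by well-known protocol fingerprints: an HTTP request line, a TLS ClientHello record, the BitTorrent peer handshake (the 19-byte "BitTorrent protocol" string from BEP 3) and an SSH banner. The sample payloads are constructed for the example.

```python
import re

# Constructed first-packet excerpts of client->server TCP streams on port 80
# (built for this example, not captured traffic).
SAMPLES = {
    "plain http": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "proxy connect": b"CONNECT chat.example.net:5222 HTTP/1.1\r\nHost: chat.example.net\r\n\r\n",
    # TLS record header: type 0x16 (handshake), version 3.1, length 5, then handshake type 0x01 (ClientHello)
    "tls on 80": bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00",
    # BitTorrent handshake: pstrlen=19, "BitTorrent protocol", 8 reserved bytes, 20-byte info hash, 20-byte peer id
    "bittorrent": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-XY0001-" + b"x" * 12,
    "ssh tunnel": b"SSH-2.0-OpenSSH_8.9\r\n",
    "unknown": b"\x00\x01\x02\x03",
}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def classify_port80_payload(payload: bytes) -> str:
    """Return a protocol label for the first client payload of a port-80 flow.

    The checks are byte-level fingerprints, so they work whether or not the
    payload that follows is encrypted; what they cannot do is see inside it.
    """
    if HTTP_REQUEST_LINE.match(payload):
        # A CONNECT request on port 80 usually means a proxy tunnel is being set up.
        return "http-proxy-connect" if payload.startswith(b"CONNECT ") else "http"
    # TLS: content type 0x16, major version 3, minor 0..3, first handshake message 0x01
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


def classify_all(samples=SAMPLES):
    """Classify every sample; handy for checking the fingerprints."""
    return {name: classify_port80_payload(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, label in classify_all().items():
        print(f"{name:14s} -> {label}")
```

Note the limits, which are the ones the paragraph above describes: a BitTorrent client using its encrypted handshake, or any application that deliberately dresses its traffic up as HTTP, will not match these plain-text fingerprints, so a real DPI tool carries many more signatures and also looks at flow behaviour rather than the first packet alone.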

  3. Monitor traffic going to and from your network perimeter

I would always recommend that traffic patterns be monitored at the perimeters of networks. Unusual activity like large uploads or downloads should be checked as it could be an indicator that someone has found a new way to share information on the Internet. Also watch out for unusual activity outside of business hours as this can be a sign of applications like BitTorrent running. From a technology point of view you can either look at leveraging flow data or port mirroring to get visibility. Flow data is normally available from layer 3 type devices like routers whereas port mirroring features are normally found on network switches.
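As an added illustration of what "check large uploads and off-hours activity" looks like in practice, the script below (written for this article, not from any flow collector) walks a handful of constructed NetFlow-style summaries and flags two things per internal host: any single flow whose outbound byte count crosses an upload threshold, and the total port 80 traffic seen outside business hours. The threshold and the business-hours window are assumptions you would tune to your own site.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow summaries, the kind a router exports as NetFlow/sFlow records
# (not real export data): start time, internal host, external host, dst port,
# bytes out of the network, bytes into the network.
FLOWS = [
    ("2012-03-05 10:12:01", "10.1.1.20", "203.0.113.10", 80, 120_000, 3_500_000),
    ("2012-03-05 11:40:13", "10.1.1.31", "198.51.100.7", 80, 950_000_000, 2_000_000),
    ("2012-03-05 23:15:44", "10.1.1.44", "192.0.2.55", 80, 40_000_000, 60_000_000),
    ("2012-03-06 02:03:09", "10.1.1.44", "192.0.2.56", 80, 35_000_000, 70_000_000),
    ("2012-03-06 09:05:00", "10.1.1.20", "203.0.113.11", 443, 80_000, 1_200_000),
]

UPLOAD_THRESHOLD = 500_000_000   # bytes out in one flow; assumed, tune per site
BUSINESS_HOURS = range(8, 19)    # 08:00-18:59 local time; assumed policy


def analyse_flows(flows, upload_threshold=UPLOAD_THRESHOLD, business_hours=BUSINESS_HOURS):
    """Return {internal host: [finding, ...]} for large uploads and off-hours port 80 use."""
    findings = defaultdict(list)
    off_hours_bytes = defaultdict(int)
    for start, src, dst, dport, out_bytes, in_bytes in flows:
        started = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        # A single large upload is worth a look: it may be file sharing rather than browsing.
        if out_bytes >= upload_threshold:
            findings[src].append(f"large upload: {out_bytes / 1e6:.0f} MB to {dst}:{dport}")
        # Port 80 traffic when nobody is at their desk points at unattended applications.
        if dport == 80 and started.hour not in business_hours:
            off_hours_bytes[src] += out_bytes + in_bytes
    for src, total in off_hours_bytes.items():
        findings[src].append(f"off-hours port 80 traffic: {total / 1e6:.0f} MB")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in analyse_flows(FLOWS).items():
        for note in notes:
            print(f"{host}: {note}")
```

The same logic works on port-mirrored traffic once it has been summarised into per-flow byte counts; the flow records just save you the capture step.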

  4. Monitor DNS lookups

Monitoring DNS traffic can be a useful way of spotting strange applications on your network. In a lot of cases the applications will need to do a DNS lookup before they can connect to external servers. Once you have DNS monitoring in place, you can then search for hostnames associated with specific applications, such as Skype or Dropbox. This approach can also work for detecting activity associated with content distribution networks, as the DNS look-ups can reveal what sites triggered the CDN activity.
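Here is an added example, not from the article, of both uses of DNS monitoring: searching query logs for hostnames under a watchlist of application domains, and attributing a CDN lookup to the site that probably triggered it. The log format ("date time client qname", one query per line) is assumed for the example, the log lines are constructed, the CDN suffix is a stand-in, and the attribution rule (the same client's most recent non-CDN lookup within a short window) is a heuristic I am assuming here, not a guarantee.

```python
from datetime import datetime, timedelta

# Constructed resolver query log in an assumed "date time client qname" format.
DNS_LOG = """\
2012-03-05 14:02:11 10.1.1.20 www.example.org
2012-03-05 14:02:12 10.1.1.20 cdn-edge.cdn.example.net
2012-03-05 14:05:40 10.1.1.31 api.skype.com
2012-03-05 15:10:03 10.1.1.44 client.dropbox.com
2012-03-05 16:22:48 10.1.1.20 mail.example.org
"""

# Application domains to watch for (the two the article names).
WATCHLIST = {"skype.com": "Skype", "dropbox.com": "Dropbox"}
# Stand-in CDN suffix; real CDN hostnames vary by provider and you would list the ones you see.
CDN_SUFFIXES = {"cdn.example.net"}


def parse_dns_log(text):
    """Turn log lines into (timestamp, client, qname) tuples with normalised names."""
    records = []
    for line in text.splitlines():
        date, time, client, qname = line.split()
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append((when, client, qname.lower().rstrip(".")))
    return records


def matching_suffix(qname, suffixes):
    """Return the suffix that qname falls under (exact or as a subdomain), else None."""
    return next((s for s in suffixes if qname == s or qname.endswith("." + s)), None)


def find_watchlisted(records, watchlist=WATCHLIST):
    """Map each client to the set of watchlisted applications it resolved names for."""
    hits = {}
    for _, client, qname in records:
        suffix = matching_suffix(qname, watchlist)
        if suffix:
            hits.setdefault(client, set()).add(watchlist[suffix])
    return hits


def attribute_cdn_lookups(records, cdn_suffixes=CDN_SUFFIXES, window=timedelta(seconds=30)):
    """For each CDN lookup, name the same client's preceding non-CDN lookup within `window`
    as the site that likely triggered it (heuristic). Returns (client, cdn name, site or None)."""
    last_site = {}
    attributions = []
    for when, client, qname in sorted(records):
        if matching_suffix(qname, cdn_suffixes):
            prev = last_site.get(client)
            site = prev[1] if prev and when - prev[0] <= window else None
            attributions.append((client, qname, site))
        else:
            last_site[client] = (when, qname)
    return attributions


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print(find_watchlisted(recs))
    print(attribute_cdn_lookups(recs))
```

Because the watchlist matches on domain suffixes rather than exact names, a new subdomain of a watched application still turns up; the trade-off is that you need to keep the suffix list current as applications move providers.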

As this article suggests, the web is dead. Long live the Internet. What do you do to detect what is being tunnelled over port 80 on your network? Comments welcome.

Copyright © 2012 IDG Communications, Inc.
