CloudCampus Solution V100R021C00 Design and Deployment Guide for Multi-Campus Network Interconnection
Application Identification
Basic Concepts
Application Identification and Application Identification Modes
Application Identification
Precise identification of applications on a network is the prerequisite and basis for network services such as intelligent traffic steering, QoS, application optimization, and security. Service policies can be applied in subsequent service processes only after applications are identified.
Application Identification Modes
SD-WAN application identification can be implemented in two modes: first packet identification (FPI) and service awareness (SA), as shown in Figure 2-19.
- FPI
FPI identifies the application type from the first packet of a data flow. It is fast and is mainly used for SaaS applications with fixed destination addresses or ports.
- SA
SA performs deep packet analysis and accurately identifies common applications based on the characteristics in application payloads.
When a packet reaches the application identification module, FPI is performed first. If the application can be identified from the first packet, SA is not performed. If FPI fails to identify the application, SA is performed.
For FPI and SA, the FPI signature database and the SA signature database are preconfigured on CPEs. CPEs can identify common applications based on the application definitions (port, feature, and behavior) in these signature databases. In addition, both FPI and SA support customized applications, so that users can define special applications of their own.
FPI
Application Scenarios
- NAT must be configured on the path that the application passes through. If the application cannot be identified, its packets may be discarded after route selection because NAT is not configured for the SYN and ACK packets.
- With the pervasive use of clouds, customers want to send SaaS and trusted network traffic directly from branches to the Internet instead of forwarding it through the data center. This improves bandwidth utilization and reduces transmission delay and costs.
- When enterprises use their own applications or applications that run on the Internet, the Internet traffic is known and trusted, but other HTTP/HTTPS traffic is unknown or suspicious. If a specific application cannot be identified from the first data packet, all HTTP/HTTPS traffic must be sent to the Internet, or sent to the secure web gateway or HQ for further inspection by the enterprise firewall and IDS/IPS resources.
Implementation
FPI is implemented by matching the first packet of a data flow against 3-tuple information, 5-tuple information, or DSCP values, or against a domain name or the SA cache. Applications are matched based on the L3-L4 information of the packet; therefore, if multiple applications share the same L3-L4 information, they may be identified incorrectly. Because the FPI process is simple, its processing performance is higher than that of SA.
FPI can identify applications in customized application mode or through the predefined FPI signature database. With FPI enabled, the system first matches applications customized based on the triplet against the defined L3-L4 rules, or matches domain-name-based applications against the IP addresses resolved from the domain names using DNS snooping. If no match is found, the system then matches applications through SA.
- Customized application: Applications can be customized based on the triplet, the domain name, or the 5-tuple and/or DSCP value.
  - If an application is customized based on the triplet, you only need to specify the destination IP address, protocol type, and destination port number. The system first matches the application on the destination IP address, destination port number, and protocol type; if there is no match, it then matches on the source IP address, source port number, and protocol type.
  - Applications can also be customized based on domain names. The system obtains the mapping between domain names and applications from the configured rules, and learns the mapping between domain names and IP addresses from DNS interactions. Combining the two gives the mapping between IP addresses and applications, so an FPI-enabled system can identify customized applications through DNS association.
  - On CPEs, rules can be created using advanced rules that contain 5-tuple information and/or a DSCP value. The 5-tuple consists of the source IP address, destination IP address, protocol type, source port number, and destination port number of the application packets.
- FPI signature database: Common applications defined by protocol number, port number, and domain name are preconfigured in the FPI signature database. The FPI function is associated with DNS. When a client initiates a page access request, it first sends a DNS request for the address it wants to reach. The DNS server returns a DNS response packet; when this packet traverses the CPE, the CPE parses it to obtain the resolved IP address, queries the application ID, port number, and protocol number in the FPI signature database based on the URL, associates that triplet information with the IP address, and generates a DNS association entry. After receiving the DNS response, the client accesses the application; when its packets traverse the CPE, the application is identified based on the DNS association entry.
SA
Application Scenarios
The enterprise network uses a router as the egress gateway to connect to the WAN. To ensure network quality and regulate employees' online behaviors, the service awareness technology can be used to identify various applications on the network and control identified application protocols.
Implementation
Signature identification is the basic technology of service awareness. Different applications usually use different protocols, each with its own distinctive characteristics. These characteristics may be specific ports, specific character strings, or specific bit sequences; the characteristics that can identify a protocol are called its characteristic code. Signature identification determines the application by detecting characteristic codes in data packets. Because the characteristic codes of some protocols are spread across multiple packets, characteristic-field-based identification must collect several packets before it can determine the protocol type. This technology analyzes service flows passing through a device and compares the analysis result with the signature database loaded on the device. By detecting characteristic codes in data packets, the system identifies applications and implements refined policy control based on the identification result.
Applications can be identified in predefined application mode or through the SA signature database preconfigured on the CPE.
- Predefined application mode: Applications are identified based on the triplet, keywords, or both. On the CPE, rules can be created using the triplet, keywords, or a combination of the two. The triplet refers to the server IP address, protocol type, and port number. Keywords are signatures in a data packet or data flow of the application that uniquely identify it.
- SA signature database: Applications are identified based on the SA signature database, which contains 500+ or 6000+ records depending on the device type. The SA signature database can be upgraded through the Huawei Security Center Platform. Because applications on the live network change rapidly, the SA signature database needs to be updated frequently; if it is not updated in time, some applications may fail to be identified.
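The following is an added example, not Huawei's code, that models the FPI-then-SA pipeline described in the FPI and SA implementation sections above: DNS association entries built from snooped DNS responses, triplet matching on the destination and then the source triplet, FPI on the first packet only, and SA signature matching over payload collected across several packets. The `Packet` model, the `FPI_DB` and `SA_DB` contents, and all addresses are constructed for illustration.

```python
from collections import namedtuple

# Constructed model of one packet as seen by the CPE (payload empty for a bare SYN).
Packet = namedtuple("Packet", "src_ip dst_ip proto sport dport payload", defaults=[b""])

# Constructed FPI signature database: domain name -> (application, protocol, port).
FPI_DB = {"mail.example.com": ("ExampleMail", "tcp", 443)}
# Constructed SA signature database: application -> byte pattern found in the payload.
SA_DB = {"SSH": b"SSH-2.0-", "HTTP": b"GET /"}


class AppIdentifier:
    def __init__(self):
        self.dns_assoc = {}  # (ip, proto, port) -> app, built from snooped DNS responses
        self.custom = {}     # customized triplet rules: (ip, proto, port) -> app
        self.flows = {}      # 5-tuple -> {"app", "buf", "pkts"} state per flow

    def snoop_dns(self, qname, answer_ip):
        # DNS association: the resolved IP inherits the app, port and protocol listed for the name.
        if qname in FPI_DB:
            app, proto, port = FPI_DB[qname]
            self.dns_assoc[(answer_ip, proto, port)] = app

    def fpi(self, pkt):
        # Destination triplet first; if no hit, the source triplet (return direction).
        for key in ((pkt.dst_ip, pkt.proto, pkt.dport), (pkt.src_ip, pkt.proto, pkt.sport)):
            for table in (self.custom, self.dns_assoc):
                if key in table:
                    return table[key]
        return None

    def sa(self, buf):
        # Signature match over all payload collected so far for the flow.
        return next((app for app, sig in SA_DB.items() if sig in buf), None)

    def identify(self, pkt):
        key = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.sport, pkt.dport)
        st = self.flows.setdefault(key, {"app": None, "buf": b"", "pkts": 0})
        if st["app"]:
            return st["app"]  # flow already classified: reuse the result
        st["pkts"] += 1
        if st["pkts"] == 1:
            st["app"] = self.fpi(pkt)  # FPI runs on the first packet only
        if st["app"] is None:  # FPI missed: fall back to SA on the accumulated payload
            st["buf"] += pkt.payload
            st["app"] = self.sa(st["buf"])
        return st["app"] or "unknown"
```

Note that two applications sharing the same L3-L4 triplet would collide in `custom` or `dns_assoc`, which is the misidentification risk the FPI section warns about.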
Deployment Process
| No. | Task Name | Description |
|---|---|---|
| 1 | - | |
| 2 | - | |
| 3 | | If predefined applications cannot meet requirements, you can customize applications. |
| 4 | | Create a customized FPI application group and add predefined FPI applications to it. Create a customized SA application group and add predefined SA applications to it. |