Regaining app-centric visibility, control

05.04.2009
Enterprises need a better way to control software-as-a-service, cloud computing, Web 2.0 and other applications that are hosted outside the enterprise because the traditional port-based approach has ceased to be effective.

Moving beyond port-based traffic classification isn't easy, but because the "threat industry" now has application-level exploits and applications are at the heart of many data leaks, enterprises must rise to the challenge. Here are the key techniques necessary to achieve application traffic classification, how that classification can be implemented as a set of useful controls, and the production requirements for such an infrastructure component.

Application-centric traffic classification first has to deconstruct traffic (detect and decrypt, decode and de-tunnel) to be able to deduce the application.

The first step is to detect the application protocol being used. Note that this means more than capturing the TCP port and assuming the application protocol from it; it means detecting the actual application protocol in use (for example, HTTP or SMTP) from the traffic itself.

This may require decryption. If it's SSL, decrypt it. Given that forward proxy decryption of SSL is well understood, this isn't a technical challenge. It is, however, a sensitive issue, so it must be handled with care. Once decrypted, detect the application protocol within. The process of decryption and detection slightly narrows the list of potential applications, but more importantly, enables application protocol decoding.

The second step is to decode the application protocol. Decoding enables several different services (described later), but most important for identifying the application, it reveals the type of tunneling in use.
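The two steps above, as an added illustration that is not part of the original article: a minimal classifier that detects the application protocol from the first client bytes rather than from the destination port, then decodes HTTP far enough to spot a CONNECT tunnel. The sample flows, host names and the hypothetical helper names are constructed for this example; TLS is only identified here, since decryption would be done by a forward proxy before the inner protocol is detected.

```python
import re

# Constructed sample flows: (destination port, first bytes sent by the client).
# These payloads are written for this example, not taken from real captures.
SAMPLE_FLOWS = {
    "web_on_443": (443, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    # TLS record header (handshake, version 3.1) followed by a ClientHello type byte
    "tls_on_80": (80, b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32),
    "smtp_on_8080": (8080, b"EHLO mail.example.test\r\n"),
    "connect_tunnel": (3128, b"CONNECT chat.example.test:443 HTTP/1.1\r\n"
                             b"Host: chat.example.test:443\r\n\r\n"),
    "unknown": (12345, b"\x00\x01\x02\x03"),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def port_based_guess(port):
    """The traditional approach: infer the protocol from the port alone."""
    return {80: "HTTP", 443: "HTTPS", 25: "SMTP"}.get(port, "unknown")

def detect_protocol(payload):
    """Step one: identify the application protocol from the payload itself."""
    # TLS: content type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "TLS"
    if payload.startswith(HTTP_METHODS) and b" HTTP/" in payload.split(b"\r\n", 1)[0]:
        return "HTTP"
    if re.match(rb"(EHLO|HELO|MAIL FROM:) ", payload, re.IGNORECASE):
        return "SMTP"
    return "unknown"

def detect_tunnel(protocol, payload):
    """Step two: decode the protocol far enough to see whether it carries a tunnel."""
    if protocol != "HTTP":
        return None
    request_line = payload.partition(b"\r\n")[0]
    method, target, _version = request_line.split(b" ", 2)
    if method == b"CONNECT":
        return "HTTP CONNECT tunnel to " + target.decode()
    return None

def classify(port, payload):
    """Compare the port-based guess with content-based detection for one flow."""
    proto = detect_protocol(payload)
    return {"port_guess": port_based_guess(port), "detected": proto,
            "tunnel": detect_tunnel(proto, payload)}

if __name__ == "__main__":
    for name, (port, payload) in SAMPLE_FLOWS.items():
        print(name, classify(port, payload))
```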