Regaining app-centric visibility, control

05.04.2009

Tunneling, in its broadest definition, comes in three flavors: encryption, protocol-in-protocol, and application mode switching. We have already discussed the importance of SSL decryption followed by further detection. Protocol-in-protocol requires decoding the outer application protocol and then running detection and decoding again on what it carries, to "de-tunnel" the inner application. This addresses a common practice: instant messaging or peer-to-peer file sharing tunneled through HTTP, which looks like ordinary web traffic until the HTTP layer is decoded and the carried data is re-examined.

Detecting mode switching is harder still. This is where one application substantially shifts function within the same session, for example when IM users initiate a file transfer or when WebEx participants initiate desktop sharing. The distinction matters: an organization may want to enable IM for close customer contact but take a different view of file transfers. The same applies to WebEx: enable it for salespeople, but worry about desktop sharing, where critical information could be shared inadvertently. A classifier that labels the session once, at its start, and never looks again will miss the switch.

Deduce the application

Now that we have deconstructed the application traffic, that is, done the decryption, detection, decoding and de-tunneling, we must deduce the specific application. For that we turn to pattern matching and behavioral analysis.

For the majority of applications we can use a signature: examine the unique attributes of the deconstructed traffic and match them against a known application pattern. Every application has unique properties, and 99.9% of applications, if properly deconstructed, can be identified with a signature. The caveat is that a signature only identifies an application already in the table; traffic that matches nothing, or that has been altered to avoid matching, is where behavioral analysis has to take over.
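The three steps above (decode the outer protocol, de-tunnel what it carries, match the result against signatures, and watch a flow for a mode switch) fit in a short classifier. The following is an added example written for this page, not code from the article or from any vendor's product. The signature bytes are the documented ones for the BitTorrent handshake, the Gnutella connect string, XMPP stanzas and the XEP-0096 file-transfer stream initiation; the labels, the sample messages and the "bittorrent-over-http" naming are this example's own assumptions, and the sample traffic is constructed.

```python
import re
from typing import Optional

# Signature table, checked in order against the start of a payload. The
# patterns come from the public protocol specs; the labels are our own.
SIGNATURES = [
    ("bittorrent", re.compile(rb"\x13BitTorrent protocol")),
    ("gnutella", re.compile(rb"GNUTELLA CONNECT/")),
    # Mode switch: an IM session that starts a file transfer (XEP-0096) is
    # matched before the generic XMPP signature so it gets its own label.
    ("xmpp-file-transfer", re.compile(
        rb"<iq\b[^>]*>\s*<si\b[^>]*profile=['\"]http://jabber\.org/protocol/si/profile/file-transfer")),
    ("xmpp", re.compile(rb"<(?:stream:stream|message|presence|iq)\b")),
    ("http", re.compile(rb"(?:GET|POST|PUT|HEAD|CONNECT) \S+ HTTP/1\.[01]\r\n")),
]


def match_signature(payload: bytes) -> Optional[str]:
    """Return the first application whose signature matches at payload start."""
    for name, pattern in SIGNATURES:
        if pattern.match(payload):
            return name
    return None


def decode_http(payload: bytes):
    """Decode one HTTP request into (method, target, headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    method = parts[0]
    target = parts[1] if len(parts) > 1 else b""
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def classify(payload: bytes) -> str:
    """Deconstruct, then deduce: match the outer protocol, decode it, and
    re-match the carried data to de-tunnel protocol-in-protocol traffic."""
    outer = match_signature(payload)
    if outer is None:
        return "unknown"
    if outer != "http":
        return outer
    method, _target, _headers, body = decode_http(payload)
    if method == b"CONNECT":
        # CONNECT opens an opaque byte tunnel; the carried application can
        # only be identified from the bytes that follow in the flow.
        return "http-connect-tunnel"
    inner = match_signature(body)
    return f"{inner}-over-http" if inner else "http"


def classify_flow(payloads) -> list:
    """Classify each message of one flow in order, so that a mode switch
    (IM chat turning into a file transfer) shows up as a change of label."""
    return [classify(p) for p in payloads]


# Constructed sample traffic (hypothetical hosts and file names).
SAMPLES = {
    "plain_web": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # A BitTorrent handshake carried as the body of an HTTP POST.
    "bt_over_http": (b"POST /up HTTP/1.1\r\nHost: example.com\r\n"
                     b"Content-Length: 68\r\n\r\n"
                     b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20)),
    "connect": b"CONNECT im.example.com:5222 HTTP/1.1\r\nHost: im.example.com\r\n\r\n",
    "chat": b"<message to='bob@example.com' type='chat'><body>hi</body></message>",
    "xfer": (b"<iq type='set' to='bob@example.com' id='a0'>"
             b"<si xmlns='http://jabber.org/protocol/si' id='s1' "
             b"profile='http://jabber.org/protocol/si/profile/file-transfer'>"
             b"<file xmlns='http://jabber.org/protocol/si/profile/file-transfer' "
             b"name='q4.xlsx' size='51200'/></si></iq>"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:>13}: {classify(payload)}")
    print("flow:", classify_flow([SAMPLES["chat"], SAMPLES["chat"], SAMPLES["xfer"]]))
```

Run as a script it labels the plain request "http", the POST "bittorrent-over-http", the CONNECT request "http-connect-tunnel", and the two-message IM flow as "xmpp" followed by "xmpp-file-transfer". Two design points carry over to real inspection engines: signatures are applied after decoding, not to raw bytes on a port, and the more specific signature (the file-transfer stanza) sits above the generic one so that a mode switch is reported rather than absorbed into the session's first label.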