Category: Technical Guide

Download PDF

Over the last years, the adoption of the internet has increased exponentially. Education institutions, consumers and businesses are all heavily reliant on the internet.

In education, online learning is skyrocketing with the proliferation of online tools, apps and cost effective internet enabled devices. An increasing level of reliance on Internet access for learning and productivity has created an expectation of high performance and easy connectivity in the classroom. At the same time, bring your own device (BYOD) and cloud computing trends have led to a rapid proliferation in the number of devices and applications used on a daily basis.

Share this content:

This increased use of the internet, internet based apps, and mobile devices in the classroom brings with it several challenges for IT administrators and educators alike. To ensure a high level of quality of service, visibility into network usage and utilization is paramount for administrators. That coupled with the need for educators to satisfy their duty of care with students introduces the need for a new type of network management.

To meet these requirements, moving away from Protocol and IP address based filtering is needed. A more holistic application aware approach to network management is required to give educators and administrators the visibility and control they need. Linewize meets this challenge with our Application Aware Layer 7 Firewall.

All traffic passing through the Linewize Appliance, is identified using our heuristic signature based DPI engine. This application based identification can is then harnessed to provide a high level of visibility and control.


Signature based Identification

The Linewize Cloud Managed Firewall is an application aware firewall. Application identification is first and foremost in Linewize and all traffic is matched against our heuristic signatures on a flow basis.

Signatures take form as both categories and applications in Linewize. Individual flows are matched against an application and if a individual application match cannot be made, a category match is attempted. Categories and applications form a hierarchy which lends itself to easy filtering of multiple applications while also enabling the possibility of easy granular filtering.



signatures- Layer 7 _TWP.png 

Signatures are maintained by the Linewize Cloud and are constantly being updated for new content. Linewize appliances download the signature database via a secure channel every 24 hours. This ensures new signatures and updates are available to the device rapidly.


Connection and Flow tracking

Application identification occurs as part of the connection tracking on the Linewize appliance. Traditionally connection tracking has been used in state-full firewalls and routing appliances to assist with NAT of TCP and UDP connections traversing the firewall. Linewize extends this concept by performing connection tracking at the application layer.

At each stage of a flow or connection, Linewize collects metadata on the flow. This metadata can include things like HTTP hostname for HTTP packets, DNS queries/replies, HTTP Content Types, SSL certificate information and traditional TCP/IP based transport criteria such as Ports. At a lower level, key indicators for protocols like Bittorrent, RDP and others are also collected. This metadata paints a very accurate picture of the underlying traffic type and is used to match flows against a traffic signature in real-time.

When certain types of metadata is collected the Linewize appliance will attempt to match all metadata for that flow against the signature database. If a match is found, that particular connection flow will be marked with the matching signature and this information can then subsequently be used in application and content filtering decisions and collected for statistical purposes.

Once the flow has been identified, packets matching that particular flow are marked for a fast path. This fast path reduces latency associated with the computation cost of application layer connection tracking. The flow has been identified so we can let it pass without further detailed inspection. This technique helps maintain network performance and facilitate line speed application identification.


Heuristic traffic identification

Application identification in Linewize is heuristic based. Modern apps present themselves in different way on the network and utilize different underlying technologies. From a users perspective, there is no difference between a VOIP phone and the Facebook application they use on their computer. The difference at the networking level however is substantial.

Look into the details and you will find that VOIP traffic takes many different forms. Some VOIP products utilize standardized ports whereas others use dynamic ports negotiated at some point in the connection setup and some products use standard HTTPS. For the user, the important thing is that they can identify VOIP traffic, they should not be concerned with the underlying technology.

To solve this problem, Linewize's signatures are composed of different attributes, patterns and flow behaviors that indicate that the corresponding packets match that abstract type. In many cases, more than one piece of evidence will be required for a positive match and attributes collected may span across multiple flows to identify the connection and relationship between flows.

For a product like Youtube, this could mean that Youtube usage, on a single users machine, is composed of HTTPS traffic to,, and QUIC UDP traffic to the Youtube servers. With Linewize, this traffic is all identified holistically as Youtube.

This approach simplifies management of your network dramatically and paints a very accurate picture of your network utilization.


Identification of SSL traffic

Over 60% of HTTP traffic is now encrypted with asymmetric SSL encryption, more commonly known as HTTPS.

For many content filtering systems, SSL encryption has been a huge issue. SSL protects the users data by encrypting and signing the HTTPS packets at the network layer so that its protected from eaves dropping and modification. Driven by users desire for privacy, SSL adoption has increased exponentially and is the defacto standard for protecting data on the internet.

Providing identification, visibility and filtering on traffic that is encrypted with SSL is just as important as maintaining users privacy. Many content filtering vendors inspect SSL traffic through the installation of artificial certificates and decrypting the traffic in transit. This approach violates the users privacy, requires the installation of certificates on users devices and incurrs significant computational cost on filtering appliances.

Linewize takes an approach which centers around the SNI parameter and certificate details in the initial TLS negotiation. The SNI parameter is part of the initial SSL negotiation when the client connects to the remote webserver. This parameter was introduced to the TLS specification to accomodate shared load balancers and web servers that need to respond to HTTPS requests with different certificates on demand. The SNI parameter is passed by the client as the domain name and this is identified by Linewize and matched with the signatures.

This means that HTTPS traffic can be identified and matched to an application type in much the same way as regular HTTP traffic without the need for full decryption of the connection. This approach maintains users privacy while still providing visibility and control over this traffic.


Bittorrent, VPNS and Proxy Servers

Peer to peer systems such as BitTorrent and filtering avoidance software utilizing VPN’s and Proxy servers pose an especially challenging task for network administrators. These systems are specifically designed to evade filtering software and are impossible to filtering and identify using traditional filtering techniques.

Heuristic based identification comes into its own with this type of traffic. Linewize uses pattern matching techniques to identify peer to peer traffic and through the collection of statistics our signatures are constantly evolving to match changing peer to peer networks and filtering avoidance software.


Unidentified Flows and Websites

The internet is a constantly evolving place. Hundreds of new applications and websites are launched on a daily basis and users browsing habits change as new tools appear in the market.

For things like Adult content and VPN/Proxys, it is crucial that filtering systems keep up to date with these new applications and websites on a daily basis. Periodic updates of categories can not keep up with the changing internet.

Linewize harnesses the power of cloud computing to solve this problem and works with several category providers to assist with malware and adult content identification. Unclassified website traffic originating from any Linewize appliance is crosschecked against these suppliers and where possible classified. This classification is done on the Linewize cloud platform and the results are feed directly into the signatures that all devices retrieve on a daily basis. This means new websites appearing on our platform are categorized within 24 hours and will be filtered automatically if they appear in categories that are filtered.

Linewize has a team of R&D engineers that develop signatures for complex applications like youtube and over 90% of traffic is classified with Linewize.


Visibility and Reporting on Application Usage

Insight and visibility into your network is crucial on todays networks. With Linewize, traffic is classified into individual applications and categories. This information is pushed to our secure Cloud Platform and is available in real-time through the intuitive cloud dashboard.

Linewize appliances are constantly pushing metadata to the cloud platform using a highly compressed, encrypted HTTPS connection. Metadata on traffic flows is pushed in real-time as flow states change and additional context information is sent on a per-flow basis, including users and applications, and the total user time spent on an application or website per flow.

Linewize then leverages the elastic power of Big-Data cloud computing systems to aggregate and display traffic analysis data on an application and user basis across a customizable time period. Traditional relational databases would take hours to deliver a query on a user or application basis. Linewizes cloud architecture is powered by a highly optimized software stack designed for elastic scalability.

Instead of relying on traditional relational SQL databases, Linewize utilizes a collection of NOSQL, read optimized and highly compressed specialized databases and aggregation engines. These systems, while powering a tremendously large data set, delivers the ability to search through and poll data within seconds as opposed to minutes. By utilizing this technology in the cloud, Linewize can provide fast real-time reporting through the cloud dashboard without impacting network performance.

This data provides administrators and educators with an application centric view over their network which can be used to diagnose networking issues, locate bottlenecks and manage content access from a position of knowledge.


Traffic Reporting _ layer 7 _TWP.png


Detailed breakdowns of individual applications are available through our intuitive interface, right down to individual connection flows and automated reports can be created from within the cloud dashboard. Data is aggregated on hourly and daily basis which makes identifying trends and changes in network usage over time very easy. Statistics can be viewed across different dimensions to provide visibility of application usage on a user, host, and group basis.


Application and Content Filtering

Traditional firewalls offer filtering TCP/IP criteria as well as Layer 2 criteria such as mac address. Many content filtering systems extend this approach to include website filtering that matches keywords in URL’s for websites using regular expressions.

For application content filtering Linewize utilizes its Signature based application layer identification system described above. 

Along with normal filtering criteria, such as port and IP address, with Linewize you can filter applications directly. Filtering on application rather than port and IP based criteria or url is much simpler for an administrator and with the cloud dashboard, managing filtering policies is very easy. Rules can include time of day schedules, user and user group membership, device fingerprint and other criteria.

Application layer filtering rules are configured from within the cloud dashboard and separately in the Classroom management tools Classwize.

-- For more information on Classwize and using the cloud dashboard visit our wiki.

From the cloud dashboard, administrators can create policies that control access to certain applications, websites and content. A policy is much like a traditional firewall rule in that it contains certain criteria that must match for the rule to be applied. A single filtering policy could “block adult content” for all users, or “block facebook for students during school hours”. Normally administrators will create several rules that shape internet use and align with the internet use policy.

Linewize encourages a much more open filtering approach that encourages good digital citizenship rather than blacket blocking and whitelisting and our application level filtering is geared towards this approach by providing very granular filtering capabilities.


Blocking custom websites and content

Along with filtering content based on the Linewize signatures, Application layer policies can be created to block custom signatures and websites. Administrators can create their own objects or lists that contain websites and then utilize these in the application layer policies.

Domains are matched using a domain specific wildcard algorithm. For example to block you would add “” to an object or application layer filtering policy. This would result in all traffic, HTTP or HTTPS going to being identified by the policy. This also extends to subdomains, so requests to would also match.

To match only a subdomain of, you would specify that subdomain. For example, to match you would create an object with “” as an entry. Wildcards like “htt*://*” have no effect in Linewize and will not match.

Note: Where it makes sense, Linewize recommends using our signatures rather than blocking websites by url. Modern websites use a combination of CDN's and delivery networks that often are not matched by simple url filtering.


Time, User Group and Subnet/VLAN based filtering

As with all policies in the cloud dashboard, Linewize application layer policies can be applied at specific times, scheduled to become active at a future date, apply only to specific users or user groups and apply only to specific VLANs or subnets.

This functionality is key as it enables customized filtering for different end users and devices. Time schedules can be created by administrators in the cloud dashboard and user and group identification ties into the identity management systems automatically.

-- More information on identity management can be found on our Wiki


Filtering exceptions

In many environments it is commonplace to block access to an application for all users with the exception of a select few. Linewize facilitates this need through the use of “Allow Policies”. When creating application filtering policies, Linewize offers administrators the option to allow access to a resource that was otherwise filtered by another policy.

 Block Content - Layer 7 _TWP.png


As filtering policies are evaluated in order, from top to bottom, “Allow Polices” can be placed above “Block Policies” and will allow access for specific user groups, times or network subnets.

This facilitates the easy creation of more comprehensive filtering rulesets that utilize group membership and other criteria.

Allow Policies can also be used to allow individual websites that would otherwise be blocked an signature based policy. This means individual websites can be cherry picked and excluded from filtering if desired.


Alerting and Reporting

Visibility over filtered content is crucial for effective management of your network along with educating students and users about appropriate internet usage. Filtering violations can be viewed from the cloud dashboard, via emailed reporting and emailed alerting. Filtering violations are treated with the same level of reporting granularity as normal cloud dashboard reporting. This means you can identify individual filtering violations on a user basis in realtime.

Alerting and emailed reporting can also be extended to only apply for certain groups and emailed alerts can be delivered directly in real-time to the right recipient for a specific user group.

-- For more information on alerting, see our wiki



Linewize takes a heuristic approach to application identification. This coupled with the elastic power of cloud computing and an intuitive cloud dashboard provide a high level of visibility and control into your network.

With Linewize you get accurate, realtime, and up to date user and application centric control over your network.

Get the PDF version of this Technical Guide
Share this content:
Download PDF
As Recognised By