Port + Protocol = Application.
The above is no longer the case. Today's applications do not follow yesterday's rules: they are no longer identified by port or protocol, and they are designed to work over any port. So if you have port 80 or port 443 open, applications such as Skype, MSN and BitTorrent will use those open ports for their connectivity. Firewalls are rendered useless, as they can only secure the network against applications that still stick to a fixed port and protocol. IPS devices try to make up for this shortcoming, but they are usually hit and miss. To be honest, everyone knows it is difficult to control port-hopping applications.
With the new style of applications now emerging and running over port 80, such as Web 2.0 apps like MSN Web Messenger, Google Earth, YouTube, Facebook and Google Docs, traditional firewalls are unable to protect the network against this new wave of applications without denying port 80 altogether, better known as internet / web browsing, which is of course impractical.
Most organisations now require additional devices such as Deep Packet Inspection devices and Web Filtering devices. These are known to work on a hit-and-miss basis and add latency and performance issues to the network, but they also mean additional cost for hardware, support, maintenance, administration and the engineering skill set needed for each extra device.
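The point made above, that the destination port no longer tells you which application is talking, as an added example that is not part of the original post: a small Python classifier that labels a flow by its first payload bytes instead of by port, run over constructed sample flows on ports 80 and 443. The signature rules, the port table and the sample payloads are all constructed for this demonstration, not taken from any product.

```python
# Added example: identify the application from the first bytes the client
# sends, ignoring the destination port. Signatures and samples are constructed.

# What a port-only firewall assumes (constructed mapping for this example).
PORT_TABLE = {80: "http", 443: "https", 22: "ssh", 6881: "bittorrent"}

def guess_by_port(dst_port):
    """Yesterday's rule: port + protocol = application."""
    return PORT_TABLE.get(dst_port, "unknown")

def guess_by_payload(data):
    """Look at the client's first bytes; the port plays no part at all."""
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X,
    # 2-byte length, then handshake type 0x01 (ClientHello) at offset 5.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    # BitTorrent peer handshake: pstrlen=19 followed by "BitTorrent protocol".
    if data.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent"
    # Plain HTTP request line: METHOD SP REQUEST-URI SP HTTP/x.y
    first_line = data.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"

def classify_flow(dst_port, data):
    """Return (port guess, payload guess, True if the port guess was wrong)."""
    by_port = guess_by_port(dst_port)
    by_payload = guess_by_payload(data)
    # "https" on 443 is simply TLS, so that pairing counts as consistent.
    consistent = by_port == by_payload or (by_port == "https" and by_payload == "tls")
    return by_port, by_payload, not consistent

# Constructed sample flows: the same two ports, four different applications.
SAMPLE_FLOWS = [
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"x" * 40),
    (443, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 42),
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify_flow(port, payload))
```

Two of the four constructed flows are misidentified by the port table alone, which is the gap the text says a port-based firewall cannot close.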