Clean Pipes - Who is Responsible


8/10/2019 Clean Pipes - Who is Responsible

Clean Pipes: Who is Responsible?

In his book 'Cyber War: The Next Threat to National Security and What to Do About It', former White House cybersecurity czar Richard Clarke argued for the deployment of deep-packet inspection systems in Tier 1 service providers to block malware before it reaches end-customer networks. This approach was echoed in a recent press release by Ashley Stephenson, CEO of Corero Network Security. Stephenson admonished,

"Instead of taking an 'every man for himself' approach to battling cyber attacks, Internet Service Providers need to step forward and deliver protected Internet services that remove the known malicious traffic before it impacts their enterprise customers."

Is this approach realistic technologically? Is there a sustainable business model for carriers to deliver this? While everyone agrees that the less malicious traffic that travels the last mile to the customer premises the better, there are significant hurdles to implementation of clean pipe technologies in service provider networks. The chief technological hurdle was humorously framed by Steve Bellovin of AT&T Research in RFC 3514 - The Security Flag in the IPv4 Header.

"Firewalls [CBR03], packet filters, intrusion detection systems, and the like often have difficulty distinguishing between packets that have malicious intent and those that are merely unusual. The problem is that making such determinations is hard. To solve this problem, we define a security flag, known as the "evil" bit, in the IPv4 [RFC791] header. Benign packets have this bit set to 0; those that are used for an attack will have the bit set to 1."

Given the current resistance of malicious attackers to implementing the "evil" bit, how exactly does one determine which traffic is unwanted? IPS and IDS technologies have a historical problem with high false positive rates, particularly when custom-developed applications do not follow relevant standards. These false positive events require investigation and tuning of the detection platform, both at initial provisioning and whenever the customer implements new applications.

Tuning requires detailed knowledge of the protocols, policies, applications and business processes in use. In DDoS attacks on web servers, for example, what constitutes an attack for a customer with limited web traffic is normal for high-traffic sites. A new product launch for a gaming company can be indistinguishable from an attack when looked at by sheer volume of bandwidth or rate of new client connections. Each customer presents unique challenges to getting the balance right.
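The tuning problem described above, as an added illustration that is not part of the original article: one carrier-wide connection-rate threshold misses a small customer's flood while flagging every normal minute of a busy site, and even a per-customer baseline still mislabels a product launch until the customer supplies a launch window. All traffic samples and the "launch window" mechanism are constructed for this example.

```python
"""Constructed example: why a single clean-pipe DDoS threshold cannot serve
every customer, and why a per-customer baseline still needs the customer's
business knowledge.  Not code from the original article."""
from statistics import median

# Per-minute new TCP connection counts, constructed for illustration.
# small_shop: quiet site, flooded in minutes 10-11.
# gaming_site: busy site, legitimate product launch in minutes 10-11.
SAMPLES = {
    "small_shop":  [40, 45, 38, 50, 42, 47, 44, 41, 46, 43, 900, 950],
    "gaming_site": [9000, 9500, 8800, 9200, 9700, 9100, 9400, 9300,
                    9600, 9000, 30000, 32000],
}

# Minutes the customer has told the provider to expect heavy legitimate load
# (a hypothetical "launch window" only the customer can supply).
LAUNCH_WINDOWS = {"gaming_site": {10, 11}}

GLOBAL_THRESHOLD = 5000  # connections/minute, identical for every customer

def fixed_threshold_alerts(samples, threshold=GLOBAL_THRESHOLD):
    """Carrier-wide rule: alert on any minute above one fixed rate."""
    return [i for i, n in enumerate(samples) if n > threshold]

def baseline_alerts(samples, warmup=10, factor=3.0, expected=frozenset()):
    """Per-customer rule: learn a baseline (median of the first `warmup`
    minutes), alert when a minute exceeds `factor` x baseline, and suppress
    minutes the customer declared as expected heavy load."""
    base = median(samples[:warmup])
    return [i for i, n in enumerate(samples)
            if i >= warmup and n > factor * base and i not in expected]

def compare(customers=SAMPLES, windows=LAUNCH_WINDOWS):
    """Return, per customer, the minutes each rule would have alerted on."""
    report = {}
    for name, s in customers.items():
        report[name] = {
            "fixed": fixed_threshold_alerts(s),
            "baseline_untuned": baseline_alerts(s),
            "baseline_tuned": baseline_alerts(
                s, expected=windows.get(name, frozenset())),
        }
    return report

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The fixed rule never alerts on small_shop and alerts on all twelve minutes of gaming_site; the baseline rule catches both spikes, but only the customer-supplied window tells the provider that the gaming launch is not an attack.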


Pointing the Finger

If the carrier blocks traffic in the cloud, it is a foregone conclusion that customers will point their finger at the service provider any time there is a performance or connectivity problem with a customer application. The service provider would then expend considerable time and expense proving they are not at fault.

Service providers look to scale their service offerings by avoiding customization as much as possible. With high administrative overhead and support costs, it is difficult to imagine a business model that makes sense for delivering clean pipes when simple over-provisioning has proven cost-effective and does not open the door to liability.

Cui bono

How does a service provider move from a sales model that depends on selling incrementally more bandwidth each year to one where the customer pays for something that is not delivered (i.e. presumed malicious traffic)? Any service that significantly reduces the traffic delivered to the customer premises is robbing Peter to pay Paul.

Customers would still need to enhance and maintain their own perimeter defense infrastructure, as the most dangerous current attacks can't be blocked by a solution in the service provider cloud. These attacks closely mimic normal and expected communications and leverage 0-day exploits that elude all but the most sophisticated malware analysis. According to the Trustwave 2014 Security Pressures report, targeted malware and advanced persistent threats are the fastest growing vectors of attack and the greatest risk to corporate assets.

While the principle of clean pipe services makes sense from the standpoint of national security, there are few economic drivers for service provider adoption and considerable technical barriers to implementation. With the current political distaste for regulation that Clarke bemoans in 'Cyber War', it seems unlikely that this approach will gain any traction in an ever more crowded security marketplace.