
Clean Pipes: Who is Responsible?

In his book 'Cyber War: The Next Threat to National Security and What to Do About
It', former White House cybersecurity czar Richard Clarke argued for the
deployment of deep-packet inspection systems in Tier 1 service providers to block
malware prior to reaching end-customer networks. This approach was echoed in a
recent press release by Ashley Stephenson, CEO of Corero Network Security.
Stephenson admonished,

"Instead of taking an 'every man for himself' approach to battling cyber
attacks, Internet Service Providers need to step forward and deliver
protected Internet services that remove the known malicious traffic before it
impacts their enterprise customers."

Is this approach realistic technologically? Is there a sustainable business model for
carriers to deliver this? While everyone agrees that the less malicious traffic that
travels the last mile to the customer premise the better, there are significant hurdles
to implementation of clean pipe technologies in service provider networks. The
chief technological hurdle was humorously framed by Steve Bellovin of AT&T
Research in RFC 3514 - The Security Flag in the IPv4 Header.

"Firewalls [CBR03], packet filters, intrusion detection systems, and
the like often have difficulty distinguishing between packets that
have malicious intent and those that are merely unusual. The problem
is that making such determinations is hard. To solve this problem,
we define a security flag, known as the "evil" bit, in the IPv4
[RFC791] header. Benign packets have this bit set to 0; those that
are used for an attack will have the bit set to 1."

Given the current resistance of malicious attackers to implementing the "evil" bit,
how exactly does one determine which traffic is unwanted? IPS and IDS
technologies have a historical problem with high false positive rates, particularly
when custom-developed applications do not follow relevant standards. These false
positive events require investigation and tuning of the detection platform both at
initial provisioning and when the customer implements new applications.

Tuning requires detailed knowledge of the protocols, policies, applications and
business processes in use. In DDoS attacks on web servers for example, what
constitutes an attack for a customer with limited web traffic is normal for high
traffic sites. A new product launch for a gaming company can be indistinguishable
from an attack when looked at by sheer volume of bandwidth or rate of new client
connections. Each customer presents unique challenges to getting the balance right.

Pointing the Finger

If the carrier blocks traffic in the cloud, it is a foregone conclusion that customers
will point their finger at the service provider any time there is a performance or
connectivity problem with a customer application. The service provider would then
expend considerable time and expense proving they are not at fault.

Service providers look to scale their service offerings by avoiding customization as
much as possible. With high administrative overhead and support costs, it is difficult
to imagine a business model that makes sense to deliver clean pipes when simple
over-provisioning has proven cost-effective and does not open the door to liability.

Cui bono

How does a service provider move from a sales model that depends on selling
incrementally more bandwidth each year to one where the customer pays for
something that is not delivered (i.e. presumed malicious traffic)? Any service that
significantly reduces the traffic that is delivered to the customer premises is robbing
Peter to pay Paul.

Customers would still need to enhance and maintain their own perimeter defense
infrastructure as the most dangerous current attacks can't be blocked by a solution
in the service provider cloud. These attacks closely mimic normal and expected
communications and leverage 0-day exploits that elude all but the most
sophisticated malware analysis. According to the Trustwave 2014 Security
Pressures report, targeted malware and advanced persistent threats are the fastest
growing vectors of attack and the greatest risk to corporate assets.

While the principle of clean pipe services makes sense from the standpoint of
national security, there are few economic drivers for service provider adoption and
considerable technical barriers to implementation. With the current political
distaste for regulation that Clarke bemoans in 'Cyber War', it seems unlikely that
this approach will gain any traction in an ever more crowded security marketplace.
