EFF.Org - In light of the recent spate of high-profile hacking campaigns, and the overall poor state of security on the internet, NextGov.com reports that parts of the US government are advocating for a separate, “secure” internet. The idea calls for segmenting “critical” networks (not yet fully defined, but presumably including infrastructure and financial systems) and applying two security mechanisms to these networks: (1) increased deep packet inspection (DPI) to detect and prevent intrusions and malicious data; and (2) strong authentication, at least for clients. The trouble is that this “.secure” internet doesn’t make much technical or economic sense: the security mechanisms are simply not powerful or cost-effective enough to warrant re-engineering an internet.
Whether the idea is to apply different security policies to sites using a special domain name like “.secure” (and possibly the existing .edu and .gov domains), or to create a parallel internet infrastructure, is not yet clear. (Although government representatives say the idea is not to create a parallel infrastructure, that is the most “secure” form of the idea, and I therefore expect the idea to begin to incorporate elements of new, separate infrastructure for the most important networks as the idea matures.)
Whether the idea is to apply different security policies to sites using a special domain name like “.secure” (and possibly the existing .edu and .gov domains), or to create a parallel internet infrastructure, is not yet clear. (Although government representatives say the idea is not to create a parallel infrastructure, that is the most “secure” form of the idea, and I therefore expect the idea to begin to incorporate elements of new, separate infrastructure for the most important networks as the idea matures.)
Intrusion Detection and Prevention
From the NextGov article:Today, searches of the .gov domain are conducted by the Einstein program, an intrusion prevention and detection system under the direction of the Homeland Security Department that monitors only federal traffic for signs of unauthorized access. It alerts response teams to potential attacks and automatically blocks penetration in some cases.The .secure network would apparently involve an increase in the use of intrustion detection and prevention systems (IDS and IPS). It’s not clear why increasing the use of such systems would require new legislation or even a special new network. Network operators can, and do, deploy such systems now on their own networks to protect their own sites. (And as we know, the government has no qualms about using DPI to surveil the entire country without a warrant.)
A problem is that IDS/IPS are very expensive to operate. Distinguished security engineers Bellovin, et al. explain why expanding the EINSTEIN system to cover much more ground is prohibitively expensive. IDS/IPS works best when carefully tuned for particular, relatively small networks.
Another problem is that IDS and IPS have limited applicability, for several reasons.
- There is only a very weak global definition of “malicious” network traffic. Strong security assertions tend to be local to a particular application or network, rather than global to the network as a whole or to all applications. A network request that would destroy site A might be merely meaningless to site B, and possibly even normal functionality for site C. Some traffic is widely-agreed to be bad, such as the binary executable for a piece of malware. But even then, security researchers (including those working on the .secure network!) need to download malware to do their jobs.
- It is very easy, sometimes even trivial, to encode malicious data in such a way that an IDS/IPS won’t recognize it as malicious, but will still have its evil effect on the target system. (Newsham and Ptacek wrote a pioneering paper on evading IDS/IPS. Hackers have refined the techniques since then, and IDS/IPS vendors have refined their counter-measures. But like signature-based anti-virus software, fundamentally this is a cat-and-mouse game that IDS/IPS systems cannot consistently or conclusively win against a motivated attacker.)
- IDS/IPS, by their nature, tend to have very high equipment costs because they store and crunch huge amounts of data. Even more expensive is the salaries for the teams of network security experts that have to analyze the huge amounts of data. As a result, IDS/IPS tends to get defined down; network engineers tend to stop saying “intrustion prevention system” and start saying “post-breach forensic data source”. Obviously, having a way to do forensics is valuable in itself — but reliable, automatic intrusion prevention remains a dream.
