Battling the Stupid-Bit

The Evil Bit! I’ve been thinking about RFC 3514 often over the last few quarters; that and what should be its cousin: the Stupid-Bit. I know you’re shaking your head now – poor CTO…too much time in the sales/marketing dunk tank. I’m serious, though. Not that you should be able to look at a bit in a packet and know its intent (e.g. malicious, web-surfing, financial transaction…), but rather that by understanding the context of the packet, you should be able to decide its fate. As a thought exercise, put yourself at any point in the network, and, given a packet, ask yourself, “What do I need to know about this packet in order to forward it along the way?” The set of questions that our current security and networking infrastructure asks is pretty rudimentary: do we know how to get where it wants to go, i.e. have a route, ARP mapping, etc.? Is it allowed to go to that host and service – match a firewall ruleset? Does it carry obvious maliciousness – match an IPS vulnerability or exploit signature? The industry is pushing this a bit further: is it allowed to talk on this port and is it coming from an authorized machine (NAC)? However, it’s my guess that you could ask yourselves a bunch of other pretty relevant questions — some of these divining an implicit evil-bit or more likely a stupid-bit set to one.

Arbor’s spent the last five years building both provider and enterprise solutions that measure network-wide normal behavior. Give us a point in your network and a packet — we can tell you if you’ve seen it before; how often; to which other hosts; between which users; what other applications were in the mix at the time; etc. We have done this in the past with flow-based inputs, and increasingly with application-specific data generators — such as our Authflow Identity Tracking agents. If you have talked to our sales-force, pm-force, or me in the last nine months, you’ve probably heard about what we’re doing in the area of deep packet data inputs. The idea is to build out our context not just network-wide, but also up and down the stack. I won’t spoil the marketing launches, so enough said about that; but where we’re going is increasingly towards putting this network-wide context into action. If you can answer a lot more questions about a packet, you can make a much better forwarding decision. Networks need to get smarter or at least not work so hard at forwarding traffic with the stupid-bit set to one.
