In submarine warfare, Identify Friend or Foe (IFF) is vital. In the network world, we could accomplish this by requiring that all packets are signed, so that only "friendly" packets are processed. However, this doesn't mean you can safely ignore all signed packets. If you are a submarine commander, it's important to track all contacts, so you don't run into them. Likewise, with information security, all contacts should be analyzed for anomalies, regardless of an IFF tag.
The technology to accomplish network IFF isn't here yet, but here's how it would work:
- Your IDS would use heuristic analysis to try to identify signed packets that look suspicious -- for example, traffic tunneled over protocols that aren't compliant with network policy or packets originating in a production DMZ that attempt a root login in another zone.
- Once you have the ability to sign packets and monitor traffic through heuristic analysis, IDS can revoke credentials for hostile packets.
Sounds good so far, but here's the problem: Network-level PKI is beyond our present capabilities. We can't execute wire-speed enterprise packet-level certificate revocation checking or Online Certificate Status Protocol (OCSP) with gigabit-speed traffic. Nor can IDSes perform real-time anomaly detection and certificate revocation.
Nonetheless, as our defensive perimeters vanish, we'll need certificate protection at the packet level to achieve real intrusion prevention. Look for crypto accelerators and hardware security modules to leverage IFF technology in core networks. This will mean significant investment in cryptography technology, but it will be worth it to avoid being the litigation poster child for Sarbanes-Oxley or HIPAA.
Consider the benefits. Once the suspect packets' certificates are revoked or disabled, all other nodes within one router hop can be alerted that the compromised host is no longer trusted. This will provide damage control while the CIRT is mobilized. As with military IFF, we could use the intelligence to combine tactics. For example, we could use a honeypot monitoring unused IP addresses to alert IDSes and legitimate hosts that hosts in certain subnets are hostile. This will essentially tag traffic from the subnet with the "evil bit,"[1] so it is presumed hostile when encountered.
[1] The "evil bit" is part of Steve Bellovin's RFC 3514 April Fools' joke.
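The scheme sketched above, as an added toy model (not the author's code, and not a real product): hosts sign their packets, a monitor checks every packet's IFF tag, still runs anomaly heuristics over validly signed traffic, pulls a host's credential when those heuristics fire, and a honeypot watching unused address space tags the offending source subnet as presumed hostile. HMAC with pre-shared per-host keys stands in for the packet-level PKI the column says does not yet exist; all addresses, zones, keys and policy rules are constructed for the example.

```python
"""Toy network-IFF monitor: signature check, heuristics on signed traffic,
credential revocation, and honeypot-derived "evil bit" subnet tagging.
Added illustration; keys, zones, addresses and policy are constructed."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed per-host signing keys (stand-in for per-host certificates).
HOST_KEYS = {
    "10.1.0.5": b"constructed-key-dmz-web-01",
    "10.2.0.7": b"constructed-key-corp-ws-07",
}
# Constructed zone map and per-zone protocol policy.
ZONES = {
    "production-dmz": ipaddress.ip_network("10.1.0.0/16"),
    "corp": ipaddress.ip_network("10.2.0.0/16"),
    "mgmt": ipaddress.ip_network("10.3.0.0/16"),
}
ALLOWED_PROTOS = {
    "production-dmz": {"http", "dns"},
    "corp": {"http", "dns", "ssh"},
    "mgmt": {"http", "dns", "ssh"},
}
UNUSED_SPACE = ipaddress.ip_network("10.9.0.0/24")  # honeypot listens here


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    payload: str
    sig: bytes = b""


def canonical(pkt):
    """Bytes covered by the signature: addresses, protocol and payload."""
    return f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.payload}".encode()


def sign(pkt, key):
    pkt.sig = hmac.new(key, canonical(pkt), hashlib.sha256).digest()
    return pkt


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


@dataclass
class IFFMonitor:
    revoked: set = field(default_factory=set)          # hosts whose credential was pulled
    hostile_subnets: set = field(default_factory=set)  # honeypot-derived "evil bit" tags
    alerts: list = field(default_factory=list)         # what one-hop neighbours would be told

    def verify(self, pkt):
        """IFF check: is the tag genuine, and is that credential still good?"""
        key = HOST_KEYS.get(pkt.src)
        if key is None or not pkt.sig:
            return "unsigned"
        expected = hmac.new(key, canonical(pkt), hashlib.sha256).digest()
        if not hmac.compare_digest(pkt.sig, expected):
            return "bad-signature"
        return "revoked" if pkt.src in self.revoked else "ok"

    def heuristics(self, pkt):
        """Anomaly rules applied even to validly signed traffic."""
        reasons = []
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        if pkt.proto not in ALLOWED_PROTOS.get(src_zone, set()):
            reasons.append(f"{pkt.proto} not permitted from {src_zone}")
        if (src_zone == "production-dmz" and dst_zone != src_zone
                and pkt.proto == "ssh" and "root" in pkt.payload):
            reasons.append("root login attempt from production DMZ into another zone")
        return reasons

    def honeypot_observe(self, pkt):
        """Any contact with unused address space tags the source /24 as hostile."""
        if ipaddress.ip_address(pkt.dst) in UNUSED_SPACE:
            net = ipaddress.ip_network(f"{pkt.src}/24", strict=False)
            self.hostile_subnets.add(net)
            self.alerts.append(f"honeypot: {net} presumed hostile")
            return True
        return False

    def process(self, pkt):
        """Returns (action, detail). A valid signature does not skip analysis."""
        if self.honeypot_observe(pkt):
            return ("drop", "honeypot contact")
        if any(ipaddress.ip_address(pkt.src) in net for net in self.hostile_subnets):
            return ("drop", "evil-bit subnet")
        status = self.verify(pkt)
        if status != "ok":
            return ("drop", status)
        reasons = self.heuristics(pkt)
        if reasons:
            self.revoked.add(pkt.src)
            self.alerts.append(f"revoked {pkt.src}: {'; '.join(reasons)}")
            return ("revoke", reasons)
        return ("accept", "signed and clean")


def demo():
    """Constructed traffic sequence; returns the monitor's verdict for each packet."""
    mon, web = IFFMonitor(), HOST_KEYS["10.1.0.5"]
    return [
        mon.process(sign(Packet("10.1.0.5", "10.2.0.7", "http", "GET /"), web)),       # clean
        mon.process(sign(Packet("10.1.0.5", "10.2.0.7", "ssh", "login root"), web)),  # revoked
        mon.process(sign(Packet("10.1.0.5", "10.2.0.7", "http", "GET /"), web)),       # still signed, now refused
        mon.process(Packet("10.7.0.9", "10.9.0.1", "http", "probe")),                  # hits honeypot
        mon.process(Packet("10.7.0.10", "10.2.0.7", "dns", "query")),                  # tagged subnet
    ]
```

The ordering in `process` carries the column's two points: every contact is recorded (the honeypot sees unsigned probes too), and a good signature only earns a packet a heuristic inspection, not a free pass.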