How do we accomplish coordinated network security in a distributed autonomous network environment?
Findings:
We find it likely that traffic in future networks will be encrypted end-to-end.
Traffic monitoring and filtering may then have no inputs beyond source and destination addresses and the history of earlier traffic.
Traffic analysis will become an important part of network-based security systems.
Even when traffic is sent in the clear, as is the norm for open science data, the sheer volume of data flows guarantees that pattern-based detection will misfire often, again shifting the burden to traffic analysis.
Recommendations:
Network-based intrusion detection and prevention systems must incorporate content-blind rules or heuristics. What form these methods should take is an area for study. The inputs to such rules can include source and destination addresses, security association ID, times of observation, and possibly some key negotiation traffic.
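As an added illustration of what a content-blind rule can look like (example code written for this page, not part of the original report), the following Python applies two heuristics to flow records that carry only the inputs listed above: source and destination address, a security association ID (an IPsec SPI is assumed as the identifier), and the observation time. The first heuristic flags flows between a fixed (source, destination, SA) triple whose inter-arrival times are nearly constant, a timing regularity that is visible without decrypting anything; the second flags peer pairs that never appeared in the traffic history. The flow records are constructed sample data, not captured traffic, and the thresholds are assumptions to be tuned per site.

```python
"""Content-blind flow heuristics: addresses, SA id, timestamps and history only."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float   # observation time in seconds (relative to window start)
    src: str    # source address
    dst: str    # destination address
    spi: int    # security association id (assumed: IPsec SPI; 0 = none/cleartext)


Key = Tuple[str, str, int]

# Constructed sample records (not real traffic).
# 10.0.0.5 -> 203.0.113.9 under SA 0x1001 talks on a near-exact 60 s cadence;
# 10.0.0.7 -> 198.51.100.20 in the clear is bursty and irregular;
# 10.0.0.8 -> 203.0.113.9 under SA 0x1002 has too few observations to judge.
FLOWS: List[Flow] = (
    [Flow(t, "10.0.0.5", "203.0.113.9", 0x1001)
     for t in (0.0, 60.5, 120.2, 179.8, 240.1, 300.4, 359.9, 420.3)]
    + [Flow(t, "10.0.0.7", "198.51.100.20", 0)
       for t in (5.0, 12.0, 90.0, 95.0, 300.0, 310.0, 400.0)]
    + [Flow(t, "10.0.0.8", "203.0.113.9", 0x1002) for t in (10.0, 70.0, 130.0)]
)

# Constructed history from an earlier window: which peer pairs are already known.
HISTORY: List[Flow] = [
    Flow(-3600.0, "10.0.0.7", "198.51.100.20", 0),
    Flow(-1800.0, "10.0.0.8", "203.0.113.9", 0x1002),
]


def detect_periodic(flows: List[Flow], min_count: int = 6,
                    max_cv: float = 0.1) -> List[Tuple[Key, float, float]]:
    """Return (key, mean_gap, cv) for triples whose inter-arrival times are
    nearly constant. cv = stddev/mean of the gaps; small cv means a steady
    cadence. min_count and max_cv are assumed thresholds."""
    by_key: Dict[Key, List[float]] = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.spi)].append(f.ts)
    hits = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue                      # not enough observations to judge
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue                      # duplicate timestamps; skip
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append((key, round(m, 1), round(cv, 3)))
    return hits


def new_peers(history: List[Flow], recent: List[Flow]) -> List[Tuple[str, str]]:
    """Peer pairs seen in the recent window that never appeared in history."""
    known = {(f.src, f.dst) for f in history}
    return sorted({(f.src, f.dst) for f in recent} - known)


def report(history: List[Flow], recent: List[Flow]) -> List[str]:
    """Human-readable findings combining both heuristics."""
    lines = [f"periodic: {k[0]}->{k[1]} spi=0x{k[2]:x} gap~{g}s cv={cv}"
             for k, g, cv in detect_periodic(recent)]
    lines += [f"new peer: {s}->{d}" for s, d in new_peers(history, recent)]
    return lines


if __name__ == "__main__":
    for line in report(HISTORY, FLOWS):
        print(line)
```

Both heuristics fire on the same constructed triple here (a steady 60 s cadence to a peer never seen before), which is the kind of corroboration a content-blind system has to rely on: neither signal alone proves anything, and a legitimate keepalive will look just as periodic, so the output is a prioritised lead for an analyst rather than a verdict.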