620 likes | 754 Views
Internet Infrastructure Protection . May 23, 2006 Steve Crocker, steve@shinkuro.com ICANN Security and Stability Committee Shinkuro, Inc. My Primary Message. Build security into the infrastructure Good architecture is cheaper and better than chasing the bad guys
E N D
Internet Infrastructure Protection May 23, 2006 Steve Crocker, steve@shinkuro.com ICANN Security and Stability Committee Shinkuro, Inc.
My Primary Message • Build security into the infrastructure • Good architecture is cheaper and better than chasing the bad guys • It’s less sexy but more effective • CERTs, Firewalls, Honeynets, etc. are all good • Networking the security community is good • Do all of this, but also invest in the architecture 2
Latin America has unique opportunity • Plenty of technical talent • Networks are still in a growth stage • Not as much legacy as North America, Europe • Good communication, cooperation • Opportunity to leap ahead 3
Attack Sophistication vs. Intruder Knowledge email propagation of malicious code DDoS attacks “stealth”/advanced scanning techniques increase in worms sophisticated command & control widespread attacks using NNTP to distribute attack widespread attacks on DNS infrastructure executable code attacks (against browsers) anti-forensic techniques Attack Sophistication automated widespread attacks home users targeted GUI intruder tools distributed attack tools hijacking sessions increase in wide-scale Trojan horse distribution widespread denial-of-service attacks Internet social engineering attacks Windows-based remote controllable Trojans (Back Orifice) techniques to analyze code for vulnerabilities without source code automated probes/scans packet spoofing Intruder Knowledge 6 1990 2004
Internet Infrastructure Threats • Physical disruption of major lines and switching centers • Loss of DNS service continuity and/or fidelity • Loss of routing infrastructure continuity and/or fidelity • Flooding of network or specific sites, i.e. denial of service attack 7
Internet Infrastructure Protection • DNSSEC • Address Security • DDoS suppression 8
Segments • Demo • DNS & DNSSEC basics • Deployment Issues • Opportunity!
Hijack Demo • Connect to BADNET network • We will intercept your queries…
DNSSEC Basics Slides from RIPE NCC
Why DNSSEC? • DNS is not secure • Known vulnerabilities • People depend more and more on DNS • DNSSEC protects against data spoofing and corruption 13
DNS: Known Concepts • Known DNS concepts: • Delegation, Referral, Zone, RRs, label, RDATA, authoritative server, caching forwarder, stub and full resolver, SOA parameters, etc 14
2 1 3 Caching forwarder (recursive) 4 8 5 9 Add to cache 6 10 TTL 7 Reminder: DNS Resolving Question: www.ripe.net A root-server www.ripe.net A ? “go ask net server @ X.gtld-servers.net” (+ glue) www.ripe.net A ? Resolver 193.0.0.203 www.ripe.net A ? gtld-server “go ask ripe server @ ns.ripe.net” (+ glue) www.ripe.net A ? “193.0.0.203” ripe-server
Zone administrator 1 2 3 4 5 Zone file slaves DNS: Data Flow master Caching forwarder Dynamic updates resolver
Zone administrator 3 5 4 2 1 Zone file slaves DNS Vulnerabilities Corrupting data Impersonating master Cache impersonation master Caching forwarder Dynamic updates resolver Cache pollution by Data spoofing Unauthorized updates Altered zone data Server protection Data protection
DNSSEC protects.. DNSSEC protects against data spoofing and corruption • DNSKEY/RRSIG/NSEC: provides mechanisms to establish authenticity and integrity of data • DS: provides a mechanism to delegate trust to public keys of third parties • A secure DNS will be used as an infrastructure with public keys • However it is NOT a PKI 18
DNSSEC Current State • RFC 4033 • DNS Security Introduction and Requirements • RFC 4034 • Resource Records for the DNS Security Extensions • RFC 4035 • Protocol Modifications for the DNS Security Extensions • March 2005 • Obsoletes RFC 2535 19
DNSSEC hypersummary • Data authenticity and integrity by signing the Resource Records Sets • Public DNSKEYs used to verify the RRSIGs • Children sign their zones with their private key • Authenticity of that key established by signature/checksum by the parent (DS) • Ideal case: one public DNSKEY distributed 20
Deployment Issues • Getting the Root Signed • Getting TLDs Signed • Getting Enterprises Signed • Resolvers • Applications
Key Generation A Key Distribution B Root Signing C Serving Signed Root D TLD Key Acquisition E Serving Signed Root with TLD Keys F Root Signing Road Map
Current Status Zone Walking Zone Size Getting TLDs Signed -- Issues
TLD Zone Status • .SE (Sweden) is signed and operational • RIPE’s portion of in-addr.arpa is signed • .ORG, .COM and .NET have test beds • More coming
NSEC (“Next Secure”) makes it possible to “walk the zone” to find all entries Some (many?) TLD operators object NSEC3, using hashes, solves this problem NSEC3 design is done(?) Shakedown workshop at DENIC in early May Good progress. Further testing and documentation needed Zone Walking
Memory requirements expand three to five times for a fully signed zone Significant impact on large zones -- COM, NET, ORG, DE, UK, … Current design requires one NSEC record for every delegation, even if it’s not signed “Opt-in” requires NSEC (or NSEC3) record only for signed zones (Some call this “opt-out”. Same thing.) Slightly different but equivalent security Much lower initial impact Opt-in is coming with NSEC3 Zone Size
In house operation Outsourced operation Getting Enterprises Signed
Software Possible hardware Operations Policies Key lifetimes, management chain Procedures, Training Become a founding operator… In House Operation
Many enterprises outsource DNS service Registrars, hosting services Managed DNS Service Providers UltraDNS, VeriSign, Akamai, Netriplex, Infoblox, EasyDNS, DNS Made Easy DNS Service Providers can add DNSSEC with zero imposition on domain name holder Except perhaps for a charge DNS Service Providers will be the source of many signed zones Outsourced Operation
Opportunity! • Meanwhile, in the short run, it’s up to us. • Be a DNSSEC founding operator • Sign your zone • Be the primary for others • Be a secondary • Tuesday we will announce a small directory of primary and secondary signer/operators • http://www.dnssec-deployment.org/zones • Sign up. Talk to us today. Send email.
DNSSEC Deployment is… • … the transition from specs to operation • … a multinational effort • … a complex process • … a project that needs your help 31
Organizational Matters • Pockets of expertise • Sweden, Netherlands, U.S., Japan • Active test bed and deployment in a few places • Deployment Working Group active 32
What’s Needed • Local efforts in each country • Regional cooperation for training, etc. • Awareness campaigns • Testing • Application development 33
Government Role(s) • Awareness, motivation • Prioritization – protect critical infrastructure • Funding of key local activities • Participation in global forum • Adoption and leadership internally 34
Contacts & Resources • steve.shinkuro.com • www.dnssec-deployment.org • Slides and other DNSSEC material at: www.ripe.net/training/dnssec/ • http://www.nlnetlabs.nl/dnssec/ • http://www.dnssec.net/ ===================================== Support provided by U.S. Dept. of Homeland Security, Science and Technology Directorate Cooperative work with Sparta, NIST, MIT Lincoln Laboratory
Acknowledgements • Olaf Kolkman, RIPE • Edward Lewis, NeuLevel • The Whole DNSSEC Deployment Working Group 36
Address Validation is Essential • Address spoofing is a key component of multiple attacks • Must check at ingress • Every ISP must do this 38
What is Address Validation? • Does the source address belong to this customer? • Requires knowing authorized source addresses • Same as destination addresses • Requires checking • Adds cost, hardware • Do it anyway • Insist your peers do it too 39
Suppression of Distributed Denial of Service (DDoS) Attacks 40
The Denial of Service Problem • Denial of service attacks are increasing • This will get worse – probably much worse • Law enforcement is important but necessarily at the wrong end of the problem • Technical changes in the Internet would help a lot 41
A modest(?) proposal for controlling DDoS Attacks • Identify sources of traffic • Identify “well managed” computers on “well managed” networks • Traffic from well managed networks gets preference 42
“Well managed” • “Well managed” computers aren’t zombies • Details on the next slide • Well managed networks quarantine computers which appear to be infected or misbehaving • Well managed networks report misbehaviors and accept reports of misbehaviors 43
Weeding out Zombies • Regular configuration checking • Either within the enterprise • Or by an outside service • Tight configuration control • (Eventually) certified appliances 44
Network Wide Cooperation • Traffic among well managed networks gets preference • Traffic from same sites is labeled with a “good” bit • Eerily similar to Bellovin’s “evil” bit(!) • When there is congestion, traffic from unmanaged hosts on unmanaged networks is dropped • How is traffic labeled? • Diffserv? IP header bit? MPLS? Other? 45
DDoS Policy Approaches • Pressure on the vendor to supply machines that are safe out of the box • Establishment of an ethic that machines should be safe, i.e. it’s the vendor’s problem, not the user’s. This all requires R&D, clarity of vision, and perseverance. Not an overnight process. 46
Arguments in Favor • Similar to VPN over private lines, but potentially more efficient • Adds incentive to improve security in hosts and networks • Raises DDoS protection to a primary goal • Incremental – works well with a small set of core ISPs and expands smoothly • Robust – does not require 100% correct operation • Failures can be detected; adjustments can be made 47
Critique • Sharp shift in policy • Requires strong cooperation among ISPs • Who sets the rules? • Enforcement issues • Who determines when an ISP or a customer isn’t complying? • What appeals process? • Efficiency issue for large ISPs: Is it feasible to filter traffic at high speed? 48
Working Together? • Why is so hard to work closely together over the net? • Email and Instant Messaging… Is that all there is? • Need flexible, easily configurable, user-controlled file-sharing, screen-sharing, etc. • Need very low cost 50