Working Group #4: Network Security Best Practices

1. Working Group #4: Network Security Best Practices June 6, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair

2. Working Group #4: Network Security • Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to the successful global implementation of the Domain Name System Security Extensions (DNSSEC) and Secure BGP (Border Gateway Protocol) extensions. • Duration:  Sept. 2011 – Mar. 2013

3. Working Group #4 – Participants • Co-Chairs • Rod Rasmussen – Internet Identity • Rodney Joffe – Neustar • Participants • 30 Organizations represented • Service Providers • Network Operators • Academia • Government • IT Consultants • Four new members with expertise in routing plus some DNS

4. Working Group #4 – Update to Deliverables • Updated deliverables and schedule for work group • Domain Name Service (DNS) Security Issues • Report in September • BGP and Inter-Domain Routing Security Issues • Report in March 2013 • Focus of work group is now on the DNS work • Open questions around addressing important edge filtering/spoofing issues and their relation to routing and impact on network security. • Sub-team is meeting separately to propose incorporating

5. Working Group 4 - Work Completed • Primary DNS issues identified – focus of team for summer • Attacks against & issues with ISP Recursive Infrastructure • ISP insiders inserting entries into resolvers, hacking of infrastructure, etc. • Attacks against & issues with Authoritative DNS of ISPs themselves • DDOS of nameservers, hijacking of ISP's domain name, hacking nameservers, etc. • Attacks against DNS Infrastructure that ISPs provide to their customers • Hacking of authoritative DNS servers, attacks against customer DNS or domain management accounts, social engineering of ISP staff, etc. • Abuse of an ISP’s infrastructure to attack others • Things like reflective DDOS attacks, caching of malicious domains • Subscribers of ISPs having issues with DNS • DNS changer viruses, customer premise equipment with non-ISP DNS settings, etc. • Hygiene and "other" issues touching on DNS security • Insecure zone transfers, ISPs or "alternative" DNS providers using NX re-direct, etc. • Routing issues identified and some side-work underway

6. Working Group 4 – Current Work • Focus on DNS paper for September CSRIC meeting • Smaller working teams looking at each DNS topic area • Pull in BCP’s and operational advisories • NIST work especially useful • Write-up topics and editing • Sub-team looking at edge filtering/spoofing issues • Routing work simmering on back burner

7. Working Group 4 - Next Steps/Timeline • Finalize remaining DNS subteams • Draft issues and recommendations for DNS – June/July • DNS draft report iterations July/August • Report out DNS paper September CSRIC • Subteams for routing and edge issues over summer • Draft issues and recommendations for Routing – Fall • DNS draft report iterations Winter • Report out Routing paper March 2013 CSRIC • Teleconferences bi-weekly – Fridays 1330 Eastern • Sub-team work parties meet in off-weeks