How Internet Service Providers Can Use DNSSEC to Provide Security for Customers

Transcription

1 How Internet Service Providers Can Use DNSSEC to Provide Security for Customers A White Paper Prepared by Rob Ayoub, CISSP Global Program Director

2 TABLE OF CONTENTS The Changing Role of the ISP... 3 The Changing Threat Landscape... 4 Primary Vectors for DNS Attacks... 4 Man-in-the-Middle Attacks... 4 DNS Cache Poisoning... 5 Some Real-World Examples of Cache Poisoning... 6 DNS Offers ISP Potential Opportunities... 6 Driving the Decision for DNSSEC... 7 Factors to Build into the Decision Process... 8 Cost of Liability in Case of Failure... 8 Cost of Lost Subscribers... 9 Competitive Threat... 9 Potential for Higher Margins... 9 Stepwise Deployment of DNSSEC for an ISP... 9 Evaluate Current Capabilities... 9 Determine Where DNSSEC Fits Into Service Offerings Develop an Incremental Plan for Deployment Test and Document How VeriSign Can Help Expertise and Experience Resources Conclusion About

3 EXECUTIVE SUMMARY The role of the ISP is changing in today s Internet-dependent world. The modern ISP is providing a mix of services to their end-users that allow for increased connectivity and efficiency. This increase in service level, while demanded by end-users, puts additional liabilities back on the ISP. Many ISPs have responded responsibly to the risk, deploying Internet security software suites to their end-users at no cost. Unfortunately, the end-user s computer is no longer the only threat vector that criminals are targeting. The highlight of a critical DNS flaw in 2008 made it clear that some elements of the Internet infrastructure were at risk, and, if compromised, could be used in a manner that was undetectable at the endpoint. Given the increasing regulation around data security, it is no surprise that some ISPs have been looking at implementing additional security measures. DNSSEC (Domain Name System Security Extensions) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS), as used on Internet Protocol (IP) networks, and meant to protect online activity against Man-in-the-Middle or cache poisoning attacks. This paper will introduce DNSSEC and describe the manner in which ISPs can begin deployment. This paper will also present the resources available to ISPs as they ensure their infrastructure is properly configured to handle and process DNSSEC. THE CHANGING ROLE OF THE INTERNET SERVICE PROVIDER Internet Service Providers (ISPs) have traditionally been concerned primarily with providing data access. In the dial-up days, that s exactly what ISPs provided access to the Internet. This is still a core competency of ISPs, but the role of the ISP has expanded to hosting the Web presence of its clients, providing access to end-users, and ultimately providing more data services to both end-user and enterprise clients. As the number of Internet-enabled devices continues to increase into the trillions, ISPs will again find their roles expanding. The key challenge for ISPs today is exactly the same as for any other business to increase margins, total revenue and number of customers. The traditional access business, while a key component of the ISP offering, is a declining margin business. Increased competition from cable and satellite providers means more dollars spent to lure and retain customers. Most consumers see broadband access as a commodity and will pursue the lowest-priced alternative. This puts ISPs in the position of seeking technology and service offerings that will allow them to not only meet, but exceed their business goals. Many of these new service offerings revolve around hosted service offerings such as Unified Communications (UC) and video conferencing. In the consumer arena ISPs are feeling competition from traditional and new competitors to offer triple- and quad-play solutions on the service delivery side, enabling bundling of solutions that help decrease churn and drive enhanced average revenue per user (ARPU). As these services gain in popularity and deployment, security will be a key component and competitive differentiator. 3

4 THE CHANGING THREAT LANDSCAPE The original model of network security was focused on protecting the network from the outside using firewalls and other traditional perimeter security devices. But modern threats have added to the complexity and challenge, and require new methods to address them. For example, links that direct users to a malicious website or attachments embedded in a blog post with malicious code are primarily enabled by client-side infections and can elude network perimeter security devices. Malware can then exploit vulnerabilities in applications and download malicious programs, such as key loggers, to steal user names, passwords and other private data. Despite years of research and awareness, the number of software vulnerabilities continues to stay steady with a constant stream of new vulnerabilities reported each quarter. The number of unique malcode signatures has increased hyper-exponentially over the past five years, with nearly 3 million unique malcode signatures reported in 2009 alone 1. Up until 2008, DNS had not been a major target for malware, and the number of vulnerabilities found each year was insignificant. In 2008, the demonstration of a critical DNS-based flaw by security researcher Dan Kaminsky raised the awareness of a flaw that affected the vast majority of DNS servers. This flaw prompted organizations to seriously evaluate the state of the DNS infrastructure. Primary Vectors for DNS Attacks There are several key vectors for DNS attacks on the operational infrastructure. Two of them are Man-in-the-Middle (MITM) and cache poisoning attacks. Both attacks involve the transmission of forged data that could re-direct users to another location on the Internet or result in a persistent Denial of Service (DoS) condition. Unsuspecting users and devices that access a fraudulent site are susceptible to a number of attacks such as malware and eavesdropping. In addition, cyber criminals can extract confidential data such as user information and credentials (e.g., credit card data and passwords) or may choose to deface the website to tarnish the brand or mislead users. This threat is magnified considering that a single DNS server is the address resolution point for thousands or even millions of users. Consequently, man-in-the-middle attacks or cache poisoning attacks based on a DNS vulnerability represent a threat that is an order of magnitude greater than other attacks. Man-in-the-Middle Attacks As the name implies, a MITM attack is an attack in which a third party is able to intercept and view the traffic between two parties without the two parties having knowledge that their transmission was intercepted. The two parties believe they are having a private conversation, and it is very difficult to detect that a third party was listening in or perhaps 1 Symantec Global Internet Security Threat Report: Trends for

5 proxying and modification data is exchanged between the two systems. A successful MITM attack can result in an array of threats, including: Hijacked s Tapped VoIP calls Spoofed websites Compromised passwords or other credentials Banking data re-rendered to conceal theft Figure 1 Illustration of a MITM Attack DNS Cache Poisoning DNS cache poisoning is a result of changing or adding records to the DNS cached data, either on the client or the recursive name server, so that a DNS query for a domain returns an IP address for another domain instead of the intended domain. The most dangerous component to DNS cache poisoning is that the end-user may have no idea that they are visiting a spoofed site because the address of the site was resolved before it was returned to the end-user. Once the cache has been poisoned, the attacker can redirect the user to a spoof of real sites and perform an array of nefarious activities, to include the following malicious activities: Identity Theft After being directed to a compromised site, users may be encouraged to enter credentials or information that can be used later. The compromised site may look exactly like the legitimate website it is impersonating, and may even proxy transactions from the legitimate site (e.g., such as a modified current account balance). When the user connects using the Internet address derived from the poisoned DNS cache information, they might be fooled into entering information about themselves through apparently legitimate requests for name, date of birth, Social Security or other national identity numbers, address, etc. 5

6 Distribution of Malware Another objective of attackers using cache poisoning is the automatic distribution of malware. Instead of releasing noisy auto-propagating malicious code into the Internet and realizing random results, the use of rogue IP addresses to redirect unsuspecting users to the attacker s site can be a more focused attack vector, enabling targeted attacks that intentionally compromise victims within a known demographic. Once a workstation initiates a session with the malicious site, malware is uploaded to the workstation without intervention by or the knowledge of the user. The biggest concern around cache poisoning and man-in-the-middle attacks is that they can be global or topologically localized, but are extremely difficult to detect by the end-user. Since the redirection comes from the DNS, no amount of endpoint security can protect against these kinds of attacks. The protection against these attacks has to come from the ISPs and network operators providing the infrastructure and DNS services that users utilize to connect in the first place. Some Real-World Examples of Cache Poisoning There are many examples of the havoc that cache poisoning can create. The following are examples that illustrate attacks that have reached public attention. In particular, these examples show just how difficult MITM and cache poisoning attacks can be to detect. In June 2008, a well-known security researcher, HD Moore, and his company BreakingPoint fell victim to a cache poisoning attack that was launched against the company s ISP. Even being security-minded, BreakingPoint, as a security research company, did not detect the attack and most employees did not even recognize that an attack had occurred. In fact, the only indication that employees had that there was a problem at all was complaints that Google was acting weird. 2 In 2009, reports began to circulate that one of Brazil's largest banks had suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware. Although the bank itself never did admit to the attack, subsequent reports suggest that as many as 1 percent of the bank s customers were affected 3. DNSSEC OFFERS ISP POTENTIAL OPPORTUNITIES DNS security can also drive opportunity for the ISP. This opportunity derives from the fact that ISP customers, especially enterprise customers, are becoming hyper-sensitive to data security and data loss prevention (DLP). Three key factors are driving enterprises to take data loss seriously: Loss of business through lost consumer trust and brand damage Fines levied through regulatory compliance violations Loss of intellectual property

7 Each of these factors can cost organizations a significant amount of money. According to the latest CSI/FBI (Computer Security Institute/Federal Bureau of Investigation) survey, each data loss incident can cost organizations more than $200,000 per incident 4. In 2007, the large retailer TJX discovered it was a victim of a widespread data breach that could eventually cost well over $1 billion in fines, legal fees, credit monitoring, third-party claims, and notification and remediation costs 5. These numbers illustrate just how significant the price tag for a data breach can be. End-users have also become more sensitive to data loss. A survey conducted by RSA showed that 95 percent of end-users felt there was no excuse for a company to expose a customer's confidential information. Eighty-five percent of those respondents said they would prefer to do business with a company that has never experienced a data breach, and 82 percent of respondents said they would warn others from doing business with a company that exposed its customers' personal information 6. In order to minimize these costs, organizations are looking to their service providers to help provide the necessary end-to-end expertise required to keep consumers secure. And, wherever there is sufficient concern, the ISP, armed with the appropriate technology, can address that concern with enhanced infrastructure capabilities and value-added services. In addition to the above mentioned costs and attitudes, ISPs can expect the following from implementing a more secure infrastructure: Customers appreciate data security enhancements and may be willing to pay extra for additional services Minimizing the cost of data loss incidents can translate into reduced operational costs Gain additional business by helping organizations and users maintain compliance with regulatory requirements. Driving the Decision for DNSSEC DNSSEC refers to the hardening of the DNS infrastructure in order to prevent MITM and cache poisoning attacks. Any of these DNS attacks can lead to fraud, identity theft, or generally making a target unavailable. It is foolish to think that ISPs or any business would implement wholesale changes to technology as mission critical as DNS without tangible benefits or a demonstrable return on investment. With DNSSEC, ISPs can offer enhanced data integrity and source authentication, which are required to ensure the authenticity of domain name information and to maintain the integrity of that information in transit and provide verifiability upon receipt. This gives confidence to end-users and businesses that transactions conducted on the ISP networks are immune from cache poisoning and man-inthe-middle DNS attacks

8 As shown in Figure 2, any major technology decision has to consider both the potential reward, in terms of revenues to the ISP, as well as the costs associated with deploying that technology. Regardless of how technologically advanced the ISP is, coordinating, testing, and deploying DNSSEC is going to require targeted engineering and investment. In addition, there is the potential cost of doing nothing. Such liability costs, in terms of lost business or litigation, can easily exceed the costs of implementing the technology, yet are more difficult to estimate. The key for ISPs is to balance the risks associated with not deploying DNSSEC as well as the market differentiators and other incentives enabled by DNSSEC. As discussed below, these liabilities can be quite costly to the ISP. Figure 2 The Decision Process for an ISP Factors to Build into the Decision Process Direct costs that an organization will incur while deploying DNSSEC may seem straightforward and include the cost of hardware and software plus any labor and training, etc., required to implement the technology. However, these direct costs pale in comparison to the potential costs of not deploying technology enabled by DNSSEC. The liability costs associated with a catastrophic security breach could significantly impact the ISP s business: as noted above, either through litigation, reputation and brand damage, or immediate and residual resulting loss of business. As noted below, such liability costs can be daunting. Cost of Liability in Case of Failure As described previously, MITM and cache poisoning attacks made against ISPs operating recursive DNS services are virtually undetectable to the end-user. ISPs are not wholly responsible for securing the complex ecosystem that is DNS. For example, domain names themselves have to be signed by domain name registrants, while registrars and registries 8

9 alike have to accept DNSSEC records. Never the less, ISPs play an important part in driving the adoption of DNSSEC. DNSSEC provides a considerable security improvement for the customers that ISP s serve. That improvement in security helps decrease the liability that ISPs would have in any attacks against their DNS infrastructure. Cost of Lost Subscribers Lost subscribers could be another concern of ISPs who do not deploy DNSSEC. As MITM and cache poisoning attacks become better known, end-users are likely to become frustrated with data loss, identity theft and infection of their machines. ISPs that are late to deploy DNSSEC and address security threats proactively stand to lose subscribers who seek safer alternatives. Competitive Threat ISPs are constantly looking for new competitive factors and market differentiators in an environment that s quickly being commoditized with an array of access technologies. By failing to implement DNSSEC, ISPs lose ground to their more agile competitors who will claim more secure data services enabled by a more secure network and DNS infrastructure substrate. An ISP who does not actively engage in the deployment of DNSSEC stands to lose competitively. Potential for Higher Margins Many organizations treat security like an insurance policy and are willing to pay higher premiums on the basis of better loss protection. By offering a more secure infrastructure, deployment of DNSSEC gives ISPs justification to charge higher premiums on services that sit on top of the DNSSEC foundation, which encompasses virtually any IP-based network transaction function. These higher margins alone should ultimately cover the costs required to deploy DNSSEC, with additional minimized subscriber churn as a result of a more trustworthy network infrastructure equally augmenting the return from such an investment. STEPWISE DEPLOYMENT OF DNSSEC FOR AN ISP has conducted in-depth research into the deployment of DNSSEC for ISPs, based on interviews with U.S. market-leading ISPs and businesses, and has developed a stepwise deployment strategy for ISPs to consider as they develop an implementation plan. The following steps, based on the experiences of ISPs that have taken the steps to deploy DNSSEC in their organization, will ensure a smooth transition. Evaluate Current Capabilities Obviously evaluating current capabilities is the very first step that should be conducted by an ISP preparing to deploy DNSSEC. An ISP needs to review (conduct assessment) its network and inform its technical staff on what is needed to upgrade and manage the DNS recursive services. 9

10 Additionally, hardware and software across the entire organization needs to be evaluated. DNSSEC requires more processing power than traditional DNS and is only supported by certain software builds. Additionally, the packet sizes are considerably larger (could be up to two-and-a-half times larger) in DNSSEC and may require updates to security policies or packet forwarding devices throughout the organizations. Larger packets may also result in more transmission control protocol (TCP) transactions rather than user datagram protocol (UDP) transactions, and consideration should be given to this as well, particularly when evaluating implications on firewall and other middlebox policies. An ISP has to deploy DNSSEC with care. The average help desk cost is between $12 and $40 per incident 7. A haphazard DNSSEC deployment could cause disruptions to customers, and help desk staff has to be prepared to handle any incidents that come in. Conversely, costs avoided through subscriber compromise or other incidents that drive help desk call volume will be minimized once DNSSEC is deployed. A phased model that allows ISPs to deploy DNSSEC at the recursive layer before subscribers are utilizing it at home or within the enterprise will ease operational complexities that may arise if customer deployment DNSSEC validation functions before their ISPs. Additionally, it may keep subscribers from migrating away from ISP DNS resolvers to globally open or internal-only DNS resolvers. Evaluations of current capability will require detailed assessments and will be very specific to the ISP s automation and organization. Companies that have already been through this exercise recommend obtaining the services of a capable consultant if your in-house expertise is marginal. Determine Where DNSSEC Fits Into Service Offerings DNSSEC will be the cornerstone of additional service offerings that require security guarantees. ISPs need to consider where DNSSEC fits into the deployment of larger service offerings. By understanding which future service offerings will incorporate DNSSEC as part of the underlying messaging, ISPs can better determine the required timeline for DNSSEC deployment. ISPs have to ask themselves who the target of DNSSEC-based services will be and how these services will be priced. ISPs have the opportunity to position DNSSEC as a competitive advantage as DNSSEC can improve adherence to regulatory requirements for ISP customers. Once customers understand the value that DNSSEC provides them in terms of protection against cache poisoning, those same customers will be more willing to pay a premium for services that utilize DNSSEC. Develop an Incremental Plan for Deployment ISPs should carefully evaluate their existing infrastructure and upgrade plans as they develop their deployment plans. New equipment purchases should handle DNSSEC traffic. 7 Cut-Help-Desk-Costs-Without-Sacrificing-Service/ 10

11 Software builds should be evaluated and tested for DNSSEC support. Additionally, coordination with primary equipment vendors will be critical as ISPs move to deploy DNSSEC in their organization. Test and Document Test and document is the final step of a DNSSEC rollout. With comprehensive testing, verification and documentation, an ISP can be secure in its knowledge that the solution operates as designed. For many ISPs, testing only involves the building of a test bed, allowing DNSSEC to be tested in isolation from the production network. Being able to tweak a configuration without impacting real traffic or customers is essential to building a robust DNSSEC environment prior to rolling it out. HOW VENDORS CAN HELP DNSSEC is not effective if only operating at the root level of the Internet. In order to provide a secure infrastructure, DNSSEC must be in place throughout the system, supported by all domains and validation functions enabled on all recursive name servers. ISPs are key to DNSSEC rollout, and numerous vendors are committed to helping ISPs make the transition to DNSSEC in a timely and efficient manner. There are a variety of vendors and consultants well-positioned to be trusted advisors in this role, having the expertise, experience and resources to help ISPs make sense of this new technology and adapt accordingly for their specific operating environment. Expertise and Experience Many vendors and consultants have worked to create a methodical deployment strategy to minimize potential disruptions to organizations deploying DNSSEC. ISPs can look toward these experienced vendors and consultants to ensure a smooth transition from DNS to DNSSEC. Resources Many vendors are taking multiple steps to drive DNSSEC adoption and simplify implementation for domain name registrars, ISPs, registrants, and other members of the DNS ecosystem. These steps include publishing technical resources; providing test environments for implementers and vendors to evaluate the compatibility of their equipment with DNSSEC; leading educational sessions for registrars, ISPs, and other communities; and developing tools to simplify DNSSEC management. CONCLUSION The Internet has evolved from its origins as test of concept for computer communications to one of the key public infrastructures relied on globally by billions of users. Despite its effectiveness up to now, some of the key components of the Internet were simply not 11

12 designed securely enough to handle the critical and sensitive nature of information traveling across it today. DNSSEC addresses some of the security challenges inherent to DNS today and provides a foundation for the era of hyper-connectedness we are entering. Ultimately, DNSSEC implementation increases security for the Internet and users of ISP services, which will allow for improved services to the end-user and ensure a more reliable and secure network into the future. 12

13 CONTACT US Silicon Valley 331 E. Evelyn Ave. Suite 100 Mountain View, CA Tel Fax San Antonio 7550 West Interstate 10, Suite 400, San Antonio, Texas Tel Fax Auckland Bangkok Beijing Bengaluru Bogotá Buenos Aires Cape Town Chennai Colombo Delhi / NCR Dhaka Dubai Frankfurt Hong Kong Istanbul Jakarta Kolkata Kuala Lumpur London Mexico City Milan Moscow Mumbai Manhattan Oxford Paris Rockville Centre San Antonio São Paulo Seoul Shanghai Silicon Valley Singapore Sophia Antipolis Sydney Taipei Tel Aviv Tokyo Toronto Warsaw ABOUT FROST & SULLIVAN London 4, Grosvenor Gardens, London SWIW ODH,UK Tel 44(0) Fax 44(0) GoFrost myfrost@frost.com Based in Mountain View, California, is a global leader in strategic growth consulting. This white paper is part of s ongoing strategic research into the Information Technology industries. regularly publishes strategic analyses of the major markets for products that encompass storage, management, and security of data. Frost & Sullivan also provides custom growth consulting to a variety of national and international companies. The information presented in this publication is based on research and interviews conducted solely by and, therefore, is subject to fluctuation. takes no responsibility for any incorrect information supplied to us by manufacturers or end-users. All copyright and other proprietary notices must be retained. No license to publish, communicate, modify, commercialize or alter this document is granted. For information regarding permission, write: 331 E. Evelyn Ave. Suite 100 Mountain View, CA