Security in the Network Infrastructure - DNS, DDoS,, etc.

Similar documents

Establishment of a Kerala Police CyberDome High Tech Public- Private Partnership Centre for Cyber Security and Innovations.

Securing DNS Infrastructure Using DNSSEC

DNSSEC Explained. Marrakech, Morocco June 28, 2006

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

DNSSEC Briefing for GAC and ccnso

Strengthening our Ecosystem through Stakeholder Collaboration. Jia-Rong Low, Sr Director, Asia 20 August 2015

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Data Security & Privacy

Domain Name System Security (DNSSEC)

Current Counter-measures and Responses by the Domain Name System Community

FAQ (Frequently Asked Questions)

Computer System Security Updates

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

DNS Security: New Threats, Immediate Responses, Long Term Outlook Infoblox Inc. All Rights Reserved.

DOMAIN NAME SECURITY EXTENSIONS

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Computer Networks: Domain Name System

Payment Card Industry (PCI) Data Security Standard

Deploying DNSSEC: From End-Customer To Content

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

Server Certificates based on DNSSEC

"This is a truly remarkable attack, but not. just in its scope hackers successfully. penetrated one of the most secure

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

Certified Ethical Hacker Exam Version Comparison. Version Comparison

DNS Security Survey for National Computer Security Incident Response Teams December 2010

"This is a truly remarkable attack, but not. just in its scope hackers successfully. penetrated one of the most secure

Before the. Committee on Energy and Commerce Subcommittee on Communications and Technology United States House of Representatives

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Cyber Security and Control System Survivability:

HACKING RELOADED. Hacken IS simple! Christian H. Gresser

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

Georgia College & State University

State of the Cloud DNS Report

DNSSEC: INFRASTRUCTURE A PROTOCOL TOWARD SECURING THE INTERNET

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

Internet Security and Resiliency: A Collaborative Effort

Next Steps In Accelerating DNSSEC Deployment

State of the Cloud DNS Report

Securing Your Business with DNS Servers That Protect Themselves

Beyond the Noise: More Complex Issues with Incident Response

PCI Security Scan Procedures. Version 1.0 December 2004

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Network Security: Introduction

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Cyber Security and Critical Information Infrastructure

IANA Functions to cctlds Sofia, Bulgaria September 2008

Network Incident Report

Secure Domain Name System (DNS) Deployment Guide

ITL BULLETIN FOR JANUARY 2011

Introduction to the DANE Protocol

Verisign/ICANN Proposal in Response to NTIA Request

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

DNS and BIND. David White

Securing Your Business with DNS Servers That Protect Themselves

MOC 20413C: Designing and Implementing a Server Infrastructure

Securing Your Business with DNS Servers That Protect Themselves

COSC 472 Network Security

Emerging Security Technological Threats

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

Securing Your Business with DNS Servers That Protect Themselves

DNSSEC for Everybody: A Beginner s Guide

Comments on Docket Number , Enhancing the Security and Stability of the Internet s Domain Name and Addressing System

DeltaV System Cyber-Security

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

A Study on the Live Forensic Techniques for Anomaly Detection in User Terminals

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

WHITE PAPER. An Introduction to Network- Vulnerability Testing

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

September 20, 2013 Senior IT Examiner Gene Lilienthal

Robotics Core School 1

Secure Domain Name System (DNS) Deployment Guide

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

STATE OF DNS AVAILABILITY REPORT

CH ENSA EC-Council Network Security Administrator Detailed Course Outline

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Progress of DNS Security Deployment in the Federal Government

CISCO IOS NETWORK SECURITY (IINS)

Network and Host-based Vulnerability Assessment

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

DNS. Spring 2016 CS 438 Staff 1

DNSSEC Deployment a case study

DNSSEC Applying cryptography to the Domain Name System

Alternatives and Enhancements to CAs for a Secure Web

THE TOP 4 CONTROLS.

DNS Security, Stability and Resiliency

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Using the Domain Name System for System Break-ins

Network Security Administrator

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Transcription:

Security in the Network Infrastructure - DNS, DDoS,, etc. GTER, São Paulo December 8, 2006 Steve Crocker, steve@shinkuro.com Russ Mundy, mundy@sparta.com

Proactive Security Build security into the infrastructure Good architecture is cheaper and better than chasing the bad guys It s less sexy but more effective CERTs, Firewalls, Honeynets, etc. are all good Networking the security community is good Do all of this, but also invest in the architecture 2

Latin America has unique opportunity Plenty of technical talent Networks are still in a growth stage Not as much legacy as North America, Europe Good communication, cooperation Opportunity to leap ahead 3

Incidents Reported to CERT/CC 4

Vulnerabilities Reported to CERT/CC 5

Attack Sophistication vs. Intruder email propagation of malicious code Knowledge DDoS attacks stealth /advanced scanning techniques increase in worms widespread attacks using NNTP to distribute attack sophisticated command & control widespread attacks on DNS infrastructure executable code attacks (against browsers) automated widespread attacks GUI intruder tools hijacking sessions Internet social engineering attacks packet spoofing automated probes/scans widespread denial-of-service attacks techniques to analyze code for vulnerabilities without source code anti-forensic techniques home users targeted distributed attack tools increase in wide-scale Trojan horse distribution Windows-based remote controllable Trojans (Back Orifice) Attack Sophistication Intruder Knowledge 1990 2004 6

What is www.nic nic.br s address? root name server www.nic.br? br s name server Caching forwarder (recursive) Resolver nic.br s name server 200.160.4.6 7

DNS: Data Flow Zone administrator Zone file 1 master 4 Caching forwarder Dynamic updates 2 3 slaves 5 resolver 8

DNS Vulnerabilities Corrupting data Zone administrator Zone file 1 Impersonating master master 4 Cache impersonation Caching forwarder Dynamic updates 2 3 slaves Unauthorized updates Cache pollution by Data spoofing Altered zone data 5 resolver Server protection Data protection 9

Securing DNS DNS is critical to Internet infrastructure DNSSEC secures DNS responses Specs and software are available Deployment has started 10

Hijacking Demo Russ Mundy SPARTA, Inc.

DNSSEC DNSSEC is official security protocol IETF RFCs 4033, 4034, 4035 Protects against data spoofing and corruption Uses public key cryptography Same cryptography as PKI, but just for hosts Implemented hierarchically The root signs the top level domain (.br) The TLD signs the next level (nic.br) Etc. 12

Deployment Status Specs and Software exist TLD deployment has begun Sweden (.SE) is operational Puerto Rico (.PR) is operational RIPE s portion of in-addr.arpa is signed.org,.com and.net have test beds Others are in progress (.BR, et al) Browser and desktop will take a while Microsoft has announced support 13

Getting Enterprises Signed In house operation Outsourced operation

In House Operation Software Possible hardware Operations Policies Key lifetimes, management chain Procedures, Training

Outsourced Operation Many enterprises outsource DNS service Registrars, hosting services, ISPs Managed DNS Service Providers UltraDNS, VeriSign, Akamai, Netriplex, Infoblox, EasyDNS, DNS Made Easy DNS Service Providers can add DNSSEC with zero imposition on domain name holder Except perhaps for a charge DNS Service Providers will be the source of many signed zones

Business Opportunity DNSSEC fits with DKIM Provides complete security picture Offer managed DNS service High availability Organized management Include DNSSEC service Relieves burden from customer 17

DNSSEC Deployment Serious deployment activities emerging around the world: http://secspider.cs.ucla.edu/ tracking ~300 signed zones Europe/RIPE region most active U.S. Government implementing DNSSEC in its own operations DNSSEC requirements included in latest Federal Information Security Management Act (FISMA) requirements Federal Information Processing Standards (FIPS) 199 & 200. Requires incremental deployment of DNSSEC across USG agencies.. and the contractors that provide IT resources/services to them 18

Implementation Assistance NIST Secure DNS Deployment Guide (NIST SP800-81) http://csrc.nist.gov/publications/nistpubs/ Provides DNS threat awareness and a range of mitigation techniques Helps agencies deploy new DNS security measures with confidence DNSSEC Deployment Initiative Growing community of organizations committed to fostering DNSSEC deployment http://www.dnssec-deployment.org/ Resources: News, tools, deployment, test and management plans, testbeds, lessons learned Free newsletter at http://www.dnssecdeployment.org/news/dnssecthismonth/ 19

For more information, read DNSSEC THIS MONTH http://www.dnssec-deployment dnssec-deployment.org/ news/dnssecthismonth/ 20

Contacts & Resources Steve@shinkuro.com www.dnssec-deployment.org Slides and other DNSSEC material at: www.ripe.net/training/dnssec/ http://www.nlnetlabs.nl/dnssec/ http://www.dnssec.net/ Support provided by U.S. Dept. of Homeland Security, Science and Technology Directorate and ICANN Cooperative work with SPARTA, NIST, MIT Lincoln Laboratory