Presentation on theme: "Today’s security challenges are unprecedented 911 Increase in viruses from 1 (1989) to 60,000 (2002) Today’s viruses are more powerful, sophisticated,"— Presentation transcript:
Today’s security challenges are unprecedented 911 Increase in viruses from 1 (1989) to 60,000 (2002) Today’s viruses are more powerful, sophisticated, and pervasive: - Code Red infected over 250,000 systems in just 9 hours - SQL Slammer infected 75,000 systems within 29 minutes
Incidence of Severe (Critical, Malicious, Focused) Electronic Attacks by Organization Type between January 1st 2002 and June 30th 2002 Global Electronic Attack Health 9 Other12 E-Commerce 13 Media17 Manufacturing19 Business 21 High Tech 27 Government & Non-Profit 31 Finance 47 Energy 70 Source: Riptech, Inc. 2002 - Attack estimates do not include worms (eg. Code Red) or Denial- of- Service attacks (eg. Smurf)) % %
The economic impact of security vulnerabilities is significant: Code Red: $2.62 Billion US Nimda : $63 Million Worldwide losses from security breaches, viruses, etc. for 1999: 1.6 US Trillion US ($ 1,600,000,000,000.00) Source: U. S. President’s Commission on Critical Infrastructure Protection
Use & Build A Worldwide Initiative to define an end-2-end integrated security & Privacy platform As mother organization Japan Korea India Europe North America Europe As cooperation Partners D4: Trust & Security SEINIT Plus all 75 projects and TFs ( Cybersecurity TF)
Security History (Network) None (we are all friends) – Early Internet users were researchers – Personal Computing revolution had yet to start 1988: Uh Oh! – Internet Worm, first time Internet made television... in a bad way Today – Security threats abound, but security technology is an add-on
Security is not Deployed Internet is “edge” centric –Hard to add security in the middle –Firewalls attempt to add security “quasi” edge Security is Hard –It is a “negative deliverable” You don’t know when you have it, only when you have lost it! Users don’t ask for it, so the market doesn’t demand it
Moat / Main Gate Outer Perimeter Controlling Castle Access Keep (Last Building in Castle to Fall) Inner Perimeter Stronghold, Higher Walls produce containment area Between Inner / Outer Perimeters Internet Security Analogy
Keep Internet Mission Critical Systems Internal Firewall Internal Network Outer Perimeter Inner Perimeter Stronghold Jewels Crown
Internet Attacks Denial of ServiceEavesdropping (secrecy) Modification (Integrity) Fabrication (Authentication) Brute Force, Hidden,... Wiretapping, Trojan Horse Man-in-the M., Viruses,...Masquerading,...
Some Internet Security Protocols Application - e-mail + PGP, S/MIME Transport - Primarily Web + SSL/TLS + Secure Shell (SSH) Network + IPsec –MIPv6 Routing Security Infrastructure + DNSsec - PKI + SNMPv3 security You are here Political Economic Application Presentation Session Transport Network Link Physical
Internet Security and Privacy with IPv6 -Analogy IPsec-o-IPv6 Folks, Just Surfing with Random Address for Privacy Steel Pipe
Large-Scale End-to-End Security The Internet IPsec Terminal IPsec terminal RR Global AddressPrivate Address IPv4-NAT IPv6 Global Address RR NAT Low interoperability between different vendors Site-to-Site Secure Communication End-to-End Secure Communications R Secure Transmission Low security on the LAN End-to-end secure communication Office A Office B Business Partner Easy to partner with new customer Easy to setup IP-VPN between end-to-end terminals with IPv6 Secure Transmission
IPsec Protects all upper-layer protocols. Requires no modifications to applications. –But smart applications can take advantage of it. Useful for host-to-host, host to gateway, and gateway-to-gateway. –Latter two used to build VPNs.
Doesn’t IPsec work with IPv4? Yes, but… It isn’t standard with v4. Few implementations support host-to-host mode. –Even fewer applications can take advantage of it.
No NATs NATs break IPsec, especially in host- to-host (P2P) mode. With no NATs needed, fewer obstacles to use of IPsec. Note carefully: NATs provide no more security than an application-level firewall.
Can you do 3 things in ONE GO? e2e Security Mobility e2e Communication It‘s Acrobatic! The Road Warrior is a Clown!
Fire wall Network The Internet RR Application Gateway DHCP Server PC NAT LAN Private AddressGlobal Address Link-Local Site-LocalGlobal PRIVACY: Addressing Model IPv6 IPv4-NAT
Several choices for configuring the interface ID of an address: –manual configuration (of interface ID or whole addr) –DHCPv6 (configures whole address) –automatic derivation from 48-bit IEEE 802 address or 64-bit IEEE EUI-64 address –pseudo-random generation (for client privacy) the latter two choices enable “serverless” or “stateless” autoconfiguration, when combined with high-order part of the address learned via Router Advertisements Link-Local Site-LocalGlobal Configuring Interface IDs
IPv6 includes non-global addresses, similar to IPv4 private addresses (“net 10”, etc.) a topological region within which such non-global addresses are used is called a zone zones come in different sizes, called scopes (e.g., link-local, site-local,…) unlike in IPv4, a non-global address zone is also part of the global addressable region (the “global zone”) => an interface may have both global and non-global addresses Link-Local Site-LocalGlobal Non-Global Addresses
Address Zones and Scopes The Global Internet Site R R Link Link Each oval is a different zone; different colors indicate different scopes
Recycling IP Addresses Limited Noticeable Fog Generalised use of NAPT, RSIP? IPv6 Deployment Address Transparency IPsec FOG Issues Exhaustion NAT-over-NAT BrokenPermanet Thick Fog NATs between even ISPs Successful Restored e-2-e e-2-e works Clears! Intranet, Proxies & Firewalls may remain Scenario 1 Scenario 2 Complete Failure
Authentication Challenges There is username/password And then there is everything else –SecurID –Smart Card –ATM Card –Biometrics The “password” you cannot change... There are also “safety” hazards...
Recommendations of ISOC/IAB/IETF INET 2002 June 19 - while export controls have loosened, Cisco and others are still forced to distinguish between US and non-US versions of code, around crypto. It was suggested that USG simply drop all export restrictions on crypto code using the new Advanced Encryption Standard - we still don't know how to deploy a global Public Key Infrastructure, making global IPSEC privacy/authentication difficult (research funding) - ditto secure/scalable/quickly-converging global and local routing - ditto on intrusion detection as a service provider service (detecting and mitigating attacks of various kinds) Richard Clarke
Recommendations of ISOC/IAB/IETF INET 2002 June 19 - ditto secure/scalable/quickly-converging global and local routing - ditto on intrusion detection as a service provider service (detecting and mitigating attacks of various kinds) Richard Clarke
Societal Challenges Shift from ISP to.. Personal ISP Bring Trust to Internet – Banking – Government ( evoting ) – E-commerce Security-aware Society Security Divide! (Security Haves and Have-Nots ) Security for EveryOne & Everything
Conclusions IPv6 mandates and enables an important improvement in security. Much of the improvement comes from standard, usable, IPsec. The very large address space may provide for other, innovative security mechanisms.