Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Published byShawn Pitts Modified over 9 years ago

Similar presentations

Presentation on theme: "DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department."— Presentation transcript:

1

2 DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department of Homeland Security Office of the CIO Scott Rose National Institute of Standards and Technology

3 Homeland Security Technology Background DNSSEC Overview OMB M-08-23 “Securing the Federal Government's Domain Name System Infrastructure”. All agencies must deploy DNSSEC by December 2009. Internet Systems Consortium: DNSSEC “only full solution” to DNS attacks Considered more viable long-term solution Cryptographic signatures over DNS data (not messages) Assures integrity of results returned from DNS queries Users can validate source authenticity and data integrity Checks chain of signatures up to root Protects against tampering in caches, during transmission Email Validation overview Detects and Blocks spoofed/forged mail Sender Policy Framework (SPF) for domains that do not send email “Path Based” - Senders publish acceptable message paths (IP) for domain Near-zero deployment requirements for senders DNS records only, no change to outbound servers Domain Keys Identified Mail (DKIM) for domains authorized to send mail “Signature based” - Senders insert digital cryptographic signature in emails for domain Requires cryptographic operation by sender and receiver’s gateway infrastructure

4 Cyber and Network Security Program The “Kaminsky Bug” Rapid, widespread and resilient Reduces time required to poison recursive name server's cache All known name server implementations are affected –Some more than others (took < 10s to poison the cache) –Most implementations patched; now as easy/difficult to poison as any other implementation Even patched software vulnerable –cache poisoning attempt possible in < 10 hours

5 Cyber and Network Security Program What DNSSEC Provides Cryptographic signatures over DNS data (not messages) Assures integrity of results returned from DNS queries: –Users can validate source authenticity and data integrity Checks chain of signatures up to root –Chain completely contained within DNS (no PKI or X.509 certs needed) –Protects against tampering in caches, during transmission Not provided: message encryption, security for denial-of-service attacks

6 Cyber and Network Security Program DNSSEC Chain of Trust Data ZSK KSK Data ZSK KSK ZSK KSK KSKs ZSK KSK ZSK KSK KSKs ZSK KSK KSK’s often serve as the “anchor” of authentication chain. The higher up in the tree, the more useful the trust anchor Trust Anchors installed on client resolvers. “.” – DNS root. gov. opm.gov. nist.gov. se.

7 Homeland Security FNS Tiger Team: DNSSEC and E-Mail Validation Network and Infrastructure Security Subcommittee, ISIMC, Federal CIO Council 7 FY11 FISMA Metrics for DNSSEC and Email Validation: Network Security Protocols: DNSSEC: % of external-facing second-level DNS Names signed; % of external-facing DNS hierarchies with all sub-domains (second-level and below) signed Boundary Protection: Email Validation: % of agency email systems that implement sender verification (anti-spoofing) technologies when sending messages from/to government agencies or the public such as S/MIME, DKIM, and SPF.

8 Office of the Chief Information Officer8 UNCLASSIFIED/FOR OFFICIAL USE ONLY Current Federal DNSSEC Status

Download ppt "DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Authentication Approaches Phillip Hallam-Baker VeriSign Inc.

Authentication Approaches Phillip Hallam-Baker VeriSign Inc.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.

© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.

Figure 1: SDR / MExE Download Framework SDR Framework Network Server Gateway MExE Download + Verification Using MExE Repository (Java sandbox) MExE Applet.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.

Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Similar presentations

Ads by Google