Presentation is loading. Please wait.

Presentation is loading. Please wait.

Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.

Published byFrancine Miller Modified over 8 years ago

Similar presentations

Presentation on theme: "Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair."— Presentation transcript:

1 Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair

2 2 Working Group #4: Network Security  Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to the successful global implementation of the Domain Name System Security Extensions (DNSSEC) and Secure BGP (Border Gateway Protocol) extensions.  Duration: Sept. 2011 – Mar. 2013

3 Working Group #4 – Participants  Co-Chairs  Rod Rasmussen – Internet Identity  Rodney Joffe – Neustar  Participants  30 Organizations represented  Service Providers  Network Operators  Academia  Government  IT Consultants 3

4 Working Group #4 – Deliverables  Domain Name Service (DNS) Security Issues  Report and vote today  BGP and Inter-Domain Routing Security Issues  Report in March 2013 4

5 Working Group 4 – Work Completed/Next Steps/Timeline  Report out DNS paper today  Draft issues and recommendations for Routing – Fall  Routing draft report iterations Winter  Report out Routing paper March 2013 CSRIC  Teleconferences bi-weekly – Fridays 1330 Eastern  Sub-team work parties meet in off-weeks 5

6 Working Group #4: Network Security Best Practices FINAL Report – DNS Best Practices

7 DNS Key Points  DNS is a cornerstone service provided by ISPs  Necessary for customers to use the Internet  Essential to allow customers to create and maintain their own Internet presences  Also important for Telco operations and enterprises/gov’t/etc.  A critical service that ISPs must ensure is resilient to operational challenges and protect from abuse by miscreants  As a distributed infrastructure requiring several actors to both enable and protect it, ISPs face challenges outside of their direct control in tackling many of the issues identified 7

8 Report Scope  Not commenting on DNSSEC work covered by WG 5 – recommend that ISPs refer to that report on this topic as appropriate (cache poisoning etc.)  Recursive DNS infrastructure  Authoritative DNS infrastructure (ISP and for ISP customers)  Domain registration of ISP and ISP customer domains  DNS operations in general that could impact ISPs and their customers  Security of DNS infrastructure 8

9 DNS Issues Considered  Publication of falsified malicious information  Use of falsified malicious information published by authoritative nameservers  Use/dissemination of falsified malicious information introduced in transit  Insecure zone transfers (TSIG usage)  DDoS including reflective DNS amplification DDoS attacks  Filtering/synthesized responses  NX rewriting on resolvers  Open resolvers  Ghost domains  Customers infected with DNS manipulating virus (e.g. DNSChanger)  Customers using routers with alternative DNS servers as default  Resiliency of DNS infrastructure 9

10 ISP Roles in DNS Issues  Attacks against & issues with ISP Recursive Infrastructure  Attacks against & issues with Authoritative DNS of ISPs themselves  Attacks against DNS Infrastructure that ISPs provide to their customers  Abuse of an ISP’s infrastructure to attack others  Subscribers of ISPs having issues with DNS  Hygiene and "other" issues touching on DNS security 10

11 Recommendation Process  Numerous best practices based on existing documents  Analyze issue and point to existing documentation as the source of practices to use  Prior CSRIC Reports, IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports  24 separate documents referenced 11

12 Recommendation Highlights  Protect recursive and authoritative DNS infrastructures from hacking/insiders/account takeovers  Protect domain names from hijacking/misconfiguration  Ensure resiliency of all DNS infrastructures  Implement BCP38 and related measures – ingress filtering to combat reflective DDOS 12

13 Working Group #4 – Participant List 13

14 Working Group #4: Network Security Best Practices September 12, 2012 Questions/Comments Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair

Download ppt "Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair."

Similar presentations

Whos who in the IETF Zoo? Geoff Huston Executive Director, Internet Architecture Board.

Whos who in the IETF Zoo? Geoff Huston Executive Director, Internet Architecture Board.
ICANN Plan for Enhancing Internet Security, Stability and Resiliency.

ICANN Plan for Enhancing Internet Security, Stability and Resiliency.
ICAO ACP WG-I – Nov 2009 Industry Activity Update Terry Davis Boeing URN (GEANT) Comments IP Mobility Work Status ICANN Work IPv6 Impact on Aircraft Systems.

ICAO ACP WG-I – Nov 2009 Industry Activity Update Terry Davis Boeing URN (GEANT) Comments IP Mobility Work Status ICANN Work IPv6 Impact on Aircraft Systems.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.

FCC CSRIC III Working Group 4 Network Security Best Practices Rodney Joffe SVP and Senior Technologist, Neustar, Inc.
Armenia and Multistakeholder Model of Internet Governance Dr. Grigori Saghyan, ISOC AM Vice-President Lianna Galstyan, ISOC AM Board Member Lianna Galstyan,

Armenia and Multistakeholder Model of Internet Governance Dr. Grigori Saghyan, ISOC AM Vice-President Lianna Galstyan, ISOC AM Board Member Lianna Galstyan,
ESW 7 - FCC Jeff Cohen Senior Legal Counsel Public Safety Bureau FCC Interests & Policy Around Geolocation.

ESW 7 - FCC Jeff Cohen Senior Legal Counsel Public Safety Bureau FCC Interests & Policy Around Geolocation.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Working Group 11: Consensus Cyber Security Controls March 14, 2013 Alan Paller, SANS Institute Marcus Sachs, Verizon Communications WG 11 Co-Chairs.

Working Group 11: Consensus Cyber Security Controls March 14, 2013 Alan Paller, SANS Institute Marcus Sachs, Verizon Communications WG 11 Co-Chairs.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2

1 DNSSEC BoF Internet2 Member Meeting October 15th, 2008 Noon, Napoleon A2
Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.

#ICANN49 Security and Stability Advisory Committee Activities Update ICANN Singapore Meeting March 2014.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Similar presentations

Ads by Google