Today’s security challenges are unprecedented

Presentation transcript:

Today’s security challenges are unprecedented
911
Increase in viruses from 1 (1989) to 60,000 (2002)
Today’s viruses are more powerful, sophisticated, and pervasive:
- Code Red infected over 250,000 systems in just 9 hours
- SQL Slammer infected 75,000 systems within 29 minutes

Source: McAfee Known Viruses

Incidence of Severe (Critical, Malicious, Focused) Electronic Attacks by Organization Type between January 1st 2002 and June 30th 2002
Global Electronic Attack (%)
Health: 9
Other: 12
E-Commerce: 13
Media: 17
Manufacturing: 19
Business: 21
High Tech: 27
Government & Non-Profit: 31
Finance: 47
Energy: 70
Source: Riptech, Inc. Attack estimates do not include worms (e.g. Code Red) or Denial-of-Service attacks (e.g. Smurf).

The economic impact of security vulnerabilities is significant:
Code Red: $2.62 Billion US
Nimda: $63 Million
Worldwide losses from security breaches, viruses, etc. for 1999: 1.6 Trillion US ($1,600,000,000,000.00)
Source: U. S. President’s Commission on Critical Infrastructure Protection

Use & Build A Worldwide Initiative to define an end-2-end integrated security & Privacy platform As mother organization Japan Korea India Europe North America Europe As cooperation Partners D4: Trust & Security SEINIT Plus all 75 projects and TFs ( Cybersecurity TF)

The National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace is part of our overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society, the federal government, state and local governments, the private sector, and the American people.
Mr. John L. Osterholz DOD DOD Net-Centricto

The Internet's Serious Enemies
They are called Security,,,, and!
Viruses
Hackers
Privacy
SW Bugs: OS,..
Governments

"Unpredictable World"
"Taming the World"

Security History (Network)
None (we are all friends)
  – Early Internet users were researchers
  – Personal Computing revolution had yet to start
1988: Uh Oh!
  – Internet Worm, first time Internet made television... in a bad way
Today
  – Security threats abound, but security technology is an add-on

Security is not Deployed
Internet is “edge” centric
  – Hard to add security in the middle
  – Firewalls attempt to add security “quasi” edge
Security is Hard
  – It is a “negative deliverable”
      • You don’t know when you have it, only when you have lost it!
      • Users don’t ask for it, so the market doesn’t demand it

Internet Security Analogy
Moat / Main Gate: Outer Perimeter Controlling Castle Access
Keep (Last Building in Castle to Fall)
Inner Perimeter: Stronghold, Higher Walls produce containment area Between Inner / Outer Perimeters

Diagram labels: Keep; Internet; Mission Critical Systems; Internal Firewall; Internal Network; Outer Perimeter; Inner Perimeter; Stronghold; Crown Jewels

Internet Attacks
Denial of Service: Brute Force, Hidden,...
Eavesdropping (secrecy): Wiretapping, Trojan Horse
Modification (Integrity): Man-in-the M., Viruses,...
Fabrication (Authentication): Masquerading,...

Some Internet Security Protocols
Application -
  + PGP, S/MIME
Transport - Primarily Web
  + SSL/TLS
  + Secure Shell (SSH)
Network
  + IPsec
  – MIPv6 Routing Security
Infrastructure
  + DNSsec
  - PKI
  + SNMPv3 security
Layer stack (diagram, marked "You are here"): Political, Economic, Application, Presentation, Session, Transport, Network, Link, Physical

Internet Security and Privacy with IPv6 - Analogy
IPsec-o-IPv6
Folks, Just Surfing with Random Address for Privacy
Steel Pipe

Large-Scale End-to-End Security
Diagram labels: The Internet; IPsec terminal; R (router); NAT; IPv4-NAT; IPv6; Global Address; Private Address; Office A; Office B; Business Partner; Secure Transmission
Captions:
  – Site-to-Site Secure Communication
  – Low interoperability between different vendors
  – Low security on the LAN
  – End-to-End Secure Communications
  – Easy to partner with new customer
  – Easy to setup IP-VPN between end-to-end terminals with IPv6

IPsec
Protects all upper-layer protocols.
Requires no modifications to applications.
  – But smart applications can take advantage of it.
Useful for host-to-host, host-to-gateway, and gateway-to-gateway.
  – Latter two used to build VPNs.

Doesn’t IPsec work with IPv4?
Yes, but…
It isn’t standard with v4.
Few implementations support host-to-host mode.
  – Even fewer applications can take advantage of it.

No NATs
NATs break IPsec, especially in host-to-host (P2P) mode.
With no NATs needed, fewer obstacles to use of IPsec.
Note carefully: NATs provide no more security than an application-level firewall.

Can you do 3 things in ONE GO?
  – e2e Security
  – Mobility
  – e2e Communication
It's Acrobatic! The Road Warrior is a Clown!

PRIVACY: Addressing Model
Diagram labels: IPv6; IPv4-NAT; Firewall; Network; The Internet; R (router); Application Gateway; DHCP Server; PC; NAT; LAN; Private Address; Global Address; Link-Local; Site-Local; Global

Configuring Interface IDs
Several choices for configuring the interface ID of an address:
  – manual configuration (of interface ID or whole addr)
  – DHCPv6 (configures whole address)
  – automatic derivation from 48-bit IEEE 802 address or 64-bit IEEE EUI-64 address
  – pseudo-random generation (for client privacy)
The latter two choices enable “serverless” or “stateless” autoconfiguration, when combined with high-order part of the address learned via Router Advertisements.
Diagram labels: Link-Local; Site-Local; Global
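The two stateless choices on this slide, worked through as an added example (not part of the original presentation). It builds addresses from a /64 prefix plus an interface ID and shows that an ID derived from a 48-bit IEEE 802 address discloses the same hardware address under every prefix, which is what pseudo-random generation avoids. The MAC address, the prefixes and all function names are constructed for illustration.

```python
import ipaddress
import secrets

def eui64_interface_id(mac: str) -> int:
    """Interface ID derived from a 48-bit IEEE 802 address (modified EUI-64)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit address")
    # Insert ff:fe between the two halves and invert the universal/local bit.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return int.from_bytes(iid, "big")

def random_interface_id() -> int:
    """Pseudo-random interface ID, with the universal/local bit cleared."""
    return secrets.randbits(64) & ~(0x02 << 56)

def build_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Join a /64 prefix (e.g. from a Router Advertisement) with an interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr: str):
    """Return the hardware address an IPv6 address discloses, or None."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # no ff:fe marker: not derived from a 48-bit address
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

# Constructed sample values: link-local and documentation prefixes, made-up MAC.
MAC = "00:11:22:33:44:55"
PREFIXES = ["fe80::/64", "2001:db8:1:2::/64", "2001:db8:beef:9::/64"]

if __name__ == "__main__":
    for p in PREFIXES:
        derived = build_address(p, eui64_interface_id(MAC))
        private = build_address(p, random_interface_id())
        print(f"{p:22} derived={derived} discloses={embedded_mac(str(derived))}")
        print(f"{'':22} random ={private} discloses={embedded_mac(str(private))}")
```
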

Non-Global Addresses
IPv6 includes non-global addresses, similar to IPv4 private addresses (“net 10”, etc.)
A topological region within which such non-global addresses are used is called a zone
Zones come in different sizes, called scopes (e.g., link-local, site-local,…)
Unlike in IPv4, a non-global address zone is also part of the global addressable region (the “global zone”)
  => an interface may have both global and non-global addresses
Diagram labels: Link-Local; Site-Local; Global

Address Zones and Scopes
Each oval is a different zone; different colors indicate different scopes
Diagram labels: The Global Internet; Site; Link; R (router)

Recycling IP Addresses Limited Noticeable Fog Generalised use of NAPT, RSIP? IPv6 Deployment Address Transparency IPsec FOG Issues Exhaustion NAT-over-NAT Broken Permanent Thick Fog NATs between even ISPs Successful Restored e-2-e e-2-e works Clears! Intranet, Proxies & Firewalls may remain Scenario 1 Scenario 2 Complete Failure

Authentication Challenges
There is username/password
And then there is everything else
  – SecurID
  – Smart Card
  – ATM Card
  – Biometrics
      • The “password” you cannot change...
      • There are also “safety” hazards...

Recommendations of ISOC/IAB/IETF INET 2002 June 19
- while export controls have loosened, Cisco and others are still forced to distinguish between US and non-US versions of code, around crypto. It was suggested that USG simply drop all export restrictions on crypto code using the new Advanced Encryption Standard
- we still don't know how to deploy a global Public Key Infrastructure, making global IPSEC privacy/authentication difficult (research funding)
- ditto secure/scalable/quickly-converging global and local routing
- ditto on intrusion detection as a service provider service (detecting and mitigating attacks of various kinds)
Richard Clarke


Societal Challenges
Shift from ISP to.. Personal ISP
Bring Trust to Internet
  – Banking
  – Government (evoting)
  – E-commerce
Security-aware Society
Security Divide! (Security Haves and Have-Nots)
Security for EveryOne & Everything

Conclusions
IPv6 mandates and enables an important improvement in security.
Much of the improvement comes from standard, usable, IPsec.
The very large address space may provide for other, innovative security mechanisms.