1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Slides:

Advertisements

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Advertisements

The following 10 questions test your knowledge of client site assignment in Configuration Manager Configuration Manager 2007 Client Site Assignment.

Review iClickers. Ch 1: The Importance of DNS Security.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Module 4: Configuring Network Connectivity

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Module 3 Windows Server 2008 Branch Office Scenario.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

1 Name Service in IPv6 Mobile Ad-hoc Network connected to the Internet Jaehoon Jeong, ETRI PIMRC 2003.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Exchange server Mail system Four components Mail user agent (MUA) to read and compose mail Mail transport agent (MTA) route messages Delivery agent.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

1 System support & Management Protocols Lesson 13 NETS2150/2850 School of Information Technologies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

By Karan Oberoi.  A directory service (DS) is a software application- or a set of applications - that stores and organizes information about a computer.

1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Understanding Active Directory

Windows Server 2008 Chapter 8 Last Update

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Week #10 Objectives: Remote Access and Mobile Computing Configure Mobile Computer and Device Settings Configure Remote Desktop and Remote Assistance for.

Course 201 – Administration, Content Inspection and SSL VPN

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

1 DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr.

Introduction to Networking Concepts. Introducing TCP/IP Addressing Network address – common portion of the IP address shared by all hosts on a subnet/network.

Chapter 17 Domain Name System

Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.

Module 8 Configuring Mobile Computing and Remote Access in Windows® 7.

Domain Name System CH 25 Aseel Alturki

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.

1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.

1 Windows 2008 Configuring Server Roles and Services.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

1 Kyung Hee University Chapter 18 Domain Name System.

Juan Ortega 8/13/09 NTS300. “The problem with version 5 relates to an experimental TCP/IP protocol called the Internet Stream Protocol, Version 2, originally.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

Configuring Name Resolution and Additional Services Lesson 12.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Security fundamentals Topic 10 Securing the network perimeter.

ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.

Introduction to Active Directory

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.

Windows Vista Configuration MCTS : Advanced Networking.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

1 Improving the resilience of DNS ENISA – Athens Productive DNSSEC environments Lutz Donnerhacke IKS GmbH, Jena DNSSEC e164.arpa.

Securing the Network Perimeter with ISA 2004

Peer-to-peer networking

Goals Introduce the Windows Server 2003 family of operating systems

Computer Networks Presentation

Presentation transcript:

1 DNSSEC From a protocol bug to a security advantage Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb

2 A protocol from better times An ancient protocol People were friendly and trustworthy Internet was a warm and fuzzy place DNS is a protocol from admins for admins Main assumption: Computers do not lie Idea: A hierarchical distributed database Store locally, read globally

3 Playground to extend DNS works, so use is as a container DNS scales, so push a lot of data in in-addr.arpa DNS can be misused as a catchword repository: DNS may have multiple roots, so introduce private name spaces

4 Playground to manipulate Push all initial requests to a payment site Prevent requests to bad sites Offer own search engine for NXDOMAIN Geolocation for efficient content delivery Geolocation for lawful content selection Provide different software updates Prevent worm updates

5 trustroute +trace Modelling real world data as DNS records Transferring data into DNS primary server Transferring data into DNS secondaries Updating meta data in parent zone Delivering data to recursive servers Processing by resolver code Providing structures to applications Interpreting data by users

6 Securing the data flow Two possible design goals: Detect manipulation Prevent wire-tapping Facing typical problems The compatibility hydra Partial roll-out Satellite networks Still designed by admins: NSEC(3)

7 DNS SECurity Trust the primary name server data Signed by the zone-c A framework to verify integrity Signature chains up to a trust anchor In band key management DS records in parent zone (but glue!) Supports caching as well as offloading Provides peer authentication

8 Trust anchor management The root is signed In band key roll-overs: RFC 5011 Fill the gaps (parent zone not signed) Manual trust anchors: Edit files on disk Trust Anchor Repositories: Look aside zones DS do.main => DLV do.main.dlv.pro.vi.der Question: Precedence of sources?

9 The last mile In an ideal world, apps use a new API Error messages might become helpful Validation errors are SERVFAIL Resolver offloading Provide validated data with AD Allow validator chaining with CD Question: Provide bogus data at all? Attacks on the last mile even for LEAs

10 Finally gain benefits DNSSEC adds trust to DNS Use DNS as a hierarchical distributed DB Manage your SSHFPs centrally Manage your CERTs distributed Manage your OpenPGP keys distributed Do not deliver poisoned data to clients Validate late, validate centrally

11 Further Consequences Current practice for Intranets Build a separate network using site specific names and numbers Provide application layer gateways, NAT, Split-DNS, and VPN for non-local access Hide internal structure Statically map necessary services (Firewall) Provide local “root” services (Active Directory)

12 Current Intranets

13 The IPv6 impact IPv6 provides public, globally routable IPs Clients do IPv6 automatically (even tunnel) IPv6 provides end-to-end communication IPv6 is not designed to be translated Future protocols rely on direct channels Web 2.0: Numerous bits from different servers Client to client communication Shortest routing for “quality enhancements”

14 The DNSSEC impact Validation chain from a well-known key Clients may have the key hardcoded Only one root possible No local names Prevents rdata and NXDOMAIN rewriting Consistent external and internal view Enterprise DNS rely on DNSSEC from everywhere (DirectAccess, SSH, _tcp …)

15 The horrible mobile client Public mobile networks are everywhere Mobile clients Important status symbols Roam in and out quickly Always on: Cloud services Can’t be configured IPv6 Exposes internal DNS servers Create mobile peer-to-peer networks

16 Future (Intra)Nets

17 Modern intranets Accept consistency requirement Local WLAN and mobile networks REST web applications instead of VPN Secure the services, not the networks Secure the data, not the servers (cloud) Authenticate the user, not the computer Use DNS as trustworthy resource Always use direct communication

18 Conclusion IPv6 and DNSSEC dramatically change the design of modern networks Information hiding policies do not work Centralized policy enforcement unusable Concentrate on benefits Build stable, globally routable networks Enforce data security at the data level Trust the people, not the devices

19 Did you sign your zones? Why not?