The Business Case for DNSSEC InterOp/ION Mumbai 2012 11 October 2012

Slides:



Advertisements
Similar presentations
The Business Case for DNSSEC Tunis Tunisia April 2013
Advertisements

Web Hosting. The purpose of this Startup Guide is to familiarize you with Own Web Now's Web Hosting. Own Web Now offers two web hosting platforms, one.
SCADA Security, DNS Phishing
CP3397 ECommerce.
Web security (Spoofing & TLS & DNS) Ge Zhang. Web surfing yahoo IP of yahoo? Get index.htm from Response from
DNSSEC Sample Implementation Module 1 LACNIC October 2012, Montevideo
Dane?. Enough said? No? The Longer Version…
DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
DNSSEC Deployment: Where We Are (and where we need to be) MENOG 10, Dubai 30 April 2012
DNSSEC: Where We Are (and how we get to where we want to be) APNIC 34, Phnom Penh, Cambodia August 2012
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Password?. Project CLASP: Common Login and Access rights across Services Plan
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Building Trust in Digital Online World Dr. Shekhar Kirani Vice President VeriSign India 5th June 2009 IBA Conference.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
1 SharePoint Momentum 17K+ Customers, 100M Licenses Leader in Gartner ® Magic Quadrants, Forrester Wave TM Continued Platform and Application Innovation.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
ICANN’s multi-stakeholder approach OAS-CICTE REMJA/OAS + WEF Cyber Crime Workshop, Montevideo, Uruguay 10 July 2012
Data You Can Trust: The Key to Information Security Dr. Burt Kaliski, Jr. Senior Vice President and CTO, Verisign 25 th HP Information Security Colloquium.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Internet Trust Defined. Delivered. Electronic Business the Way It Was Meant to Be.
1 The Business Case for DomainKeys Identified Mail.
DNSSEC: Where We Are (and how we get to where we want to be)
Deploying PKI Inside Microsoft The experience of Microsoft in deploying its own corporate PKI Published: December 2003.
DNSSEC AsiaPKI - Bangkok, Thailand June 2013
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie
Using the Powerful Microsoft Azure Platform, e-SUAP Properly and Securely Manages All Steps for Customizable Business Activities Permissions MICROSOFT.
DNSSEC: A Game Changer ICCS 2012 January 9, 2012 New York, NY
Chapter 1: The Internet and the WWW CIS 275—Web Application Development for Business I.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Deploying DNSSEC: From Content to End-customer InterOp Mumbai October 2012
CSC-682 Advanced Computer Security Analyzing Websites for User-Visible Security Design Flaws Pompi Rotaru Based on an article by : Laura Falk, Atul Prakash,
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Module 9: Fundamentals of Securing Network Communication.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.
DNSSEC 101 IGF 2012, Baku, Azerbaijan 6 November 2012
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training WatchGuard XCS What’s New in version 10.1.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
DNSSEC Update SANOG 27 Kathmandu, Nepal January 2016
Cyber in the Cloud & Network Enabling Offense and Defense Mark Odell April 28, 2015.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
Maximize Your Hosting Business: Covering all your SSL requirements Tim Callan May 31, 2006 VeriSign / thawte Confidential.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Security Issues with Domain Name Systems
SaudiNIC Riyadh, Saudi Arabia May 2017
KSK Rollover Update David Conrad, CTO ICANN 59 – GAC 29 June 2017.
Living on the Edge: (Re)focus DNS Efforts on the End-Points
Cybersecurity and Governance
Tallinn, Estonia Sep 2017 Why DNSSEC Tallinn, Estonia Sep 2017
DANE: The Future of Transport Layer Security (TLS)
TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017
Securing the Internet of Things: Key Insights and Best Practices Across the Industry Theresa Bui Revon IoT Cloud Strategy.
The Business Case for DNSSEC
Presentation transcript:

The Business Case for DNSSEC InterOp/ION Mumbai October 2012

The Business Case for DNSSEC Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.

Where DNSSEC fits in DNS converts names ( to numbers ( )..to identify services such as www and ..that identify and link customers to business and visa versa

Where DNSSEC fits in..but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and visa versa)

The Original Problem: DNS Cache Poisoning Attack DNS Resolver = DNS Server Get page Attacker webserver Username / Password Error Attacker = Login page Password database ISP / ENTERPRISE / END NODE ENTERPRISE Animated slide detailed description at:

DNS Resolver = DNS Server Get page Attacker webserver Username / Password Error Login page Password database Argghh! Now all ISP customers get sent to attacker. Animated slide

The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov End-2-end DNSSEC validation would have avoided the problems

The Bad: Brazilian ISP fall victim to a series of DNS attacks 7 Nov End-2-end DNSSEC validation would have avoided the problems

The Bad: Other DNS hijacks* 25 Dec Russian e-Payment Giant ChronoPay Hacked 18 Dec 2009 – Twitter – “Iranian cyber army” 13 Aug Chinese gmail phishing attack 25 Dec 2010 Tunisia DNS Hijack google.* – April Google Puerto Rico sites redirected in DNS attack – May Morocco temporarily seize Google domain name 9 Sep Diginotar certificate compromise for Iranian users SSL / TLS doesn't tell you if you've been sent to the correct site, it only tells you if the DNS matches the name in the certificate. Unfortunately, majority of Web site certificates rely on DNS to validate identity. DNS is relied on for unexpected things though insecure. *A Brief History of DNS Hijacking - Google

The Good: Securing DNS with DNSSEC DNS Resolver with DNSSEC = DNS Server with DNSSEC Get page webserver Username / Password Account Data Login page Attacker = Attacker’s record does not validate – drop it Animated slide

The Good: Resolver only caches validated records DNS Resolver with DNSSEC = DNS Server with DNSSEC Get page webserver Username / Password Account Data Login page ENTERPRISEISP / ENTERPRISE / END NODE Animated slide

DNSSEC interest from governments Sweden, Brazil, Netherlands and others encourage DNSSEC deployment to varying degrees Mar AT&T, CenturyLink (Qwest), Comcast, Cox, Sprint, TimeWarner Cable, and Verizon have pledged to comply and abide by US FCC [1] recommendations that include DNSSEC.. “A report by Gartner found 3.6 million Americans getting redirected to bogus websites in a single year, costing them $3.2 billion.,” [2] US.gov mandate. >60% operational. [3] [1] FCC=Federal Communications Commission=US communications Ministry [2] [3]

Security as Differentiator and Edge Differentiator – Increased cyber security awareness for govts and industry – Major ISP says security now on checklist for customers DNSSEC Service and Support – 94/316 TLDs (e.g.,.com,.in,.nl,..) – Growing ISPs adoption* – Available to 84% of domains – Vendor support (ISC/BIND, Microsoft..) – gTLDs (e.g.,.bank,.search) require it *COMCAST Internet (18M), TeliaSonera SE, Sprint,Vodafone CZ,Telefonica CZ, T-mobile NL, SurfNet NL, SANYO Information Technology Solutions JP, others..

VoIP mydomainname.com DNS is a part of all IT ecosystems US-NSTIC effort Smart Electrical Grid OECS ID effort

The Bad: SSL Dilution of Trust The Good: DNSSEC = Global “free” PKI CA Certificate roots ~1482 Login security SSHFP RFC4255 DANE and other yet to be discovered security innovations, enhancements, and synergies Content security Commercial SSL Certificates for Web and Content security “Free SSL” certificates for Web and and “trust agility” Network security IPSECKEY RFC4025 Cross- organizational and trans-national identity and authentication security DKIM RFC4871 DNSSEC root - 1 Domain Names Securing VoIP

Opportunity: New Security Products Improved Web SSL and certificates for all* Secured (S/MIME) for all* Validated remote login SSH, IPSEC* Securing VoIP Cross organizational digital identity systems Secured content delivery (e.g. configurations, updates, keys) Securing Smart Grid efforts A global PKI Increasing trust in e-commerce A good ref *IETF standards complete or currently being developed

DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.

The Internet’s Phone Book - Domain Name System (DNS+DNSSEC) Get page webserver Username / Password Account Data DNS Resolver = DNS Server Login page ISP/ HotSpot / Enterprise/ End Node Majorbank.se (Registrant) DNS Server.se (Registry) DNS Server. (Root) Animated slide

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.