Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.


Working Group #4: Network Security
• Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to the successful global implementation of the Domain Name System Security Extensions (DNSSEC) and Secure BGP (Border Gateway Protocol) extensions.
• Duration: Sept – Mar. 2013

Working Group #4 – Participants
• Co-Chairs
  • Rod Rasmussen – Internet Identity
  • Rodney Joffe – Neustar
• Participants
  • 30 Organizations represented
  • Service Providers
  • Network Operators
  • Academia
  • Government
  • IT Consultants

Working Group #4 – Deliverables
• Domain Name Service (DNS) Security Issues
  • Report and vote today
• BGP and Inter-Domain Routing Security Issues
  • Report in March

Working Group 4 – Work Completed/Next Steps/Timeline
• Report out DNS paper today
• Draft issues and recommendations for Routing – Fall
• Routing draft report iterations Winter
• Report out Routing paper March 2013 CSRIC
• Teleconferences bi-weekly – Fridays 1330 Eastern
• Sub-team work parties meet in off-weeks

Working Group #4: Network Security Best Practices FINAL Report – DNS Best Practices

DNS Key Points
• DNS is a cornerstone service provided by ISPs
• Necessary for customers to use the Internet
• Essential to allow customers to create and maintain their own Internet presences
• Also important for Telco operations and enterprises/gov’t/etc.
• A critical service that ISPs must ensure is resilient to operational challenges and protect from abuse by miscreants
• As a distributed infrastructure requiring several actors to both enable and protect it, ISPs face challenges outside of their direct control in tackling many of the issues identified

Report Scope
• Not commenting on DNSSEC work covered by WG 5 – recommend that ISPs refer to that report on this topic as appropriate (cache poisoning etc.)
• Recursive DNS infrastructure
• Authoritative DNS infrastructure (ISP and for ISP customers)
• Domain registration of ISP and ISP customer domains
• DNS operations in general that could impact ISPs and their customers
• Security of DNS infrastructure

DNS Issues Considered
• Publication of falsified malicious information
• Use of falsified malicious information published by authoritative nameservers
• Use/dissemination of falsified malicious information introduced in transit
• Insecure zone transfers (TSIG usage)
• DDoS including reflective DNS amplification DDoS attacks
• Filtering/synthesized responses
• NX rewriting on resolvers
• Open resolvers
• Ghost domains
• Customers infected with DNS manipulating virus (e.g. DNSChanger)
• Customers using routers with alternative DNS servers as default
• Resiliency of DNS infrastructure

ISP Roles in DNS Issues
• Attacks against & issues with ISP Recursive Infrastructure
• Attacks against & issues with Authoritative DNS of ISPs themselves
• Attacks against DNS Infrastructure that ISPs provide to their customers
• Abuse of an ISP’s infrastructure to attack others
• Subscribers of ISPs having issues with DNS
• Hygiene and "other" issues touching on DNS security

Recommendation Process
• Numerous best practices based on existing documents
• Analyze issue and point to existing documentation as the source of practices to use
• Prior CSRIC Reports, IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports
• 24 separate documents referenced

Recommendation Highlights
• Protect recursive and authoritative DNS infrastructures from hacking/insiders/account takeovers
• Protect domain names from hijacking/misconfiguration
• Ensure resiliency of all DNS infrastructures
• Implement BCP38 and related measures – ingress filtering to combat reflective DDOS

Working Group #4 – Participant List

Working Group #4: Network Security Best Practices September 12, 2012 Questions/Comments Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair