Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4.


1 Working Group #4: Network Security – Best Practices March 6, 2013 Presenters: Rod Rasmussen, Internet Identity Tony Tauber, Comcast WG #4

2 Working Group #4: Network Security Best Practices

Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to some significant deployment of protocol extensions such as the Domain Name System Security Extensions (DNSSEC), Secure BGP (Border Gateway Protocol) and the like. The scope and focus is currently deployed and available feature-sets and processes and not future or non-widely deployed protocol extensions.

Duration: September 2011 – March 2013

3 Working Group #4 – Participants

- Co-Chairs
  - Rod Rasmussen – Internet Identity
  - Rodney Joffe – Neustar
- Participants
  - 30 Organizations represented
    - Service Providers
    - Network Operators
    - Academia
    - Government
    - IT Consultants

4 Working Group #4 – Participant List

5 Working Group #4 – Deliverables

- Domain Name Service (DNS) Security Issues
  - Reported on in September 2012
- BGP and Inter-Domain Routing Security Issues
  - Report and vote today

6 Working Group #4: Network Security Best Practices FINAL Report – Routing Security Best Practices March 6, 2013 Presenter: Tony Tauber, Comcast WG #4

7 Routing Key Points

- Routing security is an environmental good
  - Unilateral action does not entirely benefit practitioners
- Deployment details and scenarios vary
  - Recommendations should as well
- Autonomy is sacrosanct
  - Key feature of the operational Internet

8 Report Scope

- Capabilities in currently deployed gear
  - Not commenting on protocol extension work
    - Handled in WG #6
- ISP Network Operational Practices
- Enterprise Network Operational Practices
- Administrative Practices

9 Routing Issues Considered

- BGP Session-Level Vulnerability
  - Session Hijacking
- Denial of Service (DoS) Vulnerability
  - Source-address filtering
- BGP Injection and Propagation Vulnerability
  - BGP Injection and Propagation Countermeasures
  - BGP Injection and Propagation Recommendations
- Other Attacks and Vulnerabilities of Routing Infrastructure
  - Hacking and unauthorized 3rd party access to routing infrastructure
  - ISP insiders inserting false entries into routers
  - Denial-of-Service Attacks against ISP Infrastructure
  - Attacks against administrative controls of routing identifiers

10 Deployment Scenarios

- Vary according to topology
  - Stub network vs. Transit network
- Vary as a function of scale
  - Number of BGP routers
  - Number of BGP sessions
  - Size of Operational staff

11 Recommendation Process

- Leverage existing security recommendations
- Taken together recommendations can be confusing, contradictory
- Tailor advice based on deployment scenarios
- IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports
- Over a dozen separate documents referenced

12 Recommendation Highlights

- Perform explicit filtering of BGP prefixes
  - Customer relationships
- Protect against spoofed IP source addresses
  - Source validation at network edge
  - Filter internal address space inbound from Internet
- Use extra steps to lessen impact of route leaks
  - Coarse AS-path filters
  - Maximum-Prefix limits

13 Working Group #4: Network Security Best Practices March 6, 2013 Questions/Comments Presenter: Tony Tauber, Comcast WG #4 Co-Chair

