01 dnssec steve
TRANSCRIPT
-
8/13/2019 01 Dnssec Steve
Security in the Network Infrastructure - DNS, DDoS, etc.
Steve Crocker, [email protected]
Russ Mundy, [email protected]
GTER, São Paulo
December 8, 2006
-
Proactive Security
• Build security into the infrastructure
• Good architecture is cheaper and better than chasing the bad guys
  - It's less sexy but more effective
• CERTs, Firewalls, Honeynets, etc. are all good
• Networking the security community is good
• Do all of this, but also invest in the architecture
-
Latin America has unique opportunity
• Plenty of technical talent
• Networks are still in a growth stage
• Not as much legacy as North America, Europe
• Good communication, cooperation
• Opportunity to leap ahead
-
Incidents Reported to CERT/CC
-
Vulnerabilities Reported to CERT/CC
-
Attack Sophistication vs. Intruder Knowledge
[Figure: chart annotated with the following attack types]
• email propagation of malicious code
• stealth/advanced scanning techniques
• widespread attacks using NNTP to distribute attack
• widespread attacks on DNS infrastructure
• executable code attacks (against browsers)
• automated widespread attacks
• GUI intruder tools
• hijacking sessions
• Internet social engineering attacks
• packet spoofing
• automated probes/scans
• widespread denial-of-service attacks
• techniques to analyze code for vulnerabilities without source code
• DDoS attacks
• increase in worms
• sophisticated command & control
• anti-forensic techniques
• home users targeted
• distributed attack tools
• increase in wide-scale Trojan horse distribution
• Windows-based remote controllable Trojans (Back Orifice)
Axes: Intruder Knowledge, Attack Sophistication; time span 1990 to 2004
-
What is www.nic.br's address?
[Diagram labels: Resolver; Caching forwarder (recursive); root name server; br's name server; nic.br's name server]
Query: www.nic.br?
Answer: 200.160.4.6
-
DNS: Data Flow
[Diagram components: Zone administrator, Zone file, Dynamic updates, master, slaves, Caching forwarder, resolver; the data-flow steps are numbered 1 to 5]
-
DNS Vulnerabilities
[Diagram: the DNS data flow (Zone administrator, Zone file, Dynamic updates, master, slaves, Caching forwarder, resolver; steps 1 to 5) annotated with threats]
Threats shown:
• Corrupting data
• Impersonating master
• Unauthorized updates
• Cache impersonation
• Cache pollution by data spoofing
• Altered zone data
Protection categories shown: Server protection, Data protection
-
Securing DNS
• DNS is critical to Internet infrastructure
• DNSSEC secures DNS responses
• Specs and software are available
• Deployment has started
-
Hijacking Demo
Russ Mundy
SPARTA, Inc.
-
DNSSEC
• DNSSEC is official security protocol
  - IETF RFCs 4033, 4034, 4035
• Protects against data spoofing and corruption
• Uses public key cryptography
  - Same cryptography as PKI, but just for hosts
• Implemented hierarchically
  - The root signs the top level domain (.br)
  - The TLD signs the next level (nic.br)
  - Etc.
-
Deployment Status
• Specs and Software exist
• TLD deployment has begun
  - Sweden (.SE) is operational
  - Puerto Rico (.PR) is operational
  - RIPE's portion of in-addr.arpa is signed
  - .ORG, .COM and .NET have test beds
  - Others are in progress (.BR, et al)
• Browser and desktop will take a while
  - Microsoft has announced support
-
Getting Enterprises Signed
• In house operation
• Outsourced operation
-
In-House Operation
• Software
• Possible hardware
• Operations Policies
  - Key lifetimes, management chain
• Procedures, Training
-
Outsourced Operation
• Many enterprises outsource DNS service
• Registrars, hosting services, ISPs
• Managed DNS Service Providers
  - UltraDNS, VeriSign, Akamai, Netriplex, Infoblox, EasyDNS, DNS Made Easy
• DNS Service Providers can add DNSSEC with zero imposition on domain name holder
  - Except perhaps for a charge
• DNS Service Providers will be the source of many signed zones
-
Business Opportunity
• DNSSEC fits with DKIM
  - Provides complete security picture
• Offer managed DNS service
  - High availability
  - Organized management
• Include DNSSEC service
  - Relieves burden from customer
-
DNSSEC Deployment
• Serious deployment activities emerging around the world:
  - http://secspider.cs.ucla.edu/tracking ~300 signed zones
  - Europe/RIPE region most active
• U.S. Government implementing DNSSEC in its own operations
  - DNSSEC requirements included in latest Federal Information Security Management Act (FISMA) requirements
• Federal Information Processing Standards (FIPS) 199 & 200.
  - Requires incremental deployment of DNSSEC across USG agencies.
  - ... and the contractors that provide IT resources/services to them
-
Implementation Assistance
• NIST Secure DNS Deployment Guide (NIST SP800-81)
  - http://csrc.nist.gov/publications/nistpubs/
  - Provides DNS threat awareness and a range of mitigation techniques
  - Helps agencies deploy new DNS security measures with confidence
• DNSSEC Deployment Initiative
  - Growing community of organizations committed to fostering DNSSEC deployment
  - http://www.dnssec-deployment.org/
  - Resources: News, tools, deployment, test and management plans, testbeds, lessons learned
  - Free newsletter at http://www.dnssec-deployment.org/news/dnssecthismonth/
-
For more information, read DNSSEC THIS MONTH
http://www.dnssec-deployment.org/news/dnssecthismonth/
-
Contacts & Resources
• [email protected]
• www.dnssec-deployment.org
• Slides and other DNSSEC material at: www.ripe.net/training/dnssec/
• http://www.nlnetlabs.nl/dnssec/
• http://www.dnssec.net/
Support provided by U.S. Dept. of Homeland Security, Science and Technology Directorate and ICANN
Cooperative work with SPARTA, NIST, MIT Lincoln Laboratory