security and privacy for in-home networks€¦ · 2.6m dnssec-signed 1.3b dns queries/day •...
TRANSCRIPT
![Page 1: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/1.jpg)
Security and Privacyfor In-home Networks
Jelte Jansen | Holland strikes back
3 oktober 2017
![Page 2: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/2.jpg)
SIDN Labs
.nl = the Netherlands17M inhabitants5.7M domain names2.6M DNSSEC-signed1.3B DNS queries/day
• Research team of .nl registry, SIDN
• Goal: thrust operational security, resilience, and privacy of the Internet through world-class measurement-based research and technology development
• Themes: DNS service management, topology mapping & anomaly detection, IoT homenet management
• Targeted impact: SIDN, .nl ecosystem, wider Internet community
![Page 3: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/3.jpg)
8.4 BillionDevices connected to the Internet in 2017
Source: Gartner (January 2017)
![Page 4: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/4.jpg)
20 Billionin 2020
![Page 5: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/5.jpg)
Attributed to @tkadlec
![Page 6: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/6.jpg)
The 2016 Dyn attack
1.2 TbpsFrom ‘only’ 100.000 devices
vs.Mirai
![Page 7: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/7.jpg)
What can we do?For various interpretations of ‘we’
![Page 8: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/8.jpg)
What should we do?
• Better practices for manufacturers?
• Free secure software stacks?
• International policy, regulation, certificiation?
• Clear up accountability issues?
• Generate market demand for secure products?
• Quarantine bad actors (e.g. at ISP)?
• Educate users?
• Empower users? “Yes”We need to do it all
For various interpretations of ‘we’
![Page 9: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/9.jpg)
Empower users:Protect home networks
Focus on one today:
![Page 10: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/10.jpg)
How to protect home networks?
• Home networks notoriously insecure
• Many different devices and device types
• There will always be bad devices and computers
![Page 11: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/11.jpg)
Quarantined by ISP
• “Reinstall Windows”
• 15-20 devices connected at any time
• None of them run windows.
![Page 12: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/12.jpg)
How to protect home networks?
• Lowest common denominator: IP
• So, firewall?
• We need something better
![Page 13: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/13.jpg)
The Dream
Open home security platform: open source, open standards
Automatic operation: guards and automatically blocks devices
Privacy friendly: runs locally, does not process application-level data
User-centric: automatic, but allow for ‘power-use’
Enables new business models: network-level system w/ well-defined APIs
![Page 14: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/14.jpg)
The SPIN project at SIDN Labs
• Open source in-home router/AP software that
• Helps end-users control their security and privacy in the IoT
• Helps protecting DNS operators and other service providesfrom IoT-powered DDoS attacks
• All processing done locally, no VPN, no cloud
![Page 15: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/15.jpg)
The SPIN project at SIDN Labs
• Research and prototype SPIN functions:
• Visualise network traffic
• Automatically block unwanted traffic/infected devices
• Allow ‘good’ traffic
• Scan devices
• Sharing platform for device info
![Page 16: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/16.jpg)
High-level view
TrafficCapturer
DeviceScanner
TrafficFilter
ThreatDetector
FilteringDP
Applica ons(BlockingNo fier,TopologyBrowser,SharingApplica on)
PCAP
TopologyDatabase
eventPa ern
DatabasePolicy
Database
SPINService
OtherSPINSystem
D1àT
D1ßA
T
A
PacketForwarder
Communityofsecurity
researchers topologychanges(SPINprotocol)
SPINpolicycommunity
edit
importimport
update
update
Filteringdecision
configu re
genericdeviceinfo
Incomingtraffic
Outgoingtraffic
D1
browse,export
D1ßA
D1àT
Control Packetforwardingpath
3.1 3.23.2
3.5 3.5
3.3
3.4
topologychanges
no fica onsmanualoverride
![Page 17: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/17.jpg)
Status
• Running prototype
• ‘Vertical slice’ of the concept
• Visualises basic traffic
• Blocks specified traffic
• Open source: https://github.com/SIDN/SPIN
• Full (GL-Inet) images at https://valibox.sidnlabs.nl/
![Page 18: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/18.jpg)
Future Research
• This needs to be a collaborative effort
• Collaborate on experiment visualisation/control
• Collaborate on a platform for sharing (IoT) device information
• Research into device scanning
• Research ‘circuit-breaker’ design (think power groups)
• Possibly: Repositories for known bad devices/versions
(This might be a bad thing™!)
• Possibly: Trusted traffic profiles
“My TV should stream the news and Netflix, but nothing else”
![Page 19: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/19.jpg)
Current high-level topics of interest
• Standardization
• Pilot for large scale evaluation
• Business models based on SPIN platform
• SPIN as a platform for IoT research projects
![Page 20: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/20.jpg)
Demo!
In 5 minutes at Toyoda room
![Page 21: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,](https://reader036.vdocument.in/reader036/viewer/2022070810/5f0943c37e708231d425fe33/html5/thumbnails/21.jpg)
Thank you for your attention!
Any questions?@SIDN
SIDN
SIDN.nl
Follow us