security and privacy for in-home networks€¦ · 2.6m dnssec-signed 1.3b dns queries/day •...

21
Security and Privacy for In-home Networks Jelte Jansen | Holland strikes back 3 oktober 2017

Upload: others

Post on 19-Jun-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Security and Privacyfor In-home Networks

Jelte Jansen | Holland strikes back

3 oktober 2017

Page 2: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

SIDN Labs

.nl = the Netherlands17M inhabitants5.7M domain names2.6M DNSSEC-signed1.3B DNS queries/day

• Research team of .nl registry, SIDN

• Goal: thrust operational security, resilience, and privacy of the Internet through world-class measurement-based research and technology development

• Themes: DNS service management, topology mapping & anomaly detection, IoT homenet management

• Targeted impact: SIDN, .nl ecosystem, wider Internet community

Page 3: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

8.4 BillionDevices connected to the Internet in 2017

Source: Gartner (January 2017)

Page 4: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

20 Billionin 2020

Page 5: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Attributed to @tkadlec

Page 6: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

The 2016 Dyn attack

1.2 TbpsFrom ‘only’ 100.000 devices

vs.Mirai

Page 7: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

What can we do?For various interpretations of ‘we’

Page 8: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

What should we do?

• Better practices for manufacturers?

• Free secure software stacks?

• International policy, regulation, certificiation?

• Clear up accountability issues?

• Generate market demand for secure products?

• Quarantine bad actors (e.g. at ISP)?

• Educate users?

• Empower users? “Yes”We need to do it all

For various interpretations of ‘we’

Page 9: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Empower users:Protect home networks

Focus on one today:

Page 10: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

How to protect home networks?

• Home networks notoriously insecure

• Many different devices and device types

• There will always be bad devices and computers

Page 11: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Quarantined by ISP

• “Reinstall Windows”

• 15-20 devices connected at any time

• None of them run windows.

Page 12: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

How to protect home networks?

• Lowest common denominator: IP

• So, firewall?

• We need something better

Page 13: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

The Dream

Open home security platform: open source, open standards

Automatic operation: guards and automatically blocks devices

Privacy friendly: runs locally, does not process application-level data

User-centric: automatic, but allow for ‘power-use’

Enables new business models: network-level system w/ well-defined APIs

Page 14: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

The SPIN project at SIDN Labs

• Open source in-home router/AP software that

• Helps end-users control their security and privacy in the IoT

• Helps protecting DNS operators and other service providesfrom IoT-powered DDoS attacks

• All processing done locally, no VPN, no cloud

Page 15: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

The SPIN project at SIDN Labs

• Research and prototype SPIN functions:

• Visualise network traffic

• Automatically block unwanted traffic/infected devices

• Allow ‘good’ traffic

• Scan devices

• Sharing platform for device info

Page 16: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

High-level view

TrafficCapturer

DeviceScanner

TrafficFilter

ThreatDetector

FilteringDP

Applica ons(BlockingNo fier,TopologyBrowser,SharingApplica on)

PCAP

TopologyDatabase

eventPa ern

DatabasePolicy

Database

SPINService

OtherSPINSystem

D1àT

D1ßA

T

A

PacketForwarder

Communityofsecurity

researchers topologychanges(SPINprotocol)

SPINpolicycommunity

edit

importimport

update

update

Filteringdecision

configu re

genericdeviceinfo

Incomingtraffic

Outgoingtraffic

D1

browse,export

D1ßA

D1àT

Control Packetforwardingpath

3.1 3.23.2

3.5 3.5

3.3

3.4

topologychanges

no fica onsmanualoverride

Page 17: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Status

• Running prototype

• ‘Vertical slice’ of the concept

• Visualises basic traffic

• Blocks specified traffic

• Open source: https://github.com/SIDN/SPIN

• Full (GL-Inet) images at https://valibox.sidnlabs.nl/

Page 18: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Future Research

• This needs to be a collaborative effort

• Collaborate on experiment visualisation/control

• Collaborate on a platform for sharing (IoT) device information

• Research into device scanning

• Research ‘circuit-breaker’ design (think power groups)

• Possibly: Repositories for known bad devices/versions

(This might be a bad thing™!)

• Possibly: Trusted traffic profiles

“My TV should stream the news and Netflix, but nothing else”

Page 19: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Current high-level topics of interest

• Standardization

• Pilot for large scale evaluation

• Business models based on SPIN platform

• SPIN as a platform for IoT research projects

Page 20: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Demo!

In 5 minutes at Toyoda room

Page 21: Security and Privacy for In-home Networks€¦ · 2.6M DNSSEC-signed 1.3B DNS queries/day • Research team of .nl registry, SIDN • Goal: thrust operational security, resilience,

Thank you for your attention!

Any questions?@SIDN

SIDN

SIDN.nl

Follow us