ION Mumbai - Richard Lamb: Why DNSSEC?
Upcoming SlideShare
Loading in...5
×
 

ION Mumbai - Richard Lamb: Why DNSSEC?

on

  • 754 views

Rick Lamb's DNSSEC presentation from ION Mumbai on 11 October 2012

Rick Lamb's DNSSEC presentation from ION Mumbai on 11 October 2012

Statistics

Views

Total Views
754
Views on SlideShare
754
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

ION Mumbai - Richard Lamb: Why DNSSEC? ION Mumbai - Richard Lamb: Why DNSSEC? Presentation Transcript

  • The  Business  Case  for  DNSSEC      InterOp/ION  Mumbai  2012     11  October  2012   richard.lamb@icann.org  
  • The  Business  Case  for  DNSSEC  •  Cyber  security  is  becoming  a  greater  concern  to   enterprises,  government,  and  end  users.  DNSSEC   is  a  key  tool  and  differenFator.  •  DNSSEC  is  the  biggest  security  upgrade  to   Internet  infrastructure  in  over  20  years.  It  is  a   plaHorm  for  new  security  applicaFons  (for  those   that  see  the  opportunity).  •  DNSSEC  infrastructure  deployment  has  been   brisk  but  requires  experFse.    GeOng  ahead  of  the   curve  is  a  compeFFve  advantage.  
  • Where  DNSSEC  fits  in  •  DNS  converts  names  (www.tata.in)  to   numbers  (64.37.102.54)  •  ..to  idenFfy  services  such  as  www  and  e-­‐mail  •  ..that  idenFfy  and  link  customers  to  business   and  visa  versa  
  • Where  DNSSEC  fits  in  •  ..but  CPU  and  bandwidth  advances  make   legacy  DNS  vulnerable  to  MITM  aYacks  •  DNS  Security  Extensions  (DNSSEC)  introduces   digital  signatures  into  DNS  to   cryptographically  protect  contents    •  With  DNSSEC  fully  deployed  a  business  can  be   sure  a  customer  gets  un-­‐modified  data  (and   visa  versa)  
  • The  Original  Problem:     DNS  Cache  Poisoning  A?ack     www.majorbank.se = 1.2.3.4  www.majorbank.se=?   DNS   DNS 5.6.7.8   Resolver                          Server        ENTERPRISE                           Attacker   www.majorbank.se = 5.6.7.8 Get page   Attacker Login page webserver   Username / Password   www @ Error 5.6.7.8   ISP  /   ENTERPRISE  /   END  NODE   Password databaseAnimated  slide   detailed  descripFon  at:  h?p://unixwiz.net/techFps/iguide-­‐kaminsky-­‐dns-­‐vuln.html  
  • Argghh!  Now  all  ISP  customers  get   sent  to  a?acker.   www.majorbank.se = 1.2.3.4www.majorbank.se=? DNS DNS 5.6.7.8 Resolver Server Get page Attacker Login page webserver Username / Password www @ Error 5.6.7.8 Password databaseAnimated  slide  
  • The  Bad:  DNSChanger  -­‐  ‘Biggest   Cybercriminal  Takedown  in  History’  –   4M  machines,  100  countries,  $14M  Nov  2011  h?p://krebsonsecurity.com/2011/11/malware-­‐click-­‐fraud-­‐kingpins-­‐arrested-­‐in-­‐estonia/                                                          End-­‐2-­‐end  DNSSEC  validaFon  would  have  avoided  the  problems  
  • The  Bad:  Brazilian  ISP  fall  vicFm  to  a   series  of  DNS  a?acks    7  Nov  2011  h?p://www.securelist.com/en/blog/208193214/Massive_DNS_poisoning_a?acks_in_Brazil                                                                                            End-­‐2-­‐end  DNSSEC  validaFon  would  have  avoided  the  problems  
  • The  Bad:  Other  DNS  hijacks*   •  25  Dec  2010  -­‐  Russian  e-­‐Payment  Giant  ChronoPay  Hacked   •  18  Dec  2009  –  Twi?er  –  “Iranian  cyber  army”   •  13  Aug  2010  -­‐  Chinese  gmail  phishing  a?ack   •  25  Dec  2010  Tunisia  DNS  Hijack   •  2009-­‐2012  google.*   –  April  28  2009  Google  Puerto  Rico  sites  redirected  in  DNS  a?ack   –  May  9  2009  Morocco  temporarily  seize  Google  domain  name   •  9  Sep  2011  -­‐  Diginotar  cerFficate  compromise  for  Iranian  users     •  SSL  /  TLS  doesnt  tell  you  if  youve  been  sent  to  the  correct  site,  it  only   tells  you  if  the  DNS  matches  the  name  in  the  cerFficate.  Unfortunately,   majority  of  Web  site  cerFficates  rely  on  DNS  to  validate  idenFty.   •  DNS  is  relied  on  for  unexpected  things  though  insecure.  *A  Brief  History  of  DNS  Hijacking  -­‐  Google  h?p://costarica43.icann.org/meeFngs/sanjose2012/presentaFon-­‐dns-­‐hijackings-­‐marquis-­‐boire-­‐12mar12-­‐en.pdf  
  • The  Good:  Securing  DNS  with  DNSSEC   Attacker’s record does not validate – drop it www.majorbank.se = 1.2.3.4www.majorbank.se=? DNS DNS 1.2.3.4 Resolver Server with with Attacker DNSSEC DNSSEC www.majorbank.se = 5.6.7.8 Get page Login page webserver Username / Password www @ Account Data 1.2.3.4Animated  slide  
  • The  Good:  Resolver  only  caches   validated  records     www.majorbank.se = 1.2.3.4  www.majorbank.se=?   DNS   DNS 1.2.3.4   Resolver   Server with   with   DNSSEC   DNSSEC   Get page     Login page webserver     Username / Password www @     Account Data 1.2.3.4     ISP  /   ENTERPRISE   ENTERPRISE  /   END  NODE  Animated  slide  
  • DNSSEC  interest  from  governments   •  Sweden,  Brazil,  Netherlands  and  others   encourage  DNSSEC  deployment  to  varying   degrees   •  Mar  2012  -­‐  AT&T,  CenturyLink  (Qwest),  Comcast,   Cox,  Sprint,  TimeWarner  Cable,  and  Verizon  have   pledged  to  comply  and  abide  by  US  FCC  [1]   recommendaFons  that  include  DNSSEC..  “A  report  by   Gartner  found  3.6  million  Americans  geOng  redirected  to  bogus   websites  in  a  single  year,  cosFng  them  $3.2  billion.,”[2].   •  2008  US  .gov  mandate.    >60%  operaFonal.  [3]  [1]  FCC=Federal  CommunicaFons  Commission=US  communicaFons  Ministry    [2]  h?p://securitywatch.pcmag.com/security/295722-­‐isps-­‐agree-­‐to-­‐fcc-­‐rules-­‐on-­‐anF-­‐botnet-­‐dnssec-­‐internet-­‐rouFng      [3]  h?p://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2008/m08-­‐23.pdf  
  • Security  as  DifferenFator  and   Edge  •  DifferenFator   –  Increased  cyber  security  awareness  for  govts  and   industry   –  Major  ISP  says  security  now  on  checklist  for   customers  •  DNSSEC  Service  and  Support   –  94/316  TLDs  (e.g.,  .com,.in,.nl,..)   –  Growing  ISPs  adopFon*   –  Available  to  84%  of  domains   –  Vendor  support  (ISC/BIND,  Microsoo..)   –  gTLDs  (e.g.,  .bank,  .search)  require  it  *COMCAST  Internet  (18M),  TeliaSonera  SE,  Sprint,Vodafone  CZ,Telefonica  CZ,  T-­‐mobile  NL,  SurfNet  NL,  SANYO  InformaFon  Technology  SoluFons  JP,  others..    
  • +1-­‐202-­‐709-­‐5262   US-­‐NSTIC  effort            VoIP   DNS  is  a  part  of  all  IT  ecosystems     OECS  ID  effort  lamb@xtcn.com   Smart  Electrical  Grid   mydomainname.com  
  • The  Bad:  SSL  DiluFon  of  Trust     The  Good:  DNSSEC  =  Global  “free”  PKI   CA  CerFficate  roots  ~1482   DNSSEC  root  -­‐  1   Content  security   Cross-­‐ Content  security   “Free  SSL”   Commercial  SSL   organizaFonal  and   cerFficates  for  Web   trans-­‐naFonal   CerFficates  for   and  e-­‐mail  and  “trust   idenFty  and   Web  and  e-­‐mail   agility”   authenFcaFon   Network  security   DANE  and  other  yet  to  be   IPSECKEY  RFC4025   E-­‐mail  security   discovered  security    DKIM  RFC4871   innovaFons,  enhancements,   Securing  VoIP   and  synergies   Login  security   Domain  Names   SSHFP  RFC4255  hYps://www.eff.org/observatory  hYp://royal.pingdom.com/2011/01/12/internet-­‐2010-­‐in-­‐numbers/  
  • Opportunity:  New  Security  Products  •  Improved  Web  SSL  and  cerFficates  for  all*  •  Secured  e-­‐mail  (S/MIME)  for  all*  •  Validated  remote  login  SSH,  IPSEC*  •  Securing  VoIP  •  Cross  organizaFonal  digital  idenFty  systems  •  Secured  content  delivery  (e.g.  configuraFons,   updates,  keys)  •  Securing  Smart  Grid  efforts  •  A  global  PKI  •  Increasing  trust  in  e-­‐commerce   A  good  ref  h?p://www.internetsociety.org/deploy360/dnssec/   *IETF  standards  complete  or  currently  being  developed  
  • DNSSEC:  Internet  infrastructure  upgrade  to  help  address  today’s  needs  and  create  tomorrow’s  opportunity.  
  • The  Internet’s  Phone  Book  -­‐  Domain   Name  System  (DNS+DNSSEC)   www.majorbank.se = 1.2.3.4 www.majorbank.se=? DNS DNS 1.2.3.4 Resolver Server Get page Login page webserver Username / Password www @ Account Data 1.2.3.4 ISP/  HotSpot  /   Majorbank.se (Registrant)   Enterprise/  End   Node   DNS Server .se (Registry)   DNS ServerAnimated  slide   . (Root)