Working Group #4: Network Security – Best Practices
March 6, 2013
Presenters: Rod Rasmussen, Internet Identity; Tony Tauber, Comcast
WG #4
Working Group #4: Network Security Best Practices
• Description: This Working Group will examine and make recommendations to the Council regarding best practices to secure the Domain Name System (DNS) and routing system of the Internet during the period leading up to some significant deployment of protocol extensions such as the Domain Name System Security Extensions (DNSSEC), Secure BGP (Border Gateway Protocol) and the like. The scope and focus is currently deployed and available feature-sets and processes and not future or non-widely deployed protocol extensions.
• Duration: September 2011 – March 2013
Working Group #4 – Participants
• Co-Chairs
  • Rod Rasmussen – Internet Identity
  • Rodney Joffe – Neustar
• Participants
  • 30 Organizations represented
  • Service Providers
  • Network Operators
  • Academia
  • Government
  • IT Consultants
Working Group #4 – Deliverables
• Domain Name Service (DNS) Security Issues
  • Reported on in September 2012
• BGP and Inter-Domain Routing Security Issues
  • Report and vote today
Working Group #4: Network Security Best Practices
FINAL Report – Routing Security Best Practices
March 6, 2013
Presenter: Tony Tauber, Comcast
WG #4
Routing Key Points
• Routing security is an environmental good
  • Unilateral action does not entirely benefit practitioners
• Deployment details and scenarios vary
  • Recommendations should as well
• Autonomy is sacrosanct
  • Key feature of the operational Internet
Report Scope
• Capabilities in currently deployed gear
  • Not commenting on protocol extension work
    • Handled in WG #6
• ISP Network Operational Practices
• Enterprise Network Operational Practices
• Administrative Practices
Routing Issues Considered
• BGP Session-Level Vulnerability
  • Session Hijacking
  • Denial of Service (DoS) Vulnerability
  • Source-address filtering
• BGP Injection and Propagation Vulnerability
  • BGP Injection and Propagation Countermeasures
  • BGP Injection and Propagation Recommendations
• Other Attacks and Vulnerabilities of Routing Infrastructure
  • Hacking and unauthorized 3rd party access to routing infrastructure
  • ISP insiders inserting false entries into routers
  • Denial-of-Service Attacks against ISP Infrastructure
  • Attacks against administrative controls of routing identifiers
Deployment Scenarios
• Vary according to topology
  • Stub network vs. Transit network
• Vary as a function of scale
  • Number of BGP routers
  • Number of BGP sessions
  • Size of Operational staff
Recommendation Process
• Leverage existing security recommendations
  • Taken together recommendations can be confusing, contradictory
  • Tailor advice based on deployment scenarios
• IETF RFCs and BCPs, ICANN SSAC Papers, NIST Special Reports, ISOC papers, SANS Reports
  • Over a dozen separate documents referenced
Recommendation Highlights
• Perform explicit filtering of BGP prefixes
  • Customer relationships
• Protect against spoofed IP source addresses
  • Source validation at network edge
  • Filter internal address space inbound from Internet
• Use extra steps to lessen impact of route leaks
  • Coarse AS-path filters
  • Maximum-Prefix limits
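
How the explicit prefix filter, coarse AS-path filter and maximum-prefix limit listed above combine on one customer session, as an added example that is not part of the original slides or the working group's report. The prefixes, AS numbers, limit value and function names are constructed, and counting received (rather than accepted) prefixes toward the limit is an assumption.

```python
import ipaddress

# Constructed policy for one customer BGP session (documentation prefixes and ASNs).
ALLOWED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
MAX_LENGTH = 24                # longest prefix accepted from this customer
TRANSIT_ASNS = {64496, 64497}  # stand-ins for large transit networks
MAX_PREFIXES = 4               # assumption: the limit counts received prefixes

def check_route(prefix, as_path):
    """Return the filters an announcement fails; an empty list means accept."""
    net = ipaddress.ip_network(prefix)
    reasons = []
    # Explicit prefix filter: only space registered to the customer, no deaggregation.
    covered = any(net.version == a.version and net.subnet_of(a) for a in ALLOWED)
    if not covered or net.prefixlen > MAX_LENGTH:
        reasons.append("prefix-filter")
    # Coarse AS-path filter: a customer is never the path to a large transit network.
    if TRANSIT_ASNS & set(as_path):
        reasons.append("as-path-filter")
    return reasons

def evaluate_session(updates):
    """Apply per-route filters, then tear the session down past MAX_PREFIXES."""
    accepted, rejected = [], {}
    for count, (prefix, as_path) in enumerate(updates, start=1):
        if count > MAX_PREFIXES:
            # Maximum-prefix limit: backstop for a leak the filters did not anticipate.
            return {"state": "torn-down", "accepted": accepted, "rejected": rejected}
        reasons = check_route(prefix, as_path)
        if reasons:
            rejected[prefix] = reasons
        else:
            accepted.append(prefix)
    return {"state": "established", "accepted": accepted, "rejected": rejected}

# Constructed announcements: normal operation, then a leak of routes from another provider.
NORMAL = [("192.0.2.0/24", [64500]), ("198.51.100.0/24", [64500, 64501])]
LEAK = NORMAL + [
    ("203.0.113.0/24", [64500, 64496, 64510]),  # not customer space, transit AS in path
    ("192.0.2.128/25", [64500]),                # customer space but too specific
    ("203.0.113.0/25", [64500, 64497]),         # fifth prefix received: over the limit
]

if __name__ == "__main__":
    for name, updates in (("normal", NORMAL), ("leak", LEAK)):
        print(name, evaluate_session(updates))
```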