• No results found

Network Infrastructure Under Siege

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Network Infrastructure Under Siege"

Copied!
41
0
0

Loading.... (view fulltext now)

Download now ( 41 Page )

Full text

(1)

Information Security Decisions | © TechTarget

Network Infrastructure Under Siege

Char Sample

Security Engineer, CERT

(2)

Disclaimer

● Standard Disclaimer

- This talk represents the opinions and research of the

presenter only and not those of her employer. This talk is NOT a CERT sanctioned talk.

(3)

Introduction

● Who am I

- Background

- What is Infrastructure

(4)

Agenda

● Network Layer: Routing

- Global

- Local

● Transport/Session Layer: SSL

(5)

Network: Routing

● What is routing

● How does it work

- Basic Routing Algorithm

- Global - Local ● Routing Problems - Prefix hijacking - Byzantine Routing ● Routing Security

(6)

Routing

● How does it work

- Packets are forwarded to neighbor router.

● Router either recognizes from table or mask

● Router forwards if it does not recognize.

- Basic Routing Algorithm

If packet prefix is on the network then deliver

else if packet prefix matches static route then use it else if packet prefix in routing table then deliver

(7)

Routing

● Consider each step in the routing algorithm and where

things can go wrong.

- Is packet on the network? – Prefix hijacking.

- Destination in the routing table?

● Routing table secure?

(8)

Routing

● Global: BGP - AS to IP mappings - 3 layers ● Edge ● Aggregation ● Core ● Local: OSPF

(9)
(10)

Routing Example #1

● Prefix hijack BGP AS23724

● A lot of conflicting information

● 15% traffic or routes?

● Intentional or not?

● Who was affected?

- A fair number of Chinese sites.

- So too were US sites, .gov and .mil.

(11)
(12)

Routing Example #2

● February 2012 Australia.

● Malice or not?

● Often the first reaction is to assume malice, while

overlooking incompetence or laziness.

- Lack of filters (max prefix limits instead)

- Route leaks

(13)
(14)

Securing Routing

● S-BGP

● Resource Infrastructure Public Key Infrastructure (RPKI)

● Route Origin Authentication (ROA)

(15)

Routing Security

● What can you do?

- Find out what your provider is doing?

- If planning a cloud migration find out what the provider is doing?

(16)

Transport/Session: SSL

● How SSL works

- Browser gets a digital certificate from the site at session start.

● That certificate has a public key to start an encrypted session, much like SSH.

● But unlike SSH, which asks the user "should I trust the endpoint?", public key infrastructure automates the trust.

- That certificate is signed by the CA.

● The cert w/ associated public key) is built into the browser's certificate store.

● Browser to verifies the signature.

● What can go wrong with SSL

- Encryption itself is pretty good.

(17)
(18)
(19)

SSL - Security

● Client concerns

● Server concerns

(20)
(21)

Application: DNS

● What is DNS

● How does it work

● Security Problems with DNS

(22)

22

DNS & Why We Care

● Provides the name to IP address mappings.

● Created as scaleable method to replace original

ARPANet host & address file.

● A globally distributed, loosely coherent, scalable,

reliable, dynamic hierarchical database

● Originally DNS security not considered.

● DNS quickly became a critical service of the Internet

(23)

Why Do We Care?

● Other applications rely on properly working DNS

● IPv6 is even more reliant on reliable DNS.

● Good attacks are invisible to the end user.

(24)

24

How DNSWorks

4 Major Components

- Resolvers ● Stub ● Recursive - Servers ● Caching ● Authoritative

(25)

25

Split Functionality

Caching DNS Server Stub resolver End-user www.char.com Authoritative DNS Servers Recursive Resolver

(26)

DNS Vulnerabilities

● Basic Vulnerability Types:

- DoS - Data Modification ● Cache poisoning ● Request redirection/hijacking - Zone enumeration - Tunneling - Fast flux 26

(27)
(28)
(29)
(30)
(31)
(32)
(33)

33

Securing DNS

● Done through a combination of the following:

- Configurations

- Software

(34)

Configurations

● Separate out functionality

- Authoritative nameserver (ANS) by itself, public.

- Caching nameserver (CNS) ideally separated from recursive resolver.

● CNS tightly secured and isolated.

(35)

Securing DNS - DNSSEC

● What is DNSSEC?

- DNS Security Extensions

- Digital signatures

● How does it work?

- Signed Resource Record.

- Zone signing key (ZSK) & (KSK).

● What do I need to know?

- Read up.

- Get training.

- Determine provider’s knowledge.

(36)
(37)

Securing DNS - Monitoring

● DNS monitoring

- As a part of IDS

- As a form of IDS

● DNS in the cloud

- 2009 Majority of operators did not know how to implement DNSSEC.

- Tunneling problem.

(38)

Conclusion

● There are lots of areas of concern within the

infrastructure.

● The infrastructure offers an excellent target for cyber

attacks and cyber crime.

● There are many efforts to improve security.

● Get involved, even if it’s just making your views known to

(39)

Sources of Information

● IETF: www.ietf.org - Routing ● www.bgpmon.net ● www.arbornetworks.com ● www.teamcrymu.org - SSL ● www.eff.org ● www.sans.edu - DNS ● www.isc.org ● www.dnssec.net ● tools.netsa.cert.org

(40)

Q&A

● …and Answers…

Information Security Decisions | © TechTarget

(41)

Contact

Char Sample

Security Engineer,

Carnegie Mellon University CERT

[email protected]

Information Security Decisions | © TechTarget

Featured Member of the TechTarget Editorial Speaker Bureau

References

Download now ( PDF - 41 Page - 3.65 MB )

Related documents

Public Key Infrastructure

– A secure procedure is needed to generate and transmit the public key and private key to the user.. Components of PKI. •

Agenda. PKI Defined Terminology Key Technical Concepts Key Infrastructure Concepts Practical Uses. o o o o o. Important Considerations of Being a CA

Alice Bob Message Digest Hash Function Encrypt Signature Expected Digest Decrypt.. Public-Key – Encryption Encrypted Sym Key Encrypt Sym Key Encrypted Message Encrypt Message

Telex: Anticensorship in the Network Infrastructure

This message must be encrypted using the freshly negotiated key (or else the TLS server will hang up), so it cannot simply be replayed. Second, the key exchange parameter in use

Encrypted Connections

Once the EMu client has verified the server's public digital certificate it sends a random number to the server encrypted using the public key in the server's digital certificate..

Useful Tips for Reducing the Risk of Unauthorized Access for Network Cameras Important

Using the public key received from the network camera, a unique common key is generated and encrypted on the user’s computer6. The encrypted common key is sent to the

Electronic Payment Systems

1 Purchaser sends purchase order and payment advice signed with his private key to vendor.He also sends his public key certificate encrypted with vendor's public key to vendor. 2

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

• Using RSA, the HTTPS session key is encrypted by the client using the server’s public key and sent to the server across the network.. • The server decrypts the session key

Properties of Secure Network Communication

The browser sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted)