Transcript of slides: slides.lacnic.net/.../IWG_Day_3_ICANN_and_Internet...
| 1
ICANN & Internet Security (DNS) Security
11th October 2017, Internet Week Guyana
Albert [email protected]
| 2
What Does ICANN Mean for the End User?
• The Domain Name System allows you to easily navigate the Internet. ICANN monitors for compliance with contracts, including review of complaints.
• Generic Top-Level Domains provide choice in the domain name space.
• Country Code Top-Level Domains allow countries to host their own websites.
• Protocol Parameters allow computers to talk to each other.
• Internet Protocol Addresses are the numbers that identify devices.
• Root Zone Management keeps the DNS running smoothly.
• Policy Development is an inclusive, open and transparent process for the Community to create effective rules for the Internet.
• L-Root is one of the root servers that helps keep the DNS stable around the globe.
• Supporting and Growing the Community ensures diverse participants contribute to bottom-up, multistakeholder, consensus-driven policy.
(Diagram labels: POLICY, IANA functions)
| 3
How Internet Protocol (IP) Addresses are Distributed
• IANA functions: distributes IP addresses to Regional Internet Registries
• Regional Internet Registries: distribute IP addresses to ISP providers in your region
• Internet Service Providers: distribute IP addresses by providing connectivity to homes and businesses
• Homes and Businesses: end users connect their personal and professional devices to the Internet
| 4
The Digital Universe is Growing Exponentially
“According to IDC, the digital universe is doubling in size every two years, and by 2020, the digital universe – the data we create and copy annually – will reach 44 zettabytes, or 44 trillion gigabytes.”
Source: http://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm
If the Digital Universe were represented by the memory in a stack of tablets, in 2013 it would have stretched two-thirds of the way to the Moon*. By 2020 there would be 6.6 stacks from the Earth to the Moon*.
4.4 ZB in 2013; 44 ZB in 2020
* iPad Air - 0.29” thick, 128 GB
| 5
Why is the Internet Important to my Business?
• Grows business (75%): most of the economic value the Internet creates falls outside of the technology sector: companies in more traditional industries capture 75 percent of the benefits. (Chart labels: Global GDP, Internet Benefits. Source: McKinsey, 2011)
• Reaches billions (Internet penetration 51%): by 2019, there will be about 3.9 billion Internet users, or 51 percent of the world's projected population of 7.6 billion. (Source: Cisco, 2015)
• Expands trade (30%): today world trade represents about 30% of global GDP, up from 20% in the early days of the Internet. (Source: BCG, 2014)
Businesses of any size, in any sector, depend on a global, interoperable Internet
| 6
The Internet in 60 Seconds…
According to CIO Media and The Independent: every minute:
350,000 Tweets tweeted
31.5M Facebook messages posted
300 hours of video uploaded to YouTube
70 Domains registered
48,611 Instagram pictures posted
| 7
Unique Names and Numbers
Anything connected to the Internet – including computers, mobile phones and other devices – has a unique number called its IP address. IP stands for Internet Protocol.
This address is like a postal address. It allows messages, videos and other packets of data to be sent from anywhere on the Internet to the device that has been uniquely identified by its IP address.
IP addresses can be difficult to remember, so instead of numbers, the Internet’s domain name system uses letters, numbers and hyphens to form a name that is easier to remember.
| 8
DNSSEC
| 9
What is DNSSEC?
~ DNSSEC = “DNS Security Extensions”
~ DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)
~ DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names
~ Result of over a decade of community-based, open standards development
| 10
DNS Basics
• DNS converts names (www.republicguyana.com) to numbers (64.49.225.191)
• ...to identify services such as www and e-mail
• ...that identify and link customers to business and vice versa
| 11
DNS is a part of all IT ecosystems
• lamb@xtcn.com
• +1-202-709-5262 (VoIP)
• mydomainname.com
• US-NSTIC effort
• Smart Electrical Grid
• OECS ID effort
| 12
Where DNSSEC fits in
• ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks
• DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents
• With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and vice versa)
| 13
The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M
Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-to-end DNSSEC validation would have avoided the problems
| 14
The Internet’s Phone Book - Domain Name System (DNS)
DNS Hierarchy: root; gy, com; majorbank.gy; www.majorbank.gy
• User asks the DNS Resolver (run by the ISP): www.majorbank.gy = ?
• DNS Server (run by Majorbank, the Registrant) answers: www.majorbank.gy = 1.2.3.4
• Browser: Get page from webserver www @ 1.2.3.4
• Login page: user sends Username / Password and receives Account Data
| 15
Caching Responses for Efficiency
• User asks the DNS Resolver: www.majorbank.gy = ?
• DNS Server answers: www.majorbank.gy = 1.2.3.4 (the resolver caches this answer)
• Browser: Get page from webserver www @ 1.2.3.4
• Login page: user sends Username / Password and receives Account Data
| 16
The Problem: DNS Cache Poisoning Attack
• User asks the DNS Resolver: www.majorbank.gy = ?
• Attacker injects a forged answer: www.majorbank.gy = 5.6.7.8 (the real DNS Server’s answer is www.majorbank.gy = 1.2.3.4)
• Browser: Get page from the Attacker’s webserver www @ 5.6.7.8
• Login page: user sends Username / Password and gets an Error; the credentials land in the Attacker’s Password database
| 17
Caching Responses for Efficiency: now all ISP customers get sent to the attacker.
• Another customer asks the DNS Resolver: www.majorbank.gy = ?
• The poisoned cache answers: www.majorbank.gy = 5.6.7.8 (the real DNS Server still has www.majorbank.gy = 1.2.3.4)
• Browser: Get page from the Attacker’s webserver www @ 5.6.7.8
• Login page: Username / Password, Error, Attacker’s Password database
| 18
Securing The Phone Book – DNSSEC
• User asks the DNS Resolver with DNSSEC: www.majorbank.gy = ?
• DNS Server with DNSSEC answers: www.majorbank.gy = 1.2.3.4
• Attacker injects: www.majorbank.gy = 5.6.7.8
• Attacker’s record does not validate – drop it
• Browser: Get page from webserver www @ 1.2.3.4
• Login page: user sends Username / Password and receives Account Data
| 19
Resolver only caches validated records
• User asks the DNS Resolver with DNSSEC: www.majorbank.gy = ?
• DNS Server with DNSSEC answers: www.majorbank.gy = 1.2.3.4
• Browser: Get page from webserver www @ 1.2.3.4
• Login page: user sends Username / Password and receives Account Data
| 20
The Business Case for DNSSEC
• Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
• DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
• DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
| 21
DNSSEC: So what’s the problem?
• Not enough IT departments know about it or are too busy putting out other security fires.
• When they do look into it they hear old stories of FUD and lack of turnkey solutions and CDN support.
• Registrars*/CDNs/DNS providers see no demand leading to “chicken-and-egg” problems.
*but required by new ICANN registrar agreement
| 22
Who Can Implement DNSSEC
• Enterprises – Sign their zones and validate lookups
• TLD Operators – Sign the TLD
• Domain Name holders – Sign their zones
• Internet Service Providers – Validate DNS lookups
• Hosting Providers – Offer signing services to customers
• Registrars – Accept DNSSEC records (e.g., DS)
| 23
KSK Roll Over
| 24
KSK Rollover: An Overview
ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover
~ The Root Zone DNSSEC Key Signing Key “KSK” is the topmost cryptographic key in the DNSSEC hierarchy
~ The KSK is a cryptographic public-private key pair:
  o Public part: trusted starting point for DNSSEC validation
  o Private part: signs the Zone Signing Key (ZSK)
~ Builds a “chain of trust” of successive keys and signatures to validate the authenticity of any DNSSEC signed data
(Diagram labels: KSK, DATA)
| 25
Why is ICANN Rolling the KSK?
~ Because it’s not good for a cryptographic key to live forever. The cryptographic keys used in DNSSEC-signing DNS data should be changed periodically
  o Ensures infrastructure can support key change in case of emergency
~ This type of change has never before occurred at the root level
  o There has been one functional, operational Root Zone DNSSEC KSK since 2010
~ Because it’s better to make proactive changes during normal operations when things are running smoothly, rather than be reactive in an emergency. The KSK rollover must be widely and carefully coordinated to ensure that it does not interfere with normal operations
| 26
When Does the Rollover Take Place?
~ The changing or "rolling" of the KSK was originally scheduled to occur on 11 October 2017, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.
~ There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.
~ ICANN is tentatively hoping to reschedule the Key Rollover for the first quarter of 2018 and is encouraging ISPs and Network operators to use this additional time period to be certain that their systems are ready for the Key Rollover.
| 27
Who Will Be Impacted?
• DNS Software Developers & Distributors
• System Integrators
• Network Operators
• Root Server Operators
• Internet Service Providers
• End Users (if no action taken by resolver operators)
| 28
Why You Need to Prepare
If you have enabled DNSSEC validation, you must update your systems with the new KSK to help ensure trouble-free Internet access for users
~ Currently, 25 percent of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover
~ If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet
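The two failure modes this deck describes, a forged answer racing the genuine one (slides 16 to 19) and a validating resolver that still holds the old root KSK after the roll (this slide), can be walked through in code. The block below is an added example written for this transcript; it is not ICANN's software and does not come from the deck. It models a validating resolver that checks each link of the chain of trust (configured root key, DS record in the root zone, gy zone key, RRSIG over the A record) before caching an answer, using the names and addresses from the slides. Assumptions not on the page: the signature scheme is a toy Schnorr construction modulo the Mersenne prime 2^127 - 1, chosen only so the example runs offline with the standard library and standing in for the RSA/ECDSA algorithms real DNSSEC uses; the seeds `root-ksk-2010`, `root-ksk-new`, `gy-zone-key` and `attacker` are constructed values; and the hierarchy is flattened to root delegating directly to gy, skipping the majorbank.gy level shown on slide 14.

```python
"""Toy DNSSEC-validating resolver.  Constructed example for this deck, not ICANN's code.

The signature scheme is a textbook Schnorr signature in the multiplicative group
modulo the Mersenne prime 2**127 - 1.  It is a stand-in for the RSA/ECDSA algorithms
real DNSSEC uses and has no real security; it exists so the chain of trust can be
exercised offline with the standard library only."""
import hashlib

P = 2**127 - 1       # Mersenne prime (constructed toy modulus, not a DNSSEC parameter)
N = P - 1            # group order: exponent arithmetic is done modulo N
G = 3                # toy generator


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def _b(n: int) -> bytes:
    return n.to_bytes(16, "big")          # every value below is < 2**127


def keypair(seed: bytes) -> tuple[int, int]:
    """Derive a (private, public) pair from a seed so runs are reproducible."""
    x = _h(b"key", seed) % (N - 1) + 1
    return x, pow(G, x, P)


def sign(priv: int, msg: bytes) -> tuple[int, int]:
    k = _h(b"nonce", _b(priv), msg) % (N - 1) + 1        # deterministic nonce
    r = pow(G, k, P)
    e = _h(b"sig", _b(r), msg) % N
    return e, (k - priv * e) % N


def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    e, s = sig
    if not (0 <= e < N and 0 <= s < N):
        return False
    r = pow(G, s, P) * pow(pub, e, P) % P               # equals g^k only for a genuine sig
    return _h(b"sig", _b(r), msg) % N == e


# ---- two-level hierarchy: root trust anchor -> DS -> gy zone key -> A records ----
def ds_digest(pub: int) -> bytes:
    """DS record: the parent publishes a hash of the child zone's key."""
    return hashlib.sha256(_b(pub)).digest()


def signed_a_record(zone_priv: int, name: str, address: str) -> dict:
    """An A record plus its RRSIG, as the zone operator publishes it."""
    return {"name": name, "address": address,
            "rrsig": sign(zone_priv, f"A|{name}|{address}".encode())}


def build_hierarchy(root_seed: bytes):
    """Return (root public key, root zone, gy zone, gy private key) for a given root KSK."""
    root_priv, root_pub = keypair(root_seed)
    gy_priv, gy_pub = keypair(b"gy-zone-key")           # constructed seed
    ds = ds_digest(gy_pub)
    root_zone = {"ds": ds, "ds_sig": sign(root_priv, b"DS|gy|" + ds)}
    return root_pub, root_zone, {"dnskey": gy_pub}, gy_priv


class ValidatingResolver:
    """Caches an answer only after every link in the chain of trust checks out."""

    def __init__(self, trust_anchor: int):
        self.trust_anchor = trust_anchor   # the root KSK the operator configured
        self.cache = {}                    # name -> address, validated records only

    def accept(self, record: dict, root_zone: dict, zone: dict) -> bool:
        # 1. The trust anchor must have signed the DS that names the gy zone key.
        if not verify(self.trust_anchor, b"DS|gy|" + root_zone["ds"], root_zone["ds_sig"]):
            return False                   # stale or wrong anchor: SERVFAIL
        # 2. The DS digest must match the DNSKEY the zone actually served.
        if ds_digest(zone["dnskey"]) != root_zone["ds"]:
            return False                   # substituted zone key: drop it
        # 3. The RRSIG over the A record must verify under that zone key.
        msg = f"A|{record['name']}|{record['address']}".encode()
        if not verify(zone["dnskey"], msg, record["rrsig"]):
            return False                   # forged answer: drop it
        self.cache[record["name"]] = record["address"]
        return True


def scenario_cache_poisoning():
    """Slides 16-19: forged answers arrive first; only the validated one is cached."""
    root_pub, root_zone, gy_zone, gy_priv = build_hierarchy(b"root-ksk-2010")
    resolver = ValidatingResolver(root_pub)
    atk_priv, atk_pub = keypair(b"attacker")            # attacker lacks gy's private key
    forged = signed_a_record(atk_priv, "www.majorbank.gy", "5.6.7.8")
    bad_sig = resolver.accept(forged, root_zone, gy_zone)                # False: RRSIG fails
    bad_key = resolver.accept(forged, root_zone, {"dnskey": atk_pub})    # False: DS mismatch
    genuine = signed_a_record(gy_priv, "www.majorbank.gy", "1.2.3.4")
    good = resolver.accept(genuine, root_zone, gy_zone)                  # True: cached
    return bad_sig, bad_key, good, resolver.cache.get("www.majorbank.gy")


def scenario_stale_trust_anchor():
    """Slide 28: the root KSK has rolled but the resolver still holds the old key."""
    old_root_pub = build_hierarchy(b"root-ksk-2010")[0]
    _, root_zone, gy_zone, gy_priv = build_hierarchy(b"root-ksk-new")
    resolver = ValidatingResolver(old_root_pub)         # new KSK was never installed
    record = signed_a_record(gy_priv, "www.majorbank.gy", "1.2.3.4")
    return resolver.accept(record, root_zone, gy_zone)  # False: every lookup now fails
```

`scenario_cache_poisoning()` shows the attacker's answer failing at the RRSIG check, and failing again at the DS check when the attacker also substitutes a zone key, while the genuine 1.2.3.4 answer is the only thing that reaches the cache. `scenario_stale_trust_anchor()` shows the rollover symptom from the operator's side: the zone data is perfectly valid, but a resolver anchored on the superseded KSK cannot validate any of it, which is why the slide says users of such resolvers would be unable to access the Internet.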
| 29
What Do Operators Need to Do?
• Be aware whether DNSSEC is enabled in your servers
• Be aware of how trust is evaluated in your operations
• Test/verify your setups
• Inspect configuration files: are they (also) up to date?
• If DNSSEC validation is enabled or planned in your system
  o Have a plan for participating in the KSK rollover
  o Know the dates, know the symptoms, solutions
| 30
Check to See If Your Systems Are Ready
ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly.
Check to make sure your systems are ready by visiting:
go.icann.org/KSKtest
| 31
For More Information
1. Visit https://icann.org/kskroll
2. Join the conversation online
  o Use the hashtag #KeyRoll
  o Sign up to the mailing list: https://mm.icann.org/listinfo/ksk-rollover
3. Ask a question to [email protected] (Subject line: “KSK Rollover”)
4. Attend an event
  o Visit https://features.icann.org/calendar to find upcoming KSK rollover presentations in your region
| 32
ICANN & Internet Security (DNS) Security
11th October 2017, Internet Week Guyana
Albert [email protected]