The ISP`s Role in Improving Internet Security
Download
Report
Transcript The ISP`s Role in Improving Internet Security
The ISP’s Role in Improving
Internet Security
Exploring the value and
incentives for Internet Service
Providers implementing
security mechanisms on their
residential networks.
The Internet MATTERS
To state the obvious:
We are increasingly reliant on “Internet
Assets”, which are online infrastructure that
supports services essential to our economy
or government related services.
What are we defending?
Because they do not hold critical data or provide an
essential services, the security of computers on
residential networks is often ignored in favor of
focusing on defending high-profile Internet Assets.
However, the highly interconnected nature of the
Internet means all connected machines have an
non-trivial degree of interdependence.
Why do residential networks matter? (1)
Base of Worm/Virus Propagation:
Actively propagating worms and viruses generate loads of
traffic, overloading critical networks and servers and
sometimes causing large-scale Internet instability.
Computers on high-speed residential networks contribute
significantly to critical mass needed for these attacks to
spread.
Distributed Denial of Service (DDOS) Attacks:
High bandwidth DSL or Cable connections give DDOS
attacks from many residential computers the ability to deny
world-wide availability of Internet assets. The wide-spread
nature of these sources make the attack extremely difficult
to deflect.
Why do residential networks matter? (2)
“Noise” of Scanning and Attacks:
Researchers have detected that a significant portion of all
Internet traffic is malicious attacks or scans caused either by
active attackers or scanning worms from personal
computers. This “noise” makes detecting real intrusions
significantly more difficult.
Residential “Stepping Stones” for Intrusions:
Compromised and hijacked residential computers allow
malicious users to scan and launch attacks without fear of
revealing their identity. Even if an attack is traced to a host,
no real attribution or prosecution is possible.
The Problem?
“The average user is not, does not want to be, and
should not need to be a computer security expert
any more than an airplane passenger wants to or
should need to be an expert in aerodynamics or
piloting. This very lack of sophisticated end users
renders our society at risk to a threat that is
becoming more prevalent and more sophisticated”.
- Dan Geer, et al *
*CyberInsecurity: The Cost of Monopoly
Why are we looking at ISPs?
The current model of individual users being
responsible for their own computer security in a
“fend for yourself” environment has left the Internet
in a precarious state.
Its time to explore new possibilities. As the “gatekeepers” of the Internet, ISP’s are positioned to
potentially play a significant role in securing the
Internet.
What is the goal?
Explore how the incentives of service providers
impact what security mechanisms are implemented.
In the end we want be able to answer:
For security mechanism X, what are the incentives of
Internet service providers?
How to do this?
With a myriad of potential security
enhancements, we need a structured
approach to thinking about them.
This framework needs to get at the key
factors that impact how service providers
view the security enhancements.
ISP Security “Actors”
Asks the
question:
ISP
Network
Traffic
Consumer
End-Host
Actors
Who implements
the security
mechanism?
Inter-Organizational
Security Mechanisms:
Consumer End-Host
These are security mechanisms that are provided to
and operated by individual end-users on their
personal computers.
They often represent common “good care”
mechanisms already used by security savvy users or
mandated by corporate IT staffs. These mechanisms
leverage the ISP’s role as trusted source of network
security knowledge and software for the consumer.
Example: Personal Firewall Software
Security Mechanisms:
ISP Network Traffic
Security mechanisms that monitor record and
potentially alter the rate/type/content of Internet
traffic sent to and from end-hosts on the network.
These mechanisms are often more powerful than
end-host mechanisms and are operated by the ISP
behind the scenes. These leverage the ISP’s role as
the gatekeeper of all Internet traffic to and from
customers
Example: Blocking traffic on incoming ports known to
be malicious.
Security Mechanisms:
Inter-Organizational
Other security mechanisms are not contained within
a single ISP network, but instead focus on how ISPs
interact with each other or other organizations such
as law enforcement.
These mechanism leverage the common need of the
ISP community as a whole to improve the security of
their networks.
Example: Coordination to shutdown DDOS attacks
originating in another ISP.
Is this enough?
Knowing who is implementing a security
mechanism is a helpful tool in identifying
incentives, but is it enough?
No. Since we are considering mechanisms
that impact overall Internet security, we
cannot look at ISP security enhancements as
a monolithic group.
ISP Security “Methods”
Asks the question:
Protect
Customers
From Attacks
Detect and Stop
Malicious Outgoing
Attacks
Methods
What is the goal of this
security mechanism?
This is independent
of the actors involved.
Improve Network
Transparency
Security Mechanisms:
Protecting Customers from Attacks
Attempts by ISPs to recognize and drop threatening
incoming traffic or block common avenues of attack
for hackers, viruses and worms in order to decrease
the likelihood of an computer on their networks being
successfully compromised.
This “customer protection” is the most common
notion of ISP based security.
Example: Intrusion Detection Software to recognize
and block incoming attacks.
Security Mechanisms:
Blocking Outgoing Attacks
Includes mechanisms to detect computers on the
ISP network that are sending traffic deemed to be
“attacks” either as a result of a malicious user or
because the hosts have been compromised by a
hacker or worm. Once detected this behavior is
either stopped, blocked, or throttled.
Example: Scanning network for likely compromised
hosts and blocking all out-bound traffic from these
hosts until the computers have been cleaned.
Security Mechanisms:
Improving Network-Use Transparency
Improving the transparency of the network to help service
providers monitor, trace and record traffic with greater
ease and accuracy. This will allow easier recognition of
attacks, and increase the chances that an attack can be
traced close to its source, and potentially an individual for
prosecution.
Example: ISPs keep “call records” of IP to IP mapping
each computer a customer has sent/received traffic
to/from, with information describing the type and quantity
of traffic.
Developing a Structure to Analyze ISP
Incentives
We now have two different means of
classifying ISP security mechanisms, the
“Actor” and “Method” schemes.
We want to develop a framework that will
give us a useful tool to cluster security
mechanisms into common groups and use
this to analyze how incentives apply to ISPs
without having to look at each security
enhancement individually.
The Cluster Framework
using a 3x3 Matrix
Method
A
c
t
o
r
The Actor and Method schemes are
independent.
As a result, a 3 x 3 matrix can be used to
combine them into a single system for
grouping and analyzing potential security
enhancements.
This matrix allows us to place each security
mechanism into a CLUSTER with similar
enhancements
The Two Frameworks Together
Customer
End-Host
ISP
Network
Traffic
InterOrganizati
onal
Protect
Computers
and Data
Block malicious
outgoing traffic
Improve
transparency
Personal
Firewall
Software
Detecting infected
end-hosts
Secure login to
ISP account to
prevent account
theft
ISP Network
Intrusion
Detection
Detecting and
throttling/blocking
Worm/Virus
Propagation
IP source address
validation
Information
sharing to
block new
viruses/worms
Block outgoing
traffic deemed
dangerous by
other ISPs.
ISP coordination
on an IP traceback strategy.
Each cluster
contains an
example of a
potential
security
enhancement
which falls
within this
category
Understand ISP Incentives
The task from here:
We will explore the positive and negative incentives
ISPs have relating to security mechanisms and
outline which “clusters” these incentives apply to.
In the end, we will be able to take a security
mechanism, identify its cluster, and then use our
exploration of the incentives to find what
considerations impact the ISP when deciding
whether to implement this enhancement.
Assigning Incentives to Clusters
Transparency
Block
Outgoing
Traffic
Protect
Customers
For example: An ISP may have an
incentive to increase revenue by
charging for security services.
Logically, the main security
enhancements that can be charge for
are in the “Customer end-host” &
“protect Customer” cluster, since these
changes are more visible to and
provide extra value to the customer.
End-host
Network
Traffic
InterOrgan.
This corresponds to the upper-left corner cluster on the matrix. For each
discussed incentive, we visually highlight the clusters that apply. Negative
incentives are in red, positive incentives in green.
Negative Incentives of ISPs
Since few of the discussed security
mechanisms are implemented on a
widespread scale, we begin by outlining the
negative incentives which have given us
today’s ISP security environment.
Negative incentives are forces causing
service providers to be less likely to
implement a given security enhancement
Negative Incentive:
Employee Time
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Being a business, ISPs
want to minimize the
number of employees it
needs for operation.
The two main employee
areas to consider for this
work are network
operations staff and
customer service staff.
Negative Incentive:
Infrastructure Costs
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Some network traffic
security enhancements will
require replacing or
improving the ISP's current
infrastructure. Some
changes may simple require
additional capacity for
current infrastructure, but
many security improvements
are themselves new pieces
of the network hardware
sold by network security
companies.
Negative Incentive:
Software Licensing/Development Costs
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
End-host or network based
protection schemes may
require that ISPs either
develop or license
commercial software for
each customer, leading to
significant expenses. This
is particularly difficult for
small providers.
Negative Incentive:
Disrupting Legitimate Customer Use
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Since network traffic or
behavior is difficult to
classify as “strictly
malicious” well meaning
security mechanisms may
well have unintended
consequences that
prohibit a form of
legitimate network use by
a customer.
Negative Incentive:
Carrier-only Responsibility
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Some operators fear that
providing security for
customers may create
implied liability.
Protect
Customers
Currently ISPs are not
liable either in the case that
a computer on their
network is compromised or
an attack originates from
their network.
Negative Incentive:
Increased Network Complexity
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Network complexity is
the enemy of network
reliability, which is a top
priority for operators.
Security features can
add complexity, leading
to increased network
problems.
Negative Incentive:
Consumer Complexity
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
A major selling point for
Internet service is the
simplicity with which it
operates. Security
mechanisms often require
additional work on behalf of
the user, increasing
complexity.
Negative Incentive:
Consumer Privacy
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Many of the mechanisms
described here require a
degree of monitoring and
record-keeping related to an
individual’s computer and
Internet traffic. Users may
object to these techniques
on privacy grounds.
Negative Incentive:
Global Instead of Local Benefit
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
Many enhancements that
improve overall Internet
security provide little actual
value to the ISP
implementing the change. It
is bad business to invest
money and resources for
changes that help your
competition more than they
help you.
Positive Incentives of ISPs
The following section will outline the positive
incentives of ISPs. These are forces causing
service providers to be more likely to
implement a given security enhancement
Positive Incentive:
General Customer Satisfaction
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
While ISPs are not
required to protect
customer machines, the
safety of an end-users
computer may impact
their overall satisfaction
with the ISP, decreasing
time spent with customer
service, and improving
customer retention.
Positive Incentive:
Network Utilization
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
This traffic uses up the finite
amount of bandwidth and ISP has
(or alternatively, is charged for),
decreasing their overall quality of
service or increasing bandwidth
costs.
Protect
Customers
Compromised hosts and incoming
scans/attacks often generate
massive amounts of traffic as a
result of scanning or denial-ofservice (DOS) attacks.
Positive Incentive:
Improved Network Monitoring Ability
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
The sheer volume and
noise associated with
malicious traffic
(incoming and outgoing)
make it difficult for ISPs
to effectively monitor and
control their network.
Positive Incentive:
Legal Requirements
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
While current legal
requirements are limited
sharing customer information
and network access to law
enforcement, the possibility
exists that they could be
required at any cluster in the
matrix.
Positive Incentive:
Service Differentiation / Revenue Sources
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
If security enhancements are
protective and relatively
simple to understand, adding
these mechanisms can be
sold to customers for an
increased monthly fee, or
used to provide a higher
perceived quality of service
than other ISPs
Positive Incentive:
Improving Network clean-up / outages
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
A bad worm/virus outbreak
can lead to service
degradation and large
clean-up costs. Thus,
certain types of
prevention/monitoring may
be valuable to the ISP to
reduce later costs.
Positive Incentive:
Concerns about Image in ISP community
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
Protect
Customers
ISPs that pay no attention to
network security and as a result
host many machines used to
launch attacks draw widespread
criticism from more
conscientious portions of the
ISP community. This is
especially true for large tier 1
providers who often top “worst
offender” lists of ISPs.
Hypothetical – Worm Port Blocking
Let’s say a new worm begins to spread on
TCP port 445. Because we are consider with
overall Internet security, we would like ISP X
to block outgoing traffic on this port to slow
the spread of the worm. What are the
incentives of the ISP in this case?
Hypothetical – Worm Port Blocking
Network
Traffic
InterOrgan.
Transparency
End-host
Block
Outgoing
Traffic
We can look at our incentive
analysis and see which factors
will potentially influence the
ISP’s decision
Protect
Customers
This security mechanism falls
in the “ISP Network Traffic”
and “Block outgoing attacks”
cluster of our framework.
Hypothetical – Worm Port Blocking
-
Examine each potential negative incentive in
this cluster, find those that directly apply:
Employee Time *
Infrastructure Costs
Disruption of Legitimate Use *
Network Complexity *
Consumer Privacy
Hypothetical – Worm Port Blocking
-
Examine each potential positive incentive in
this cluster, find those that directly apply:
Improve network monitoring abilities *
Decrease Network Load *
Concerns about image in ISP community *
Importantly, What’s not here?
Benefit for customers
Final Observation:
ISP Security Incentive Inversion
ISPs have begun implementing more of the security mechanisms
in the “Protect Customers From Attacks” category of the Method
scheme, however, this is the category that has the LEAST overall
impact at protecting key Internet Assets.
Furthermore, ISPs have little incentive to detect and block outgoing
attacks or improve transparency as to help law enforcement to
catch and prosecute Internet criminals. These are the categories
with the greatest potential to help overall Internet security.
Recognizing this “incentive inversion” is central to understanding
the issues surrounding ISP based security mechanisms.
Observations… most of the activity has been in the “protect customers and
data” section, naturally. Note, this is the category with the least value for the
Internet as a whole (the impact is indirect for the real Internet Assets).
Much less of a reason to block outgoing attacks, though this is highly desirable
since attacks are thwarted much more easily near the source.
End-user solutions are inherently weak: Run by users who may not configure
them correctly. Difficult to detect malicious behavior because they can be
circumvented. Finally, the protect stuff that we don’t REALLY care about.
Potential on collaboration to develop + train on ISP security tools is great,
collaboration so far has been minimal. This is especially important for smaller
ISPs.
Fundamental collective action problem stops solid potential enhancements.
Either make it in their best interest, or require it across the board