Next-Generation Secure Internet:
Security Overview and Context
Adrian Perrig
in collaboration with Steven Bellovin,
David Clark, Dawn Song
1
Everybody Understands Need for NGSI
Webby award
• Annual award for achievement in Web creation
• Recipients get five words only for their acceptance speech
• Vint Cerf: “We all invented the Internet”
Al Gore received Webby award this year
• Responsible for spearheading critical legislation and
providing much-needed political support
• Speech: “Please don’t recount this vote”
• “It is time to reinvent the Internet for all of us to make
it more robust and much more accessible and use it to
reinvigorate our democracy”
2
Background
Internet designed for trustworthy environments
• Goal was to provide efficiency, scalability, robustness assuming a benign environment
Fact: Internet protocols vulnerable to attacks, e.g., BGP, DNS, TCP/IP, …
• Hosts are even worse
Today: businesses, government, society rely on Internet
As of January 2005: 317,646,084 hosts (isc.org)
• Not all of them are benign!
3
Attacker/Trust Model
Any network node may be compromised
• Endhosts
– Including network management and operations
machines
• Routers and other network elements
• Different impact when a network infrastructure
element is compromised
Compromised nodes may collude
4
NGSI Security Requirements
A desired outcome of this workshop is to
establish list of desired NGSI security properties
Main security requirement is availability
• Need availability of forwarding service, configuration
and management services, etc., even in face of DDoS
attacks
• Fast recovery/convergence after perturbations
Other security properties can usually be
implemented end-to-end
• Confidentiality (data, topology, identity, …)
• Integrity (data, routing info, forwarding path, …)
5
Networking Functional Planes
Control plane
• Function: route set up and signaling
• Requirement: accuracy, consistency,
convergence
Data plane
• Function: packet forwarding
• Requirement: availability, resilience to control
plane vulnerabilities
Management plane
• Function: configuration and monitoring
• Requirement: availability
6
Security Approaches
Prevention
• Harden protocol itself
• Eliminate attacks at design time
Detection and recovery
• Monitor behavior of participants
• Upon detection of misbehavior: eliminate
malicious nodes, restore functionality
Resilience
• Graceful performance degradation in the
presence of compromised nodes and hosts
Deterrence
• Provide legal disincentives
7
Sample Control Plane Design Points
[prevention] Cryptographic primitives to
prevent routing information falsification
[prevention] Leveraging trusted computing
technology
• Example: help implement secure routing
[detection] Lightweight intrusion detection
[resilience] Various redundancy mechanisms
for survivability
[deterrence] Trace intrusions
8
Sample Data Plane Design Points
[prevention] Infrastructure-enforced flow
regulation
[prevention] Network firewalls / network filter
infrastructure
[detection] Data plane intrusion detection
[resilience] Secure source-controlled routing
[deterrence] Persistent network identity to
assist forensic inquiries
[deterrence] Trace and/or identify data origin
9
Sample Management Plane Design Points
[prevention] Isolated configuration channels
provide resistance to flooding and packet
injection attacks
[detection] Detect password-guessing
attacks on network devices (hopefully we
won’t base authentication on passwords
only!)
[resilience] Tolerate misconfigurations
10
Design Considerations
What design considerations should we
recommend to community?
Sample guidelines
• Minimal trust?
• Small router state?
• Minimal network layer functionality?
• Favoring prevention over detection/recovery over resilience over deterrence?
• Facilities for deterrence, while protecting privacy?
11
Conclusion
For next-generation secure Internet, build
security into every component at every
level
• Redesign protocols with security as a central design requirement
• Utilize comprehensive security approach, leveraging prevention, detection/recovery, resilience, and deterrence
• Consider social aspects: ease-of-use, privacy
12
Workshop Report Format
Workshop goals
• Build community consensus for need of a next-generation secure Internet (NGSI)
• Establish requirements for NGSI
• Explore problem space
• Identify promising research directions
• Recommendations to NSF and community
Structure of each report section on topic X
• Properties NGSI should provide for X
• Challenges and design considerations
• Potential approaches and methods
13