
Experts say White House protocol upgrade advice is serious

Cost and red tape get in the way


ComputerWire: IT Industry Intelligence

Internet infrastructure experts yesterday lent their support to White House adviser Richard Clarke's recommendations that companies should make securing ubiquitous internet protocols a priority, but said cost and red tape are slowing down deployment, writes Kevin Murphy.

According to these experts, vulnerabilities in these protocols mean it could be a question of when they are exploited in an attack, not if. And the target would not be a single networked entity, but the entire internet, or large portions of it.

In his draft report "National Strategy to Secure Cyberspace", Bush-appointed adviser Clarke wrote: "A public-private partnership should refine and accelerate the adoption of improved security" for IP, BGP and DNS, arguably the most important internet protocols.

The language of the recommendation, numbered 1 in the National Priorities section of the report, sounds somewhat vague, but compared to the rest of the report, which often couches recommendations with "suggest" and "consider", it's fairly urgent language.

When Clarke recommends Federal funds should be set aside for research and development of internet and software security, he again names BGP (border gateway protocol) and DNS (domain name system) as priorities.

Mike Lloyd, CTO of BGP routing software specialist RouteScience Inc, told ComputerWire: "The internet is a network of trust, so if someone introduces malicious data somewhere it can replicate from one autonomous system to another."

"If you attack BGP you attack the entire internet, but nobody has done it yet because nobody has had the motivation," Lloyd said. "The root problem is that BGP is how people announce to the world where they are. I can announce to the world I'm you, and all your traffic would come to me."

BGP determines which way data is routed when two networks interconnect. Currently, the only thing stopping bad routes from being propagated around the internet is the best-practice policies of the ISPs, which manually verify the IP address space a customer is permitted to announce before accepting BGP routes from that customer's routers.
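The ingress prefix filter described above, as an added example that is not part of the original article and not any vendor's or ISP's tooling: a Go program that checks each prefix a customer announces against the address space the ISP has verified for that customer, rejecting announcements of someone else's space (the "I can announce I'm you" case), covering aggregates the customer does not hold, and deaggregation beyond a permitted length. The customer blocks, the `MaxLength` field and the prefixes in the sample update are constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Permitted is one entry of a customer's ingress prefix list: an address block
// the customer is authorised to originate, and the longest (most specific)
// prefix length the ISP will accept out of it. The MaxLength idea is an
// assumption of this example, not a description of any particular ISP's tooling.
type Permitted struct {
	Block     netip.Prefix
	MaxLength int
}

// Verdict records whether one announced prefix passed the filter and why.
type Verdict struct {
	Prefix string
	Accept bool
	Reason string
}

// MustPermit builds a Permitted entry, normalising the block so that host bits
// never leak into the comparison.
func MustPermit(cidr string, maxLength int) Permitted {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		panic(err)
	}
	return Permitted{Block: p.Masked(), MaxLength: maxLength}
}

// CheckAnnouncement applies the ingress filter to a single prefix announced by
// the customer whose permitted list is given. Anything outside the list, or
// more specific than the list allows, is rejected before it can be
// re-announced to the rest of the internet.
func CheckAnnouncement(announced string, permitted []Permitted) Verdict {
	p, err := netip.ParsePrefix(announced)
	if err != nil {
		return Verdict{announced, false, "unparseable prefix: " + err.Error()}
	}
	if p != p.Masked() {
		return Verdict{announced, false, "host bits set in announced prefix"}
	}
	for _, allow := range permitted {
		// p lies inside allow.Block only if its network address is covered AND
		// it is at least as long; a shorter covering aggregate is not "inside".
		inside := allow.Block.Contains(p.Addr()) && p.Bits() >= allow.Block.Bits()
		if !inside {
			continue
		}
		if p.Bits() > allow.MaxLength {
			return Verdict{announced, false,
				fmt.Sprintf("more specific than permitted (/%d > /%d)", p.Bits(), allow.MaxLength)}
		}
		return Verdict{announced, true, "within permitted block " + allow.Block.String()}
	}
	return Verdict{announced, false, "not within the customer's permitted address space"}
}

// FilterUpdate runs the check over every prefix in one BGP UPDATE from the
// customer and returns the prefixes that may be accepted plus all verdicts.
func FilterUpdate(announced []string, permitted []Permitted) (accepted []string, verdicts []Verdict) {
	for _, a := range announced {
		v := CheckAnnouncement(a, permitted)
		verdicts = append(verdicts, v)
		if v.Accept {
			accepted = append(accepted, a)
		}
	}
	return accepted, verdicts
}

func main() {
	// Constructed example: the customer is documented as holding 192.0.2.0/24
	// (no deaggregation) and 2001:db8::/32 (announcements down to /48 allowed).
	permitted := []Permitted{
		MustPermit("192.0.2.0/24", 24),
		MustPermit("2001:db8::/32", 48),
	}
	update := []string{
		"192.0.2.0/24",    // the customer's own block
		"192.0.2.0/25",    // deaggregation beyond what is permitted
		"198.51.100.0/24", // someone else's space: the "I'm you" announcement
		"2001:db8:1::/48", // permitted more-specific
		"2001:db8::/29",   // covering aggregate the customer does not hold
		"192.0.2.1/24",    // malformed: host bits set
	}
	_, verdicts := FilterUpdate(update, permitted)
	for _, v := range verdicts {
		fmt.Printf("%-18s accept=%-5t %s\n", v.Prefix, v.Accept, v.Reason)
	}
}
```

The check is deliberately conservative: a prefix is only "inside" a permitted block when its network address is covered and it is at least as long, so a customer announcing a shorter aggregate that happens to contain its own block is refused along with outright foreign space.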

Regardless, bad BGP data has been introduced accidentally at least twice in the last few years, causing major problems, Ken Silva, head of networks and security at VeriSign Inc, told ComputerWire. While brief, these incidents caused major portions of the network to become inaccessible, while others were flooded with traffic.

"It's not easy to do, but it's not impossible," said Silva. Fortunately, you can't just download a tool from a warez site and start messing with international routing tables. You would probably need to be in control (by fair means or foul) of a network of some significance, one that has been assigned an autonomous system number by the appropriate body.

Secure-BGP (S-BGP), designed by BBN Technologies, is at the Internet Draft stage in the Internet Engineering Task Force. S-BGP would mandate the use of IPsec and a public key infrastructure so that BGP announcements are digitally signed, and routers know when they receive a BGP update that it came from a trusted source.

"S-BGP is being used, but it could be used more extensively," said RouteScience's Lloyd. "We need to look at how reliable our PKI infrastructure is if we make our entire routing system reliant on it. But today PKI is in a lot better shape than the routing infrastructure."

An additional concern in the Clarke document is DNS, the method by which internet domain names are converted into IP addresses. DNS is used by virtually every network-enabled application, but it is inherently insecure because applications doing DNS lookups have no way of knowing whether the reply came from the authoritative server for the correct domain.

Again, a standard way of securing DNS, called DNSSEC, has been developed within the IETF, but it has yet to be widely deployed. Like S-BGP, DNSSEC calls for a method of digitally signing DNS messages to show the requesting application that the reply is authoritative and has not been tampered with.
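As an added example (not the article's, and not code from Nominum, BBN or the IETF drafts) of the property that both DNSSEC and S-BGP rely on: a cut-down Go signer and validator in which a zone signs a record set with an Ed25519 key and a resolver accepts an answer only if the signature verifies under the key it already trusts for that zone. The canonical form, the seed-derived keys, and the names and addresses are all constructed for illustration; real DNSSEC uses its own canonical wire form (RFC 4034), RRSIG and DNSKEY records and a chain of trust from the root, none of which this example models. The same sign-and-verify shape, applied to route announcements instead of record sets, is what S-BGP proposes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a cut-down resource record set: owner name, record type and the
// record data. Real DNSSEC canonical form also covers class, TTL, the RRSIG
// fields and exact wire encoding; this keeps only enough to show why a
// signature lets a resolver reject answers that did not come from the zone's
// key holder.
type RRSet struct {
	Name  string
	Type  string
	RData []string
}

// canonical renders the RRset deterministically (lower-cased owner name,
// sorted record data, NUL separators) so signer and verifier hash identical
// bytes even if the records arrive in a different order.
func canonical(rr RRSet) []byte {
	data := append([]string(nil), rr.RData...)
	sort.Strings(data)
	var b strings.Builder
	b.WriteString(strings.ToLower(rr.Name))
	b.WriteByte(0)
	b.WriteString(rr.Type)
	b.WriteByte(0)
	for _, d := range data {
		b.WriteString(d)
		b.WriteByte(0)
	}
	return []byte(b.String())
}

// Zone holds a zone's signing key pair. Its public half plays the role of the
// DNSKEY a validating resolver learns (and verifies up the chain of trust).
type Zone struct {
	priv ed25519.PrivateKey
}

// ZoneFromSeed derives a reproducible key pair from a constructed seed string
// so the example runs identically every time; production keys are generated
// from a CSPRNG, never from a label like this.
func ZoneFromSeed(seed string) *Zone {
	h := sha256.Sum256([]byte(seed))
	return &Zone{priv: ed25519.NewKeyFromSeed(h[:])}
}

// Public returns the zone's public key (the DNSKEY counterpart).
func (z *Zone) Public() ed25519.PublicKey {
	return z.priv.Public().(ed25519.PublicKey)
}

// Sign produces the signature that travels with the RRset, as an RRSIG does.
func (z *Zone) Sign(rr RRSet) []byte {
	return ed25519.Sign(z.priv, canonical(rr))
}

// Validate is the resolver side: accept the answer only if the signature
// verifies under the key the resolver already trusts for that zone.
func Validate(trusted ed25519.PublicKey, rr RRSet, sig []byte) error {
	if len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(trusted, canonical(rr), sig) {
		return errors.New("signature does not verify: answer is forged, altered, or signed by an untrusted key")
	}
	return nil
}

func main() {
	zone := ZoneFromSeed("example.com zone key (constructed)")
	answer := RRSet{Name: "www.example.com.", Type: "A", RData: []string{"192.0.2.10"}}
	sig := zone.Sign(answer)
	fmt.Println("genuine answer:", Validate(zone.Public(), answer, sig))

	// An answer whose data was swapped after signing no longer verifies.
	altered := RRSet{Name: "www.example.com.", Type: "A", RData: []string{"203.0.113.66"}}
	fmt.Println("altered answer:", Validate(zone.Public(), altered, sig))

	// An answer signed by a key the resolver does not trust is rejected too,
	// which is exactly the property a plain, unsigned DNS reply lacks.
	other := ZoneFromSeed("some other key (constructed)")
	fmt.Println("untrusted signer:", Validate(zone.Public(), altered, other.Sign(altered)))
}
```

The validator never asks where the packet came from; it asks only whether the bytes verify under a key it trusts, which is why a spoofed reply that arrives first, or a reply rewritten in transit, is rejected without any reliance on the network path.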

The specification is undergoing work aimed at making it simpler and cheaper to upgrade name servers to support it, according to Paul Mockapetris, chief scientist of Nominum Inc (which develops DNS security software) and credited as the creator of the DNS specification.

"Right now we can deploy DNSSEC, it would just be very expensive," said Mockapetris, estimating large namespaces would require two to five times the memory footprint on their servers just to upgrade. "I suspect the day a big DNS exploit is used [in an attack], that's the day people will say 'this is cheap enough.'"

© ComputerWire
