Feeds

Experts say White House protocol upgrade advice is serious

Cost and red tape get in the way

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

ComputerWire: IT Industry Intelligence

Internet infrastructure experts yesterday lent their support to White House adviser Richard Clarke's recommendations that companies should make securing ubiquitous internet protocols a priority, but said cost and red tape is slowing down deployment,

writes Kevin Murphy

.

According to these experts, vulnerabilities in these protocols mean it could just be a question of when they are exploited in an attack, not if. And the target would not be a sole wired entity, but the entire internet, or large portions of it.

In his draft report "National Strategy to Secure Cyberspace", Bush-appointed adviser Clarke wrote: "A public-private partnership should refine and accelerate the adoption of improved security" for IP, BGP and DNS, arguably the most important internet protocols.

The language of the recommendation, numbered 1 in the National Priorities section of the report, sounds somewhat vague, but compared to the rest of the report, which often couches recommendations with "suggest" and "consider", it's fairly urgent language.

When Clarke recommends Federal funds should be set aside for research and development of internet and software security, he again names BGP (border gateway protocol) and DNS (domain name system) as priorities.

Mike Lloyd, CTO of BGP routing software specialist RouteScience Inc, told ComputerWire: "The internet is a network of trust, so if someone introduces malicious data somewhere it can replicate from one autonomous system to another."

"If you attack BGP you attack the entire internet, but nobody has done it yet because nobody has had the motivation," Lloyd said. "The root problem is that BGP is how people announce to the world where they are. I can announce to the world I'm you, and all your traffic would come to me."

BGP handles which way to route data when two networks interconnect. Currently, the only thing stopping bad routes being propagated around the internet is the best practices policies of the ISPs, which do manual authentication of permitted IP space before allowing their customers to announce BGP routes to their routers.

Regardless, bad BGP data has been introduced accidentally at least twice in the last few years, causing major problems, Ken Silva, head of networks and security at VeriSign Inc, told ComputerWire. While brief, these incidents caused major portions of the network to become inaccessible, while others were flooded with traffic.

"It's not easy to do, but it's not impossible," said Silva. Fortunately, you can't just download a tool from a warez site and start messing with international routing tables. You would probably need to be in control (by fair means or foul) of a network of some significance, requiring autonomous system designation by the appropriate body.

Secure-BGP (S-BGP) is at the Internet Draft stage in the Internet Engineering Task Force, designed by BBN Technologies. S-BGP would mandate the use of IPSec and public key infrastructure to have BGP announcements digitally signed, so that routers know when they receive a BGP update that it came from a trusted source.

"S-BGP is being used, but it could be used more extensively," said RouteScience's Lloyd. "We need to look at how reliable our PKI infrastructure is if we make our entire routing system reliant on it. But today PKI is in a lot better shape than the routing infrastructure."

An additional concern in the Clarke document is DNS, the method by which internet domain names are converted into IP addresses. DNS is used by virtually every network-enabled application, but is inherently insecure as applications doing DNS lookups have no way of knowing the reply came from the authoritative server for the correct domain.

Again, a standard way of securing DNS, called DNSSec, has been developed within the IETF, but it has yet to be widely deployed. Like S-BGP, DNSSec calls for some method of digitally signing a DNS message to show the requesting application that the reply is authoritative and has not been tampered with.

The specification is undergoing some work aimed at making it simpler and cheaper to upgrade name servers to support it, according to Paul Mockapetris, who is chief scientist of Nominum Inc (which develops DNS security software) and credited as the creator of the DNS spec.

"Right now we can deploy DNSSec, it would just be very expensive," said Mockapetris, estimating large namespaces would require two to five times the memory footprint on their servers just to upgrade. "I suspect the day a big DNS exploit is used [in an attack], that's the day people will say 'this is cheap enough.'"

© ComputerWire

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.