Feeds

Experts say White House protocol upgrade advice is serious

Cost and red tape get in the way

  • alert
  • submit to reddit

High performance access to file storage

ComputerWire: IT Industry Intelligence

Internet infrastructure experts yesterday lent their support to White House adviser Richard Clarke's recommendations that companies should make securing ubiquitous internet protocols a priority, but said cost and red tape is slowing down deployment,

writes Kevin Murphy

.

According to these experts, vulnerabilities in these protocols mean it could just be a question of when they are exploited in an attack, not if. And the target would not be a sole wired entity, but the entire internet, or large portions of it.

In his draft report "National Strategy to Secure Cyberspace", Bush-appointed adviser Clarke wrote: "A public-private partnership should refine and accelerate the adoption of improved security" for IP, BGP and DNS, arguably the most important internet protocols.

The language of the recommendation, numbered 1 in the National Priorities section of the report, sounds somewhat vague, but compared to the rest of the report, which often couches recommendations with "suggest" and "consider", it's fairly urgent language.

When Clarke recommends Federal funds should be set aside for research and development of internet and software security, he again names BGP (border gateway protocol) and DNS (domain name system) as priorities.

Mike Lloyd, CTO of BGP routing software specialist RouteScience Inc, told ComputerWire: "The internet is a network of trust, so if someone introduces malicious data somewhere it can replicate from one autonomous system to another."

"If you attack BGP you attack the entire internet, but nobody has done it yet because nobody has had the motivation," Lloyd said. "The root problem is that BGP is how people announce to the world where they are. I can announce to the world I'm you, and all your traffic would come to me."

BGP handles which way to route data when two networks interconnect. Currently, the only thing stopping bad routes being propagated around the internet is the best practices policies of the ISPs, which do manual authentication of permitted IP space before allowing their customers to announce BGP routes to their routers.

Regardless, bad BGP data has been introduced accidentally at least twice in the last few years, causing major problems, Ken Silva, head of networks and security at VeriSign Inc, told ComputerWire. While brief, these incidents caused major portions of the network to become inaccessible, while others were flooded with traffic.

"It's not easy to do, but it's not impossible," said Silva. Fortunately, you can't just download a tool from a warez site and start messing with international routing tables. You would probably need to be in control (by fair means or foul) of a network of some significance, requiring autonomous system designation by the appropriate body.

Secure-BGP (S-BGP) is at the Internet Draft stage in the Internet Engineering Task Force, designed by BBN Technologies. S-BGP would mandate the use of IPSec and public key infrastructure to have BGP announcements digitally signed, so that routers know when they receive a BGP update that it came from a trusted source.

"S-BGP is being used, but it could be used more extensively," said RouteScience's Lloyd. "We need to look at how reliable our PKI infrastructure is if we make our entire routing system reliant on it. But today PKI is in a lot better shape than the routing infrastructure."

An additional concern in the Clarke document is DNS, the method by which internet domain names are converted into IP addresses. DNS is used by virtually every network-enabled application, but is inherently insecure as applications doing DNS lookups have no way of knowing the reply came from the authoritative server for the correct domain.

Again, a standard way of securing DNS, called DNSSec, has been developed within the IETF, but it has yet to be widely deployed. Like S-BGP, DNSSec calls for some method of digitally signing a DNS message to show the requesting application that the reply is authoritative and has not been tampered with.

The specification is undergoing some work aimed at making it simpler and cheaper to upgrade name servers to support it, according to Paul Mockapetris, who is chief scientist of Nominum Inc (which develops DNS security software) and credited as the creator of the DNS spec.

"Right now we can deploy DNSSec, it would just be very expensive," said Mockapetris, estimating large namespaces would require two to five times the memory footprint on their servers just to upgrade. "I suspect the day a big DNS exploit is used [in an attack], that's the day people will say 'this is cheap enough.'"

© ComputerWire

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.