Experts say White House protocol upgrade advice is serious

Cost and red tape get in the way

ComputerWire: IT Industry Intelligence

Internet infrastructure experts yesterday lent their support to White House adviser Richard Clarke's recommendations that companies should make securing ubiquitous internet protocols a priority, but said cost and red tape are slowing down deployment, writes Kevin Murphy.

According to these experts, vulnerabilities in these protocols mean it could just be a question of when they are exploited in an attack, not if. And the target would not be a single wired entity, but the entire internet, or large portions of it.

In his draft report "National Strategy to Secure Cyberspace", Bush-appointed adviser Clarke wrote: "A public-private partnership should refine and accelerate the adoption of improved security" for IP, BGP and DNS, arguably the most important internet protocols.

The language of the recommendation, numbered 1 in the National Priorities section of the report, sounds somewhat vague, but compared to the rest of the report, which often couches recommendations with "suggest" and "consider", it's fairly urgent language.

When Clarke recommends Federal funds should be set aside for research and development of internet and software security, he again names BGP (border gateway protocol) and DNS (domain name system) as priorities.

Mike Lloyd, CTO of BGP routing software specialist RouteScience Inc, told ComputerWire: "The internet is a network of trust, so if someone introduces malicious data somewhere it can replicate from one autonomous system to another."

"If you attack BGP you attack the entire internet, but nobody has done it yet because nobody has had the motivation," Lloyd said. "The root problem is that BGP is how people announce to the world where they are. I can announce to the world I'm you, and all your traffic would come to me."

BGP handles which way to route data when two networks interconnect. Currently, the only thing stopping bad routes from being propagated around the internet is the best-practice policies of the ISPs, which manually verify the IP space a customer is permitted to use before allowing that customer to announce BGP routes to their routers.
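The customer-facing filter described above, written out as an added example that is not from the article or from any vendor it names: an origin check modelled on the permitted-IP-space lists ISPs keep, extended with a maximum prefix length so that a more-specific announcement of someone else's space is rejected as well. The Authorization and Announcement records, prefixes and AS numbers are all constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Authorization:
    # Constructed record: which origin AS may announce a prefix, and how
    # far it may be split into more-specific prefixes (ROA-style max length).
    prefix: str
    max_length: int
    origin_as: int

@dataclass(frozen=True)
class Announcement:
    prefix: str      # the prefix carried in the BGP UPDATE
    origin_as: int   # the AS claiming to originate it

def validate(ann, auths):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    # Only authorizations whose prefix covers the announced one matter.
    covering = [a for a in auths
                if ipaddress.ip_network(a.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(a.prefix))]
    if not covering:
        return "unknown"          # nobody has registered this space
    for a in covering:
        if a.origin_as == ann.origin_as and net.prefixlen <= a.max_length:
            return "valid"
    # Registered space, but the wrong origin AS or a more-specific prefix
    # than permitted: the "I announce to the world I'm you" case.
    return "invalid"

def audit(anns, auths):
    """Announcements a strict ingress filter (permitted space only) rejects."""
    return [(a.prefix, a.origin_as) for a in anns if validate(a, auths) != "valid"]

# Constructed sample data using documentation prefixes and private ASNs.
AUTHS = [Authorization("198.51.100.0/24", 24, 64500),
         Authorization("203.0.113.0/24", 26, 64501)]
ANNS = [Announcement("198.51.100.0/24", 64500),  # legitimate owner
        Announcement("198.51.100.0/24", 64511),  # another AS claims the space
        Announcement("203.0.113.0/25", 64501),   # permitted split (25 <= 26)
        Announcement("203.0.113.0/27", 64501),   # too specific, even for the owner
        Announcement("192.0.2.0/24", 64500)]     # prefix nobody registered

if __name__ == "__main__":
    for a in ANNS:
        print(a.prefix, a.origin_as, validate(a, AUTHS))
```

Real deployments publish these authorizations through a signed registry rather than a hand-kept list; the decision logic is the same.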

Regardless, bad BGP data has been introduced accidentally at least twice in the last few years, causing major problems, Ken Silva, head of networks and security at VeriSign Inc, told ComputerWire. While brief, these incidents caused major portions of the network to become inaccessible, while others were flooded with traffic.

"It's not easy to do, but it's not impossible," said Silva. Fortunately, you can't just download a tool from a warez site and start messing with international routing tables. You would probably need to be in control (by fair means or foul) of a network of some significance, requiring autonomous system designation by the appropriate body.

Secure BGP (S-BGP), designed by BBN Technologies, is at the Internet Draft stage in the Internet Engineering Task Force. S-BGP would mandate the use of IPSec and a public key infrastructure so that BGP announcements are digitally signed, letting a router that receives a BGP update verify that it came from a trusted source.

"S-BGP is being used, but it could be used more extensively," said RouteScience's Lloyd. "We need to look at how reliable our PKI infrastructure is if we make our entire routing system reliant on it. But today PKI is in a lot better shape than the routing infrastructure."

An additional concern in the Clarke document is DNS, the method by which internet domain names are converted into IP addresses. DNS is used by virtually every network-enabled application, but is inherently insecure because applications doing DNS lookups have no way of knowing whether the reply came from the authoritative server for the domain in question.

Again, a standard way of securing DNS, called DNSSec, has been developed within the IETF, but it has yet to be widely deployed. Like S-BGP, DNSSec calls for some method of digitally signing a DNS message to show the requesting application that the reply is authoritative and has not been tampered with.

The specification is undergoing some work aimed at making it simpler and cheaper to upgrade name servers to support it, according to Paul Mockapetris, who is chief scientist of Nominum Inc (which develops DNS security software) and credited as the creator of the DNS spec.

"Right now we can deploy DNSSec, it would just be very expensive," said Mockapetris, estimating large namespaces would require two to five times the memory footprint on their servers just to upgrade. "I suspect the day a big DNS exploit is used [in an attack], that's the day people will say 'this is cheap enough.'"

© ComputerWire
