Security & Privacy A Global Issue
Current Situation
Today’s security challenges are unprecedented
• 9/11
• Increase in viruses from 1 (1989) to 60,000 (2002)
• Today’s viruses are more powerful, sophisticated, and pervasive:
 - Code Red infected over 250,000 systems in just 9 hours
 - SQL Slammer infected 75,000 systems within 29 minutes
Known Viruses (chart). Source: McAfee
Global Electronic Attack
Incidence of severe (critical, malicious, focused) electronic attacks by organization type between January 1st 2002 and June 30th 2002 (%):
• Health: 9
• Other: 12
• E-Commerce: 13
• Media: 17
• Manufacturing: 19
• Business: 21
• High Tech: 27
• Government & Non-Profit: 31
• Finance: 47
• Energy: 70
Source: Riptech, Inc. 2002. Attack estimates do not include worms (e.g. Code Red) or Denial-of-Service attacks (e.g. Smurf).
Cost of Security Vulnerabilities
The economic impact of security vulnerabilities is significant:
• Code Red: $2.62 Billion US
• Nimda: $63 Million
• Worldwide losses from security breaches, viruses, etc. for 1999: US$1.6 Trillion (US$1,600,000,000,000.00)
Source: U.S. President’s Commission on Critical Infrastructure Protection
Use & Build: A Worldwide Initiative to define an end-to-end integrated Security & Privacy platform
As mother organization: D4 Trust & Security, SEINIT, plus all 75 projects and TFs (Cybersecurity TF)
As cooperation partners: Japan, Europe, Korea, North America, India
The National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace is part of our overall effort to protect the Nation. It is an implementing component of the National Strategy for Homeland Security and is complemented by a National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. The purpose of this document is to engage and empower Americans to secure the portions of cyberspace that they own, operate, control, or with which they interact. Securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society, the federal government, state and local governments, the private sector, and the American people.
DOD Net-Centric (Mr. John L. Osterholz)
Comprehensive Global Security Strategy Global-SEC
The Internet’s Serious Enemies
They are called Security, Privacy, SW Bugs (OS, ...), Governments, Hackers and Viruses!
“Unpredictable World” / “Taming the World”
Security History (Network)
• None (we are all friends)
 - Early Internet users were researchers
 - Personal Computing revolution had yet to start
• 1988: Uh Oh!
 - Internet Worm: first time the Internet made television... in a bad way
• Today
 - Security threats abound, but security technology is an add-on
Security is not Deployed
• Internet is “edge” centric
 - Hard to add security in the middle
 - Firewalls attempt to add security at a “quasi” edge
• Security is Hard
 - It is a “negative deliverable”
 - You don’t know when you have it, only when you have lost it!
 - Users don’t ask for it, so the market doesn’t demand it
Internet Security Analogy (castle diagram)
• Keep: last building in the castle to fall
• Moat / Main Gate
• Outer Perimeter: controlling castle access
• Inner Perimeter: stronghold; higher walls produce a containment area between inner and outer perimeters
Internet Security Analogy (network diagram)
Castle terms: Keep, Outer Perimeter, Inner Perimeter, Stronghold. Network terms: Crown Jewels, Internal Firewall, Internet, Internal Network, Mission Critical Systems.
Internet Attacks
• Denial of Service: Brute Force, Hidden, ...
• Eavesdropping (secrecy): Wiretapping, Trojan Horse
• Modification (integrity): Man-in-the-Middle, Viruses, ...
• Fabrication (authentication): Masquerading, ...
Some Internet Security Protocols (shown against the protocol stack: Application, Presentation, Session, Transport, Network, Link, Physical; the slide also marks the political and economic dimensions)
• Application: e-mail + PGP, S/MIME
• Transport: primarily Web + SSL/TLS; Secure Shell (SSH)
• Network: IPsec; MIPv6; Routing Security
• Infrastructure: DNSsec; PKI; SNMPv3 security
Internet Security and Privacy with IPv6: an analogy
• Folks just surfing, with a random address for privacy
• A steel pipe: IPsec over IPv6
Large-Scale End-to-End Security
Easy to set up an IP-VPN between end-to-end terminals with IPv6.
IPv4-NAT (site-to-site secure communication): private addresses behind NATs at Office A and Office B; IPsec terminals and routers (R); secure transmission only across the Internet, between the two sites.
 - Low security on the LAN
 - Low interoperability between different vendors
IPv6 (end-to-end secure communication): global addresses; secure transmission end to end across the Internet between Office A, Office B and a Business Partner.
 - End-to-end secure communication
 - Easy to partner with a new customer
IPsec
• Protects all upper-layer protocols.
• Requires no modifications to applications.
 - But smart applications can take advantage of it.
• Useful for host-to-host, host-to-gateway, and gateway-to-gateway.
 - Latter two used to build VPNs.
Doesn’t IPsec work with IPv4?
• Yes, but…
 - It isn’t standard with v4.
 - Few implementations support host-to-host mode.
 - Even fewer applications can take advantage of it.
No NATs
• NATs break IPsec, especially in host-to-host (P2P) mode.
• With no NATs needed, fewer obstacles to use of IPsec.
• Note carefully: NATs provide no more security than an application-level firewall.
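Why a NAT breaks host-to-host IPsec, as an added example that is not part of the presentation: AH's integrity check covers the IP addresses, so a rewritten source address fails verification, and in ESP transport mode the TCP checksum (which covers both addresses) travels encrypted, so the NAT cannot fix it up. Addresses, payloads and the SA key are constructed; encryption is modelled as transparent.

```python
"""Two ways a NAT breaks transport-mode IPsec, on constructed packets.
AH: ICV covers the addresses, so NAT rewriting invalidates it. ESP:
the TCP checksum is encrypted, so the NAT cannot recompute it."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-sa-key"  # constructed shared SA key for the demo

def ah_icv(key, src, dst, payload):
    # AH HMAC-SHA1-96 (RFC 2404): HMAC over the immutable header fields
    # (modelled as the two addresses) and the payload, truncated to 96 bits.
    covered = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]

def ah_verify(key, pkt):
    expected = ah_icv(key, pkt["src"], pkt["dst"], pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])

def tcp_checksum(src, dst, segment):
    # RFC 793: one's-complement sum over the pseudo-header (src, dst,
    # zero, protocol 6, TCP length) followed by the zero-padded segment.
    pseudo = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    data = pseudo + segment + (b"\x00" if len(segment) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def nat_rewrite(pkt, public_src):
    # NAPT replaces the private source address; everything else is opaque to it.
    return {**pkt, "src": public_src}

def ah_before_and_after_nat():
    pkt = {"src": "10.0.0.5", "dst": "203.0.113.9", "payload": b"hello"}
    pkt["icv"] = ah_icv(KEY, pkt["src"], pkt["dst"], pkt["payload"])
    return ah_verify(KEY, pkt), ah_verify(KEY, nat_rewrite(pkt, "198.51.100.1"))

def esp_transport_checksum_after_nat():
    src, dst, seg = "10.0.0.5", "203.0.113.9", b"GET /"
    # Sender computes the checksum with its private address; ESP then hides
    # segment and checksum from the NAT (encryption modelled as transparent).
    pkt = {"src": src, "dst": dst, "payload": seg, "cksum": tcp_checksum(src, dst, seg)}
    natted = nat_rewrite(pkt, "198.51.100.1")
    # Receiver decrypts and validates against the header it actually received.
    return tcp_checksum(natted["src"], natted["dst"], natted["payload"]) == natted["cksum"]
```

`ah_before_and_after_nat()` returns `(True, False)` and `esp_transport_checksum_after_nat()` returns `False`, which is the observable failure behind the slide's claim.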
Can you do 3 things in ONE GO? It’s Acrobatic!
• e2e Communication
• e2e Security
• Mobility
The Road Warrior is a Clown!
PRIVACY: Addressing Model (diagram). Labels: Link-Local, Site-Local, Global; IPv4-NAT, NAT, LAN, DHCP Server, Network Firewall, The Internet, R, PC, Application Gateway, Global Address, Private Address, IPv6.
Configuring Interface IDs
Several choices for configuring the interface ID of an address:
• manual configuration (of interface ID or whole address)
• DHCPv6 (configures whole address)
• automatic derivation from 48-bit IEEE 802 address or 64-bit IEEE EUI-64 address
• pseudo-random generation (for client privacy)
The latter two choices enable “serverless” or “stateless” autoconfiguration, when combined with the high-order part of the address learned via Router Advertisements.
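The last two interface-ID choices worked through, as an added example that is not from the presentation: modified EUI-64 derivation from a 48-bit IEEE 802 address (RFC 4291, Appendix A), a pseudo-random IID in the style of RFC 4941, and the privacy point behind the slide's "(for client privacy)": the EUI-64 IID is identical under every prefix a host visits, the random one is not. The MAC address and the 2001:db8::/32 documentation prefixes are constructed inputs.

```python
"""Interface-ID choices on constructed inputs: modified EUI-64 from a MAC
address versus a random IID, and whether the low 64 bits stay constant
across networks (a stable, trackable identifier)."""
import ipaddress
import secrets

def mac_to_eui64_iid(mac):
    # Split the MAC into OUI and NIC halves, insert 0xFFFE between them,
    # then invert the universal/local bit (0x02 of the first octet).
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit IEEE 802 address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def random_iid():
    # 64 random bits with the u/l bit cleared (0 = local in modified EUI-64
    # form), so the result cannot be mistaken for a real IEEE identifier.
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)

def compose(prefix, iid):
    # Stateless autoconfiguration: the /64 prefix learned from a Router
    # Advertisement supplies the high-order bits, the IID the low 64 bits.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def stable_across_networks(iid_for_prefix, prefixes):
    # True when the low 64 bits are identical under every prefix, i.e. the
    # host carries one identifier from network to network.
    low_bits = {compose(p, iid_for_prefix(p)).packed[8:] for p in prefixes}
    return len(low_bits) == 1

MAC = "00:1a:2b:3c:4d:5e"  # constructed MAC address
PREFIXES = ["2001:db8:1::/64", "2001:db8:2::/64", "2001:db8:3::/64"]  # constructed prefixes

def eui64_is_trackable():
    return stable_across_networks(lambda p: mac_to_eui64_iid(MAC), PREFIXES)

def random_is_trackable():
    return stable_across_networks(lambda p: random_iid(), PREFIXES)
```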
Non-Global Addresses
• IPv6 includes non-global addresses, similar to IPv4 private addresses (“net 10”, etc.)
• a topological region within which such non-global addresses are used is called a zone
• zones come in different sizes, called scopes (e.g., link-local, site-local, …)
• unlike in IPv4, a non-global address zone is also part of the global addressable region (the “global zone”) => an interface may have both global and non-global addresses
Address Zones and Scopes (diagram: The Global Internet containing several sites, each with links and routers). Each oval is a different zone; different colors indicate different scopes.
v6 - IPsec Roadmap Scenarios
Columns: IPv6 Deployment | Address Transparency | IPsec | FOG | Issues
• Scenario 1: Successful | Restored e-2-e | e-2-e works | Clears! | Intranet, Proxies & Firewalls may remain
• Scenario 2: Complete Failure | Recycling IP Addresses | Limited | Noticeable Fog | Generalised use of NAPT, RSIP?
• Scenario 2 (continued): Exhaustion | NAT-over-NAT | Broken | Permanent Thick Fog | NATs even between ISPs
Authentication Challenges
• There is username/password
• And then there is everything else
 - SecurID
 - Smart Card
 - ATM Card
 - Biometrics: the “password” you cannot change...
• There are also “safety” hazards...
Richard Clarke Recommendations of ISOC/IAB/IETF, INET 2002, June 19
• While export controls have loosened, Cisco and others are still forced to distinguish between US and non-US versions of code, around crypto. It was suggested that USG simply drop all export restrictions on crypto code using the new Advanced Encryption Standard.
• We still don't know how to deploy a global Public Key Infrastructure, making global IPsec privacy/authentication difficult (research funding).
• Ditto secure/scalable/quickly-converging global and local routing.
• Ditto on intrusion detection as a service-provider service (detecting and mitigating attacks of various kinds).
Societal Challenges
• Shift from ISP to ... Personal ISP
• Bring Trust to the Internet
 - Banking
 - Government (e-voting)
 - E-commerce
• Security-aware Society
• Security Divide! (Security Haves and Have-Nots)
• Security for EveryOne & Everything
Conclusions
• IPv6 mandates and enables an important improvement in security.
• Much of the improvement comes from standard, usable IPsec.
• The very large address space may provide for other, innovative security mechanisms.