ICANN & Internet Security (DNS) Security Albert Daniels - PowerPoint PPT Presentation

ICANN & Internet Security (DNS) Security Albert Daniels Albert.daniels@icann.og Internet Week Guyana 11 th October 2017 | 1

What Does ICANN Mean for the End User? POLIC Y The Domain Name System Policy Development is an L-Root is one of the Supporting and Growing allows you to easily inclusive, open and root servers that helps the Community ensures navigate the Internet. ICANN transparent process for the keeps the DNS stable diverse participants monitors for compliance Community to create around the globe contribute to bottom-up, with contracts, including effective rules for the multistakeholder, review of complaints. Internet consensus-driven policy Generic Top-Level Country Code Protocol Parameters Internet Protocol Root Zone Domains provide Top-Level Domains allow computers to Addresses are the Management keeps choice in the domain allow countries to talk to each other numbers that identify the DNS running name space. host their own devices smoothly websites IANA functions | 2

How Internet Protocol (IP) Addresses are Distributed Internet Service IANA Providers functions Distributes IP address to ISP Distributes IP providers in your address by providing IP region connectivity to homes and businesses Distributes IP address to Regional Internet Homes and Businesses Regional Internet Registries Registries End users connect their personal and professional devices to the Internet | 3

The Digital Universe is Growing Exponentially “According to IDC, the digital universe is doubling in size every two years , and by 2020, the digital universe – the data we create and copy annually – will reach 44 zettabytes, or 44 trillion gigabytes.” 2013 If the Digital Universe 4.4 ZB were represented by the memory in a stack of tablets, in 2013 it would have stretched 44 ZB 2020 two-thirds the way to the Moon*. By 2020 there would be 6.6 stacks from the Earth to the Moon* Source: http://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm * iPad Air - 0.29” thick, 128 GB | 4

Why is the Internet Important to my Business? Businesses of any size, in any sector, depend on a global, interoperable Internet Grows Reaches E x p a n d s trade business billions 30% 75% 51% Global GDP Internet Benefits Internet Penetration Today world trade Most of the economic value By 2019, there will be represents about 30% the Internet creates falls about 3.9 billion Internet of global GDP, up outside of the technology users , or 51 percent of from 20% in the early sector : companies in more the world's projected days of the Internet traditional industries capture population of 7.6 billion 75 percent of the benefits Source: BCG, 2014 Source: Cisco, 2015 Source: McKinsey, 2011 | 5

The Internet in 60 Seconds… According to CIO Media and The Independent: every minute: 31.5M Facebook 70 messages Domains Registered posted 300 350,000 hours of video Tweets tweeted uploaded to YouTube 48,611 Instagram pictures posted | 6

Unique Names and Numbers Anything connected to the Internet – including computers, mobile phones and other devices – has a unique number called its IP address. IP stands for Internet Protocol. This address is like a postal address. It allows messages, videos and other packets of data to be sent from anywhere on the Internet to the device that has been uniquely identified by its IP address. IP addresses can be difficult to remember, so instead of numbers, the Internet’s domain name system uses letters, numbers and hyphens, to form a name that is easier to remember. | 7

DNSSEC | 8 | 8

What is DNSSEC? � DNSSEC = “DNS Security Extensions” � DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS) � DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names � Result of over a decade of community based, open standards development | 9

DNS Basics • DNS converts names (www.republicguyana.com) to numbers (64.49.225.191) • ..to identify services such as www and e-mail • ..that identify and link customers to business and visa versa | 10

+1-202-709-5262 US-NSTIC effort VoIP DNS is a part of all IT ecosystems OECS ID effort lamb@xtcn.co Smart Electrical Grid m | 11 mydomainname.co m

Where DNSSEC fits in • ..but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks • DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents • With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and visa versa) | 12

The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M Nov 2011 http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in- | 13 estonia/ End-2-end DNSSEC validation would have avoided the problems

The Internet’s Phone Book - Domain Name System (DNS) www.majorbank. k.gy gy = 1 1.2.3.4 www.majorbank. k.gy gy=? DN DNS DN DNS 1.2.3.4 1.2.3.4 Resolver ver Server ver Ge Get page Login n page webser erver ver www @ www Username e / P Passw sword rd 1.2.3.4 1.2.3.4 Account t Data Majorba rbank nk (Regis gistrant) rant) ISP DNS Hierarc rarchy root gy com majorbank.vg www.majorbank.gy | 14

Caching Responses for Efficiency ww www. w.majorbank. k.gy gy = 1 1.2.3.4 www.majorbank. k.gy gy=? DN DNS DN DNS 1.2.3.4 1.2.3.4 Resolver ver Server ver Get page Ge Login n page webser we erver ver www @ www Username e / P Passw sword rd 1.2.3.4 1.2.3.4 Account t Data | 15

The Problem: DNS Cache Poisoning Attack www.majorbank. k.gy gy = 1 1.2.3.4 www.majorbank. k.gy gy=? DN DNS DNS DN 5.6.7.8 5.6.7.8 Resolver ver Server ver Attacker cker ww www. w.majorbank. k.gy gy = 5 5.6.7.8 Ge Get page Attacker cker Logi Lo gin page ge webser erver ver www ww w @ Userna name e / P Passwo sword 5.6.7.8 5.6.7.8 Error or Passw sword rd database se | 16

Now all ISP customers get sent to attacker. Caching Responses for Efficiency www.majorbank. k.gy gy = 1 1.2.3.4 www.majorbank. k.gy gy=? DN DNS DNS DN 5.6.7.8 5.6.7.8 Resolver ver Server ver Get page Ge Attacker cker Lo Logi gin page ge webser erver ver ww www w @ Userna name e / P Passwo sword 5.6.7.8 5.6.7.8 Error or Passw sword rd database se | 17

Securing The Phone Book – DNSSEC Attacker’s record does not validate te – dr drop op it www.majorbank. k.gy gy = 1 1.2.3.4 DNS DN DN DNS www.majorbank. k.gy gy=? Resolver ver Server ver with h 1.2.3.4 1.2.3.4 with h DNSSE SEC Attacker cker DNSSE SEC www.majorbank. k.gy gy = 5 5.6.7.8 Get page Ge Lo Logi gin page ge webser erver ver www ww w @ Userna name e / P Passwo sword 1.2.3.4 1.2.3.4 Account t Data | 18

Resolver only caches validated records www.majorbank. k.gy gy = 1 1.2.3.4 www.majorbank. k.gy gy=? DN DNS DNS DN Resolver ver Server ver with h 1.2.3.4 1.2.3.4 with h DNSSE SEC DNSSE SEC Ge Get page Lo Logi gin page ge webser erver ver ww www w @ Userna name e / P Passwo sword 1.2.3.4 1.2.3.4 Account t Data | 19

The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage. | 20

DNSSEC: So what’s the problem? • Not enough IT departments know about it or are too busy putting out other security fires. • When they do look into it they hear old stories of FUD and lack of turnkey solutions and CDN support. • Registrars*/CDNs/DNS providers see no demand leading to “chicken -and- egg” problems. *but required by new ICANN registrar agreement | 21

Who Can Implement DNSSEC • Enterprises – Sign their zones and validate lookups • TLD Operators – Sign the TLD • Domain Name holders – Sign their zones • Internet Service Providers – validate DNS lookups • Hosting Provider – offer signing services to customers • Registrars – accept DNSSEC records (e.g., DS) | 22

KSK Roll Over | 23 | 23

KSK Rollover: An Overview ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover � The Root Zone DNSSEC Key Signing Key “ KSK ” is the top most cryptographic key in KS the DNSSEC hierarchy K � The KSK is a cryptographic public-private key pair: Public part: trusted starting point for o DNSSEC validation Private part: signs the Zone Signing o Key (ZSK) � Builds a “chain of trust” of successive keys DATA and signatures to validate the authenticity of any DNSSEC signed data | 24