| 1
ICANN & Internet Security (DNS) Security
Albert Daniels, Albert.daniels@icann.og
Internet Week Guyana, 11th October 2017
| 2
What Does ICANN Mean for the End User?
- The Domain Name System allows you to easily navigate the Internet.
- ICANN monitors for compliance with contracts, including review of complaints.
- Generic Top-Level Domains provide choice in the domain name space.
- Country Code Top-Level Domains allow countries to host their own websites.
- Protocol Parameters allow computers to talk to each other.
- Internet Protocol Addresses are the numbers that identify devices.
- Root Zone Management keeps the DNS running smoothly.
- Policy Development is an inclusive, open and transparent process for the Community to create effective rules for the Internet.
- L-Root is one of the root servers that helps keep the DNS stable around the globe.
- Supporting and Growing the Community ensures diverse participants contribute to bottom-up, multistakeholder, consensus-driven policy.
IANA functions
| 3
How Internet Protocol (IP) Addresses are Distributed
- IANA functions: distribute IP addresses to the Regional Internet Registries
- Regional Internet Registries: distribute IP addresses to ISP providers in your region
- Internet Service Providers: distribute IP addresses by providing connectivity to homes and businesses
- Homes and Businesses: end users connect their personal and professional devices to the Internet
| 4
The Digital Universe is Growing Exponentially
“According to IDC, the digital universe is doubling in size every two years, and by 2020, the digital universe – the data we create and copy annually – will reach 44 zettabytes, or 44 trillion gigabytes.”
Source: http://www.emc.com/leadership/digital-universe/2014iview/executive-summary.htm
If the Digital Universe were represented by the memory in a stack of tablets, in 2013 it would have stretched two-thirds of the way to the Moon*. By 2020 there would be 6.6 stacks from the Earth to the Moon*.
4.4 ZB (2013) → 44 ZB (2020)
* iPad Air - 0.29” thick, 128 GB
| 5
Why is the Internet Important to my Business?
Businesses of any size, in any sector, depend on a global, interoperable Internet.
- Grows business (75%): most of the economic value the Internet creates falls outside of the technology sector: companies in more traditional industries capture 75 percent of the benefits. (Internet Benefits; Source: McKinsey, 2011)
- Reaches billions (51%): by 2019, there will be about 3.9 billion Internet users, or 51 percent of the world's projected population of 7.6 billion. (Internet Penetration; Source: Cisco, 2015)
- Expands trade (30%): today world trade represents about 30% of global GDP, up from 20% in the early days of the Internet. (Global GDP; Source: BCG, 2014)
| 6
The Internet in 60 Seconds…
According to CIO Media and The Independent, every minute:
- 350,000 Tweets tweeted
- 31.5M Facebook messages posted
- 300 hours of video uploaded to YouTube
- 70 Domains Registered
- 48,611 Instagram pictures posted
| 7
Unique Names and Numbers
Anything connected to the Internet – including computers, mobile phones and other devices – has a unique number called its IP address. IP stands for Internet Protocol. This address is like a postal address. It allows messages, videos and other packets of data to be sent from anywhere on the Internet to the device that has been uniquely identified by its IP address. IP addresses can be difficult to remember, so instead of numbers, the Internet’s domain name system uses letters, numbers and hyphens to form a name that is easier to remember.
| 8
DNSSEC
| 9
What is DNSSEC?
- DNSSEC = “DNS Security Extensions”
- DNSSEC is a protocol that is currently being deployed to secure the Domain Name System (DNS)
- DNSSEC adds security to the DNS by incorporating public key cryptography into the DNS hierarchy, resulting in a single, open, global Public Key Infrastructure (PKI) for domain names
- Result of over a decade of community based, open standards development
| 10
DNS Basics
- DNS converts names (www.republicguyana.com) to numbers (64.49.225.191)
- ...to identify services such as www and e-mail
- ...that identify and link customers to business and vice versa
| 11
DNS is a part of all IT ecosystems
[Diagram: services that depend on DNS names: e-mail (lamb@xtcn.com), VoIP (+1-202-709-5262), a web site (mydomainname.com), the US-NSTIC effort, the Smart Electrical Grid, the OECS ID effort]
| 12
Where DNSSEC fits in
- ...but CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks
- DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents
- With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and vice versa)
| 13
The Bad: DNSChanger - ‘Biggest Cybercriminal Takedown in History’ – 4M machines, 100 countries, $14M
Nov 2011, http://krebsonsecurity.com/2011/11/malware-click-fraud-kingpins-arrested-in-estonia/
End-2-end DNSSEC validation would have avoided the problems
| 14
The Internet’s Phone Book - Domain Name System (DNS)
[Diagram: the customer's browser asks the ISP's DNS resolver "www.majorbank.gy = ?". The resolver walks the DNS hierarchy (root → gy → majorbank.gy, whose DNS server is run by Majorbank, the registrant) and answers "www.majorbank.gy = 1.2.3.4". The browser then sends "Get page" to the webserver www @ 1.2.3.4, receives the login page, submits username / password and receives account data.]
| 15
Caching Responses for Efficiency
[Diagram: the browser asks the DNS resolver "www.majorbank.gy = ?" and the resolver answers "www.majorbank.gy = 1.2.3.4" from its cache, without asking the DNS server again. The browser sends "Get page" to the webserver www @ 1.2.3.4, receives the login page, submits username / password and receives account data.]
| 16
The Problem: DNS Cache Poisoning Attack
[Diagram: the browser asks the DNS resolver "www.majorbank.gy = ?". Before the real DNS server answers "www.majorbank.gy = 1.2.3.4", the attacker injects "www.majorbank.gy = 5.6.7.8" and the resolver accepts it. The browser sends "Get page" to the attacker's webserver www @ 5.6.7.8, gets the attacker's login page, submits username / password (which land in the attacker's password database) and sees only an error.]
| 17
Now all ISP customers get sent to attacker. Caching Responses for Efficiency
[Diagram: the poisoned record "www.majorbank.gy = 5.6.7.8" is now in the resolver's cache, so every customer asking "www.majorbank.gy = ?" is sent to the attacker's webserver www @ 5.6.7.8, gets the attacker's login page, submits username / password to the attacker's password database and sees only an error.]
| 18
Securing The Phone Book – DNSSEC
[Diagram: the browser asks the DNS resolver with DNSSEC "www.majorbank.gy = ?". The DNS server with DNSSEC answers "www.majorbank.gy = 1.2.3.4" with a signature. The attacker's record "www.majorbank.gy = 5.6.7.8" does not validate, so the resolver drops it. The browser sends "Get page" to the webserver www @ 1.2.3.4, receives the login page, submits username / password and receives account data.]
| 19
Resolver only caches validated records
[Diagram: the DNS resolver with DNSSEC caches only the validated answer "www.majorbank.gy = 1.2.3.4" from the DNS server with DNSSEC. Every customer's browser is sent to the webserver www @ 1.2.3.4, receives the login page, submits username / password and receives account data.]
| 20
The Business Case for DNSSEC
- Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator.
- DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity).
- DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
| 21
DNSSEC: So what’s the problem?
- Not enough IT departments know about it or are too busy putting out other security fires.
- When they do look into it they hear old stories of FUD and lack of turnkey solutions and CDN support.
- Registrars*/CDNs/DNS providers see no demand, leading to “chicken-and-egg” problems.
*but required by new ICANN registrar agreement
| 22
Who Can Implement DNSSEC
- Enterprises – Sign their zones and validate lookups
- TLD Operators – Sign the TLD
- Domain Name holders – Sign their zones
- Internet Service Providers – validate DNS lookups
- Hosting Provider – offer signing services to customers
- Registrars – accept DNSSEC records (e.g., DS)
| 23
KSK Roll Over
| 24
KSK Rollover: An Overview
ICANN is in the process of performing a Root Zone DNS Security Extensions (DNSSEC) Key Signing Key (KSK) rollover
- The Root Zone DNSSEC Key Signing Key “KSK” is the top most cryptographic key in the DNSSEC hierarchy
- The KSK is a cryptographic public-private key pair:
  - Public part: trusted starting point for DNSSEC validation
  - Private part: signs the Zone Signing Key (ZSK)
- Builds a “chain of trust” of successive keys and signatures to validate the authenticity of any DNSSEC signed data
[Diagram: the chain of trust from the KSK down to the signed DATA]
| 25
Why is ICANN Rolling the KSK?
- Because it’s not good for a cryptographic key to live forever. The cryptographic keys used in DNSSEC-signing DNS data should be changed periodically
  - Ensures infrastructure can support key change in case of emergency
- This type of change has never before occurred at the root level
  - There has been one functional, operational Root Zone DNSSEC KSK since 2010
- Because it’s better to make proactive changes during normal operations when things are running smoothly, rather than be reactive in an emergency. The KSK rollover must be widely and carefully coordinated to ensure that it does not interfere with normal operations
| 26
When Does the Rollover Take Place?
The changing or "rolling" of the KSK Key was originally scheduled to occur on 11 October 2017, but it is being delayed because some recently obtained data shows that a significant number of resolvers used by Internet Service Providers (ISPs) and Network Operators are not yet ready for the Key Rollover.
There may be multiple reasons why operators do not have the new key installed in their systems: some may not have their resolver software properly configured, and a recently discovered issue in one widely used resolver program appears to not be automatically updating the key as it should, for reasons that are still being explored.
ICANN is tentatively hoping to reschedule the Key Rollover for the first quarter of 2018 and is encouraging ISPs and Network operators to use this additional time period to be certain that their systems are ready for the Key Rollover.
| 27
Who Will Be Impacted?
- DNS Software Developers & Distributors
- System Integrators
- Network Operators
- Root Server Operators
- Internet Service Providers
- End Users (if no action taken by resolver operators)
| 28
Why You Need to Prepare
If you have enabled DNSSEC validation, you must update your systems with the new KSK to help ensure trouble-free Internet access for users.
Currently, 25 percent of global Internet users, or 750 million people, use DNSSEC-validating resolvers that could be affected by the KSK rollover.
If these validating resolvers do not have the new key when the KSK is rolled, end users relying on those resolvers will encounter errors and be unable to access the Internet.
| 29
What Do Operators Need to Do?
- Be aware whether DNSSEC is enabled in your servers
- Be aware of how trust is evaluated in your operations
- Test/verify your set ups
- Inspect configuration files, are they (also) up to date?
- If DNSSEC validation is enabled or planned in your system:
  - Have a plan for participating in the KSK rollover
  - Know the dates, know the symptoms, solutions
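The "inspect configuration files" step above, as an added example that is not part of the original presentation: a small Python script that reads a resolver's trust-anchor file in DNSKEY presentation format, computes each anchor's key tag with the RFC 4034 algorithm, and reports which expected key tags are missing. The sample anchors, their key material and their key tags are constructed for this example; the key tags of the real old and new root KSKs are a placeholder that you would take from ICANN's published trust anchors.

```python
import base64
import re

# Constructed sample trust-anchor file in DNSKEY presentation format (the
# layout of e.g. unbound's root.key or "dig . DNSKEY" output). The key
# material is made up for the example; real root KSKs are 2048-bit RSA keys.
SAMPLE_TRUST_ANCHORS = """\
; constructed root trust anchors, not real key material
.  172800  IN  DNSKEY  257 3 8  AQIDBA==   ; {id = 2063 (ksk)}
.  172800  IN  DNSKEY  257 3 8  BQYHCAkK   ; {id = 6433 (ksk)}
"""

# owner [ttl] [class] DNSKEY flags protocol algorithm public-key ...
DNSKEY_RE = re.compile(
    r"^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$"
)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). Resolvers and DS records identify keys by it."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def anchor_key_tags(text: str) -> dict:
    """Parse every DNSKEY line and return {key_tag: flags} for the anchors."""
    found = {}
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        flags, proto, alg = int(m[1]), int(m[2]), int(m[3])
        # Drop a trailing ';' comment and any whitespace inside the base64.
        b64 = "".join(m[4].split(";")[0].split())
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(b64)
        found[key_tag(rdata)] = flags
    return found


def missing_anchors(text: str, expected_tags: set) -> set:
    """Key tags the resolver must trust (e.g. the new root KSK) that are absent."""
    return set(expected_tags) - set(anchor_key_tags(text))


if __name__ == "__main__":
    # Placeholder set; use the key tags ICANN publishes for the old and new root KSK.
    print("missing:", missing_anchors(SAMPLE_TRUST_ANCHORS, {2063, 6433}) or "none")
```

A non-empty result means the resolver would not be able to validate the root zone once the KSK is rolled, which is exactly the outage the slides warn about.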
| 30
Check to See If Your Systems Are Ready
ICANN is offering a test bed for operators or any interested parties to confirm that their systems handle the automated update process correctly. Check to make sure your systems are ready by visiting: go.icann.org/KSKtest
| 31
For More Information
Visit https://icann.org/kskroll
Join the conversation online
- Use the hashtag #KeyRoll
- Sign up to the mailing list https://mm.icann.org/listinfo/ksk-rollover
Ask a question to globalsupport@icann.org
- Subject line: “KSK Rollover”
Attend an event
- Visit https://features.icann.org/calendar to find upcoming KSK rollover presentations in your region
| 32