The iLab Experience a blended learning hands-on course concept you set the focus WWW Security / Your Exercise Topic Pitch 2018-05-8
10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP 24.4. 3 Minilab 2 Advanced WL (1.5.) 4 WWW Security 8.5. 5 Your Exercise Topic Pitch SEC 15.5. IoT Smart Space SW & measr 6 (22.5.) IoT1 Prepare Your Exercise 7 IoT DIY HW IoT2 29.5. 8 YE Topic Outline 5.6. YE Didactics, Tools & i Advise 9 (12.6.) Prepare Your Exercise 10 Your Exercise 19.6. YE 1st Lecture 11 summer term 2018 26.6. Giving good Feedback 12 3.7. YE Review Presentation 13 10.7. YE Final Presentation, Wrap-Up 14
Agenda • Reminder: Please do not forget to give short feedback. • Interactive: Collaborative Memory. • Info: Oral Attestation. • Lecture: WWW Security. • Interactive: Your Exercise Topic Pitch.
We want your Feedback! Individual Feedback goo.gl/YuGj74
Collaborative Memory what are the most important things to remember from the last lab?
oral 10h00-15h00 IPv6 Internet Routing with a focus on BGP (intra-AS attestation and inter-AS) Advanced Wireless LAN ~12min each Mon 28.5. Tue 29.5.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 IPv6 BGP Advanced WL SEC IoT1 IoT2 Your Exercise 2 mini labs Johannes Naab Black Box
The iLab Experience a blended learning hands-on course concept you set the focus Your Exercise Topic Pitch — the topics make sense round… May 8, 2018
create YOUR own LAB
upside-down classroom
Security
DNS BGP Bulgarian Internet in 2011, Niau33, https://commons.wikimedia.org/wiki/File:Bg_internet_2011.png
Common Ground for all Topics • DNS Basics • GO Basics • Jupiter Notebook Basics
Introductory Tutorial DNS & GO • Students understand DNS delegation via NS • Students understand semantics and format of the following DNS records: A, NS, PTR, SOA • Students can use the Linux tool dig to query resolvers such as 8.8.8.8 (i.e. recursively) • Students can use the Linux tool dig with the +trace option to understand the process of lookup • Students can interpret on-the-wire data (pcap) to understand DNS resolution • Students can use the Linux tool dig to query NS iteratively, i.e. they can simulate the lookup process that a resolver would carry out (respectively: what dig +trace does) • Students can spot inconsistencies in the setup of NS <-> SOA and A <-> PTR • Students understand programming in Go on a fundamental level • Students can use the Go DNS library competently • Students understand go routines
What next? • You get 10 minutes to prepare a short pitch of a topic. • What is it about? • Why is it interesting? • You find today’s topic in the envelope. • After the session you will have time to vote for a topic until Monday 12pm (noon). Now open the envelope.
You make it • What is it about? • Why is it interesting? interesting… • What cool stuff do you want to communicate to those doing your planned lab? • What concrete theoretical background will one get? • What could you imagine as interesting work done during the hands-on? • Now: 10 minutes time for the preparation Each team prepares its topic from the envelope • Afterwards: You have 1 minute per topic to tell why a topic is cool Flickr:nist6dh
Available Topics 1. DNS delegations to other zones & querying DNS with GO. 2. MassDNS. 3. DNSSec with Linux Tools and GO. 4. Scanning DNS and DNSSec and mapping results to ASN/ Geolocations. 5. RPKI Validation. 6. DANE-TLSA. 7. CAA. 8. Certificate Transparency and OCSP revocation. 9. go-tlsscanner, BGPStream, and AS dynamics.
DNS delegations to other zones & querying DNS with GO We introduce the complexity of the DNS by demonstrating how often zones have nameservers in other zones. Students learn that this can lead to problems and they are introduced to security aspects. • Students understand how delegations of authority work between zones • Students understand the rules (in/out-of-bailiwick) that are applied • Students understand how misconfigurations (circular delegation) can happen, and why most of the DNS still works • Students understand the risks associated with delegating authority • Students understand the meaning of registrant, registrar, registry • Students learn how to find out the registrant, registrar, and registry of a given domain • Students can write a simple program that concurrently queries the DNS of Alexa Top 1M domains for A, NS, SOA records
MassDNS Querying the DNS at scale is a difficult task. Tools exist that address this, e.g. massdns. Students learn what scanning at scale means and what it can reveal, e.g. NS responsibility for many domains by big companies such as GoDaddy or outsourcing to CloudFlare. • Students understand the challenges of raising measurement data at Internet scale • Students understand how tools such as zmap or massdns solve this • Students understand operations of the DNS by external providers • Students understand how to raise empirical data with massdns and analyse it with Python
DNSSec with Linux Tools and GO DNSSEC is an advocated technology to make the integrity of DNSSEC records verifiable. It suffers from low deployment and high complexity, however. Students learn how DNSSEC is meant to be deployed and how it is deployed in practice. • Students understand how DNSSEC security is built around the concept of delegation • Students understand privacy implications of DNSSEC zone walking • Students understand the use of DS, DNSKEY, RRSIG, NSEC, and NSEC3 • Students can write a Go program that queries DNSSEC records (input: list of domains) • Students can use miekg/dns to verify signatures of RRSIG • Students can extend Go program to verify complete DNSSEC chain
Scanning DNS and DNSSec and mapping results to ASN/ Geolocations Students bring together what they have learned in previous tasks. They are now asked to carry out an empirical study of 10,000 domains for DNS and DNSSEC records and analyze the results. They map IP addresses to ASN and geographic location. • Students carry out a large-scale scan of DNS/DNSSEC • Students identify DNS operators (AWS, Google, Cloudflare, Akamai) by common NS names • Students identify common errors when scanning
RPKI Validation Student study RPKI setup and look for problematic practices such as too large prefix definitions. The final step is to run the IP addresses through RPKI Validator, a tool that verifies an RPKI ROA given an IP address. This tells students whether an IP prefix is RPKI protected. • Students understand what RPKI and an RPKI ROA is • Students understand problematic practices in RPKI • Students understand deployment of RPKI and can interpret results of ROA verification
DANE-TLSA DANE-TLSA is an IETF standard that started with huge promise and, so far, has seen little deployment. TLSA allows to define the expected certificate or public key of an HTTPS connection in a DNS record. It is an instructive example of the divergence between cryptography and deployability. In this task, students retrieve DANE-TLSA records and verify them. • Students understand purpose and setup rules of DANE-TLSA • Students can obtain certificates via TLS • Students know how to verify DANE-TLSA records against certificates
CAA CAA is an IETF standard that allows a domain to specify which CAs are allowed to issue a certificate for the domain. It is a simple and successful standard. In this task, students learn how to retrieve, parse, and evaluate CAA records. • Students understand purpose and setup rules of CAA • Students can obtain CAA records and parse them • Students can check if domains actually have TLS configured with CA-issued cert • Students understand that a non-matching cert is not a security issue (contrary to first impression one might have) • Students can use CAA data for a “market” analysis of CAs
Certificate Transparency and OCSP revocation Certificate Transparency is possibly the most influential security technology on the web in the last five years. In this lab, students will understand how CT works and develop code to audit domain setups that use CT. • Students understand CT operation • Students write code to fetch data from CT log • Students write code to compare SCT in TLS connection with logged SCT • Students write a small Auditor for CT that fetches SCTs regularly and compares with what it sees in the TLS connection
go-tlsscanner, BGPStream, and AS dynamics Routing on the Internet is decided using the BGP protocol. Since ca. 2016, CAIDA provides a live stream of BGP announcements, hence considerably extending visibility into Internet routing. In this task, students learn to look for potential anomalies in BGP (i.e. hijacks) and map the prefixes back to potentially affected domains. • Students can run a quick go-tlsscan on the Alexa Top 1M to store certificate hashes (we provide the go-tlsscan tool - or even the data set, because it runs very often) • Students understand BGP and can work competently with BGPStream • Students understand BGP anomalies and odd artefacts. • Students understand one way to rule out that a BGP anomaly is an attack
Focussing Lecture Broad Context Lecture PreLab PreLab PreLab Oral Attestation exam Lab Lab Repetition of main Narrow Details learning outcome
Recommend
More recommend
