1 / 16

Secure Internet Solutions

Secure Internet Solutions. Geoff Huston Chief Scientist, Internet Telstra. User Beware. I am not a security expert I am a simple consumer of security solutions as a user of Internet-based secure services and applications. User Beware. No security system is absolute

oprah-bass
Download Presentation

Secure Internet Solutions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra

  2. User Beware • I am not a security expert • I am a simple consumer of security solutions as a user of Internet-based secure services and applications

  3. User Beware • No security system is absolute • All security measures mitigate risk, not eliminate it • Security measures obey the law of diminishing return • Determine what level of risk is acceptable • Constantly review risk assumptions

  4. The Issues • Risks and vulnerabilities • DNS hijacking • Cache hijacking • Routing hijacking • Identity hijacking • Session hijacking • Session monitoring • The Internet’s base trust model is very basic • Security is an overlay, not an intrinsic property of the network itself

  5. Secure Solutions • What are the problems to be addressed? • Identity authentication • Application authentication • Third party intervention • monitoring • awareness • alteration • disruption or denial • hijacking

  6. Security has many dimensions • Secure end-to-end IP conversations • Secure application-to-application conversations • Authenticated communications • Secure transport systems • Secure VPNs

  7. Security Building Blocks • IPSEC + IKE • End-to-End transport • Gateway-to-Gateway transport • Includes header and payload checksum • Includes payload encryption • Compute load is high • IKE is not absolutely robust (evidently) • Cannot tolerate NATs in the transport path • Used in CPE devices for overlay VPNs

  8. Security Building Blocks • TLS (HTTPS) • Application-level payload encryption • Weak key exchange model • Prevents interception monitoring of the application traffic • No authentication

  9. Security Building Blocks • SSH • Secure telnet tunnels • Secure encrypted conversation between a roaming satellite and a SSH server • Supports tunnels for application access (using NAT at the server) • Used to support extensions of corporate access into public Internet environments • Road Warrior tools

  10. Security Building Blocks • Public Key Infrastructure (PKI) • Public / Private key infrastructure • Allows for third party validation of identity of the end systems • Allows for use of keys to perform encryption • Keys normally associated with the host system, not the user of the host

  11. Security Building Blocks • Secure Transport Systems • Data-link layer encryption • e.g. WEP for Wi-FI • Caveat regarding potential regulatory requirements for clear payload interception • Not end-to-end • No authentication

  12. Secure VPNs • Overlay VPNs with CPE-to-CPE IPSEC tunnels • Issues with TCP MTU negotiation • Issues with performance • Issues with key management • Vendor equipment available • Common VPN solution

  13. Secure VPNs • 2547bis MPLS VPNS • Use MPLS to switch from PE to PE across the provider core • Further encryption of payload not strictly necessary (VC-style functionality) • Requires explicit provider support • Inter-provider interoperability limited

  14. Secure Roaming • IPSEC tunnel as overlay on dial PPP access • SSH tunnel as overlay on access

  15. Secure Application Services • Certificates are excellent • Requires initial overhead on certificate exchange • Good browser support • But not portable across hosts • User/password + TLS is more flexible, but at a cost of higher vulnerability

  16. Discussion • Security is an overlay across the Internet, not an intrinsic part of the network itself • Many security incidents are evidently the outcome of social rather than technical engineering

More Related