
Presenter: Mark Elkins Topic: Things not getting done

Things not getting done. Mark Elkins, AfriNIC-17, mje@posix.co.za. Technical solutions exist and are universally accepted, yet: DNSSEC, IPv6 enablement, Telnet elimination, egress filtering of routes.


Presentation Transcript


  1. Presenter: Mark Elkins Topic: Things not getting done

  2. Things not getting done Mark Elkins AfriNIC-17 mje@posix.co.za

  3. Technical solutions exist and are universally accepted, yet...
     • DNSSEC
     • IPv6 enablement
     • Telnet elimination
     • Egress filtering of routes

  4. DNSSEC
     • The Domain Name System (DNS) set of security extensions which provide some additional levels of security atop DNS
     • This refers both to:
       • signing zones
       • operating validating servers (http://dnssec.co.za)
     • Using DNSSEC-aware applications (dnssec validator)
     • DNSSEC Training (http://dnstraining.coza.net.za)
     DANE: DNS-Based Authentication of Named Entities (SSL, SMTP, S/MIME, XMPP, etc.)

  5. IPv6 Enablement
     Production implementation of the IPv6 protocol including public accessibility, routing, and availability of all IPv4 public services over IPv6.
     • Get an allocation from AfriNIC (it's often free)
     • Dual stack your core, peering and transit
     • Dual stack web, nameservers and e-mail
     • Dual stack your customers

  6. Telnet elimination
     • Should be eliminated in favour of more secure protocols like SSH
     • Consider a similar treatment for
       • POP3/IMAP
       • E-Mail

  7. Egress Filtering of Routes
     Implementation of security policies at the router level, restricting traffic between networks which do not meet routing policy (BCP38).
     • Filter to only allow your networks to leave your network

  8. Technical solutions exist but fair-minded people debate the need
     • Route Registry
     • Secure HTTP (HTTPS)
     • Route Aggregation
     • Mail Submission

  9. Route Registry
     • Database of routing objects, provided by the RIRs and other organizations, for configuring routers and establishing/maintaining routing policy.
     • Possible starting point for RPKI

  10. HTTPS
     Hypertext Transfer Protocol Secure is a preferred communication protocol over the Internet when compared to HTTP alone. We need to encourage implementation by applications.
     • Combine with DNSSEC and DANE

  11. Route aggregation
     Active management of routes, routing slots, routing policy, and prefixes to structure IP address blocks in a hierarchical manner, optimizing Classless Inter-Domain Routing (CIDR).

  12. Mail Submission
     Securing the origination of e-mails by blocking port 25 (SMTP) and only accepting e-mails on port 587 (submission), which can be both authenticated (user/passwd) and encrypted (SSL/TLS).
     • Effectively eliminate SPAM generation from mail robots
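
The rule on slide 7 ("only allow your networks to leave your network"), applied to outbound packet sources and route announcements. This is an added example, not part of the original presentation; the prefixes are documentation ranges and every record is constructed for illustration.

```python
import ipaddress

# Constructed allocation using documentation ranges (an assumption, not from the slides).
OWN_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]

# Constructed egress records (kind, value); not real traffic.
SAMPLE_RECORDS = [
    ("packet", "192.0.2.17"),        # our own address space
    ("packet", "10.1.2.3"),          # private source leaking out
    ("packet", "203.0.113.9"),       # source outside our allocation
    ("route", "198.51.100.0/25"),    # more-specific of our own block
    ("route", "198.51.0.0/16"),      # covers space we do not hold
    ("packet", "2001:db8:42::1"),    # our own IPv6 space
    ("packet", "not-an-address"),    # malformed input
]


def load_prefixes(prefixes):
    """Parse prefixes and aggregate them, keeping IPv4 and IPv6 apart."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # collapse_addresses() rejects mixed versions, so aggregate per family.
    return {
        version: list(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
        for version in (4, 6)
    }


def may_leave(value, own):
    """True only if the address or prefix lies wholly inside our own space."""
    try:
        net = ipaddress.ip_network(value)  # a bare address becomes a /32 or /128
    except ValueError:
        return False  # fail closed on anything unparseable
    return any(net.subnet_of(block) for block in own[net.version])


def audit(records, own):
    """Return the records an egress filter should drop."""
    return [(kind, value) for kind, value in records
            if not may_leave(value, own)]


if __name__ == "__main__":
    own = load_prefixes(OWN_PREFIXES)
    for kind, value in audit(SAMPLE_RECORDS, own):
        print(f"DROP {kind:6} {value}")
```

The same containment test covers both cases: a spoofed or private source address and an announcement wider than the holder's allocation both fail `subnet_of` against the aggregated list.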
