cybersecurity opportunities challenges apnic
DESCRIPTION
Discussion of cybersecurity opportunities and challenges and how APNIC can assist with RPKI, DNSSEC, and BCP 38 implementation to help secure the Internet's infrastructure.
TRANSCRIPT
Cyber Security Opportunities and Challenges
Adli Wahid, Security Specialist, APNIC
5th APT Cyber Security Forum, 27-29 May 2014
27 May 2014
Agenda
• Overview of APNIC
• Opportunities and challenges
  – Source address validation (Best Current Practice (BCP) 38)
  – Securing the Internet with Resource Certification
  – Effective incident response and handling (APNIC Whois Database)
  – Awareness and education
• The way forward
Overview
APNIC’s Vision: “A global, open, stable, and secure Internet that serves the entire Asia Pacific community”
Serving APNIC Members
Supporting Internet development in the Asia Pacific region
Collaborating with the Internet community
APNIC’s Mission
• Function as the RIR for the Asia Pacific, in the service of the community of Members and others
• Provide Internet registry services to the highest possible standards of trust, neutrality, and accuracy
• Provide information, training, and supporting services to assist the community in building and managing the Internet
• Support critical Internet infrastructure to assist in creating and maintaining a robust Internet environment
• Provide leadership and advocacy in support of its vision and the community
• Facilitate regional Internet development as needed throughout the APNIC community
Strategic Engagement
Technical community
• NOGs, NIR OPMs, I*, CERTs, ISOC Chapters, PACINET, PICISOC, PTC
Governmental
• APEC-TEL 47 and 48, ITU WTPF, APT, WSIS+10, ITU Connect Asia Pacific Summit, ITU Telecom World 2013, APEC TEL 49, NETmundial
IGF
• National IGFs (Nethui, auIGF), APrIGF
• Bali IGF - significant support given for fundraising and logistics
Opportunities and Challenges
• Government institutions, CERTs, Law Enforcement Agencies (LEAs) and stakeholders have been collaborating all along
• What else needs to be done?
• What are the opportunities and challenges?
BEST CURRENT PRACTICES
Internet Resources Management
Source Address Validation (BCP 38)
• Problem
  – Network providers allow traffic from IP addresses that they do not hold
  – As a result it is trivial to spoof IP addresses
  – This enables attacks such as DDoS reflection/amplification
• Recipe for amplification attacks
  – A network that allows source IP spoofing
  – Network services that respond to non-customer requests
• This is not new
  – BCP 38 has been around since 2000 (RFC 2827)
  – Also known as Network Ingress Filtering
• Is your provider allowing source address spoofing?
  – Source Address Validation Everywhere! (SAVE)
BCP 38 Ingress Packet Filtering
[Figure: the Internet, an ISP, and three customer networks: 96.0.20.0/24, 96.0.21.0/24 and 96.0.22.0/24. ISP's Customer Allocation Block: 96.0.0.0/19. BCP 38 Filter = Allow only source addresses from the customer's 96.0.X.X/24. Label on the ISP: "BCP 38 Applied Here".]
Credit: http://confluence.senki.org/pages/viewpage.action?pageId=1474569
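The filter decision from the figure above, as an added example that is not part of the original slides. The prefixes come from the figure; the interface names and the sample packets are constructed. It compares the per-customer BCP 38 check with a looser check against the whole /19.

```python
import ipaddress

# Prefixes from the slide's figure; interface names are hypothetical.
ISP_BLOCK = ipaddress.ip_network("96.0.0.0/19")
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("96.0.20.0/24")],
    "cust-b": [ipaddress.ip_network("96.0.21.0/24")],
    "cust-c": [ipaddress.ip_network("96.0.22.0/24")],
}

def ingress_permit(interface, src):
    """BCP 38 check: permit only sources inside a prefix assigned to this interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))

def block_only_permit(src):
    """Looser check for comparison: any source inside the ISP's /19 passes."""
    return ipaddress.ip_address(src) in ISP_BLOCK

def audit(packets):
    """Label each (interface, source) pair with the per-customer filter's verdict."""
    results = []
    for interface, src in packets:
        if ingress_permit(interface, src):
            verdict = "permit"
        elif block_only_permit(src):
            # Would pass a /19-wide filter, but belongs to another customer.
            verdict = "drop-other-customer"
        else:
            verdict = "drop-outside-block"
        results.append((interface, src, verdict))
    return results

# Constructed packets: (arriving interface, claimed source address).
PACKETS = [
    ("cust-b", "96.0.21.7"),
    ("cust-b", "96.0.20.5"),
    ("cust-b", "203.0.113.9"),
    ("cust-a", "96.0.20.5"),
]

if __name__ == "__main__":
    for row in audit(PACKETS):
        print(*row)
```

The second packet shows why the filter is written per customer /24: a source borrowed from a neighbouring customer still sits inside the ISP's /19.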
Resource Certification with RPKI
• Resource Public Key Infrastructure
  – Security framework to verify the association between specific IP address blocks or Autonomous System (AS) numbers and the holders of the resources
  – Uses digital certificates and public key cryptography
• Essential because:
  – Improves security of inter-domain routing. Currently, it’s based on mutual trust
  – Can prove authoritatively who uses an IP address block and what AS has announced it
• Prevents mis-origination or “Route Hijacking”
  – When an entity participating in Internet routing announces a prefix without authorization (either by mistake or with malicious intent)
[Figure: ISP A, ISP B and ISP E. The same announcement appears twice: "My AS number is 1001. My prefix is 198.58.1.0/24".]
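How a router can use resource certificates to judge an announcement, as an added example that is not part of the original slides: route origin validation as defined in RFC 6811. The first ROA entry reuses the prefix and AS number from the figure; the other entries, the maximum lengths and the announcements are constructed.

```python
import ipaddress

# Constructed validated ROA payloads: (prefix, max length, origin AS).
VRPS = [
    ("198.58.1.0/24", 24, 1001),   # prefix and AS from the slide's figure
    ("192.0.2.0/24", 24, 64500),   # illustrative
]

def validate_origin(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp_net = ipaddress.ip_network(vrp_prefix)
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue               # this ROA does not cover the route
        covered = True
        # AS 0 in a ROA never matches; it marks a prefix as not to be routed.
        if vrp_as != 0 and vrp_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by at least one ROA but matched by none: mis-origination.
    return "invalid" if covered else "not-found"

def classify(announcements):
    """Validate a list of (prefix, origin AS) announcements."""
    return [(p, a, validate_origin(p, a)) for p, a in announcements]

# Constructed announcements.
ANNOUNCEMENTS = [
    ("198.58.1.0/24", 1001),     # the certified holder
    ("198.58.1.0/24", 64496),    # same prefix, unauthorised origin
    ("198.58.1.128/25", 1001),   # longer than the ROA's max length
    ("203.0.113.0/24", 64511),   # no ROA covers this prefix
]

if __name__ == "__main__":
    for prefix, asn, state in classify(ANNOUNCEMENTS):
        print(f"{prefix:18} AS{asn:<6} {state}")
```

Origin validation compares the announced origin AS with the ROA; it does not authenticate the rest of the AS path.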
Resource Certification Benefits
• Routing information corresponds to properly delegated address resources
• Resource certification gives resource holders proof that they hold certain resources
• Resource holders can attest to those resources when distributing them
• Resource certification is a highly robust means of preventing the injection of false information into the Internet’s routing system
Resource Certification with RPKI
• Role of APNIC
  – Acts as Certificate Authority, attests that the certificate belongs to the identified party
  – Issues RPKI certificates to APNIC Members
Whois Database – Improving Incident Response and Handling
• Security incidents happen and timely response is critical
• The Incident Response Team (IRT) object requires resource holders to provide contact information
• There are opportunities to:
  – Enhance incident response and handling capabilities
  – Provide additional information for escalation (i.e. National CSIRT/CERT or relevant agency)
  – Report invalid contact information
inetnum:        202.55.176.0 - 202.55.191.255
netname:        SKYCC
descr:          SKYCC, VoIP and ISP, Ulaanbaatar, Mongolia
country:        MN
admin-c:        SD635-AP
tech-c:         TB231-AP
status:         ALLOCATED PORTABLE
remarks:        *************************************************************
remarks:        This object can only modify by APNIC hostmaster
remarks:        If you wish to modify this object details please
remarks:        send email to [email protected] with your organisation
remarks:        account in the subject line.
remarks:        *************************************************************
changed:        [email protected] 20030708
mnt-by:         APNIC-HM
mnt-lower:      MAINT-MN-SKYCC
mnt-routes:     MAINT-MN-SKYCC
mnt-irt:        IRT-SKYCC-MN
changed:        [email protected] 20081114
changed:        [email protected] 20130611
source:         APNIC

irt:            IRT-SKYCC-MN
address:        Sukhbaatar District-1,
address:        Chinggis Khan Avenue-9,
address:        Skytel Plaza building,
address:        Ulaanbaatar-13,
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        SD635-AP
tech-c:         TB231-AP
auth:           # Filtered
mnt-by:         MAINT-MN-SKYCC
changed:        [email protected] 20101210
source:         APNIC
IRT contact
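Following the mnt-irt reference from an address range to its IRT contact, as in the record above, can be scripted for incident handling. This is an added example, not part of the original slides; the whois text in it is constructed, with placeholder handles and mailboxes, and the second range deliberately has no IRT reference.

```python
# Constructed whois output in the shape of the record on the slide.
SAMPLE = """\
% constructed example, not real registry data
inetnum:        192.0.2.0 - 192.0.2.255
mnt-irt:        IRT-EXAMPLE-AP
source:         APNIC

irt:            IRT-EXAMPLE-AP
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
auth:           # Filtered
source:         APNIC

inetnum:        198.51.100.0 - 198.51.100.255
source:         APNIC
"""

def parse_objects(text):
    """Split whois output into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("%"):
            continue                      # server comment line
        if not line.strip():              # blank line ends the current object
            if current:
                objects.append(current)
            current = []
            continue
        attr, _, value = line.partition(":")
        current.append((attr.strip().lower(), value.strip()))
    return objects

def irt_contacts(text):
    """Map each inetnum range to the abuse contacts of the IRT its mnt-irt names."""
    objs = parse_objects(text)
    irts = {o[0][1]: o for o in objs if o[0][0] == "irt"}
    report = {}
    for o in objs:
        if o[0][0] != "inetnum":
            continue
        found = []
        for handle in (v for a, v in o if a == "mnt-irt"):
            irt = irts.get(handle, [])
            abuse = [v for a, v in irt if a == "abuse-mailbox"]
            found += abuse or [v for a, v in irt if a == "e-mail"]
        report[o[0][1]] = found           # empty list: no usable IRT contact
    return report
```

A range that maps to an empty list has no usable IRT contact, which is the case the slide's escalation and invalid-contact reporting bullets address.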
Awareness and Education
• Reaching out to operators (resource holders) and relevant stakeholders is important to create awareness and ability to apply best current practices
• Challenges:
  – Cost and availability of subject matter experts
• APNIC provides training at events across the region as well as online
  – training.apnic.net
• Topics include
  – BGP, IPv6, DNSSEC, Network Security and much more
Recent and Upcoming Events
• Bangladesh Network Operators Group 1 Workshop and Conference
  – 19 – 24 May 2014 in Dhaka, Bangladesh
  – 3-day Workshops, 1-day tutorial and 2-day conference
  – 90 participants for 3 workshops
    • Network Security
    • Routing/BGP
    • Virtualization
• Internet Investigation Training Day
  – 9 July 2014, New Zealand
  – 1-day tutorial on how the Internet works
  – Focused on LEA engagement
  – Collaboration with ICANN, APTLD, .nz DNC, New Zealand police
The Way Forward
• Infrastructure security issues are part of the bigger picture and must be addressed
• The full impact of security controls may only be realized if everyone implements them
  – Relevant stakeholders and operators must make things happen
• Awareness and education activities are at the core of all of the above
• Let’s work together!
You’re Invited!
• APNIC 38: Brisbane, Australia, 9-19 Sep 2014
• APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015
THANK YOU
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir