Re: [nanog-offtopic] Re: Whitehouse Tackels Cybersecurity

2002-09-20 Thread Nathan J. Mehl


In the immortal words of Gregory Hicks ([EMAIL PROTECTED]):
> There IS another list that goes to about the same group of people...
> 
> NANOG-OT  [EMAIL PROTECTED]

Indeed.  It's rather underutilized these days -- there was a spasm of
activity right after 9/11, when I created it -- but it's still there,
and I should probably advertise it a bit more often.

So, a friendly reminder: help keep NANOG's signal-to-noise ratio high!
Please subscribe to [EMAIL PROTECTED], and migrate
digressive conversations there.  Only you can prevent nonoperational
nattering, etc.

To subscribe, send mail to [EMAIL PROTECTED]
and reply to the confirm message it will generate.

-n

<[EMAIL PROTECTED]>
Transported to a surreal landscape, a young girl kills the first woman she 
meets and then teams up with three complete strangers to kill again.
  (-- TV listing for the movie, The Wizard of Oz, in the Marin Paper.)




Re: Whitehouse Tackels Cybersecurity

2002-09-20 Thread Iljitsch van Beijnum


On Wed, 18 Sep 2002, Sean Donelan wrote:

> I would love to see some proposals from different ISPs how they view
> the Internet (or ISP) security architecture.  Cisco, Sun, Lucent and
> Telcordia have vendor architectures.  But what architecture works for
> real ISPs?  What can we point to as a "good" Internet security
> architecture?  Is there a difference between what works for a small,
> medium or large ISP?

What exactly do you mean by "security architecture"?

Many network security efforts seem to be inspired by Descartes. Several
centuries ago, this very smart man sat down in front of the fire several
nights in a row and started doubting everything he could possibly doubt.
Senses, memory, everything. After all, everything that seems real may in
fact be an illusion created by a "malicious demon". (No, he wasn't talking
about a worm or trojan.) I'm not sure what his conclusion, which can be
simplified as "I think, therefore I am", would translate to. Maybe "I
encrypt, therefore I am secure"?

Anyway, in our efforts to see security weaknesses everywhere, we might be
going too far. For instance, nearly all our current protocols are
completely vulnerable to a man-in-the-middle attack. If someone digs up a
fiber, intercepts packets and changes the content before letting them
continue to their destination, maybe the layer 1 guys will notice, but not
any of us IP people.

So what should we do? It seems each and every protocol is now trying to
solve the exact same problem. A better solution would be to adopt IPSec
throughout the net. But that doesn't protect you from a denial of service
attack: the man in the middle can just discard your packets. Even worse,
if you have to do crypto for every packet you receive, an attacker can
simply send packets that only turn out invalid after performing expensive
cryptographic operations and have you burn CPU cycles like it's going out
of style.

What we need are realistic expectations. Yes, the internet is vulnerable
to some degree, but the risks are nothing to worry about relative to
eating food that strangers have prepared or driving at high speed between
many bad-tempered people who are all armed with a ton of steel. For
regular day-to-day stuff such as off-topic rants and downloading
copyrighted material, the vulnerabilities that exist aren't really an
issue: the expense and effort to break into a _network_ (rather than just
some box connected to it) is not worth the gain. And for things that are
more sensitive: refer to the end-to-end principle. SSL isn't perfect, but
it's widely available. IPSec is more perfect, but less available. They'll
both run fine over the current network.

However, that doesn't mean we can lean back and do nothing. Some protocols are
really too insecure. Please be assured that these problems have the
attention of the IETF. Everyone should feel free to donate time to help
develop newer, more secure protocols or newer, more secure versions of old
ones.

In the meantime, many people are still doing things they shouldn't, and
not doing things they should. If properly implemented, it is very hard to
break BGP. But that means everyone has to use antispoofing packet filters,
have strict filtering on the routes they accept from their customers and
preferably on those they accept from their peers as well, and use TCP MD5
password protection on all BGP sessions. That's something we can all do
before the month is out and it will actually make the net more secure
without breaking anything.

Iljitsch van Beijnum




Re: Whitehouse Tackels Cybersecurity

2002-09-20 Thread Gregory Hicks


There IS another list that goes to about the same group of people...

NANOG-OT  [EMAIL PROTECTED]

Just a thought...

Regards,
Gregory Hicks

> Date: Fri, 20 Sep 2002 14:39:08 +0200
> From: Brad Knowles <[EMAIL PROTECTED]>
> 
> At 8:05 AM -0400 2002/09/20, Susan Harris wrote:
> 
> >  Brad, this message contains no technical content.  Please keep political
> >  commentary in private email. Refer to the NANOG list AUP:
> >
> > http://www.nanog.org/aup.html
> >
> >  Upon your next AUP violation, we'll need to remove your posting privileges
> >  from the list.
> >
> >  Susan Harris, Ph.D.
> >  Merit Network/Univ. of Mich.
> 
>   If I'm going to get one of these messages every time I submit 
> something to the list, then you might as well go ahead and 
> unsubscribe me now.
> 
>   If the list isn't about discussion, and other people continue to 
> post on the same subjects but don't get treated the same way, then 
> you have some very serious personal issues that you need to resolve.
> 
> -- 
> Brad Knowles, <[EMAIL PROTECTED]>
> 
> "They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety."
>  -Benjamin Franklin, Historical Review of Pennsylvania.
> 
> GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
> O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
> tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)

---
Gregory Hicks| Principal Systems Engineer
Cadence Design Systems   | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1  | Fax:  408.894.3400
San Jose, CA 95134   | Internet: [EMAIL PROTECTED]

"The trouble with doing anything right the first time is that nobody
appreciates how difficult it was."

When a team of dedicated individuals makes a commitment to act as
one...  the sky's the limit.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

You can have it done good, fast, or cheap -- pick any two.




Re: Whitehouse Tackels Cybersecurity

2002-09-20 Thread Brad Knowles


At 8:05 AM -0400 2002/09/20, Susan Harris wrote:

>  Brad, this message contains no technical content.  Please keep political
>  commentary in private email. Refer to the NANOG list AUP:
>
>   http://www.nanog.org/aup.html
>
>  Upon your next AUP violation, we'll need to remove your posting privileges
>  from the list.
>
>  Susan Harris, Ph.D.
>  Merit Network/Univ. of Mich.

If I'm going to get one of these messages every time I submit 
something to the list, then you might as well go ahead and 
unsubscribe me now.

If the list isn't about discussion, and other people continue to 
post on the same subjects but don't get treated the same way, then 
you have some very serious personal issues that you need to resolve.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)



Re: Whitehouse Tackels Cybersecurity

2002-09-19 Thread Sean Donelan


On Thu, 19 Sep 2002, batz wrote:
> From a security perspective, the recommendations in this report are
> the same things that have been advocated for the last decade. In fact
> it looks like many of these recommendations could have been culled from the
> various vulnerability assessment report templates I have seen and even
> used over the years.  I don't mean to undermine the importance of the
> strategy, but I think its impact will be through adding weight to us
> Cassandras in the security industry.

People expecting the government to wave a magic wand and make us all safe
will be disappointed.  Security consulting firms probably aren't going to
get a windfall from the publication of the national strategy. But if you
had more modest goals, the strategy did accomplish some things.

Despite the daily drumbeat of vulnerability announcements, there really
aren't any new fundamental causes of security problems.  The National
Academies of Sciences published a report last year recapping 10 years of
computer and network security studies.  http://www.nap.edu/catalog/10274.html
The particular instance may change, but the classes of security problems
are unchanging.

Although the security problems are the same, the solutions can change. In
the 1980's I had a Multics/Dockmaster account.  Multics may have been
secure, but the system sucked.  Perimeter firewalls may not be the
security solution for the next decade.  Would anti-virus software
become obsolete with a better kernel? Are the same password  rules
we had for our one mainframe account applicable in today's web with
dozens of "logons"?

I think we need to re-evaluate our best solutions for our security
problems.

That National Cybersecurity Strategy did a nice job of collecting the
problems from all groups into one document, and showing an interdependence
between the groups.  Simply securing one industry, company or home user
isn't enough to solve the problem.  I'm especially pleased that at least
part of the US government now seems to recognize that security is more
than just secrecy.

Could the government move faster?

It took over 15 years from the introduction of seat belts on an American
car until they became "standard" items in American cars.  The government
only "mandated" seat belts after most car makers were already offering
them.  There were a lot of studies along the way.  A democratic government
can't get too far out in front of the public.

American Seat Belt History (http://www.lemurzone.com/airbag/belts.htm)

1947 The first time seat belts were offered in an American car was the
 Tucker. The state of the art then were Lap belts.
1956 Ford introduces seat belts in American cars
1964 Seatbelts became a "standard" feature in American cars
1966 Rear Seatbelts became Standard
1967 Front Seatbelts became Mandatory
1968 Shoulder Belts became Mandatory

Nevertheless, seat belts won't help unless the driver buckles up.




Re: Whitehouse Tackels Cybersecurity

2002-09-19 Thread Brad Knowles


At 6:03 PM -0400 2002/09/19, batz wrote:

>  Well, I think the consensus was just handed to you in the form of a national
>  mandate. In fact, I think this looks like an excellent premise for
>  a business plan for a security consulting and managed services firm.

Can you say "Counterpane Systems"?  I knew you could.


Thing is, if this does turn out to be a big win for them, I 
figure they'll actually do what is right and not what the government 
says.

Maybe that's why they probably won't be the real "winners" out of this.



Anyone want to make any guesses as to who's going to be the 
Microsoft of US Government-mandated computer security?  Hmmm 
Maybe Microsoft?  Why not?  They bought the government to begin with 
and the top computer security guy in the administration used to work 
for them, so it only makes sense that they would reap the windfall.

-- 
Brad Knowles, <[EMAIL PROTECTED]>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
 -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+() DI+() D+(++) G+() e++> h--- r---(+++)* z(+++)



Re: Whitehouse Tackels Cybersecurity

2002-09-19 Thread batz


On Wed, 18 Sep 2002, Sean Donelan wrote:

:Is the telephone security model better than the Internet security model?
:It depends on who you ask.  They both have interesting security issues.
:Unfortunately, a lot of it is based on perception on both sides, and only
:a little on fact.

Indeed, I am currently trying to retrofit security features onto a routed
network designed by people who evidently have a better understanding of
switching. It is no coincidence that they just happen to be telco network 
architects.  (I can't believe I am still describing the importance of 
DNS to people in 2002, but I digress..) 

IMHO, the telco model is based on the notion of delivering services
from a set of tiered providers instead of facilitating the 
interconnection of relatively autonomous networks. It's pretty
much a difference of philosophical worldviews. While there is 
some conceptual overlap between them, they are not particularly 
isometric.  

From a security perspective, the recommendations in this report are 
the same things that have been advocated for the last decade. In fact
it looks like many of these recommendations could have been culled from the
various vulnerability assessment report templates I have seen and even
used over the years.  I don't mean to undermine the importance of the
strategy, but I think its impact will be through adding weight to us
Cassandras in the security industry. 

Maybe they'll legislate Cisco's SAFE architecture on us all? ;) 

:I can draw Internet security architectures until my fingers fall off, but
:they won't have the impact of industry consensus.

Well, I think the consensus was just handed to you in the form of a national
mandate. In fact, I think this looks like an excellent premise for
a business plan for a security consulting and managed services firm. 

Got Capital? 

Cheers, 


--
batz




Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Sean Donelan


On Wed, 18 Sep 2002, Iljitsch van Beijnum wrote:
> Wow, we should all start using out of band management. Anyone think it is
> feasible to do management of an IP network exclusively out of band?

Welcome to my nightmare.

Getting ISPs to participate is always difficult. I encourage ISPs to read
the draft and send in their comments to the White House.  Otherwise,
because they are the ones participating, the future Internet security
architecture will probably look like what a big telco thinks is a good
security model. Why separate the circuit into 2B+D, just give me all the
bandwidth.

Is the telephone security model better than the Internet security model?
It depends on who you ask.  They both have interesting security issues.
Unfortunately, a lot of it is based on perception on both sides, and only
a little on fact.

I would love to see some proposals from different ISPs how they view
the Internet (or ISP) security architecture.  Cisco, Sun, Lucent and
Telcordia have vendor architectures.  But what architecture works for
real ISPs?  What can we point to as a "good" Internet security
architecture?  Is there a difference between what works for a small,
medium or large ISP?

I can draw Internet security architectures until my fingers fall off, but
they won't have the impact of industry consensus.





Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Iljitsch van Beijnum


On Wed, 18 Sep 2002, Jared Mauch wrote:

> > And BGP should be more secure. What is the problem we should be trying to
> > fix here? There is a "Secure BGP" draft:
> > http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt

>   I think the problem that people are attempting to address is
> the fact that most interprovider bgp sessions are unfiltered and
> this can cause significant problems if someone starts leaking
> improper routes or decides to do something malicious.

>   Authentication of routing announcements is seen as better than
> "just letting it all slosh around".

It does. But the problem is that what you can know to be good is very
likely to be a lot less than what is actually good. So if you simply start
requiring authentication, you're going to break reachability in some
places.

> > I read solutions (well, avenues for possible solutions) without a good
> > indication of what the problem is. (That goes for both the Secure
> > Cyberspace and S-BGP drafts.)

>   Well, there are significant problems today with router
> architecture that prevent s-bgp and other things from being deployed.
> Namely start looking at those still using 2500/4500/4700 for bgp in
> their networks (yes people still do this) and then ask it to do some
> major cryptographic authentication...  The hardware is not designed
> for this.

The protocols aren't designed for it either. This is a good thing, because
every router can run the necessary protocols autonomously. But it also
means a huge duplication of effort. It seems pretty ridiculous to me to
have each and every router do strong crypto on each and every BGP update.
This kind of stuff should run on centralized servers with adequate disk
capacity to cache results.

The hard part is integrating such a solution into what we have now. I'm
thinking of a protocol that enables BGP routers to consult "policy
servers" about the updates they receive. When very strict security is
required, the router waits for the PS to clear the update before allowing
it, but in a less strict setup the router could process updates and remove
the routes later if the PS doesn't like them. In this case, loss of the PS
doesn't break the network. So we still have autonomy and implementing new
security features becomes much easier because only the policy servers have
to know about them.

>   When "W" goes surfing the net at night to shop for things
> on ebay and can't get there because someone is improperly announcing
> a /24 to hijack/DoS them,

Announcing a /24 you have no business announcing is a VERY hard thing to
do. The overwhelming majority of all ISPs has strict filtering on BGP
announcements from customers. Now if the same were true for source address
filtering for IP packets, it would be possible to adequately filter DoS
traffic (unless massively distributed in nature).

> these are the things that they will suggest
> down that there needs to be authentication and centralized routing
> data created.

Actually this particular BGP weakness isn't that hard to address: you only
need to verify the first few AS numbers in the path and the prefix using a
routing registry. You don't even need any crypto (in BGP, at least) for
that. And if you want to make it really secure you can add a signature
attribute at the source. That costs extra memory in routers, but it's
doable.

My problems are with the assumption in the S-BGP draft that information in
BGP must be protected against modification by routers it passes
legitimately. I think some reasonable level of trust is necessary. After
all, we trust others to prepare our food, stop for a red light when we
cross the road and so on.

Or maybe we can all promise to password protect our BGP sessions?
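
An added illustration of the two ideas in the message above, not part of the original thread or any poster's code: a registry check on the prefix and the AS numbers nearest the origin, run by a "policy server" that a router consults in strict or loose mode. The registry records, AS numbers, the `upstreams` field, the rule that a covering route object validates more-specifics, and the strict-mode rule that only "valid" routes are installed are all assumptions made for the example.

```python
import ipaddress

# Constructed registry records: documentation prefixes, private-use ASNs.
REGISTRY = [
    {"prefix": "192.0.2.0/24", "origin": 64500, "upstreams": {64510}},
    {"prefix": "198.51.100.0/24", "origin": 64501, "upstreams": {64510, 64511}},
]


def check_update(prefix, as_path, registry=REGISTRY):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    as_path is in received order: nearest AS first, origin AS last.
    """
    net = ipaddress.ip_network(prefix)
    covering = []
    for rec in registry:
        rec_net = ipaddress.ip_network(rec["prefix"])
        if rec_net.version == net.version and net.subnet_of(rec_net):
            covering.append(rec)
    if not covering:
        return "unknown"  # registry is silent; that is not proof of a bad route
    # Collapse AS-path prepending so a repeated ASN counts once.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    if not path:
        return "invalid"
    origin = path[-1]
    for rec in covering:
        if rec["origin"] != origin:
            continue
        # The AS next to the origin, if any, must be a registered upstream.
        if len(path) == 1 or path[-2] in rec["upstreams"]:
            return "valid"
    return "invalid"


class Router:
    """Toy model of a BGP speaker that defers to a policy server (PS)."""

    def __init__(self, strict):
        self.strict = strict
        self.rib = {}      # installed routes: prefix -> AS path
        self.pending = {}  # updates still awaiting a PS verdict

    def receive(self, prefix, as_path):
        self.pending[prefix] = as_path
        if not self.strict:
            self.rib[prefix] = as_path  # loose: install now, audit later

    def apply_verdicts(self, policy_server):
        """policy_server is a callable like check_update, or None if down."""
        if policy_server is None:
            return  # loose routes keep forwarding; strict ones keep waiting
        for prefix, path in list(self.pending.items()):
            verdict = policy_server(prefix, path)
            del self.pending[prefix]
            if self.strict:
                if verdict == "valid":  # assumption: strict admits only valid
                    self.rib[prefix] = path
            elif verdict == "invalid":  # loose removes only proven-bad routes
                self.rib.pop(prefix, None)
```

The "unknown" verdict is where the two modes differ: loose mode keeps forwarding on routes the registry cannot vouch for, while strict mode trades that reachability for certainty.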




Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Jared Mauch


On Wed, Sep 18, 2002 at 07:31:41PM +0200, Iljitsch van Beijnum wrote:
> 
> On Wed, 18 Sep 2002, Steven M. Bellovin wrote:
> 
> > See http://www.whitehouse.gov/pcipb/
> 
> Wow, we should all start using out of band management. Anyone think it is
> feasible to do management of an IP network exclusively out of band?
> 
> And BGP should be more secure. What is the problem we should be trying to
> fix here? There is a "Secure BGP" draft:
> http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt

I think the problem that people are attempting to address is
the fact that most interprovider bgp sessions are unfiltered and
this can cause significant problems if someone starts leaking
improper routes or decides to do something malicious.

Authentication of routing announcements is seen as better than
"just letting it all slosh around".

> Implementing this may make BGP very secure, but it will make the internet
> as a whole much less reliable because routing will no longer be a function
> that can be performed autonomously by routers, but something that's tied
> into a global (public key) infrastructure. An infrastructure that depends
> on routing to work... Hello circularity.

Well, you need to have graded levels of trust.  You will trust
your upstream more than your customers obviously.  But yeah, there
do become some issues if people aren't doing local mirroring of
the dataset and they break their configs badly and need to
reconfigure.  This does increase the barrier to entry significantly
in getting your announcements out there.

> I read solutions (well, avenues for possible solutions) without a good
> indication of what the problem is. (That goes for both the Secure
> Cyberspace and S-BGP drafts.)

Well, there are significant problems today with router
architecture that prevent s-bgp and other things from being deployed.
Namely start looking at those still using 2500/4500/4700 for bgp in
their networks (yes people still do this) and then ask it to do some
major cryptographic authentication...  The hardware is not designed
for this.  Even a reasonable amount of today's 'modern' hardware may not
be able to handle this due to the centralized architecture.  (take the
above router types as example as well as any others that don't have
distributed forwarding).

When "W" goes surfing the net at night to shop for things
on ebay and can't get there because someone is improperly announcing
a /24 to hijack/DoS them, these are the things that they will suggest
down that there needs to be authentication and centralized routing
data created.  Take a look at the LERG sometime if you have the
ability to see it.  Lists the CLLI for each NPA-NXX that you are required
to deliver the call to.  There are those that understand that
there are more complicated lookups involved but without people
from the industry providing feedback and playing hawk on the gov't,
we may not like what they come up with if we don't get people involved.

- jared

-- 
Jared Mauch  | pgp key available via finger from [EMAIL PROTECTED]
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.



Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Iljitsch van Beijnum


On Wed, 18 Sep 2002, Steven M. Bellovin wrote:

> See http://www.whitehouse.gov/pcipb/

Wow, we should all start using out of band management. Anyone think it is
feasible to do management of an IP network exclusively out of band?

And BGP should be more secure. What is the problem we should be trying to
fix here? There is a "Secure BGP" draft:
http://www.ir.bbn.com/projects/sbgp/draft-clynn-s-bgp-protocol-00a.txt

Implementing this may make BGP very secure, but it will make the internet
as a whole much less reliable because routing will no longer be a function
that can be performed autonomously by routers, but something that's tied
into a global (public key) infrastructure. An infrastructure that depends
on routing to work... Hello circularity.

I read solutions (well, avenues for possible solutions) without a good
indication of what the problem is. (That goes for both the Secure
Cyberspace and S-BGP drafts.)




Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Steven M. Bellovin


In message <[EMAIL PROTECTED]>, "Eric A. Hall" writes:
>
>
>on 9/18/2002 10:12 AM Sean Donelan wrote:
>> On Wed, 18 Sep 2002 [EMAIL PROTECTED] wrote:
>> 
>>>A little flavor of what I'd alluded to in some of the previous
>>>threads.  Any guesses what the proposal to change both BGP and DNS to
>>>improve security might entail??
>> 
>> The official document should be posted on WhiteHouse.GOV later today.
>
>Is it on again?

See http://www.whitehouse.gov/pcipb/

A news story I saw said that they're treating this as a draft, too, and 
asking for two months of public comment.


--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)





Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Eric A. Hall



on 9/18/2002 10:12 AM Sean Donelan wrote:
> On Wed, 18 Sep 2002 [EMAIL PROTECTED] wrote:
> 
>>A little flavor of what I'd alluded to in some of the previous
>>threads.  Any guesses what the proposal to change both BGP and DNS to
>>improve security might entail??
> 
> The official document should be posted on WhiteHouse.GOV later today.

Is it on again?

  Feds Delay Release of Cyber-Security Plan
  http://www.eweek.com/article2/0,3959,538677,00.asp

  September 17, 2002

  The White House has decided to delay the release of its long-awaited
  cyber-security plan in an effort to gain more input from industry
  executives and government officials.

  Richard Clarke, chairman of the President's Critical Infrastructure
  Protection Board, has been planning for months to release the National
  Strategy to Secure Cyberspace Wednesday at a high-level event in Silicon
  Valley. But the board instead will release a draft of the strategy and
  will go back to private industry and public sector experts to seek more
  suggestions for the final plan, according to sources.

  [...]

-- 
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols  http://www.oreilly.com/catalog/coreprot/




Re: Whitehouse Tackels Cybersecurity

2002-09-18 Thread Sean Donelan


On Wed, 18 Sep 2002 [EMAIL PROTECTED] wrote:
> A little flavor of what I'd alluded to in some of the previous
> threads.  Any guesses what the proposal to change both BGP and DNS to
> improve security might entail??

The official document should be posted on WhiteHouse.GOV later today.  An
almost final draft copy was leaked on the net yesterday.

http://www.infowarrior.org/draftstrategy.pdf

DNSSEC and S-BGP have been mentioned as possible solutions. Technically
some of the proposals are very elegant.  However, we have to be careful
about introducing more complexity into the system than necessary.  Over
the last year we've seen several errors in the implementation of several
security protocols. I don't believe security people are any better
programmers than application people. What I worry about more is we are
developing extremely secure, and complex methods for protecting garbage.
Garbage-In, Garbage-Out.





Whitehouse Tackels Cybersecurity

2002-09-18 Thread sgorman1


A little flavor of what I'd alluded to in some of the previous 
threads.  Any guesses what the proposal to change both BGP and DNS to 
improve security might entail??

White House tackles cybersecurity
By Declan McCullagh Special to ZDNet News September 16, 2002, 6:58 PM 
PT
http://zdnet.com.com/2100-1105-958159.html

The White House's cyberspace security plan, scheduled to be released 
Wednesday, envisions a broad new role for the federal government in 
maintaining Internet security.