Whitehouse Tackels Cybersecurity

Iljitsch van Beijnum iljitsch at muada.com
Fri Sep 20 22:36:27 UTC 2002


On Wed, 18 Sep 2002, Sean Donelan wrote:

> I would love to see some proposals from different ISPs how they view
> the Internet (or ISP) security architecture.  Cisco, Sun, Lucent and
> Telcordia have vendor architectures.  But what architecture work for
> real ISPs?  What can we point to as a "good" Internet security
> architecture?  Is there a difference between what works for a small,
> medium or large ISP?

What exactly do you mean by "security architecture"?

Many network security efforts seem to be inspired by Descartes. Several
centuries ago, this very smart man sat down in front of the fire several
nights in a row and started doubting everything he could possibly doubt.
Senses, memory, everything. After all, everything that seems real may in
fact be an illusion created by a "malicious demon". (No, he wasn't talking
about a worm or trojan.) I'm not sure what his conclusion, which can be
simplified as "I think, therefore I am", would translate to. Maybe "I
encrypt, therefore I am secure"?

Anyway, in our efforts to see security weaknesses everywhere, we might be
going too far. For instance, nearly all our current protocols are
completely vulnerable to a man-in-the-middle attack. If someone digs up a
fiber, intercepts packets and changes the content before letting them
continue to their destination, maybe the layer 1 guys will notice, but not
any of us IP people.

So what should we do? It seems each and every protocol is now trying to
solve the exact same problem. A better solution would be to adopt IPSec
throughout the net. But that doesn't protect you from a denial of service
attack: the man in the middle can just discard your packets. Even worse,
if you have to do crypto for every packet you receive, an attacker can
simply send packets that only turn out invalid after performing expensive
cryptographic operations and have you burn CPU cycles like it's going out
of style.

What we need are realistic expectations. Yes, the internet is vulnerable
to some degree, but the risks are nothing to worry about relative to
eating food that strangers have prepared or driving at high speed between
many bad-tempered people who are all armed with a ton of steel. For
regular day-to-day stuff such as off-topic rants and downloading
copyrighted material, the vulnerabilities that exist aren't really an
issue: the expense and effort to break into a _network_ (rather than just
some box connected to it) is not worth the gain. And for things that are
more sensitive: refer to the end-to-end principle. SSL isn't perfect, but
it's widely available. IPSec is more perfect, but less available. They'll
both run fine over the current network.

However, that doesn't mean we can lean back and do nothing. Some protocols are
really too insecure. Please be assured that these problems have the
attention of the IETF. Everyone should feel free to donate time to help
develop newer, more secure protocols or newer, more secure versions of old
ones.

In the meantime, many people are still doing things they shouldn't, and
not doing things they should. If properly implemented, it is very hard to
break BGP. But that means everyone has to use antispoofing packet filters,
have strict filtering on the routes they accept from their customers and
preferably on those they accept from their peers as well, and use TCP MD5
password protection on all BGP sessions. That's something we can all do
before the month is out and it will actually make the net more secure
without breaking anything.

Iljitsch van Beijnum
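The three BGP measures named in the last paragraph (antispoofing ingress filters, strict prefix filtering on customer and peer sessions, TCP MD5 on every session), written out as an added Cisco IOS-style configuration example that is not part of the original post. The AS numbers, addresses and key strings are documentation placeholders, and the bogon list is deliberately shortened.

```cisco
! Hypothetical ISP AS64496 with one single-homed customer (AS64497,
! assigned 203.0.113.0/24) and one peer (AS64511). Placeholders throughout.

! 1. Antispoofing: only the customer's own prefix may enter this interface.
ip access-list extended CUSTOMER-INGRESS
 permit ip 203.0.113.0 0.0.0.255 any
 deny   ip any any
!
interface GigabitEthernet0/1
 description Customer AS64497
 ip address 198.51.100.1 255.255.255.252
 ip access-group CUSTOMER-INGRESS in
 ! strict uRPF does the same job automatically on single-homed links
 ip verify unicast source reachable-via rx

! 2. Strict route filtering: from the customer accept exactly its
!    assignment, nothing longer and nothing else.
ip prefix-list FROM-AS64497 seq 10 permit 203.0.113.0/24
ip prefix-list FROM-AS64497 seq 100 deny 0.0.0.0/0 le 32
!
! From peers: drop the default route, private/martian space and anything
! longer than /24; accept the rest (shortened bogon list).
ip prefix-list FROM-PEERS seq 10 deny 0.0.0.0/0
ip prefix-list FROM-PEERS seq 20 deny 10.0.0.0/8 le 32
ip prefix-list FROM-PEERS seq 30 deny 127.0.0.0/8 le 32
ip prefix-list FROM-PEERS seq 40 deny 172.16.0.0/12 le 32
ip prefix-list FROM-PEERS seq 50 deny 192.168.0.0/16 le 32
ip prefix-list FROM-PEERS seq 60 deny 0.0.0.0/0 ge 25
ip prefix-list FROM-PEERS seq 1000 permit 0.0.0.0/0 le 24

! 3. TCP MD5 on every BGP session, customer and peer alike, plus a
!    prefix ceiling so a leak cannot flood the table.
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 description Customer AS64497
 neighbor 198.51.100.2 password CHANGE-ME-CUSTOMER-KEY
 neighbor 198.51.100.2 prefix-list FROM-AS64497 in
 neighbor 198.51.100.2 maximum-prefix 10
 !
 neighbor 192.0.2.2 remote-as 64511
 neighbor 192.0.2.2 description Peer AS64511
 neighbor 192.0.2.2 password CHANGE-ME-PEER-KEY
 neighbor 192.0.2.2 prefix-list FROM-PEERS in
 neighbor 192.0.2.2 maximum-prefix 150000
```

The MD5 key must match on both ends of each session or the session will not come up, so coordinate the change with the customer or peer before applying it.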