MANRS Mutually Agreed Norms for Routing Security

Similar documents
Mutually Agreed Norms for Routing Security NAME

MANRS Mutually Agreed Norms for Routing Security

MANRS Mutually Agreed Norms for Routing Security

Routing Security We can do better!

MANRS. Mutually Agreed Norms for Routing Security. Aftab Siddiqui

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

MANRS. Mutually Agreed Norms for Routing Security. Jan Žorž

Collective responsibility for security and resilience of the global routing system

Routing Is At Risk. Let's Secure It Together. Andrei Robachevsky 1

IXP Partnership: Improving Global Routing Security and Resilience

Collective responsibility for security and resilience of the global routing system

Working together to improve routing security for all

MANRS: Mutually Agreed Norms for Routing Security Routing is at Risk Let s secure it together!

Working together to improve routing security for all

Security)Track) NANOG)65)

BGP Route Hijacking - What Can Be Done Today?

The Honest Advantage

MANRS How to behave on the internet

An introduction to BGP security

The Internet Ecosystem

THE INTERNET IS FOR EVERYONE. Join us to keep the Internet open, thriving, and benefitting people around the globe.

CaribNOG13. Presentation title Client name. Shernon Osepa, Manager Regional Affairs Latin America & the Caribbean

Help Keep the Internet Strong and Open

Security in inter-domain routing

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Village Software. Security Assessment Report

APNIC s role in stability and security. Adam Gosling Senior Policy Specialist, APNIC 4th APT Cybersecurity Forum, 3-5 December 2013

An ARIN Update. Susan Hamlin Director of Communications and Member Services

Secure Development Lifecycle

Some Thoughts on Integrity in Routing

Internet Interconnection An Internet Society Public Policy Briefing

RPKI and Internet Routing Security ~ The regional ISP operator view ~

Accelerate Your Enterprise Private Cloud Initiative

The SOC 2 Compliance Handbook:

21ST CENTURY CYBER SECURITY FOR MEDIA AND BROADCASTING

Internet Exchange Points An Internet Society Public Policy Briefing

About KBC KNOW YOUR NETWORK

APNIC input to the Vietnam Ministry of Information and Communications ICT Journal on IPv6

Orchestrating Network Performance CASE STUDY

We are also organizational home of the Internet Engineering Task Force (IETF), the premier Internet standards-setting body.

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NRENs and IoT Security: Challenges and Opportunities. Karen O Donoghue TICAL 2018 Cartagena 4 September 2018

Cybersecurity. Securely enabling transformation and change

White Paper. How to Write an MSSP RFP

The UNISDR Private Sector Alliance for Disaster Resilient Societies

DDoS MITIGATION BEST PRACTICES

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

SOLUTION BRIEF Virtual CISO

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

A Measurement Study of BGP Misconfiguration

CYBERSECURITY HOW IT IS TRANSFORMING THE IT ASSURANCE FIELD

On the State of the Inter-domain and Intra-domain Routing Security

Link State Routing & Inter-Domain Routing

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

TDC 375 Network Protocols TDC 563 P&T for Data Networks

EXAM - CAS-002. CompTIA Advanced Security Practitioner (CASP) Exam. Buy Full Product.

Bringing cyber to the Board of Directors & C-level and keeping it there. Dirk Lybaert, Proximus September 9 th 2016

Securing Routing Information

Driving Global Resilience

What is ISO/IEC 20000?

Why is Office 365 the right choice?

Global Security Consulting Services, compliancy and risk asessment services

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

Nebraska CERT Conference

ARCHIVE ESSENTIALS: Key Considerations When Moving to Office 365 DISCUSSION PAPER

align security instill confidence

INTELLIGENCE DRIVEN GRC FOR SECURITY

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Security. Made Smarter.

Building UAE s cyber security resilience through effective use of technology, processes and the local people.

THE POWER OF TECH-SAVVY BOARDS:

Canada Life Cyber Security Statement 2018

ITIL and IT Service Management

What is ISO/IEC 27001?

Report on 2nd Operator Roundtable on Routing Security

Building a Resilient Security Posture for Effective Breach Prevention

A Framework for Managing Crime and Fraud

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

An Overview of ISO/IEC family of Information Security Management System Standards

A PKI For IDR Public Key Infrastructure and Number Resource Certification

Data Sheet The PCI DSS

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

building a security culture to counter emerging cybersecurity threats

Six Sigma in the datacenter drives a zero-defects culture

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

COBIT 5 With COSO 2013

How Secure is Blockchain? June 6 th, 2017

Misdirection / Hijacking Incidents

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Teradata and Protegrity High-Value Protection for High-Value Data

Grow Your Services Business

ARCHIVE ESSENTIALS

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Roadmap to the Efficient Cloud: 3 Checkpoints for the Modern Enterprise

Deploying RPKI An Intro to the RPKI Infrastructure

Secure Routing with RPKI. APNIC44 Security Workshop

Transcription:

December 2017 MANRS Mutually Agreed Norms for Routing Security Andrei Robachevsky robachevsky@isoc.org Presentation title Client name 1 Internet Society 1992 2016

The Problem A Routing Security Primer 2

Routing Basics ~60,000 networks (Autonomous Systems) across the Internet Routers use Border Gateway Protocol (BGP) to exchange reachability information - networks they know how to reach Routers build a routing table and pick the best route when sending a packet, typically based on the shortest path Routers use unique Autonomous System Numbers (ASNs) to identify themselves to all other routers 3

The Problem Caption 10/12pt Caption body copy Border Gateway Protocol (BGP) is based entirely on trust No built-in validation of the legitimacy of updates The chain of trust spans continents Lack of reliable resource data 4

Which leads to https://bgpstream.com /

No Day Without an Incident http://bgpstream.com/ 6

What s Happening? IP prefix hijack AS announces prefix it doesn t originate and wins the best route selection AS announces more specific prefix than what may be announced by originating AS AS announces it can route traffic through shorter route, whether it exists or not Packets end up being forwarded to wrong part of Internet Denial-of-Service (DoS), traffic interception, or impersonating network or service Route leaks Violation of valley-free routing (e.g. re-announcing transit provider routes to another provider) Usually due to misconfigurations, but can be used for traffic inspection and reconnaissance Can be equally devastating IP address spoofing Creation of IP packets with false source address The root cause of reflection DDoS attacks 7

Three months in Brazil 129 126 Incidents with bogon ASNs HJ 732 LK OT 8

Drag picture to placeholder or click icon to add Are There Solutions? Tools - Yes! Prefix and AS-PATH filtering, RPKI, IRR, BGPSEC under development at the IETF Whois, Routing Registries and Peering databases But Lack of deployment Lack of reliable data 9

A Tragedy of the Commons From a routing perspective, securing your own network does not necessarily make it more secure. Network security is in someone else s hands. The more hands the better the security Is there a clear, visible, and industry-supported line between good and bad? A cultural norm? 10

MANRS A vital part of the security solution 11

MANRS was founded with the ambitious goal of improving the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for Internet infrastructure. 12

Mutually Agreed Norms for Routing Security MANRS defines four concrete actions that network operators should implement Technology-neutral baseline for global adoption A minimum set of requirements MANRS builds a visible community of security-minded operators Promotes culture of collaborative responsibility 13

MANRS Actions Filtering Prevent propagation of incorrect routing information Ensure the correctness of your own announcements and announcements from your customers to adjacent networks with prefix and AS-path granularity Anti-spoofing Prevent traffic with spoofed source IP addresses Enable source address validation for at least single-homed stub customer networks, their own end-users, and infrastructure Coordination Facilitate global operational communication and coordination between network operators Maintain globally accessible up-to-date contact information Global Validation Facilitate validation of routing information on a global scale Publish your data, so others can validate 14

A Note on MANRS Limitations MANRS is an absolute minimum an operator should consider, with low risk and cost-effective Actions The more operators implement MANRS, the fewer routing incidents we will see, and the smaller will be their scope MANRS is not a one-stop solution to all of the internet s routing woes, but it is an important step toward a globally robust and secure routing infrastructure 15

Why join? 16

So, what is the business case for MANRS? (and routing security) Engaged 451 Research to better understand the attitudes and perceptions of Internet service providers and the broader enterprise community around the project 17

Comprehensive Research Study Questionnaire-based study Assessment against existing 451 Research data Common perception elements Service providers Initial targeting interviews Global demographic 25 telephone interviews Enterprise Demographics Manufacturing 19% Professional Services 14% Retail Telecommunications 14% 6% Financial Insurance 8% Enterprise Internet teams 250 web questionnaires 1,000 employee minimum Primarily North America Health 11% 8% 10% Construction Other 10% 18

What We Learned from the Study Security is Vital to Enterprises MANRS knowledge is low, but the desire for security is high Enterprises are willing to require MANRS compliance of their service providers MANRS Adds Value for Service Providers Security can help service providers differentiate from their competitors; Identifiable value in a vague market Service providers may be able to add additional revenue streams based on information security feeds and other add-on services 19

Enterprise Security Concerns Widely varying concerns across a range of issues, with traffic hijacking leading the list Security focus is aligned with types of issues MANRS is looking to address Confidence that MANRS can help long-term routing security Internet Security Concerns 74% 57% 57% 46% 28% 20

Enterprises are Willing to Pay for MANRS Significant value on security posture Median premium of 15% 13% would only choose MANRS- compliant providers Q: Would you pay a premium for MANRS compliant services? 21

Service Provider Motivations are Misaligned with Enterprise Perceptions Reasons for Implementation Most providers would implement MANRS to be more secure or for regulatory compliance Some would implement to be a good citizen or to increase efficiency 16% 36% 12% No one mentioned customer demand as a reason 36% Q: Which aspect of MANRS would provide the greatest reason for implementing for your organization? 22

Why ENTERPRISES Should Require MANRS - To improve your organizational security posture - Facilitate risk management for the supply chain. Require MANRS compliance in RFPs, tender, and purchasing processes Can be an additional factor for auditors to consider in assessments (e.g. ISO 27001:2013) - MANRS addresses the problems that enterprises care about - Traffic hijacking and detour Malicious traffic Prompt resolution of routing security incidents - MANRS provides a foundation for security value-added services - E.g. Incident Information sharing/information feeds 23

Why SERVICE PROVIDERS Should Join MANRS - To add competitive value and differentiate in a "flat", price driven market - Growing demand from enterprise customers for managed security services (info feeds) To signal security proficiency and commitment to your customers - To "lock-in" - from a connectivity provider to a security partner - Information feeds and other add-on services may increase revenue and reduce customer churn - Enterprises indicate willingness to pay more for secure services - To help solve global network problems - Lead by example and improve routing security for everyone 24 - Being part of the MANRS community can strengthen enterprise security credentials

Why to join MANRS? Improve your security posture and reduce number and impact of routing incidents Join the community of security minded ioperators Can you stand up publicly and say: I care about routing security I am prepared to spend resources on it I am prepared to be held accountable by the community Use MANRS as a competitive differentiator 25

Join Us Visit https://www.manrs.org Fill out the sign up form with as much detail as possible. We may ask questions and run tests Get Involved in the Community Members support the initiative and implement the actions in their own networks Members maintain and improve the document and promote MANRS objectives 26

MANRS Implementation Guide If you re not ready to join yet, implementation guidance is available to help you. Based on Best Current Operational Practices deployed by network operators around the world http://www.manrs.org/bcop/ 27

What s Next: MANRS Training and Certification Routing security is hard. How can we make it more accessible? The simple MANRS Implementation Guide is a 50-page document that assumes a certain level of expertise. Online training modules Based on the MANRS Implementation Guide Walks a student through the tutorial with a test at the end Working with and looking for partners that are interested in integrating it in their curricula A hands-on lab to achieve MANRS certification Completing the online modules as a first step in MANRS certification Looking for partners 28

What s Next: MANRS IXP Partnership Programme There is synergy between MANRS and IXPs IXPs form a community with a common operational objective MANRS is a reference point with a global presence useful for building a safe neighborhood How can IXPs contribute? Technical measures: Route Server with validation, alerting on unwanted traffic, providing debugging and monitoring tools Social measures: MANRS ambassador role, local audit as part of the on-boarding process A development team is working on a set of useful actions 29

LEARN MORE: https://www.manrs. org 30

Routing security & MANRS: a poll Vote link: http://etc.ch/x86z 31

Thank you. Firstname Lastname Job title surname@isoc.org Visit us at www.internetsociety.org Follow us @internetsociety Galerie Jean-Malbuisson 15, CH-1204 Geneva, Switzerland. +41 22 807 1444 32 1775 Wiehle Avenue, Suite 201, Reston, VA 20190-5108 USA. +1 703 439 2120

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback