Secure Internet Solutions: Geoff Huston, Chief Scientist, Internet, Telstra
TRANSCRIPT
![Page 1: Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra](https://reader036.vdocuments.mx/reader036/viewer/2022082805/55148cc1550346b2598b50c0/html5/thumbnails/1.jpg)
Secure Internet Solutions
Geoff Huston, Chief Scientist, Internet, Telstra
User Beware
- I am not a security expert
- I am a simple consumer of security solutions, as a user of Internet-based secure services and applications
User Beware
- No security system is absolute
- All security measures mitigate risk, not eliminate it
- Security measures obey the law of diminishing return
- Determine what level of risk is acceptable
- Constantly review risk assumptions
The Issues
- Risks and vulnerabilities: DNS hijacking, cache hijacking, routing hijacking, identity hijacking, session hijacking, session monitoring
- The Internet's base trust model is very basic
- Security is an overlay, not an intrinsic property of the network itself
Secure Solutions
What are the problems to be addressed?
- Identity authentication
- Application authentication
- Third party intervention: monitoring, awareness, alteration, disruption or denial, hijacking
Security has many dimensions
- Secure end-to-end IP conversations
- Secure application-to-application conversations
- Authenticated communications
- Secure transport systems
- Secure VPNs
Security Building Blocks
IPSEC + IKE
- End-to-end transport
- Gateway-to-gateway transport
- Includes header and payload checksum
- Includes payload encryption
- Compute load is high
- IKE is not absolutely robust (evidently)
- Cannot tolerate NATs in the transport path
- Used in CPE devices for overlay VPNs
Security Building Blocks
TLS (HTTPS)
- Application-level payload encryption
- Weak key exchange model
- Prevents interception monitoring of the application traffic
- No authentication
Security Building Blocks
SSH
- Secure telnet tunnels
- Secure encrypted conversation between a roaming satellite and an SSH server
- Supports tunnels for application access (using NAT at the server)
- Used to support extensions of corporate access into public Internet environments
- Road Warrior tools
Security Building Blocks
Public Key Infrastructure (PKI)
- Public / private key infrastructure
- Allows for third party validation of identity of the end systems
- Allows for use of keys to perform encryption
- Keys normally associated with the host system, not the user of the host
Security Building Blocks
Secure Transport Systems
- Data-link layer encryption, e.g. WEP for Wi-Fi
- Caveat regarding potential regulatory requirements for clear payload interception
- Not end-to-end
- No authentication
Secure VPNs
- Overlay VPNs with CPE-to-CPE IPSEC tunnels
  - Issues with TCP MTU negotiation
  - Issues with performance
  - Issues with key management
- Vendor equipment available
- Common VPN solution
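To make the "TCP MTU negotiation" issue concrete, here is an added example (not part of the talk): it computes the on-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation and the TCP MSS a CPE would need to clamp to so that tunnelled segments still fit a 1500-byte outer MTU. The cipher parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV, IPv4 headers without options) are assumptions.

```python
# Added example (not from the talk). Models RFC 4303 ESP tunnel-mode framing for
# IPv4: outer IP header + ESP header (SPI, sequence) + IV + inner packet + padding
# + pad-length/next-header bytes + ICV. Default cipher parameters are assumptions:
# AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96 (12-byte ICV).

OUTER_IP_HDR = 20     # outer IPv4 header, no options
ESP_HDR = 8           # SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
IP_TCP_HDRS = 40      # inner IPv4 (20) + TCP (20) headers, no options


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12):
    """On-the-wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    # Padding makes (inner + pad + trailer) a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return OUTER_IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def max_inner_len(outer_mtu, **cipher):
    """Largest inner packet whose encapsulated form still fits the outer MTU."""
    inner = outer_mtu
    while inner > 0 and esp_tunnel_size(inner, **cipher) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss_clamp(outer_mtu, **cipher):
    """TCP MSS a CPE should rewrite in SYNs so tunnelled segments need no fragmentation."""
    return max_inner_len(outer_mtu, **cipher) - IP_TCP_HDRS


def fits_without_fragmentation(inner_len, outer_mtu, **cipher):
    return esp_tunnel_size(inner_len, **cipher) <= outer_mtu


if __name__ == "__main__":
    # A host on a 1500-byte LAN negotiates MSS 1460 (1500 - 40) without knowing
    # that a CPE-to-CPE IPsec tunnel sits on the path; its full-size 1500-byte
    # packets no longer fit the outer 1500-byte MTU once encapsulated.
    print("1500-byte inner packet on the wire:", esp_tunnel_size(1500))     # 1560
    print("fits outer MTU 1500:", fits_without_fragmentation(1500, 1500))  # False
    # With DF set the tunnel endpoint must answer with ICMP Fragmentation Needed;
    # if a firewall drops that ICMP, path MTU discovery black-holes and large
    # transfers stall. Clamping the MSS at the CPE avoids the problem entirely.
    print("MSS to clamp to:", tcp_mss_clamp(1500))                         # 1398
```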
Secure VPNs
2547bis MPLS VPNs
- Use MPLS to switch from PE to PE across the provider core
- Further encryption of payload not strictly necessary (VC-style functionality)
- Requires explicit provider support
- Inter-provider interoperability limited
Secure Roaming
- IPSEC tunnel as overlay on dial PPP access
- SSH tunnel as overlay on access
Secure Application Services
- Certificates are excellent
  - Requires initial overhead on certificate exchange
  - Good browser support
  - But not portable across hosts
- User/password + TLS is more flexible, but at a cost of higher vulnerability
Discussion
- Security is an overlay across the Internet, not an intrinsic part of the network itself
- Many security incidents are evidently the outcome of social rather than technical engineering