
Deploying DNSSEC without Losing Your Mind Summer ESNET Conference July 2009.


1 Deploying DNSSEC without Losing Your Mind
Summer ESNET Conference, July 2009

2 DNS Infrastructure Challenges
Conventional DNS solutions can't keep up with today's performance and security demands.
Performance demands: Web 2.0, more devices, hidden computing.
Security demands: botnets, malware, cache poisoning.

3 Security Concerns
Botnets, DNS and cache poisoning are among the top concerns. (Source: Arbor Networks)

4 The DDoS Threat
Trends: attack volume is increasing; attacks on service providers are becoming bigger and more common.
Recent victims: Time Warner Cable, UltraDNS, Register.com, The Planet.
Results: outages and slowdowns, customer support issues, negative publicity.
Source: Arbor Networks.

5 The Cache Poisoning Threat
Attacks are real: 1-3% of monitored unpatched nameservers have had a poisoning event detected, and confirmed phishing attacks have been found (a Brazilian bank was poisoned on April 23, 2009).
Patches are a short-term fix: patched systems have been compromised in under 10 hours, and an attacker using a botnet can shorten that time considerably.
DNSSEC is the permanent fix: a validating resolver rejects a forged response outright rather than merely making it harder to inject.
Sources: IOActive; Dagon et al.

6 What Is DNSSEC?
What does it do? Validates the source of the DNS response; ensures the response has not been altered in transit; authenticates replies of non-existence.
How does it work? Adds digital signatures to DNS data; uses chains of trust, from a trust anchor down through each parent zone, to validate responses; identifies bogus responses.
With DNSSEC a validating resolver can verify that a response is what the zone owner signed, and reject one that is not.
Diagram: client, caching server, authoritative server; the caching server accepts the digitally signed response and discards the bogus response (for example one that redirects to www.robbers-r-us.com).

7 Why You Must Act Now
Because you have to: OMB memorandum M-08-23 requires all agencies to sign all external zones (low, medium and high impact) by December 2009. The publication of NIST SP 800-53 rev 3 specifies deployment of DNSSEC for internal zones (low, medium and high impact), and FISMA requires compliance one year from the 800-53 publication date, which is June 2010.
Because you should: real attacks have escalated. The Kaminsky exploit alone has captured the attention of the entire planet. Your user base is at risk right now with any web, email or other Internet transaction.
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-23.pdf

8 DNSSEC Deployment Challenges
Complexity: education, development and QA required.
Security: a general-purpose OS cannot protect keys; crypto cards are complicated; offline keys are labor-intensive.
Failover: how do you handle a hardware or network failure?
Scalability: signing speed for large or numerous zones; offline key management; dynamic updates to DNS zone data.
Auditability: what zones are signed? What keys are about to expire?
Early adopters invest 4-6+ person-months to deploy, and half a full-time person to maintain.

9 DNSSEC Complexity
Initially (once): generate public/private key pairs (ideally one pair per zone); insert the keys into the zone files; sign the zones.
Whenever data changes or before signatures expire (at least weekly, or whenever data changes): retrieve the keys from secure storage; re-sign the zones.
Roll the ZSKs (monthly): generate new key pairs per zone; add the new keys to the zone; re-sign the zone using the old key; wait one TTL period; re-sign the zone using the new key; wait one TTL period; remove the old ZSK from the zone file; re-sign the zone.
Roll the KSKs (once or twice a year): generate new key pairs (ideally one per zone); sign the DNSKEY RRset with both KSKs; wait one TTL period; update the DS record at the parent and verify it; remove the old KSK from the zone and re-sign.
Each "wait one TTL period" must cover the longest TTL of the records being replaced, so that every cached copy of the old data has expired before the next step. Complexity must be managed with good process discipline or automated tools.
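The "re-sign before signatures expire" step above and the auditability questions on slide 8 (what zones are signed, what is about to expire) are easy to check mechanically from the zone file itself. The Python below is an added example, not code from the presentation or from any product it mentions: it parses RRSIG records out of a zone in presentation format, classifies each signature against a clock and a warning window, and reports whether the zone is signed at all. The zone text is a constructed sample with placeholder key and signature fields; the example.gov names and key tags in it are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample zone fragment (not a real zone): the base64 key and signature
# fields are placeholders, since only the timing and type fields are inspected here.
SAMPLE_ZONE = """\
example.gov.      3600 IN DNSKEY 257 3 8 AwEAAQ==
example.gov.      3600 IN RRSIG  DNSKEY 8 2 3600 20090801000000 20090702000000 4321  example.gov. c2ln
example.gov.      3600 IN RRSIG  SOA    8 2 3600 20090801000000 20090702000000 12345 example.gov. c2ln
www.example.gov.  3600 IN RRSIG  A      8 3 3600 20090710000000 20090610000000 12345 example.gov. c2ln
mail.example.gov. 3600 IN RRSIG  A      8 3 3600 20090701000000 20090601000000 12345 example.gov. c2ln
"""


@dataclass
class SigStatus:
    owner: str
    type_covered: str
    key_tag: int
    expires_in: timedelta
    status: str   # "ok", "expiring", "expired" or "not-yet-valid"


def parse_sigtime(value: str) -> datetime:
    """RRSIG inception/expiration (RFC 4034 section 3.2): YYYYMMDDHHmmSS in UTC,
    or a plain decimal seconds-since-epoch value."""
    if len(value) == 14:
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def audit_rrsigs(zone_text: str, now: datetime, warn: timedelta) -> List[SigStatus]:
    """Classify every RRSIG in a presentation-format zone relative to `now`.
    Signatures expiring within `warn` need a re-sign before they fall out of validity."""
    results = []
    for line in zone_text.splitlines():
        toks = line.split(";", 1)[0].split()   # drop comments
        if "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RDATA order: type covered, algorithm, labels, original TTL,
        #              expiration, inception, key tag, signer name, signature
        type_covered, expiration, inception, tag = toks[i + 1], toks[i + 5], toks[i + 6], toks[i + 7]
        exp, inc = parse_sigtime(expiration), parse_sigtime(inception)
        if now < inc:
            status = "not-yet-valid"     # clock skew, or a signer with a wrong clock
        elif now >= exp:
            status = "expired"           # validating resolvers now return SERVFAIL
        elif exp - now <= warn:
            status = "expiring"
        else:
            status = "ok"
        results.append(SigStatus(toks[0], type_covered, int(tag), exp - now, status))
    return results


def audit_summary(zone_text: str, now_str: str, warn_days: int) -> Dict[str, str]:
    """Map 'owner/TYPE' -> status, with `now` given in RRSIG time syntax."""
    now = parse_sigtime(now_str)
    return {f"{s.owner}/{s.type_covered}": s.status
            for s in audit_rrsigs(zone_text, now, timedelta(days=warn_days))}


def zone_is_signed(zone_text: str) -> bool:
    """A zone is signed when it publishes a DNSKEY RRset and an RRSIG covering it."""
    has_key = has_key_sig = False
    for line in zone_text.splitlines():
        toks = line.split(";", 1)[0].split()
        if "DNSKEY" in toks and "RRSIG" not in toks:
            has_key = True
        elif "RRSIG" in toks and toks[toks.index("RRSIG") + 1] == "DNSKEY":
            has_key_sig = True
    return has_key and has_key_sig


if __name__ == "__main__":
    print("zone signed:", zone_is_signed(SAMPLE_ZONE))
    for s in audit_rrsigs(SAMPLE_ZONE, parse_sigtime("20090708000000"), timedelta(days=7)):
        print(f"{s.owner:20} {s.type_covered:7} tag {s.key_tag:5} {s.status:13} ({s.expires_in.days} days)")
```

Run against a real zone, the warning window should be longer than the re-sign interval from slide 9 (a 7-day signature lifetime re-signed weekly leaves no slack; most operators re-sign well before the half-life), and the "not-yet-valid" case is worth alerting on too, since it usually means the signer's clock is wrong rather than that anything is early.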

10 DNSSEC Solution Matrix
Axes: secure key management (the risk driver) against DNSSEC automation (the cost driver), each from low to high. Plotted, from low/low to high/high: provisioning systems; 1st-generation manual tools; 2nd-generation manual tools; secure, automated appliances.

11 Do-It-Yourself Method
BIND: the dnssec-keygen and dnssec-signzone programs.
NLnet Labs (www.nlnetlabs.nl): the ldns library, whose examples include a zone walker (follows NSEC records) and DNSSEC validation tools to check signatures, plus programs to manually sign zones and generate keys (an alternative to the BIND tools); and drill, an interesting variant of dig.
DNSSEC-Tools (www.dnssec-tools.org): tools and programs from SPARTA, created with DHS funding assistance, to validate, error-check, sign zones and roll keys: a key signer and roller; donuts (a lint-like error-checking tool); validation tools to check signatures.

12 Manual DNSSEC Deployment Steps
Generate keys and insert them into the zone files.
Sign and publish the zones: generate the NSEC records; generate the RRSIGs.
Repeat the process over and over again whenever data changes or keys need to be replaced.
OK for small deployments, but begs for automation.

13 What could go wrong... will go wrong
Wrong keys; expired keys; stolen keys; losing the recipe; a solution that doesn't scale.

14 Manual Deployment Example: Swedbank

15 Secure Key Management
Offline keys. Pros: keys can be secured with proper procedures in place. Cons: labor-intensive for zones that change; introduces a higher potential for errors; possible risk of insider attack during manual key handling.
Online keys. Pros: can sign dynamic zones; reduces operational costs; eliminates manual errors; takes the manual key-handling steps that an insider would abuse out of the process. Cons (what you must get right): the crypto module should be certified to FIPS 140-2 level 2 or above; the OS must be hardened; the DNS data must be secured.
Trust in signed responses is only as good as your key and data security.

16 DNSSEC Solution Matrix (repeated from slide 10)
Axes: secure key management (the risk driver) against DNSSEC automation (the cost driver), each from low to high. Plotted: provisioning systems; 1st-generation manual tools; 2nd-generation manual tools; secure, automated appliances.

17 Questions To Ask Your Vendors
Secure key management: Is the product FIPS certified? If so, to what level (1-4)? Can the product use an HSM (crypto card) for key management?
Automation: Can the product be used to manage key material? Does it automatically sign and re-sign zones without user intervention? Does it automatically roll the keys without user intervention?
Compliance: Does the product generate and use keys of the appropriate size (1024, 2048 bits)? Does it meet the most current DNSSEC specs? Does it meet the NIST guidelines in SP 800-81?
Scalability: Can the product sign, serve and manage multiple zones?
Functionality: Can the product generate NSEC and NSEC3 signed zones?
Failover: Does the product have a failover mechanism to ensure continuous signing?
Compatibility: Does it integrate with content management systems, and which ones? Does it work with your agency's network infrastructure? Does it work with Microsoft AD/DHCP? How do you update zone data with the product?
Auditability: What logging and debugging tools are provided? How do I know if something goes wrong?
Sources: http://1105govinfoevents.com/GovSec/FreeEducation/GSL09_DN_06_Rose.pdf and http://www.zytrax.com/books/dns/info/choosing-dnssec-solution.pdf

18 Secure64 Software Corporation
Privately funded, Colorado-based corporation founded in 2002, focused on making the DNS trustworthy and secure. Products: DNS Authority and DNS Signer. Partially funded by the US Department of Homeland Security.

19 Automation: the Secure64 DNS Signer
Simple deployment: automated key management, rollover, signing and re-signing.
Secure key repository: malware-immune OS; FIPS 140-2 compliance (pending).
Scalable: high-performance signing algorithms; incremental zone signing.
Secure64 DNS Signer makes it easy to deploy DNSSEC correctly and securely.

20 Simple to Configure
Configuration file: one line (Dnssec-automate) turns automation on; optional parameters override the defaults; settings can be applied system-wide in the SERVER section or zone by zone in a ZONE section. DNSSEC can be deployed in days, not months.

    SERVER:
    # Default signing policy
    Dnssec-automate: ON
    Dnssec-notify: admin@mydomain.com
    Dnssec-ksk: 1024 RSASHA1
    Dnssec-ksk-rollover: 0 2 1 2,8 *
    Dnssec-ksk-siglife: 7D
    Dnssec-zsk: 2048 RSASHA1
    Dnssec-zsk-rollover: 0 1 1 * *
    Dnssec-zsk-siglife: 7D
    Dnssec-nsec-type: nsec3
    Dnssec-nsec-settings: OPT-OUT 12 aabbccdd

    ZONE:
    Name: myzone.
    File: myzonefile
    Dnssec-nsec-type: nsec
    ...

The rollover fields read as cron-style minute/hour/day-of-month/month/day-of-week: the KSK rolls at 02:00 on 1 February and 1 August (twice a year) and the ZSK at 01:00 on the first of every month, matching the schedule on slide 9; the ZONE section overrides the NSEC3 default back to NSEC for one zone. The algorithm and key sizes are 2009 defaults: RSASHA1 and 1024-bit RSA are no longer recommended for new signing, so treat those values as illustrating the format rather than as a policy to copy.

21 Compatible With Current Infrastructure
"Signer-in-the-middle": the provisioning system (IPAM, registry, hidden master, etc.) sends unsigned zone data to the Secure64 DNS Signer, which sends signed zone data on to the slaves (Secure64 DNS, BIND or NSD). Just plug it into your existing provisioning system.

22 Automation from Large to Small, Static to Dynamic
Design for the extremes and the small cases will take care of themselves.

23 Challenges for Large-Scale Deployments
1. Key generation for huge numbers of keys.
2. Bulk signing and re-signing can take a lot of time, and you don't have enough time.
3. Small changes to large zones.
4. Disaster planning: automatic and secure backup of metadata.
5. Chain-of-trust coordination.

24 Fast Signing Performance
Optimized code for 1024-bit keys outperforms many hardware cryptography accelerators.
Test configuration: HP Integrity rx2660 server, one dual-core 1.4 GHz Itanium processor, 4 GB RAM; one zone of 177,005 records and 344,010 signatures, 1024-bit RSA/SHA1.

25 Incremental Signing
Challenge: how fast can zone changes be signed? Can you still meet your target update interval?
Solution: accept changes via DDNS or IXFR; sign only the changes; update the slaves via IXFR.
Diagram: DDNS/IXFR changes and the keys feed the Secure64 DNS Signer, which applies the signing policy and produces the signed zones.
Even the largest, most dynamic environments can be updated quickly: more than 20 updates per second, regardless of the number of zones or zone size.

26 Simplified Key Rollover
Currently: manual transmission of the DS record to the parent; automated DS detection and rollover (the signer keeps asking the parent "are you there yet?" until the new DS is visible, then completes the KSK rollover).
Next: automated transmission of the DS record to the parent.
Diagram: .gov publishes the DS for example.gov, and example.gov publishes the DS for sub.example.gov; each DS is derived from the child's public KSK and delivered to the parent through an offline, secure process.
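Both the "update the DS record at the parent and verify" step of the KSK rollover on slide 9 and the DS detection described above come down to the same check: recompute the DS from the child's DNSKEY and compare it with what the parent serves. The Python below is an added example, not Secure64 code or anything from the presentation: it computes the RFC 4034 key tag and a digest-type-2 DS (SHA-256, RFC 4509) from a DNSKEY in presentation format, and verifies a parent's DS against it. The example.gov owner name and the key bytes are constructed for illustration.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (lowercase, uncompressed), RFC 4034 section 6.2."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> tuple:
    """DS RDATA for digest type 2: SHA-256 over (owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def parse_dnskey(record: str) -> tuple:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' (presentation format)."""
    toks = record.split()
    i = toks.index("DNSKEY")
    flags, protocol, algorithm = int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3])
    pubkey = base64.b64decode("".join(toks[i + 4:]))   # the key may be split by whitespace
    return toks[0], flags, protocol, algorithm, pubkey


def parse_ds(record: str) -> tuple:
    """Parse 'owner [TTL] [IN] DS key_tag algorithm digest_type hex...' (presentation format)."""
    toks = record.split()
    i = toks.index("DS")
    return int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), "".join(toks[i + 4:]).upper()


def parent_ds_matches(ds_record: str, dnskey_record: str) -> bool:
    """The 'verify' step of a KSK rollover: does the DS the parent publishes cover this DNSKEY?"""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_record)
    if not flags & 0x0001:          # SEP flag bit: a DS should point at a key-signing key
        return False
    got = parse_ds(ds_record)
    if got[2] != 2:                 # only SHA-256 (digest type 2) is implemented here
        return False
    return got == make_ds(owner, flags, protocol, algorithm, pubkey)


if __name__ == "__main__":
    # Constructed key material for illustration; not a real KSK.
    owner, pubkey = "example.gov.", bytes(range(1, 65))
    dnskey = f"{owner} 3600 IN DNSKEY 257 3 8 {base64.b64encode(pubkey).decode()}"
    tag, alg, dtype, digest = make_ds(owner, 257, 3, 8, pubkey)
    ds = f"{owner} IN DS {tag} {alg} {dtype} {digest}"
    print("child DNSKEY:", dnskey)
    print("DS to send to the parent:", ds)
    print("parent DS verifies:", parent_ds_matches(ds, dnskey))
```

In a rollover the old KSK stays in the DNSKEY RRset until this check succeeds against the parent's actual servers (not your own copy of what you sent), because resolvers following the chain of trust from .gov will only accept whichever DS the parent really publishes; a digest-type-1 (SHA-1) DS is the same construction with hashlib.sha1.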

27 Disaster Recovery
DNSSEC metadata to protect: signing keys (private and public); serial-number tracking; key rollover state; chain-of-trust information.
Automated backup of encrypted metadata to standard storage devices; a secure backup bound to the TPM prevents insider attacks.

28 Resistant to Network Attacks
"The Secure64 software was subjected to a number of attacks known to be disruptive to servers, and ignored the attacks, delivering information as requested up to the saturation point of the Gigabit connection used."
DNS Authority results: independently tested against DDoS attacks, 100% resistant; attack characteristics provided via SNMP and syslog to help set upstream filters; easily anycasted for improved performance and DDoS resiliency.

29 Benefits Summary
For management: quicker implementation; reduced cost.
For staff: simple (less to learn); timely (deploy in days, not months); correct (eliminates errors that can take you offline); secure (protects the signing keys).
For users: the Internet is safer to access.
Secure64 DNS Signer makes it easy to deploy DNSSEC correctly and securely.

30 Secure64: The DNSSEC Leader
Agencies trained with NIST:
US Department of Commerce (National Telecommunications and Information Administration; Economics and Statistics Administration; Bureau of Statistics; Bureau of Economic Analysis; International Trade Administration; US Patent and Trademark Office; National Oceanic and Atmospheric Administration)
US Department of Health and Human Services (National Institutes of Health)
Federal Aviation Administration
US Department of Housing and Urban Development
US Antarctic Program
US Department of Energy
US Department of Agriculture
US Department of the Interior (National Park Service)
US Agency for International Development
US Department of State
US Nuclear Regulatory Commission
US Department of the Treasury
Court Services and Offender Supervision Agency
Federal Maritime Commission
US Government Accountability Office
US Department of Labor

31 Thank You!
For more information: Secure64 web site, www.secure64.com (sign up for access to an online signing engine to try it out with your own data).
Contact Adam.Tice@Secure64.com for copies of this presentation, to schedule a demo of the automated DNSSEC solution, for DNSSEC whitepapers, newsletters and case studies, or for an invitation to hands-on training workshops (NIST, HP).

