Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.

Published bySamuel Wright Modified over 10 years ago

Similar presentations

Presentation on theme: "Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra."— Presentation transcript:

1 Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra

2 User Beware I am not a security expert I am a simple consumer of security solutions as a user of Internet-based secure services and applications

3 User Beware No security system is absolute All security measures mitigate risk, not eliminate it Security measures obey the law of diminishing return Determine what level of risk is acceptable Constantly review risk assumptions

4 The Issues Risks and vulnerabilities DNS hijacking Cache hijacking Routing hijacking Identity hijacking Session hijacking Session monitoring The Internets base trust model is very basic Security is an overlay, not an intrinsic property of the network itself

5 Secure Solutions What are the problems to be addressed? Identity authentication Application authentication Third party intervention monitoring awareness alteration disruption or denial hijacking

6 Security has many dimensions Secure end-to-end IP conversations Secure application-to-application conversations Authenticated communications Secure transport systems Secure VPNs

7 Security Building Blocks IPSEC + IKE End-to-End transport Gateway-to-Gateway transport Includes header and payload checksum Includes payload encryption Compute load is high IKE is not absolutely robust (evidently) Cannot tolerate NATs in the transport path Used in CPE devices for overlay VPNs

8 Security Building Blocks TLS (HTTPS) Application-level payload encryption Weak key exchange model Prevents interception monitoring of the application traffic No authentication

9 Security Building Blocks SSH Secure telnet tunnels Secure encrypted conversation between a roaming satellite and a SSH server Supports tunnels for application access (using NAT at the server) Used to support extensions of corporate access into public Internet environments Road Warrior tools

10 Security Building Blocks Public Key Infrastructure (PKI) Public / Private key infrastructure Allows for third party validation of identity of the end systems Allows for use of keys to perform encryption Keys normally associated with the host system, not the user of the host

11 Security Building Blocks Secure Transport Systems Data-link layer encryption e.g. WEP for Wi-FI Caveat regarding potential regulatory requirements for clear payload interception Not end-to-end No authentication

12 Secure VPNs Overlay VPNs with CPE-to-CPE IPSEC tunnels Issues with TCP MTU negotiation Issues with performance Issues with key management Vendor equipment available Common VPN solution

13 Secure VPNs 2547bis MPLS VPNS Use MPLS to switch from PE to PE across the provider core Further encryption of payload not strictly necessary (VC-style functionality) Requires explicit provider support Inter-provider interoperability limited

14 Secure Roaming IPSEC tunnel as overlay on dial PPP access SSH tunnel as overlay on access

15 Secure Application Services Certificates are excellent Requires initial overhead on certificate exchange Good browser support But not portable across hosts User/password + TLS is more flexible, but at a cost of higher vulnerability

16 Discussion Security is an overlay across the Internet, not an intrinsic part of the network itself Many security incidents are evidently the outcome of social rather than technical engineering

Download ppt "Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.

All rights reserved © 2000, Alcatel 1 CPE-based VPNs Hans De Neve Alcatel Network Strategy Group.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Network Security.

Network Security.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.

Virtual Private Networks. Why VPN Fast, secure and reliable communication between remote locations –Use leased lines to maintain a WAN. –Disadvantages.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
Internet Security Seminar Class CS591 Presentation Topic: VPN.

Internet Security Seminar Class CS591 Presentation Topic: VPN.

Similar presentations

Ads by Google