An Emerging Global Ecosystem for Infrastructure Protection and Network Forensics
Anthony M Rutkowski
VP for Regulatory Affairs and Standards, VeriSign
mailto:[email protected]
Visiting Prof., Georgia Tech Nunn School
President, Global LI Industry Association
Fostering International Collaboration in Information Security
Research Symposium #727
AAAS, St. Louis, USA
16-17 Jan 2006
V1.0
Outline
+ The emerging global ecosystem
  ▪ Paradigm shifts and what they produce
  ▪ Public infrastructures and what we expect of them
  ▪ Next Generation Network public infrastructures
  ▪ Ecosystem forums and major developments
  ▪ Network forensics and why they are necessary
+ Fostering collaboration on needed capabilities
  ▪ Nudging
  ▪ Just do it
Paradigm Shifts
+ Fundamental points of inflection
  ▪ Digital networks
  ▪ Morris Worm of 1988
  ▪ Intelligent Network failure of 1991
  ▪ Nomadicity (wireless, IP, smart objects)
  ▪ Rapidly scaling SPAM, cybercrime and cyberterrorism
  ▪ 9/11
  ▪ Katrina, Rita, …
+ Produce significant changes to infrastructures and their ecosystems
+ Drive changes to policies and practices
Public infrastructures – definition and treatment
+ Capabilities “generally available to the public”
+ Characteristics and expectations
  ▪ Substantial availability, especially during and after emergencies
  ▪ Protection for users
  ▪ Quid pro quos established in law, regulations, and standards
Typical public network infrastructure requirements
+ Availability, Security and Protection
  ▪ High availability
    – Analysis of network metrics and outages
  ▪ Network attack mitigation
  ▪ Priority access and notices during emergencies
  ▪ Restoration
  ▪ Personal emergency services
  ▪ Prevent unwanted intrusions
    – Filters (DoNotCall)
    – Aids (CallerID)
  ▪ Nomadicity
    – Number portability
    – Roaming
    – Payment method flexibility
  ▪ Cybercrime mitigation
    – Forensics capability
    – Law enforcement/national security assistance
    – Fraud detection and management
    – Prevent cyberstalking
    – Digital rights management
+ Competition Requirements
  ▪ Unbundling
  ▪ Service interoperability
  ▪ User/subscriber access by service
+ Pragmatically meeting real needs today
  ▪ IP-enabled public product standards
  ▪ Global interoperability and markets
  ▪ Secure, stable infrastructure
  ▪ Compatibility with existing network infrastructures
  ▪ Common regulatory requirements
+ Engaging all relevant standards bodies
  ▪ Identifying existing useable standards
  ▪ New standards and administrative practices adopted only as necessary
+ Focused on “open” unbundled service modules and capability sets
  ▪ Staged in multiple “releases” over time
+ Standards participants primarily other industry players – worldwide, regionally, and nationally
+ Significant consensus focus (but no agreement on specifics)
  ▪ Infrastructure protection
  ▪ Security
  ▪ Authentication
  ▪ Directories
  ▪ Resource access controls
Unification of communities and requirements
+ Legal
  ▪ FCC rules under both CALEA and Title I authority
  ▪ ITU and Cybercrime Treaties form basis of international cooperation
+ Institutional
  ▪ FCC Homeland Security Bureau formed
  ▪ EC Joint IS – JHA joint staff group formed
  ▪ New DHS policy chief appointed
  ▪ New NSC Cybersecurity Director
+ Pragmatically meeting real needs today
  ▪ National public infrastructures have special properties – the public and the nation depend on these infrastructures
  ▪ Responsibility for national public infrastructure rests with designated governmental authorities and coordinated through intergovernmental treaties
  ▪ Shift from common carrier models to capability requirements on public infrastructures
  ▪ Interest in service innovation and marketplace competition
+ Tripartite ensemble emerging almost everywhere
  ▪ Telecom regulators and consumer protection agencies (infrastructure capabilities)
  ▪ Homeland security and national security agencies (real-time analysis and response)
  ▪ Justice agencies (analysis and enforcement)
+ Pervasive vulnerabilities not well understood
  ▪ Rapid introduction of new technologies, especially platforms not designed for public infrastructure use
  ▪ Open complex public communication network infrastructures
  ▪ Nomadic users and providers
  ▪ Uncontrolled access devices and capabilities
  ▪ Growing appreciation of cybercrime and potential terrorism actions
  ▪ Lack of real-time response mechanisms made apparent with Tsunami + Katrina-Rita
NGN Security and Infrastructure Protection Capabilities
+ PSTN/ISDN Emulation services
+ PSTN/ISDN Simulation services
+ Internet access
+ Other services
+ Media resource management
+ QoS-based Resource and Traffic Management
+ QoS service level support
+ Classes and Priority Management
+ Processing/traffic overload management
+ Accounting, Charging and Billing
+ Identification
+ Authentication
+ Authorization
+ Security and Privacy
+ Mobility management (personal and terminal)
+ Critical Infrastructure Protection
+ Inter-provider and universal service compensation
+ Service unbundling
+ Exchange of user information among providers
+ Services Coordination
+ Application Service Interworking
+ Service discovery
+ Service Registration
+ Profile Management
+ User Profile
+ Device Profile
+ Policy Management
+ Personal information support
+ Group management
+ Personal information support/management
+ Presence
+ Location management
+ Push-based support
+ Device management
+ Session handling
+ Digital Rights Management
+ Fraud Detection and Management
+ Number portability
+ Users with disabilities
+ Lawful interception
+ Malicious user identification
+ Emergency communications
+ Presentation of identities
+ Network/Service provider selection
The network forensics Rosetta Stone
[Diagram: the four components of network forensics: Identity (Provider, Subscriber, Network Identifiers), Stored Traffic (Content, Data), Real-Time Traffic (Content, Data), and Analysis]
Necessary for
+ Law Enforcement
+ Homeland Security
+ Infrastructure Protection
+ Network Management
Additionally necessary for a broad array of operational, public interest and commercial needs
Public network forensic components
+ Identity
  ▪ Ability to authoritatively identify the service provider, obtain contact information and get to authoritative user/subscriber/object directories and network identifier bindings
  ▪ Key requirements established by law and regulation; and may be maintained in part by government agencies
+ Stored Traffic
  ▪ Any information generated by network processes that is relevant to a user/subscriber/object communication and has significant latency (i.e., is not real-time)
  ▪ Requirements and access controlled by law and regulation, and may include ad hoc requests (e.g., subpoena), preservation orders, and general data retention
+ Real-time Traffic
  ▪ Any information generated by network processes that is obtained in real-time
  ▪ Requirements and access controlled by law and regulation (lawful interception capabilities and execution of orders)
+ Analysis
  ▪ Network Operations, Administration, and Maintenance
  ▪ Fraud detection and prevention
  ▪ Infrastructure protection
  ▪ Law enforcement, public safety, and national security needs
[Diagram: Identity (Provider, Subscriber, Network Identifiers), Stored Traffic (Content, Data) and Real-Time Traffic (Content, Data) components, as on the Rosetta Stone slide]
EU Data Retention Directive effect on network forensics
+ Harmonizes data retention and access across Europe
+ Applies to
  ▪ Fixed network telephony
  ▪ Mobile telephony
  ▪ Internet access, messaging and telephony
+ Provides data necessary to
  ▪ trace and identify the source of a communication
  ▪ trace and identify the destination of a communication
  ▪ identify the date, time and duration of a communication
  ▪ identify the type of communication
  ▪ identify the communication device or purported device
  ▪ identify the location of mobile communication equipment
+ Does not include content
+ Includes privacy enhancement features
+ Adopted by European Parliament on 14 Dec 2005
+ Likely to be the subject of considerable implementation collaboration activities in 2006-2007
[Diagram: the Identity (Provider, Subscriber, Network Identifiers) and Stored Traffic (Content, Data) components affected by the Directive]
Specific network forensic “enablers” needed now
+ Provider information
  ▪ All providers of services on Next Generation public communication infrastructures must be
    – Registered with appropriate authority
    – Authenticated
    – Provided a unique global identifier which is automatically “resolvable” into provider identity information, subscriber directory URI, and used in all network communications
+ User/subscriber information
  ▪ All users or subscribers of public communication services and the “bindings” with their communication identifiers must be
    – Capable of common global discovery
    – Automatically “resolvable” through the provider into trusted contact and reference information using a common global directory standard (E.115v2)
+ Ability to exchange and analyze information related to protection and security
  ▪ Common global protocols and arrangements for rapidly discovering and exchanging forensic data for protection and security
Collaboration
+ Nudging
  ▪ Analyzing
  ▪ Evangelizing
  ▪ Breaking down stovepipes
  ▪ Filing
    – Statutory and regulatory proceedings
    – Standards activities
+ Just do it
  ▪ Forums
  ▪ Specifications
  ▪ Products and services