Network Security – A Service Provider View
Abstract
In this chapter we consider a service provider-centric view of network security. We focus primarily on network security given the current Internet architecture, protocols and business relationships. Within this context we first examine the underlying security threats and their causes, before articulating the need for a comprehensive security framework to drive provider network security practices. We emphasize the need for wide-ranging network monitoring to provide intelligence concerning security events. We describe several network security systems and the importance of treating network security operations as an integral part of ongoing network operations. Finally, we identify important future network security concerns and directions.
Keywords
Transmission Control Protocol, Network Security, Network Element, Provider Network, Domain Name System
Acknowledgments
We would like to acknowledge the contributions of many of our colleagues in AT&T Labs and the AT&T Chief Security Office (CSO) organization. To a large extent we are simply reporting on their efforts over many years. We especially want to thank Steve Wood for explaining to us his work on the AT&T email platform, Adrian Cepleanu and Tom Scholl for expounding details of network security configuration, Joseph Blanda Jr. for sharing details about network based security services, Dave Gross, who pioneered much of the security analysis work, and Ed Amoroso, AT&T’s Chief Security Officer, whose technical leadership provides the structure in which much of this work takes place. We would also like to thank the editors as well as Bill Beckett, Dave Gross, Patrick McDaniel, Subhabrata Sen and Tom Scholl for providing insightful comments on earlier versions of this chapter.