Obviating the Tragedy of the Commons: Operational Security Implications of a National Broadband Network

Roland Dobbins <[email protected]>
Solutions Architect
+66-83-266-6344 BKK mobile
+65-8396-3230 SIN mobile
Arbor Public

Page - Arbor Public

The Tragedy of the Commons

• Phrase originated by ecologist Garrett Hardin in a (largely flawed, wrongheaded, IMHO) article published in Science magazine in 1968.

• Hardin was expostulating his theories about human overpopulation.

• He used the analogy of the ‘commons’ - i.e., communal land in agricultural communities intended to be shared by all inhabitants for grazing livestock, etc. Except that they would overgraze it.

• His main point was that human nature generally leads people to pursue selfish strategies to the point of self-destruction.


What do we mean when we invoke the ‘Tragedy of the Commons’ in this context?

• There are highly desirable - indeed, necessary - attributes of existence which do not translate directly into short-term economic cost/benefit analytical frameworks.

• Enlightened self-interest is largely honored in the breach, rather than in the observance.

• There are no purely technical solutions to social ills.


What Does the Commons Theory Tell Us About the Internet?

We see behavior on the Internet today which strongly correlates with Hardin’s observations about human nature:

• Deliberate route-table de-aggregation for selfish traffic engineering purposes

• Neglect of architectural and operational Best Current Practices (BCPs) in order to shave operational expense (opex) margins

• SP toleration of - and even active solicitation of/connivance with - criminal customers.

• Governmental indifference to/collusion with online criminal elements.

• Security researchers selling vulnerability information to the highest bidder, including criminals.

• Seemingly willful ignorance on the part of vendors with regards to vital and necessary security functionality.

• Seemingly willful ignorance on the part of users with regards to their own personal and organizational security postures.


What Do We Mean by ‘Operational Security’?

• Information security, or Infosec, is largely concerned with the formulation of policies/procedures, forensic investigations, and audits.

• Operational security, or Opsec, is largely concerned with the actualization of policies/procedures in the form of architecture, operational methodologies, etc.

• Opsec is also focused on real-time reaction to ongoing security events.

• Infosec teams are the constables and the detectives.

• Opsec teams are the riot police.

Hyperconnected - Republic of Korea


Republic of Korea (RoK/South Korea) - Opsec Experiences

• The RoK is (and has been for a while) the most hyperconnected society on the planet.

• Historically focused on building capacity, little or no attention paid to security.

• Little or no participation in/engagement with the global opsec community.

• SQL Slammer, the first Internet-wide (inadvertent) DDoS, originated in the RoK - worldwide disruption, RoK knocked off the Internet for a week, persistent reports of physical violence associated with Internet cafe outages, ‘protection’.

• Nothing much changed.

• Credible second-hand reports of 70Gb/sec - 80Gb/sec intra-RoK DDoS attacks in the last year (looking for supporting data for this in Arbor 2010 WWISR).

• Prevalence and growth of service-impacting service events has begun to effect an attitude change amongst RoK operators, who are taking concrete steps to improve.

• High-profile RoK/USA DDoS attacks of July 2009 (known as ‘7/7 Attacks’ in the RoK) a strong impetus for positive change.

• Strong, progressive security leadership by example & largely sensible regulations via elements of the RoK government making real inroads in the last 18-24 months.

• More work to do, but definitely making progress.


Hyperconnected - Japan


Japan - Opsec Experiences

• Second-most hyperconnected society on the planet.

• Strong (perhaps overly so) telco regulatory frameworks ensured a basic level of sound architectural and operational BCPs.

• Little or no engagement with the global opsec community.

• Strong move towards monetization of ‘Clean Pipes’ DDoS mitigation services, ensures revenue stream to fund continued security improvements.

• Botnets still a problem in terms of outbound DDoS, identity theft, fraud, espionage, spam, et al.

• Growing awareness on the part of SPs that more proactive measures are justified.

• More work to do, but showing definite progress.

Megaconnected - China


China - Opsec Experiences

• Not yet a hyperconnected society, but a megaconnected society.

• Dominated by state-owned enterprises with broad theoretical powers - in reality, extremely fragmented along regional lines, bureaucratic turf wars, etc.

• Little or no engagement with the global opsec community.

• DDoS attacks a normal, everyday element of commercial dispute resolution.

• Non-resilient architectures, little/no implementation of architectural or operational BCPs.

• Some monetization of ‘Clean Pipes’ DDoS mitigation services - revenues largely not used to fund security improvements. Status quo viewed by some as desirable in order to drive more demand for ‘Clean Pipes’ services!

• Botnets a huge problem - end-customers demanding antibotnet capabilities/services, but SPs are slow to develop, deploy, monetize (COTS tech available).

• May 2009 cascading DNS failure due to business dispute between online gaming companies resulted in 9-hour-plus Internet outage for 475M people, single largest Internet outage to date.

• Broad discussion of DNS resiliency after May 2009 attacks, little real progress since then.

• Toxic security environment an increasing drag on the economy, net exporter of insecurity and disorder.

• Collusion with criminals a significant, growing challenge.

What Inferences Should Be Drawn from the Experiences of Other Societies?

• Just about everyone to date has started at or near the bottom in terms of proactive security measures.

• Serious social and economic disruption caused by a toxic Internet security environment isn’t theoretical - we can see its effects every day!

• While it’s a constant, never-ending battle, actualization of existing technologies/BCPs/tools/techniques results in significant improvements in resiliency and overall security posture.

• Governmental leadership by example and sensible regulation are net positives and are catalysts for substantive, highly beneficial change.


Is the Internet a Failed State?

When compared to the non-profit Fund for Peace’s definition, the Internet exhibits 9 of the 12 defining characteristics of a failed state:

• Demographic pressures

• Massive movement of refugees and internally-displaced peoples

• Legacy of vengeance-seeking group grievance

• Uneven economic development along group lines

• Sharp and/or severe economic decline

• Criminalization and/or delegitimization of the state

• Progressive deterioration of public services

• Rise of factionalized elites

• Intervention of other states or external political actors

• Sounds familiar, doesn’t it?!


What Do People Want from Government?

• A reasonable modicum of security and stability in one’s person and possessions.

• Provision for positive public goods and services which can’t be readily supplied by individual or private collective effort.

• Amelioration of social ills which can’t be readily accomplished by individual or private collective effort.


What are the Opsec Priorities for a National Broadband Network?

• Given its status as a Government-Owned Enterprise, public perception of the National Broadband Network is, for all practical purposes, that it is an arm of government - wholesale vs. retail doesn't register.

• Realistically or otherwise, people are more demanding of government than they are of the private sector.

• Just as with government in the physical world, providing basic security and stability must be the primary imperative of a National Broadband Network

• The National Broadband Network operator can and must set security-related policies (AUPs) and standards, and take the necessary measures to enforce those policies and standards

• The National Broadband Network operator must have the remit, the ability and the resources to coordinate and marshal effective defenses against threats to its continuity and functionality

• The National Broadband Network operator must have the remit, the ability and the resources to meet the reasonable expectations of stakeholders (i.e., the citizenry) with regards to security of the network infrastructure itself and of the portion of their network traffic which traverses the National Broadband Network.

• Otherwise, it will fail.

Fortunately, on the Internet, it’s possible to create new ‘territory’ and learn from the mistakes of the past!

• One can in effect create one's own, brand-new Terra Australis Incognita, maintaining connectivity with the rest of the world whilst working to improve the part of it directly within one's span of control.

• One can work to exert positive control over one's own borders and enforce an acceptable use policy (AUP) - i.e., the rule of law - within them.

• One can work to ensure that one's own corner of the Internet doesn't actively aid and abet criminality and disorder within its borders.

• One can work to ensure that one's own corner of the Internet doesn't end up exporting criminality & disorder elsewhere.


From Unmanaged to Unsecurable in Three Easy Steps!

• Unmanaged networks rapidly become unmanageable networks.

• Unmanageable networks rapidly become insecure networks.

• Insecure networks rapidly become unsecurable networks.

• Laissez-faire is not the answer!

Nobody enjoys a free-for-all!


They want to reach their online destinations in some semblance of order!


Opsec Recommendations for the Wholesale Service Provider (WSP)

• Chief Security Officer tasked with all Infosec and Opsec functions and empowered to accomplish same, reporting to WSP CTO (should be independent of Risk Management)

• Development of a formalized NBN Threat Model, to be updated as a 'living document'

• Formulation of 'Master' AUP to apply to NBN as a whole, must be a 'rider' to RSP AUPs

• Quarterly detailed reporting of all NBN-related security incidents to the relevant Minister(s), with analysis, outcomes, and remedial actions documented and posted publicly on the WSP public Web site

• Dedicated information security (Infosec) team tasked with creating security policies, standards, procedures, carrying out forensics/investigative actions, and performing audits

• Dedicated or virtual operational security (Opsec team) tasked with actualizing policies, standards, procedures, and reacting to security incidents in real time, in coordination with RSP Opsec teams as needed - must be independent of Infosec team in order to avoid conflicts of interest

• Active participation in relevant closed, vetted global opsec communities

• Network visibility at layer-2 - layer-7 via instrumentation and standards-based telemetry (i.e., IPFIX/PSAMP) exported from all WSP-owned network elements to collection/analysis systems
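The telemetry item above is what makes the rest of this list actionable. As an added example, not code from the deck or from Arbor, here is the kind of check a collection/analysis system runs over exported flow records: a handful of constructed IPFIX-style records (exporter names, TEST-NET addresses, packet counts and the detection thresholds are all assumed values) are aggregated per destination, and a destination is flagged when it is hit at a high packet rate from many distinct sources, the combination that separates a distributed flood from a single busy client.

```python
"""Collector-side analysis of IPFIX-style flow telemetry (added example,
not from the deck): aggregate per destination and flag distributed floods."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record, reduced to the fields the check needs."""
    exporter: str   # WSP-owned element that exported the record (assumed name)
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    octets: int


# Constructed sample for one 60-second export interval (TEST-NET addresses):
# three ordinary web flows plus a UDP/53 flood against 203.0.113.10 from
# forty distinct sources.
SAMPLE_FLOWS = [
    Flow("bng-01", "198.51.100.7", "203.0.113.20", 6, 443, 120, 96000),
    Flow("bng-01", "198.51.100.8", "203.0.113.20", 6, 443, 80, 64000),
    Flow("bng-02", "198.51.100.9", "203.0.113.21", 6, 80, 60, 48000),
] + [
    Flow("bng-02", f"192.0.2.{i}", "203.0.113.10", 17, 53, 5000, 320000)
    for i in range(1, 41)
]


def aggregate_by_destination(flows):
    """Sum packets and octets per destination and collect its distinct sources
    and the exporters that saw it (the latter tells the opsec team where the
    traffic enters the WSP network)."""
    stats = defaultdict(lambda: {"packets": 0, "octets": 0,
                                 "sources": set(), "exporters": set()})
    for f in flows:
        s = stats[f.dst]
        s["packets"] += f.packets
        s["octets"] += f.octets
        s["sources"].add(f.src)
        s["exporters"].add(f.exporter)
    return dict(stats)


def detect_floods(flows, window_s=60, pps_threshold=1000, min_sources=20):
    """Return destinations whose packet rate over the export window exceeds
    pps_threshold AND which are hit from at least min_sources distinct
    sources.  The two conditions together separate a distributed flood from
    a single busy client; the thresholds are assumed values, not a measured
    baseline."""
    alerts = []
    for dst, s in aggregate_by_destination(flows).items():
        pps = s["packets"] / window_s
        if pps >= pps_threshold and len(s["sources"]) >= min_sources:
            alerts.append({"dst": dst, "pps": pps,
                           "bps": s["octets"] * 8 / window_s,
                           "sources": len(s["sources"]),
                           "exporters": sorted(s["exporters"])})
    return sorted(alerts, key=lambda a: a["pps"], reverse=True)


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        print(f"flood suspected: dst={a['dst']} pps={a['pps']:.0f} "
              f"bps={a['bps']:.0f} sources={a['sources']} seen_at={a['exporters']}")
```

In a real deployment the per-destination baseline would come from history rather than a fixed threshold, and the exporter set is what lets the Opsec team pick the WSP-owned elements on which to apply the layer-4 filtering the next slides call for.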


Opsec Recommendations for the Wholesale Service Provider (WSP) - Continued

• Nonrepudiation of network traffic (i.e., antispoofing) at layer-2 and layer-3 - RFC2827/BCP38/BCP84/IP Source Guard by all WSP-owned network elements

• Layer-2 - layer-4 quarantine of connected endpoint nodes (i.e., CPE) - must be 'leaky', allow dialing emergency services via VoIP, support subscriber awareness

• Ability to filter traffic down to and including minimum-sized packets at 'line-rate' based upon layer-4 classification criteria for all WSP-owned network elements

• Ability to mitigate layer-3 - layer-7 attacks against WSP-owned DNS infrastructure, portals, and other layer-3-accessible elements/applications/services

• Implementation of all relevant layer-2/layer-3 security-related Best Current Practices (BCPs) for all WSP-owned network elements

• Bulkheaded, logically-separated authoritative and/or recursive DNS infrastructure for any layer-3-accessible nodes

• DNSSEC support for any WSP-owned DNS infrastructure

• Out-of-band (OOB) management network for all WSP-owned network elements (i.e., DCN)
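The 'leaky' quarantine item on this slide is easy to get wrong in either direction: too tight and a subscriber cannot reach emergency services, too loose and a compromised CPE keeps attacking. As an added example, not code from the deck or from Arbor, here is the layer-2 - layer-4 policy it implies, in Python: a quarantined CPE is identified by its MAC so the decision is subscriber-aware rather than tied to a reassignable IP; it may still use DHCP, resolve names through the provider's own resolver, signal and carry an emergency call to the VoIP gateways, and reach the notification portal; other web traffic is redirected to that portal and everything else is dropped. The gateway and portal addresses, port ranges and the MAC-to-subscriber mapping are assumed values.

```python
"""Policy evaluator for a 'leaky' layer-2 - layer-4 CPE quarantine (added
example, not from the deck).  Infrastructure addresses are assumed values
from the documentation/TEST-NET ranges."""
import ipaddress
from dataclasses import dataclass

EMERGENCY_SIP_GW = ipaddress.ip_address("203.0.113.5")       # assumed SIP gateway
MEDIA_GW_NET = ipaddress.ip_network("203.0.113.64/27")        # assumed RTP media gateways
WALLED_DNS = ipaddress.ip_address("203.0.113.53")             # provider walled-garden resolver
NOTIFY_PORTAL = ipaddress.ip_address("203.0.113.80")          # subscriber notification portal

# Subscriber awareness: quarantine is keyed on CPE identity (assumed MAC ->
# subscriber mapping), not on an IP lease that may be reassigned.
QUARANTINED_CPE = {"00:11:22:33:44:55": "sub-1001"}


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: int   # 6 = TCP, 17 = UDP
    dport: int


def classify(pkt: Packet):
    """Return (verdict, reason).  CPE that are not quarantined are forwarded
    untouched; quarantined CPE get the leaky allow-list below."""
    sub = QUARANTINED_CPE.get(pkt.src_mac)
    if sub is None:
        return ("forward", "not quarantined")
    try:
        dst = ipaddress.ip_address(pkt.dst_ip)
    except ValueError:
        return ("drop", f"{sub}: unparseable destination")
    if pkt.proto == 17 and pkt.dport in (67, 68):                 # DHCP keeps working
        return ("forward", f"{sub}: dhcp")
    if pkt.proto == 17 and pkt.dport == 53 and dst == WALLED_DNS:  # only our resolver
        return ("forward", f"{sub}: walled-garden dns")
    if pkt.dport == 5060 and dst == EMERGENCY_SIP_GW:              # emergency call setup
        return ("forward", f"{sub}: emergency sip signalling")
    if pkt.proto == 17 and dst in MEDIA_GW_NET and 16384 <= pkt.dport <= 32767:
        return ("forward", f"{sub}: emergency rtp media")
    if pkt.proto == 6 and pkt.dport in (80, 443) and dst == NOTIFY_PORTAL:
        return ("forward", f"{sub}: notification portal")
    if pkt.proto == 6 and pkt.dport == 80:                         # tell the subscriber why
        return ("redirect", f"{sub}: http redirected to notification portal")
    return ("drop", f"{sub}: quarantined")


def verdict_counts(packets):
    """Tally verdicts for a batch, the per-subscriber counter you would
    export to the collection/analysis systems."""
    counts = {"forward": 0, "redirect": 0, "drop": 0}
    for p in packets:
        counts[classify(p)[0]] += 1
    return counts


# Constructed traffic: one clean CPE and six packets from the quarantined one.
SAMPLE_PACKETS = [
    Packet("de:ad:be:ef:00:01", "198.51.100.10", "203.0.113.99", 6, 443),   # clean CPE
    Packet("00:11:22:33:44:55", "198.51.100.1", "203.0.113.5", 17, 5060),   # emergency SIP
    Packet("00:11:22:33:44:55", "198.51.100.1", "203.0.113.70", 17, 20000), # emergency RTP
    Packet("00:11:22:33:44:55", "198.51.100.1", "203.0.113.53", 17, 53),    # walled DNS
    Packet("00:11:22:33:44:55", "198.51.100.1", "192.0.2.9", 17, 53),       # other resolver
    Packet("00:11:22:33:44:55", "198.51.100.1", "192.0.2.9", 6, 80),        # web: redirect
    Packet("00:11:22:33:44:55", "198.51.100.1", "192.0.2.9", 6, 443),       # web: drop
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.dst_ip, p.proto, p.dport, "->", classify(p))
    print(verdict_counts(SAMPLE_PACKETS))
```

Restricting DNS to the provider's own resolver is deliberate: a quarantined host that can still query arbitrary resolvers can still be used for DNS reflection, which is one of the things the quarantine is meant to stop.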


Opsec Recommendations for the Wholesale Service Provider (WSP) - Continued

• Protection of control and management planes of all WSP-owned network elements

• DNSSEC support for all WSP-owned network elements

• SNMPv3 support for all WSP-owned network elements

• sshv2 or higher support for all WSP-owned network elements

• AAA support for all WSP-owned network elements

• ntp support for all WSP-owned network elements

• NETCONF support for all WSP-owned network elements

• IPv4/IPv6 feature parity support for all WSP-owned network elements


Opsec Recommendations for the Retail Service Provider (RSP)

• Adherence to and enforcement of 'Master' NBN AUP, must be a 'rider' to RSP AUPs

• Quarterly detailed reporting of all NBN-related security incidents to the WSP CSO, with analysis, outcomes, and remedial actions documented and posted publicly on the RSP public Web site

• Dedicated or virtual information security (Infosec) team tasked with creating security policies, standards, procedures, carrying out forensics/investigative actions, and performing audits

• Dedicated or virtual operational security (Opsec team) tasked with actualizing policies, standards, procedures, and reacting to security incidents in real time, in coordination with WSP Opsec teams as needed - should be independent of Infosec team in order to avoid conflicts of interest

• Active participation in relevant closed, vetted global opsec communities

• Network visibility at layer-2 - layer-7 via instrumentation and standards-based telemetry (i.e., IPFIX/PSAMP) exported from all NBN-connected network elements to collection/analysis systems, including WSP collection/analysis systems

• Ability to mitigate layer-3 - layer-7 attacks against RSP-owned DNS infrastructure, portals, and other layer-3-accessible elements/applications/services


Opsec Recommendations for the Retail Service Provider (RSP) - Continued

• Implementation of all relevant layer-2/layer-3 security-related Best Current Practices (BCPs) for NBN-connected network elements

• Nonrepudiation of network traffic (i.e., antispoofing) at layer-2 and layer-3 - RFC2827/BCP38/BCP84/IP Source Guard/et al. by all NBN-connected network elements

• Layer-2 - layer-4 quarantine of connected endpoint nodes (i.e., CPE) - must be 'leaky', allow dialing emergency services via VoIP, support subscriber awareness

• Ability to filter traffic down to and including minimum-sized packets at 'line-rate' based upon layer-4 classification criteria for all NBN-connected network elements

• Bulkheaded, logically-separated authoritative and/or recursive DNS infrastructure for RSP end-customer name resolution services

• DNSSEC support for any RSP-owned DNS infrastructure

• Out-of-band (OOB) management network for all NBN-connected network elements (i.e., DCN)

• Protection of control and management planes of all NBN-connected network elements
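What the antispoofing item on this slide amounts to on an access port, as an added example that is not code from the deck or from Arbor: each port carries a binding of its delegated prefix and the DHCP-snooped MAC/IP pairs allowed to transmit (constructed here), a strict check models BCP38/RFC 2827 ingress filtering and IP Source Guard, and a per-port count of drop reasons feeds the visibility/telemetry recommendation. Port names, prefixes and MACs are assumed values.

```python
"""Software model of per-port source-address validation (added example, not
from the deck): BCP38/RFC 2827 prefix filtering plus IP Source Guard style
MAC/IP binding checks, with per-port drop counters for telemetry."""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class PortBinding:
    prefix: ipaddress.IPv4Network   # prefix delegated to the access port
    mac_to_ip: dict                 # DHCP-snooped MAC -> IP bindings on that port


# Constructed binding table for two access ports (documentation prefixes,
# assumed port names and MACs).
BINDINGS = {
    "ge-0/0/1": PortBinding(ipaddress.ip_network("198.51.100.0/30"),
                            {"00:11:22:33:44:55": "198.51.100.1"}),
    "ge-0/0/2": PortBinding(ipaddress.ip_network("198.51.100.4/30"),
                            {"66:77:88:99:aa:bb": "198.51.100.5"}),
}


@dataclass(frozen=True)
class Frame:
    in_port: str
    src_mac: str
    src_ip: str


def validate_source(frame: Frame, bindings=BINDINGS):
    """Return (verdict, reason).  Strict mode: the ingress port must be known,
    the source IP must fall inside the port's delegated prefix (BCP38), and
    the MAC/IP pair must match the snooped binding (IP Source Guard)."""
    b = bindings.get(frame.in_port)
    if b is None:
        return ("drop", "unknown ingress port")
    try:
        src = ipaddress.ip_address(frame.src_ip)
    except ValueError:
        return ("drop", "unparseable source address")
    if src not in b.prefix:
        return ("drop", "source outside port prefix (BCP38 violation)")
    if b.mac_to_ip.get(frame.src_mac) != frame.src_ip:
        return ("drop", "MAC/IP pair not in binding table (IP Source Guard)")
    return ("forward", "source validated")


def filter_frames(frames, bindings=BINDINGS):
    """Apply validate_source to a batch.  Returns the forwarded frames and a
    Counter keyed by (port, reason); a port whose drop counter climbs is a
    CPE the Opsec team wants to look at, or quarantine."""
    forwarded, drops = [], Counter()
    for f in frames:
        verdict, reason = validate_source(f, bindings)
        if verdict == "forward":
            forwarded.append(f)
        else:
            drops[(f.in_port, reason)] += 1
    return forwarded, drops


# Constructed traffic: one legitimate frame, one source outside the port's
# prefix, and one in-prefix address that is not bound to the sending MAC.
SAMPLE_FRAMES = [
    Frame("ge-0/0/1", "00:11:22:33:44:55", "198.51.100.1"),
    Frame("ge-0/0/1", "00:11:22:33:44:55", "203.0.113.9"),
    Frame("ge-0/0/2", "66:77:88:99:aa:bb", "198.51.100.6"),
]

if __name__ == "__main__":
    ok, dropped = filter_frames(SAMPLE_FRAMES)
    print(f"forwarded {len(ok)} frame(s)")
    for (port, reason), n in dropped.items():
        print(f"{port}: {n} dropped - {reason}")
```

The second check is what the prefix check alone cannot give you: a CPE that picks a neighbour's address inside the same delegated prefix passes BCP38 but fails the binding lookup, and the counter tells you which port it sits behind.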


Opsec Recommendations for the Retail Service Provider (RSP) - Continued

• DNSSEC support for all NBN-connected network elements

• SNMPv3 support for all NBN-connected network elements

• sshv2 or higher support for all NBN-connected network elements

• AAA support for all NBN-connected network elements

• ntp support for all NBN-connected network elements

• IPv4/IPv6 feature parity support for NBN-connected network elements


Opsec Recommendations for NBN-Connected Customer Premise Equipment (CPE)

• Network visibility at layer-2 - layer-7 via instrumentation and standards-based telemetry (i.e., IPFIX/PSAMP) exported from all NBN-connected network elements to RSP/WSP collection/analysis systems

• Nonrepudiation of network traffic (i.e., antispoofing) at layer-2 and layer-3 - RFC2827/BCP38/BCP84/IP Source Guard/et al. by all NBN-connected network elements

• Layer-2 - layer-4 quarantine of NBN-connected endpoint nodes (i.e., CPE) - must be 'leaky', allow dialing emergency services via VoIP, support subscriber awareness

• Ability to filter traffic based upon layer-4 classification criteria for all NBN-connected network elements

• DNSSEC support for NBN-connected elements

• Out-of-band (OOB) management network support for all NBN-connected network elements, connectivity to RSP and WSP DCNs

• Protection of control and management planes of all NBN-connected network elements

• SNMPv3 support for all NBN-connected network elements


Opsec Recommendations for NBN-Connected Customer Premise Equipment (CPE) - Continued

• sshv2 or higher support for all NBN-connected network elements

• AAA support for all NBN-connected network elements - i.e., subscriber awareness

• ntp support for all NBN-connected network elements

• NETCONF support for all WSP-owned network elements

• IPv4/IPv6 feature parity support for NBN-connected network elements

• Provide management access and provisioning by RSP and WSP OSS systems


Additional Opsec Recommendations/Observations

• Transparency & Global Opsec Community consultation/engagement in the formulation of NBN policy/architectural/operational templates, designs, & methodologies.

• Awareness and implementation of BCPs specific to wireless access networks.

• Endpoint security posture assessment is a nonstarter - doesn't scale, can't trust compromised end-nodes to self-report, doesn't apply to iDevices and spimes, et al. - don't do it!

• Mandatory wedging of stateful 'security' devices in the middle of WSP/RSP/CPE networks is iatrogenic in nature, negatively affects security posture - don't do it!


Conclusions

• Today’s Internet as a whole is a highly toxic security environment - that we simply can’t do without.

• Existing Best Current Practices (BCPs), technologies, tools, methodologies, and organizational measures are highly effective in securing and exerting positive control over Internet-connected infrastructure - if they are actualized.

• Starting from scratch, with no legacy impediments, provides a golden opportunity to build a world-class, secure, reliable, and resilient National Broadband Network.

• Public expectations regarding security and stability must be met in order for the NBN to succeed.


Fat Pipes are a Good Thing!


But they must be instrumented & controlled . . .


. . . in order to provide a palatable flow!


Q&A

Thank You!

Roland Dobbins <[email protected]>
Solutions Architect
+66-83-266-6344 BKK mobile
+65-8396-3230 SIN mobile
Arbor Public