An RX for IP Network Security
2/24/2004 -- A new report from research firm The Burton Group confirms what most Cisco certified professionals already know: The security of today's IP networks leaves much to be desired and exposes many critical services to potential attacks.
Burton analyst Dave Kosiur says that although there are solutions to many of the most vexing security issues associated with IP network services, they've found little uptake as a result of their cost and complexity. One upshot, then, is that protecting IP network services is still going to take some time.
For example, Kosiur says, there's no shortage of security measures that can help protect against infrastructure attacks, but networking vendors haven't yet implemented many of them because they require significant changes to existing infrastructure, or -- in the case of a routing protocol such as Secure Border Gateway Protocol (S-BGP) -- they rely on infrastructure pieces that haven't yet been implemented.
Much of the nuts-and-bolts work is out of the hands of enterprise IT organizations as well. For example, Kosiur notes, enterprises can use keyed MD5 message digests to authenticate a variety of internal routing protocols -- such as Routing Information Protocol version 2 (RIPv2), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS) and Border Gateway Protocol (BGP) -- but MD5 won't pass muster for BGP routers, which are critical infrastructure components of the public Internet.
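The keyed-MD5 authentication Kosiur refers to works by having every router on a link share a secret: the sender hashes the routing message together with the key and appends the digest, and the receiver recomputes it before accepting the routes. The following is an added example, not code from the article or the Burton report; it is a simplified model of RFC 2082-style keyed MD5 (the real RIPv2 trailer layout and OSPF's cryptographic authentication header are not reproduced), with a constructed key and constructed route data. It also shows why a shared secret is a poor fit across the public Internet: any peer holding the key can produce a valid digest, so there is no way to tell which domain originated a route.

```python
import hashlib
import hmac
import struct

# Constructed sample secret; in practice this is configured per interface or per peer.
SHARED_KEY = b"example-routing-secret"

DIGEST_LEN = 16  # MD5 output size in bytes


def keyed_md5_digest(packet: bytes, key: bytes) -> bytes:
    """Keyed MD5 in the RFC 2082 style: MD5 over the packet followed by the
    secret key, padded/truncated to 16 bytes. (Simplified: the real trailer
    also carries a key-id and length field, which are omitted here.)"""
    padded_key = key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]
    return hashlib.md5(packet + padded_key).digest()


def build_update(seq: int, routes, key: bytes) -> bytes:
    """Sender side: 4-byte sequence number, route list, then the keyed digest.
    The sequence number gives the receiver a replay check, as RFC 2082 does."""
    body = struct.pack("!I", seq) + b"\n".join(
        f"{prefix}/{length}".encode() for prefix, length in routes
    )
    return body + keyed_md5_digest(body, key)


def verify_update(msg: bytes, key: bytes, last_seq: int):
    """Receiver side. Returns (accepted, new_last_seq, route_payload).
    Rejects short messages, bad digests, and replayed/old sequence numbers."""
    if len(msg) < 4 + DIGEST_LEN:
        return False, last_seq, b""
    body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    expected = keyed_md5_digest(body, key)
    # Constant-time comparison avoids leaking digest bytes via timing.
    if not hmac.compare_digest(digest, expected):
        return False, last_seq, b""
    seq = struct.unpack("!I", body[:4])[0]
    if seq <= last_seq:  # replayed or out-of-order message
        return False, last_seq, b""
    return True, seq, body[4:]


def demo() -> dict:
    """Runs the four cases a defender cares about and reports each outcome."""
    routes = [("10.0.0.0", 8), ("192.168.1.0", 24)]  # constructed sample routes
    msg = build_update(1, routes, SHARED_KEY)

    valid, seq, payload = verify_update(msg, SHARED_KEY, last_seq=0)

    # An on-path party changing a prefix length without the key breaks the digest.
    tampered = msg.replace(b"10.0.0.0/8", b"10.0.0.0/9")
    tampered_ok, _, _ = verify_update(tampered, SHARED_KEY, last_seq=0)

    # A peer configured with a different key cannot validate the message.
    wrong_key_ok, _, _ = verify_update(msg, b"other-key", last_seq=0)

    # Re-sending an already-accepted message is caught by the sequence check.
    replay_ok, _, _ = verify_update(msg, SHARED_KEY, last_seq=seq)

    return {
        "valid": valid,
        "payload": payload,
        "tampered_accepted": tampered_ok,
        "wrong_key_accepted": wrong_key_ok,
        "replay_accepted": replay_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The digest proves only that the sender knew the shared key; it says nothing about whether the sender was entitled to announce those prefixes, which is the gap the PKI-based S-BGP and soBGP proposals discussed next are meant to close.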
That's where S-BGP and a sister protocol, Secure Origin BGP, enter the mix. S-BGP, for its part, is designed to use a public key infrastructure (PKI) hierarchy that's patterned after the Internet Assigned Numbers Authority (IANA), Kosiur says, but one key caveat is that this PKI hasn't yet been implemented. Secure Origin BGP, on the other hand, exploits a model in which domains can establish so-called "webs of trust" for exchanging secrets, and so may have a better chance of adoption, Kosiur reasons.
S-BGP isn't the only PKI-driven security measure that must clear a hurdle or two before it enjoys broad uptake. Many of the latest proposals for securing important IP services like routing, name services and address management are predicated on the use of a PKI, but, Kosiur cautions, there's always a good deal of complexity involved in deploying and managing a PKI system. More to the point, organizations have been slow to adopt PKI-based solutions in non-traditional areas, such as network management. Kosiur cites the example of the DNS Security (DNSSEC) extensions, which were approved almost 10 years ago but aren't expected to start seeing uptake for another year or two. "One reason for the delay in adopting DNSSEC is the reluctance on the part of enterprises to incorporate a PKI with DNS services for server authentication purposes, which will add to the complexity of the service," he writes.
Similarly, the use of compute- and resource-intensive security measures such as digital certificates and digital signatures for authentication poses performance problems for many devices. "For example, in the case of securing BGP or domain name servers ... vendors have not yet implemented the added security protocols in their routers or name servers because of the cost of adding additional processing capacity to those devices," Kosiur writes.
The prescription? Not surprisingly, Kosiur recommends that network managers start to familiarize themselves with PKI systems. This is especially important, he notes, because in most organizations PKI is used primarily for identity management and has seen little uptake in support of network management. Elsewhere, organizations should look to acquire routers and other infrastructure devices with more processing power as they become available. Kosiur advises companies to talk with their networking providers so that they can time their upgrade cycles with the availability of these beefier devices. -Stephen Swoyer