Title: The ISP's Role in Improving Internet Security
1 The ISP's Role in Improving Internet Security
- An exploration of the need, potential, and
reality of ISP-assisted security mechanisms on
the network fringe.
2 Why do we care about the fringe?
I'd be really careful with the term fringe.
The truth is that MOST of the computers on the
Internet are at the edge. Servers are at the
edge, as are the users. The number of machines
that are really internal are the minority. So
there are lots of reasons to care about the
fringe. If you are talking about the role of
particular machines (i.e. broadband home users),
then you need to be more specific about what you
really mean.
- Increasing numbers of broadband connections
owned by non-security-minded customers are quickly
becoming a threat to our national Internet
infrastructure.
Can you be specific about what it is about having
increased numbers of high-bandwidth end-users
that makes the system more vulnerable as a whole?
Is it the speed at which worms or DoS attacks
can occur? Or is it something else?
3 What is the threat?
Again, since most of the computers are at the
edge, the fact that they are the source of
attacks is not surprising and doesn't make the
current situation any different from the past.
- Worms replicate and propagate from the network
edge, causing damaging traffic loads and
potential Internet-wide instability.
- DDoS attacks are launched from zombie computers,
threatening online assets.
- The fringe offers a safe launching point for
sophisticated attackers with stolen accounts, who
can rarely be tracked or caught.
Again, I think you need to be more specific in
justifying this last statement. Why does the
fringe offer a safe launching point, and what is
the implication of having high speed connections
at the fringe?
4 What can we do about it? (1)
- Attempt to minimize the number of compromised
end-hosts in order to reduce the threat to key
Internet assets and infrastructure.
- Note: The point of this research is NOT to
try and protect every computer on the
Internet.
Do you mean to contrast end-user machines versus
servers? Both are really end hosts. Minimizing
compromised end hosts is probably not specific
enough. Again, you might want to be more
specific about what you actually mean as
infrastructure.
5 What can we do about it? (2)
- Improve network transparency, attestation, and
inter-organizational information sharing to be
able to identify, block, and prosecute Internet
attacks.
These are all strategies for dealing with the
problem. It might be more helpful to state
precisely what the desired end result is, and
then move to strategies. That is, if I want to
identify, block, and prosecute internet attacks,
then you need to justify why transparency etc is
a necessary/sufficient condition for achieving
that end result.
6 Why are we looking at ISPs?
- "The average user is not, does not want to be,
and should not need to be a computer security
expert any more than an airplane passenger wants
to or should need to be an expert in aerodynamics
or piloting. This very lack of sophisticated end
users renders our society at risk to a threat
that is becoming more prevalent and more
sophisticated."
- Dan Geer, et al., CyberInsecurity: The Cost of Monopoly
This slide and the next are the most salient and
insightful ones of the entire presentation so
far. I would start with these, and then talk
about high speed end users after that.
7 Why are we looking at ISPs?
- The current model of individual users being
responsible for their own computer security in a
"fend for yourself" environment has left the
Internet in a precarious state.
- It's time to explore new possibilities. As the
gate-keepers of the Internet, ISPs are
positioned to potentially play a significant role
in securing the Internet.
8 How to define an ISP?
- Main Focus
- Targeting consumer ISPs who control network
edge infrastructure, not those providing
back-bone services.
- Security enhancements are geared toward broadband
(cable/DSL) providers, since these high-speed and
always-on connections make users both most
vulnerable and a greater threat to infrastructure.
9 How to define an ISP?
Some discussion of the Internet protocol stack
might be helpful in identifying the different
roles that an ISP can play. For example, an ISP
that has its own physical infrastructure is
different from someone who runs a virtual
topology on top of it.
- Applicability
- Some security mechanisms apply more to
facilities-based ISPs (who own/run the actual
infrastructure) than to virtual ISPs who simply
lease lines from a cable/telecom infrastructure
provider.
- Other enhancements may apply more to companies
providing service to residential users and small
businesses, that is, groups without a dedicated
and knowledgeable IT staff.
10 An Initial Framework to Classify Potential
Security Enhancements
It's hard for me to know what or why this
framework is being introduced. One way to remedy
this is to present the question first, and then
the framework as an answer (maybe not unique) to
the question. Without the proper motivation, the
framework becomes just more details that the
audience has to try to understand.
- The Actor Framework divides potential ISP
security enhancements into three categories based
on where they occur.
[Figure: Actor Framework with three categories:
End-Host, Network Traffic, Organizational/Procedural]
11 End-host Security Enhancements
- These are security mechanisms that
involve individual users' computers.
- Frequently they represent the ISP facilitating
good common-sense security practices.
One thing you might consider is putting the
definition of each of these enhancements on the
previous slide with the graphical representation
of their relationships. So a single slide with
all three on there. Then you might walk through
the examples one group at a time, or maybe try to
fit all three groups on the same slide (again
with the pictures).
12 Examples: End-host mechanisms
- Anti-Virus Software Update Subscriptions
- Personal Firewall Software
- Detection of vulnerable or compromised computers
on the ISP network.
- Protective Anti-Phishing software.
- User Personal Security Education
13 Network Traffic Security Enhancements
- These are powerful mechanisms that exploit the
control an ISP has to analyze and control all
incoming and outgoing network traffic.
- These mechanisms are more technically complex,
but also have a more far-reaching impact and can
not only protect but also detect and block
malicious out-going traffic.
14 Examples: Network Traffic mechanisms
- Egress filtering on outbound traffic
- Ingress filtering or proxying of traffic from a
dangerous-host black-list.
- Port blocking/throttling to prevent scans/attacks
for common vulnerabilities and worm propagation.
- Incoming/outgoing email virus scanning
- Coordinated cross-ISP support for IP trace-back.
15 Examples: Network Traffic mechanisms
- General deployment of advanced network devices
that analyze or prohibit traffic to a significant
degree, e.g.:
  - Intrusion/DDoS Prevention Systems
  - Context-Sensitive Firewalls (default deny)
  - Active connection monitoring devices.
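As an added illustration of the network-traffic mechanisms listed on these two slides (this is example code written for this page, not part of the presentation), the following Python simulates an ISP access-port policy: source-address validation on outbound traffic (egress filtering), blocking of a small set of ports, and a fan-out check that flags customer hosts whose traffic looks like scanning, which is the kind of signal behind "detection of compromised computers on the ISP network". The customer prefix, the blocked port set, the threshold and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions for one customer access port (not from the slides):
# the prefix assigned to the customer, ports the ISP chooses to block, and a
# fan-out threshold above which a host is flagged for follow-up.
CUSTOMER_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # RFC 5737 doc range
BLOCKED_DST_PORTS = {135, 445}   # assumed ISP policy choice for worm propagation
SCAN_THRESHOLD = 5               # distinct destinations per source before flagging


def egress_check(src, dst_port):
    """Decide what to do with one outbound flow from the customer port.

    Returns 'drop-spoofed' if the source address is not inside the prefix
    assigned to this port (it cannot legitimately originate here), 'drop-port'
    if the destination port is on the block list, otherwise 'forward'.
    """
    if ipaddress.ip_address(src) not in CUSTOMER_PREFIX:
        return "drop-spoofed"
    if dst_port in BLOCKED_DST_PORTS:
        return "drop-port"
    return "forward"


def apply_policy(flows):
    """Apply egress_check to (src, dst, dst_port) records.

    Returns the per-flow action list and the sorted list of customer hosts
    whose distinct-destination count reached SCAN_THRESHOLD. Flows dropped
    for a blocked port still count toward fan-out, since a scan on a blocked
    port is still evidence of a compromised host; spoofed flows are not
    attributed to any host because the source address is unreliable.
    """
    actions = []
    fanout = defaultdict(set)
    for src, dst, dst_port in flows:
        action = egress_check(src, dst_port)
        actions.append(action)
        if action != "drop-spoofed":
            fanout[src].add(dst)
    suspects = sorted(s for s, dsts in fanout.items() if len(dsts) >= SCAN_THRESHOLD)
    return actions, suspects


# Constructed sample flows: normal browsing from .10, one spoofed-source flow,
# and .20 probing a blocked port and then fanning out across several hosts.
SAMPLE_FLOWS = [
    ("203.0.113.10", "198.51.100.1", 80),
    ("203.0.113.10", "198.51.100.2", 443),
    ("192.0.2.7", "198.51.100.3", 80),
    ("203.0.113.20", "198.51.100.4", 445),
] + [("203.0.113.20", "198.51.100.%d" % n, 80) for n in range(5, 10)]

if __name__ == "__main__":
    print(apply_policy(SAMPLE_FLOWS))
```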
16 Organizational/Procedural Security Enhancements
- The policies, procedures and organizational
relationships used by an ISP will also affect the
impact it has on Internet security.
- These mechanisms focus on the ability to
effectively collaborate with other parties with a
common interest in improving security.
17 Examples: Organizational and procedural mechanisms
- Effectively responding to abuse complaints of
attacks originating within an ISP network.
- Accessible logs of traffic connections and
associated user data to allow for later use as
potential evidence.
- ISP collaboration for technology development and
information sharing standards.
18 Examples: Organizational and procedural mechanisms
- Development of metrics for quantifying the security
of an edge ISP network.
- IPv6 Deployment.
- Operational guarantees on integrity of key data,
such as DNS and BGP information.
- Collaboration with US-CERT Information Sharing
and Analysis Center.
19 A Second Framework to Classify Potential Security
Enhancements
Again, this needs proper motivation in order for
an uninformed audience to follow it.
Particularly if this is your own work and
framework, you need to justify why it's worth the
effort for the audience to learn it. (I am not
saying it's not worthwhile, simply that you
haven't motivated it properly).
- The Method Framework looks at the nature of
the security enhancement and classifies it
depending on how it attempts to improve security.
[Figure: Method Framework with three categories:
Protect Computer and Data; Detect/Block Outgoing
Malicious Traffic; Improve Traceability and Transparency]
20 The Two Frameworks Together
- The actor and method frameworks are independent
of each other. That is, being in a given category
in one framework does not imply being in a
certain category in the other framework.
- The combination of the two frameworks yields nine
different categories of security enhancements,
which we call clusters.
- Classifying potential security enhancements into
clusters gives us a useful tool to analyze these
changes without having to look at each one
individually.
21 Using a Matrix to Cluster Similar Security
Enhancements
- A 3 x 3 matrix can be used to combine them into
a single system for grouping and analyzing
potential security enhancements.
- This matrix allows us to place each security
mechanism into a CLUSTER with similar
enhancements.
[Figure: 3 x 3 matrix, Method categories as
columns and Actor categories as rows]
22 The Two Frameworks Together
This is cute, but again needs motivation. What
benefits come from having this matrix in this
manner? Is this taxonomy exhaustive? Is it
insightful? Are you providing a systematic way
to catalog everything, or is there something more
to it? For example, one thing that would be very
interesting would be a situation in which one of
the boxes was NOT filled with a current security
mechanism and where its absence actually
suggested a new approach to thinking about how an
ISP could mitigate risk.
- Each cluster contains an example of a security
enhancement which falls within this category.
23 So where from here?
- We have now seen the potential for ISP security
enhancements, but the next important question we
want to answer is:
- If these mechanisms are technically feasible and
well understood, why are few if any ISPs
currently using them?
24 Looking at the Incentives
- For ISPs, like any business, the decision to
implement depends on both the potential value
gain and the associated cost.
[Figure: Value vs. Cost drives the decision on a
security enhancement]
25 The goal: Understand ISP Incentives
- Key Assumption
- ISPs have positive and/or negative incentives to
implement certain types of security enhancements,
and these incentives apply only to certain
clusters of the framework matrix.
26 Assigning Incentives to Clusters
Only at this point does it become clear that you
are trying to find a way to understand the way in
which the economic incentives of ISP affect the
possible mechanisms that could be implemented.
This statement should come much earlier, and I
think it would help to make the presentation much
simpler.
- For example: An ISP may have an incentive to
increase revenue by charging for security
services. Logically, the main security
enhancements that can be charged for are in the
end-user protect computers/data cluster.
[Matrix figure: Method columns P (Protect), B (Block),
T (Traceability); Actor rows E (End-host), N (Network),
O (Organizational)]
- This corresponds to the upper-left corner cluster
on the matrix. For each discussed incentive, we
visually highlight the clusters that apply.
- We abbreviate each of the six categories with a
single letter to reduce clutter.
27 Negative Incentives of ISPs
- The following section will outline the negative
incentives of ISPs, that is, forces causing
service providers to be less likely to implement
a given security enhancement.
28 Negative Incentive: Employee Time
- Being a business, an ISP wants to minimize the
number of employees it needs for operation. The
two main employee areas to consider for this work
are network operations staff and customer service
staff.
29 Negative Incentive: Infrastructure Costs
- Many security enhancements will require
replacing or improving the ISP's current
infrastructure. Some changes may simply require
additional capacity for current infrastructure,
but many security improvements are themselves new
pieces of network hardware sold by network
security companies.
30 Negative Incentive: Software Licensing Costs
- End-host or network-based protection schemes may
require that ISPs license commercial software for
each customer, leading to significant expenses.
31 Negative Incentive: Carrier-only Responsibility
- Currently ISPs are not liable either in the case
that a computer on their network is compromised
or an attack originates from their network.
- Initial steps to help protect computers and
detect attacks could move ISPs closer to
liability, something they would like to avoid.
32 Negative Incentive: Increased Network Complexity
- Network complexity is the enemy of network
reliability, which is a top priority for
operators. Security features can add complexity,
leading to increased network problems.
33 Negative Incentive: Consumer Complexity
- A major selling point for Internet service is
the simplicity with which it operates. Security
mechanisms often require additional work on
behalf of the user, increasing complexity.
34 Positive Incentives of ISPs
- The following section will outline the positive
incentives of ISPs, that is, forces causing
service providers to be more likely to implement
a given security enhancement.
35 Positive Incentive: General Customer Satisfaction
If you are going to contrast positive versus
negative, I would maybe choose a different color
for the positive boxes (maybe green).
- While ISPs are not required to protect customer
machines, the safety of an end-user's computer may
impact their overall satisfaction with the ISP,
decreasing time spent with customer service, etc.
36 Positive Incentive: Network Utilization
- Compromised hosts often generate massive amounts
of traffic as a result of scanning or
denial-of-service (DoS) attacks.
- This traffic uses up the finite amount of
bandwidth an ISP has (or alternatively, is
charged for), decreasing their overall quality of
service or increasing bandwidth costs.
37 Positive Incentive: Improved Network Monitoring
Ability
- The sheer volume and noise associated with
malicious traffic (incoming and outgoing) make it
difficult for ISPs to effectively monitor and
control their network.
38 Positive Incentive: Legal Requirements
- While only limited legal requirements currently
exist, the possibility exists that enhancements
could be legally required at any cluster in the
matrix.
39 Positive Incentive: Service Differentiation /
Revenue Sources
- If security enhancements are protective,
visible, and relatively simple to understand,
adding these mechanisms can be sold to customers
for an increased monthly fee, or used to provide
a higher perceived quality of service than other
ISPs.
40 Positive Incentive: Improving Network Clean-up /
Outages
- A bad worm/virus outbreak can lead to service
degradation and large clean-up costs. Thus,
certain types of prevention/monitoring may be
valuable to the ISP to reduce later costs.
41 Positive Incentive: Hacker-Friendly ISPs and
Social Concerns
- ISPs that pay no attention to network security
and as a result host many machines used to launch
attacks draw widespread criticism from more
conscientious portions of the ISP community.
This is especially true for large tier 1
providers.
42 A Framework for Analyzing the Incentives for a
Security Mechanism
- Having outlined the clusters to which these
incentives apply, we can now ask the question:
- For security enhancements in cluster X, what are
the incentives of Internet service providers?
The question is whether or not this is really
possible. Here, you would be most convincing if
you went through a few examples that illustrated
how the enhancements in a cluster are affected by
ISP incentives. Again, in order for the
framework to be valuable, you should be able to
provide some insight which was not immediate from
simply asking the question outright.
43 What still needs to be better understood?
- We need to further explore the RELATIVE STRENGTH
of these incentives, which ultimately determines
the ISP's final decision.
- Additionally, there are likely MISSING
INCENTIVES not considered in this outline.
- This is the current focus of my research.
The fact that you believe there are missing
incentives makes me question the value of your
framework.
44 My working sources currently
- Cybersecurity Center (Keith, Martin, et al.)
- Other members of Stanford CS Dept. (Yashar,
Guido, etc.)
- Johannes Ullrich (DShield, SANS ISC)
- North American Network Operators' Group (NANOG)
forums and resources.
- ISP-Security mailing list (haven't contacted yet)
45 Conclusions
Modeling incentives is inherently challenging.
The type of analysis that you suggest (if
pursued, expanded, and refined) could lead to a
qualitative assessment of the types of decisions
that an ISP is likely to make. But its
predictive power is apt to be limited, due to its
qualitative nature. I feel like there is a
fundamental question underlying your work here
that is never stated, but is really important to
what you are trying to do. One possibility is
how do the economic incentives of ISPs affect
their decisions to implement security
enhancements? This is a HUGE question and topic,
more than a dissertation's worth. I think you
have done an admirable job in trying to get your
arms around all of it, but it may be too big. If
you want, I can try to help you narrow things a
bit, which may make things easier overall.
- After getting a clear picture of HOW and WHY the
ISPs make the security-relevant decisions, we can
look at their incentives vs. the overall value
and suggest areas in which to focus efforts to
yield the most efficient and effective boost in
Internet security.
- Note: This is not the focus of the research,
just a conclusion that points to further
potential work.
46 Maybe Questions to consider
- What are the forces acting on ISPs?
- How do ISPs make money (if they do)?
- What is the organizational structure of an ISP
business? What roles do people play? Who makes
the decisions? About what? What are their
responsibilities? How are they rewarded or
punished? How do people within the organization
make decisions?
- Can you identify cases of perverse incentives,
either in the way the ISP as a whole interacts
with the outside world or within the ISP itself?
- What are the security enhancement decisions
facing ISPs, and how do the above issues affect
them (if at all)?