Secure Communications

1
Secure Communications Intelligent
Infrastructure ServicesNASSCOM CEO
ForumAristotle BaloghMay 4, 2005
2
The On-Line World is a War Zone

• Internet bubble era innovation in crime
• Inter-networks are becoming an integral part of
  all business and consumer interactions
• Crooks are following the money and the
  opportunities
• Escalating precedents continue
• gt 2Gb attack traffic against .com/.net October
  2002
• Attack guided by monitoring effect on target
  service January 2004
• Broad-based zero-day exploit July 2004 (Mydoom
  variant)
• Cell phone virus spread just by proximity
  Summer 2004
• Week long DDoS attack to destroy on-line business
  September 2004, October 2004
• 5K - 50K zombie army attacks, for rent Fall
  2004

3
Industry Shifts are Creating Challenges

• The Internet and telecom networks are merging
• Like other historical infrastructure build-outs,
  there is no precedent for the scale, especially
  in number and power of endpoints
• Communication commerce are all about instant
  gratification
• Demands always on, globally available services
• Driven by mobility and broadband larger, more
  immersive content and multiple identities
• Great Aunt Louise shopping eBay actually,
  obsessed with eBay
• Our Industry is delivering ever more complicated
  products
• Accumulates more features, layers, operating
  systems
• Leads to never-ending stream of major defects and
  security vulnerabilities
• Packet stream of death vulnerabilities Cisco,
  July 2003, October 2004 Nortel, November 2004
  Linux, Jan 2004
• Vulnerabilities misclassified
• Results in abysmal overall dependability

4
Average Internal Realities Create More
Challenges

• Complex, unknown interdependencies among
  application components compound OS/server/storage
  and network layer dependencies
• Change causes failure, some of which is not even
  knowable a priori
• Applications continue indefinitely, often
  decaying with no planned obsolescence
• Distortion and mismatch as versions/types of
  infrastructure components rev even unsupported
  software
• For most, hundreds of gratuitous differences in
  applications and infrastructure configurations
  across the enterprise
• Administrators must apply different rules for
  every system or component
• Human error rate for somewhat involved recovery
  procedures can be 25
• Applications are generally not operator
  fault-tolerant

5
More Internal Realities

• Actual availability is much better than expected,
  then much worse
• Failure timing is unpredictable complacency sets
  in between failures
• Failures and attacks often provide subtle hints
  of impending effects, but aggregated metrics and
  event analysis is challenging, if even possible
• Staffing models must be based on failure and
  attack is an exception
• Special Commission style root cause is expensive,
  but required
• Sev 3 and Sev 4 defects accumulate to cause Sev 1
  2 customer impacts
• Budgets for product development, QA, and
  environments is finite
• Security is considered a nuisance and a hindrance
  

6
VeriSign Relevant Experience
E-Commerce 136K Merchants 10B
Transactions/qtr 37 North American eCommerce
Internet Addressing 42M Domain
Names 15B Queries per day 908M Internet users
Web Security 462K Web sites 150K Businesses 90
Secure Communications
Communications 3B Signals/day 40M
SMS/day 1300 Carriers
7
Example Characteristics of Intelligent
Infrastructure

• Understands multiple identities, preferences and
  end-user device capabilities, adapting the
  service routing
• Integrates disparate protocols, technologies and
  networks, creating an interoperable single image
  for the end user
• Underlies many if not most network interactions
  and captures the network effect benefit across
  diverse and increasing interactions
• As reliable as the Howrah Bridge or Indian
  Railways, and as critical
• Trust its performance implicitly
• Can withstand the storms of security attacks and
  hacks
• Absorb F5 tornado winds of Distributed Denial of
  Service attacks
• Identify bad guys, across all services, and
  adapt real-time sense-and-respond
• Self-heal from faults

8
The Challenge Security, with Availability
Scalability
MTTD (mean time to detection) / MTTR (mean time
to repair)
Continuous growing in number and sophistication
Level Scope
Variable
99.5 - 99.95
Availability Scalability
99.95, improving to 99.99
99.999 1 total outage every 5 7 years
2 - 25 failure rate
1 - 10 failure rate

• Key component of the customer experience is
  availability, security and scalability
• Feature/function superiority is irrelevant if the
  platform is not available or reliable
• Failure rates of each layer and the
  people/processes that operate them are additive
• Must engineer the service as a whole, including
  people, processes, and systems, masking lower
  layer failures and making the system operator-
  and process-fault tolerant

9
Imperatives of Secure Critical Service Delivery

• 1 Get the basics right
• Enforce highly disciplined change problem
  management
• Implement compulsive vulnerability/patch
  management
• Use few, standard architectures
• Ensure comprehensive and true-to-production QA
• Monitor all components and applications, 24x7
• Provide admin and critical facilities support,
  24x7
• Regularly audit, to learn and fix, not punish
• Pursue ever-better continue raising the bar
• Use the right technologies VPN, SSL, strong
  authentication, etc.
• Qualify off-the-shelf components comprehensively
• Engineer hardened, step-wise OS and tools images
• The Perimeter is a fallacy -- Keep it crunchy to
  the core!

10
Imperatives of Secure Critical Service Delivery

• 2 Drive absolute simplicity
• Minimize the components (and technology) to the
  customer
• Sometimes skip the latest technology and
  complicated features
• Drive architecture from detailed and complete
  recovery analysis (not just the obvious failures)
• Favor fail-fast
• 3 Implement closed-loop systems continuous
  feedback
• Review system architectures yearly
• Review all firewall rules, power and network
  connections quarterly
• Scan for WiFi networks weekly
• Attempt security penetrations daily (!)
• Use forward validation and interlocks for data,
  but also scrub
• Implement closed-loop monitoring and
  tracer/synthetic transactions, as the customer
  would
• Implement push-button diagnostics

11
Actual DNS Operation Security Summary Report
12
Imperatives of Secure Critical Service Delivery

• 4 Provision extreme over-capacity
• Provision extreme over-capacity at the edges, and
  end-to-end for network services
• Guarantee graceful degradation
• Protect limited components at the core
• Validate end-to-end performance across input
  extremes
• 5 Enforce independent diversity
• Always use 2 different implementations for
  components, except at the protected core
• Implement at least two no-compromise primary
  sites, and a tertiary
• Isolate global procedures and soak changes
• Stop the cascade decouple anywhere possible and
  use silos
• Enforce independence at the micro level, for
  instance, restartability

13
Winning Our ODI, Every Day
There is no playbook for the inter-networked
economy in an age of pervasive, on-line criminal
activity Challenges continue to mount, driving
the need for an ever-better culture and for
questioning the status quo and conventional
wisdom, while transcending the tyranny of the
urgent We need a standard technology based,
process-centric environment that continuously
learns and bakes-in best practice fail
internally and fix, before it becomes external
We have many ODI matches to deal with every
year, usually unannounced And for us, defeat can
be truly catastrophic, while victory is fleeting
(with no country-wide celebration or
felicitations from the Prime Minister)
14
Thank You

• Ari Balogh, 1.703.948.3292, abalogh_at_verisign.com
• Ramesh Krishnan, 91.98107.05915,
  rkrishnan_at_verisign.com
• Manoj Srivastava, 1.703.948.3254,
  msrivastava_at_verisign.com