NBN must avoid becoming 'failed state'

Arbor Networks urges NBN Co to build a network that is secure by design.

Service providers were obliged to defend their networks against security attacks but not to the point they became security police, Arbor Networks solution architect Roland Dobbins told an audience of ISPs today.

Speaking at the AusNOG conference in Sydney, Dobbins (pictured) argued that service providers had an opportunity to be "more proactive on their home turf" when it came to information security.

"Just as we have moral and practical obligations to defend our homes against fire, flood or intruders, we have to do the same for our networks [against threats from the internet]," he said.

"Service providers have to take basic measures to keep their networks up and running.

"Whether we like it or not, we have to do things to strengthen the network itself - [for example, to] filter out hostile traffic directed at our servers. You've got to defend your network. You can't just step back and say, 'I'm at Layer 2. I don't care what happens at Layers 3 or 4.'"

Could the NBN be a failed state?

Arbor Networks' Roland Dobbins at AusNOG, September 17, 2010.

The internet met nine of 12 criteria to qualify as a "failed state", he said, so it was up to NBN Co to ensure its "brand new, large southern [virtual] continent" didn't fall into the same law-enforcement "cesspit".

"If the network isn't defensible and there's not an active push to impose law and order, there's a danger [the network] will become a cesspit and fail," as it had in China and Russia where criminal hacking had taken the place of litigation in the West as part of "legitimate" business strategies, he said.

"We have to take positive action," he said, believing that an unmanaged network could rapidly become unmanageable, insecure and then un-securable.

"We don't want that at all," he said.

Dobbins said that a responsibility of governments was to "provide security and stability".

"NBN Co is essentially a Government-owned enterprise. In the public eye ... they see it as an arm of Government," he said.

"Whether that's true or not, people tend to expect more from their governments than they do from the private sector so the bar is set a bit higher.

"It's because of this perception that providing security and stability should be a primary purpose of NBN."

Dobbins said that NBN Co should set security standards in the acceptable-use policies imposed on retail ISPs and the interconnect standards for devices that connected to the network.

It must also "have the ability to marshal resources and be able to coordinate a defence of its infrastructure", he said.

He said NBN Co should write a "formalised NBN threat model" as a living document that was regularly updated.

He also called on NBN Co to contribute to the operations security community globally and urged it to install a chief information security officer with oversight of such issues as a matter of urgency.

Dobbins acknowledged that tackling security in the manner he suggested would involve developing an understanding of the traffic moving across wholesale and retail ISP networks.

But he said he was "not trying to advocate deep-packet inspection", nor did he want to "put NBN Co in the role of law enforcement".
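The distinction Dobbins draws, understanding traffic across the network without deep-packet inspection, is what flow telemetry (NetFlow/sFlow-style export records) gives an operator: per-flow headers and counters, never payload. The script below is an added example written for this page; it is not code from the article, from Arbor Networks or from NBN Co. It assumes records of the form src,dst,proto,dst_port,packets,bytes for one export interval, the sample export is constructed, and the thresholds are illustrative assumptions an operator would tune against a real baseline. It flags a destination under a many-source flood and lists the subscribers sending heavily toward it, the two outputs a wholesale or retail provider needs to mitigate inbound and to notify or quarantine outbound.

```python
"""Flow-telemetry triage for an access network.

Added example, not the article's or any vendor's code. Records are
NetFlow/sFlow-style summaries (5-tuple plus packet and byte counts) for one
export interval. Only header fields are examined; payloads are never touched,
which is the point: traffic understanding without deep-packet inspection.
The thresholds and the sample export are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

INTERVAL_SECONDS = 60       # assumed length of the export interval in the sample
TARGET_PPS_ALERT = 1000     # assumed: a destination above this packet rate is a candidate target
MIN_DISTINCT_SOURCES = 5    # assumed: fewer sources than this is one noisy client, not a flood
SOURCE_PPS_ALERT = 50       # assumed: a subscriber above this rate toward a target is a contributor

# Constructed sample export covering one 60 s interval (not real traffic).
# Fields: src_ip,dst_ip,proto,dst_port,packets,bytes
SAMPLE_FLOWS = """\
# ordinary subscriber traffic
10.0.2.20,198.51.100.7,6,443,420,510000
10.0.2.21,198.51.100.7,6,443,380,470000
10.0.3.99,203.0.113.5,6,443,120,140000
# eight subscribers hammering one target with small UDP packets
10.0.1.10,203.0.113.5,17,53,8000,512000
10.0.1.11,203.0.113.5,17,53,8000,512000
10.0.1.12,203.0.113.5,17,53,8000,512000
10.0.1.13,203.0.113.5,17,53,8000,512000
10.0.1.14,203.0.113.5,17,53,8000,512000
10.0.1.15,203.0.113.5,17,53,8000,512000
10.0.1.16,203.0.113.5,17,53,8000,512000
10.0.1.50,203.0.113.5,17,53,40000,2560000
# one chatty client: high rate but a single source, so not a flood
10.0.4.8,198.51.100.9,6,80,90000,9000000
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dst_port: int
    packets: int
    octets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src,dst,proto,dst_port,packets,bytes' lines; blanks and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, port, pkts, octets = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(port), int(pkts), int(octets)))
    return flows


def find_targets(flows: list[Flow], interval: int = INTERVAL_SECONDS) -> dict[str, tuple[float, int]]:
    """Return {dst: (packets_per_second, distinct_sources)} for destinations that look flooded.

    Both conditions must hold: the aggregate rate is above TARGET_PPS_ALERT and the
    packets come from at least MIN_DISTINCT_SOURCES sources. A single fast client is
    not reported, which keeps a busy but legitimate download out of the alert list.
    """
    packets: dict[str, int] = defaultdict(int)
    sources: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    targets = {}
    for dst, n in packets.items():
        pps = n / interval
        if pps > TARGET_PPS_ALERT and len(sources[dst]) >= MIN_DISTINCT_SOURCES:
            targets[dst] = (pps, len(sources[dst]))
    return targets


def find_contributors(flows: list[Flow], targets: dict, interval: int = INTERVAL_SECONDS) -> dict[str, list[tuple[str, float]]]:
    """Return {dst: [(src, packets_per_second), ...]} of subscribers sending heavily to each flagged target.

    Sources below SOURCE_PPS_ALERT (ordinary clients of the victim) are left out;
    the remainder, sorted heaviest first, is the candidate list for notification
    or quarantine by the retail provider that owns those subscribers.
    """
    per_source: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.dst in targets:
            per_source[f.dst][f.src] += f.packets
    result = {}
    for dst, srcs in per_source.items():
        heavy = [(src, n / interval) for src, n in srcs.items() if n / interval > SOURCE_PPS_ALERT]
        result[dst] = sorted(heavy, key=lambda item: item[1], reverse=True)
    return result


def triage(text: str) -> tuple[dict, dict]:
    """Run both passes over one export and return (targets, contributors)."""
    flows = parse_flows(text)
    targets = find_targets(flows)
    return targets, find_contributors(flows, targets)


if __name__ == "__main__":
    targets, contributors = triage(SAMPLE_FLOWS)
    for dst, (pps, n_src) in targets.items():
        print(f"target {dst}: {pps:.0f} pps from {n_src} sources")
        for src, src_pps in contributors[dst]:
            print(f"  contributor {src}: {src_pps:.0f} pps")
```

On the sample export the 90,000-packet single-source flow to 198.51.100.9 is ignored, 203.0.113.5 is reported at about 1,600 pps from nine sources, and the contributor list carries the eight flooding subscribers with 10.0.1.50 first while the legitimate 443 client at 10.0.3.99 is excluded. Nothing here needed a payload byte; the same header-level counters also drive the per-subscriber outbound view a retail provider would use to quarantine a compromised host.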

"I'm not trying to say ISPs should be an enforcer," he said in response to a question from AusCERT general manager Graham Ingram.

"I'm saying that to keep a network up and running, there's an absolute minimum of self-defensive things that service providers should do.

"Service providers can be more proactive on their home turf and the NBN might be an opportunity to do it."

Copyright © iTnews.com.au . All rights reserved.
Comments: 19
MerariSchroeder
Sep 17, 2010 3:42 PM
Woah! Hang on a minute. What is this guy trying to say? All those points on the slide have nothing to do with the internet - what a con. The internet represents globalisation and decentralisation and it isn't a single entity, so of course when you put it up against a set of rules designed to describe a tangible centralised authority it will fail.

He juxtaposes Australia with hackers from Russia and China. That problem emerged from socio-economic factors not internet throughput.

If he was merely talking about security he would have some credibility, but he's not, he's talking about censorship. He tries to claim he isn't "not trying to advocate deep-packet inspection", however you don't need deep packet inspection to censor or police the internet.

He's talking about US style law enforcement. People talk about ditching the Monarchy to find a sense of identity for Australia, but at the same time the Government is continuously copying international policy, making us just another face in the crowd.

So in summary, he raises an alarm with no basis and comes to no tangible solution to his intangible problem. Am I the only one confused?
wjc
Sep 17, 2010 4:24 PM
NBN threat number 1 - Denial of Service (DOS)once copper goes and mains power goes off! Remember, copper has at least 48Volts DC backup at layer 1 so that you can at least more confidently depend upon power from your exchange in an emergency (yes, Telstra actually has a fuel-oil bill for generators to maintain battery charge at exchanges.) It is SIMPLE to pull through a low-voltage power line at the same time as any NBN fibre and to ensure reliability/resilience at the home/business/repeater termination units - we just have to make sure that Senator Conroy has made this a COMPULSORY part of the NBN requirements and has informed that of that.

Even Optus, in its Internet connection brochure, clearly advises its customers to keep a simple, plain wired phone if they have moved all services (VoiP, etc.) to Optus' internet service!!
rdobbins
Sep 17, 2010 5:39 PM
@MerariSchroeder:

Thanks for taking the time to comment - I understand your confusion, which I believe results from a) a lack of complete information regarding the actual security situation on the Internet today, b) a lack of information concerning the standard best current practices (BCPs) which SPs around the world implement in order to preserve the availability of their networks even in the face of determined attacks, c) the common reaction/mitigation mechanisms utilized by SPs worldwide to protect their servers and those of their customers from DDoS attacks, and d) a misunderstanding regarding the topic under discussion (i.e., self-defense for the NBN and for NBN-connected retail service providers).

The discussion had nothing whatsoever to do with censorship, law enforcement in general, or 'US-style law enforcement' - it was about ensuring that the NBN itself is secure so that end-customers can make use of high-speed broadband without being constantly interrupted by DDoS attacks, about minimizing the risks of having their computers/mobiles/etc. compromised and used to launch outbound DDoS attacks/send spam/steal their identities, etc., and about ensuring that the NBN doesn't inadvertently become an enabler of online criminals.

To avoid recapitulating information available elsewhere, please have a look at the following presentations which cover the relevant topics in detail:

https://files.me.com/roland.dobbins/y4ykq0

https://files.me.com/roland.dobbins/k54qkv

https://files.me.com/roland.dobbins/k4zw3x

https://files.me.com/roland.dobbins/prguob

https://files.me.com/roland.dobbins/dweagy

As you can see, this is technical information concerning how to *protect* content-bearing servers and the networks upon which they depend from attack, so as to keep them *up and running* - in other words, about ensuring the *availability of information and content* even in the face of determined attacks from criminally-, ideologically-, or nihilistically-motivated attackers.

In short, the discussion was about *preserving the ability of end-users to access applications, data, services, content, and information*, which is the precise *opposite* of censorship.

Here's the presentation I delivered this morning at AusNOG, which is cited in the above ITNews article:

https://files.me.com/roland.dobbins/j0a4sk

I hope this helps clarify matters, and thanks again for your feedback!
djzort
Sep 17, 2010 5:54 PM
@rdobbins

"it was about ensuring that the NBN itself is secure so that end-customers can make use of high-speed broadband without being constantly interrupted by DDoS attacks"

NBN is supposed to be a Layer 2 provider only. So why should NBN do anything about DDOS? DDOS is a layer3+ problem which is your ISP's responsibility and is most often best applied on international links and on the other end of international links.
rdobbins
Sep 17, 2010 6:21 PM
@djzort:

Firstly, there are multiple ways to DoS layer-2 infrastructure if the appropriate layer-2 BCPs aren't implemented.

Secondly, by developing and imposing standards for NBN-connected layer-2/layer-3 RSP PE and end-user CPE, NBNCo can ensure that RSPs have the requisite tools and mechanisms to deal with DDoS attacks, quarantine botted hosts, et. al., and also help coordinate opsec activities amongst RSPs in the event of wide-scale security events.

Thirdly, DDoS isn't solely a phenomenon related to international peering/transit links - especially when more and more botted hosts are showing up on Australian broadband networks and launching outbound/crossbound DoS attacks.

Thanks for your comment!

MerariSchroeder
Sep 17, 2010 6:44 PM
Ok - so it is about security then. Therefore, I think the part about 'failed state' in the article distracts from your true message. Also the NBN really doesn't have anything to do with it, although it does offer a good platform for you to spread your message of security. In general *all* businesses not just ISPs should be employing a best practice security model. Perhaps there should be an Australian standard and visible savings from insurance.

I'm not an expert in this field. But I understand most breaches occur from within companies not externally. So security must begin at businesses and then out. What specific measures can the NBN implement? Software to kill DDoS on request quickly? I doubt much can be done at Layer 2 except notifying ISPs of statistical spikes who then investigate more thoroughly, etc...

Unfortunately I see barriers to best practice.
1. A security industry which doesn't benefit from giving away their "checklist". Prohibitive costs to contract an expert.
2. Operating Systems which don't allow security profiles at install or after install. Requiring expensive contractors.
3. A General lag in technology (software and hardware) to embrace security - it's often an after-thought, but getting better.

I hope to find time to have a look at your actual presentation - but can't promise anything.
deteego
Sep 18, 2010 1:24 AM
djzort wrote:
@rdobbins

"it was about ensuring that the NBN itself is secure so that end-customers can make use of high-speed broadband without being constantly interrupted by DDoS attacks"

NBN is supposed to be a Layer 2 provider only. So why should NBN do anything about DDOS? DDOS is a layer3+ problem which is your ISP's responsibility and is most often best applied on international links and on the other end of international links.


Long story short, the issue is that NBN (being a FTTH infrastructure) means that it can deliver massive amounts of bandwidth within the network in a short amount of time, which makes the NBN a much more appealing platform to perform DDoS attacks on compared to other networks (especially if that network happens to also be within Australia). For the more sophisticated DDoS attacks, they are only usually stopped after an initial wave. The difference between that initial wave on a slower/fragmented network and on one like the NBN can be the difference between hours of downtime compared to days/weeks.

Taking into account what rdobbins stopped, this is something that needs to be stopped above the ISP level
Francis
Sep 18, 2010 8:54 AM
@ Roland Dobbins says "Just as we have moral and practical obligations to defend our homes against fire, flood or intruders, we have to do the same for our networks [against threats from the internet],".

An excellent point.
In all the Hullabaloo over the internet we overlook the fact that it is not just a provider of Internet services but Telephony and Pay TV also.

In many cases we have a failure of telephony services at critical times in this country due the fact that the cables concerned are strung from Power Poles. As such they are brought down by Bush Fires, Storms and even Motor Vehicle Collisions with poles.

We often take the cheap (and Nasty) way out. This would not happen in most of the developed world so why should we tolerate it here?

Communications are critical in such times of need but often fail as we have seen in all our capital cities due to storms and as in the Ash Saturday fires in Victoria.

It is not just a matter of protecting our networks from Hackers and DDOS attacks but climatic and environmental events also.
Francis
Sep 18, 2010 9:19 AM
@ WJS
You make a valuable point. However The majority of the Copper network is also safe from damage underground also.
While I do not live in the sticks I do live in a suburb on the outer Northern Suburbs of Sydney. As our power supply is often affected by a variety of environmental effects I have UPS units on all our computer and audio visual equipment as well as a small (6.9 KVA) backup generator in the Garage.
Yet all this is for naught as when the power goes down so does the Telstra Cable network as it like the Optus network relies on power supplies along its length powered from the overhead cables, this is then exacerbated by the fact that we live in a Mobile Phone Black spot, but then we can recharge the Mobile Phone Batteries.

Without going into a lot of detail we can physically secure the NBN as per my previous post and we can secure its power by building in a basic UPS (Uninterruptible Power Supply) at or near the attachment of the NBN to your home. To do otherwise would be a dereliction of duty of those responsible for and building the NBN.
DazzaJ
Sep 19, 2010 8:29 AM
This seems to delve into the "monitoring", "Logging", "Filtering", "Censorship", "control of information", and limit of freedom, that Conroy is so adamant about, only this time it stated as defensible, regulated, marshal resources, law and order . . . .!
A system has to be secure, but this idea of enforcing so-called laws, and extreme personal left wing values on peoples internet use is again very Chinese.
"To filter out hostile traffic .. ", again what is deemed as hostile?, the fact that I don't like or trust Labour any more, is that "Hostile" so therefore should I be filtered, monitored, logged and recorded??
The NBN needs to be secured as any network needs to be secure, but it should NOT be just an oversize logging, filtering and data mining system that Labour seems so intent on creating.
Francis
Sep 20, 2010 8:49 AM
@ DazzaJ
I would not necessarily lump all actions of Conboy on Labor.
Conboy seems to be a hard right law unto himself and as such deserves all he gets.
arosewar
Sep 21, 2010 1:36 PM
@ DazzaJ

Why are you jumping on this band wagon this has nothing to do with Censorship or Control of Information. This has to do with Proactively protecting users and providers of the NBN from Denial of Service based attacks.

Think of the damage that can be done when you have clueless home users with 100Mb of bandwidth to their door and no idea about how to protect themselves. We have this issue now, but the bandwidth provided to home users is not that high, up to 1/5th of this to be precise, so the damage a potential criminal hacker could do with a connection 5X as fast is something that needs to be considered.

How would you like to be DDoS'd by the script kiddy around the corner who just doesn't like you for some reason and have your 100Mb connection dropped to less than 1Mb? What impact could this have on Business etc and Corporate Espionage if I can DDoS my competitors' website from hacked computers on the NBN. You should be starting to see the picture now.

This is not about Censorship or Filtering it's about prevention and protection for users of the NBN to ensure that they are not the targets or instigate attacks from their new high speed connections.
anonymous
Sep 21, 2010 5:37 PM

@arosewar, you're probably right, but it seems that Dobbins was positively inviting adverse comments by choosing to seek publicity through being tendentiously controversial.

No, I don't want to cop a DOS attack from a script kiddie or anyone else, but if Dobbins wanted a professional debate on dealing with DOS attacks he should have used professional language instead of irrelevantly rabbitting on about the NGO Fund for Peace.
johnpro2
Sep 23, 2010 7:05 AM
@anon:but if Dobbins wanted a professional debate on dealing with DOS attacks he should have used professional language.

******
Maybe ..but in the real world of marketing a 'sales gimmick' can often get an audiences attention.
After all, we read it.
I was rather impressed with the level of professionalism displayed all the same.

Jp
Francis
Oct 6, 2010 10:51 PM
@ arosewar.
Your article is in part relevant, but falls apart when you study the Bigpond user policy. This essentially prevents users sending bulk E-Mails to more than 20 recipients without a 10 Minute break or 30 seconds apart.
This effectively stops the sort of argument you are putting forward. I am sure that other ISPs have similar safeguards.
X_Selectar
Oct 7, 2010 12:18 AM
1.) Does anyone really believe a NBN will be built ?
2.) If discussion about DOS attacks are dominating conversation why not take steps to educate the general public about securing their systems with basic security measures. As I've said on numerous Blogs / Forums there will be a lot of security issues raising the data transfer speeds to 100 Mb's/sec.
3.) I think Francis made a really valid point. Although the Internet is almost a rogue state, it is "Served" up to the consumer, servers do have abilities to log, flag, drop suspicious clients.
4.) We've already seen Feb 10th 2010 distributed denial of service (DDoS) attacks take down the Web sites of the Australian Parliament House and Communications Minister Stephen Conroy.
5.) Once people understand the Web, and its carrier, The Internet is a conglomerate of individuals who may come together and attack someone who upsets them, the closer we come to understand were to put our energies. This Internet is embryonic, the demands put upon it may be unreal ? Driven by fantasy, business hopes, delirium of huge gains in so many areas shows how silly this great Internet plan is, and the people trying to make it do what it was never intended.
I believe a lot of people are taking the idea of "Creating a National Network" as some Biblical occurrence, where perfection can, and must be obtained. Aint gonna happen !
Studying attacks on sites such as Anti Malware Forums isn't a waste of time; many have several servers, so they can switch to a separate one during a DDoS. We need smart thinkers who can keep one step ahead of the bad guys, now, not after creating a NBN!

While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target and as well the systems controlled by the intruder.
Understanding we are still in infancy with the Web, and not expecting too lofty an expectation, may be our best bet at stopping running in circles like a dog chasing its tail!
umbria
Oct 7, 2010 12:26 PM
Mister X,
1) yes, an NBN will certainly be built and the sooner the better, primarily with fibre to premises, and hopefully as infrastructure in the public interest and not skewed to deliver annual shareholder profits. The coalition primarily lost the election because they didn't accept this reality;
2) network speed is a factor, but good defences are needed at any speed;
3) yes, independent server defences are indeed a part of this;
4) DDoS defence is interesting. I can imagine that with national fibre interconnection, distributed defensive detection systems can be developed which will more quickly recognise attacks and which packets should be silently dropped to cripple them;
5) the copper network has been delivering data services for which it was never designed for a couple of decades, and fibre will do the same. This is not fantasy but garden-variety progress. You are quite right to propose iterative improvements to security while delivering big picture defensive gains as they become possible.
block
Oct 7, 2010 3:57 PM
What do you mean the copper wires were never designed to carry data? There are roads out there today that are not designed to carry the cars in 10 years time. Guess what, the cars will be designed to work on the existing roads.

The fact is the ADSL technologies were designed to run on the existing copper infrastructure. Yes, we may reach the limitations of that copper or get to the point of diminishing returns for the development of new standards, however saying it wasn't designed for it is not really relevant.
X_Selectar
Oct 8, 2010 2:51 AM
@block, I was I suppose inferring that the whole idea socially of the Web. The Internet, is a sham as far as expectations regarding services offered, and the security of privacy, and financial integrity.
The engineering behind it is very sound as you point out.
1. Yep, copper has more than adequate capacity to deliver high speed broadband, and phone line!
2. Yesterday I awoke to a no "dial tone" situation.
The day before my Internet connection had been dropping out intermittently, so a frustrating day, however next day a technician took half an hour to fix this, after all the obvious checks at the exchange, my Computer, leads, etc. I asked him what had happened?
"Short circuit, cable under the road has lost insulation, water got in, so I changed to another cable, under the road." Too easy.

My ISP also offered me a better plan, same price, triple the data allowance, and three times the speed, I accepted !

Social scamming: Today received a call (from overseas) from a woman saying she was from Microsoft saying, "my Computer was sending a lot of data, and she'd put me onto a Technician to help me configure my Computer."
I said, "Really, you're from Microsoft?" She really couldn't speak English well enough to convince me. I know how much data I send, cos I pay for it!!! I just hung up on her!
Still I'm not convinced the average Joe would ring their ISP when experiencing problems, the fear of viruses often clouds the brain.

I reckon a lot of people would believe an "overseas caller" saying they are from Microsoft, plus, "let us play with your Computer, and credit card."

These are issues aside from the NBN, but integral points to educate people about.
Too much talk of Tech perfection in this NBN proposal.
MerariSchroeder made some interesting comments above. Expecting "Security, and "Great Service" is asking for Government intervention, of which will be inferior as they are politicians, not engineers !
The Internet is a unregulated wasteland, but it will take care of itself, if users are educated, and politicians keep their noses out of it.
" ...NBN Co to build a network that is secure by design."
Naive ? Impossible !
Comments have been disabled for this article.