
Emerging Global Ecosystem for Infrastructure Protection and ...

Date post: 18-Nov-2014
An Emerging Global Ecosystem for Infrastructure Protection and Network Forensics. Anthony M Rutkowski: VP for Regulatory Affairs and Standards, VeriSign; Visiting Prof., Georgia Tech Nunn School; President, Global LI Industry Association. Fostering International Collaboration in Information Security, Research Symposium #727, AAAS, St. Louis, USA, 16-17 Jan 2006. V1.0
Transcript
Page 1: Emerging Global Ecosystem for Infrastructure Protection and ...

An Emerging Global Ecosystem for Infrastructure Protection and Network Forensics

Anthony M Rutkowski

VP for Regulatory Affairs and Standards, VeriSign

Visiting Prof., Georgia Tech Nunn School

President, Global LI Industry Association

Fostering International Collaboration in Information Security

Research Symposium #727

AAAS, St. Louis, USA

16-17 Jan 2006

V1.0

Page 2: Emerging Global Ecosystem for Infrastructure Protection and ...

Outline

+ The emerging global ecosystem
  ▪ Paradigm shifts and what they produce
  ▪ Public infrastructures and what we expect of them
  ▪ Next Generation Network public infrastructures
  ▪ Ecosystem forums and major developments
  ▪ Network forensics and why they are necessary

+ Fostering collaboration on needed capabilities
  ▪ Nudging
  ▪ Just do it

Page 3: Emerging Global Ecosystem for Infrastructure Protection and ...

Paradigm Shifts

+ Fundamental points of inflection
  ▪ Digital networks
  ▪ Morris Worm of 1988
  ▪ Intelligent Network failure of 1991
  ▪ Nomadicity (wireless, IP, smart objects)
  ▪ Rapidly scaling SPAM, cybercrime and cyberterrorism
  ▪ 9/11
  ▪ Katrina, Rita, …

+ Produce significant changes to infrastructures and their ecosystems

+ Drive changes to policies and practices

Page 4: Emerging Global Ecosystem for Infrastructure Protection and ...

Public infrastructures – definition and treatment

+ Capabilities “generally available to the public”

+ Characteristics and expectations
  ▪ Substantial availability, especially during and after emergencies
  ▪ Protection for users
  ▪ Quid pro quos established in law, regulations, and standards

Page 5: Emerging Global Ecosystem for Infrastructure Protection and ...

Typical public network infrastructure requirements

+ Availability, Security and Protection
  ▪ High availability
    – analysis of network metrics and outages
  ▪ Network attack mitigation
  ▪ Priority access and notices during emergencies
  ▪ Restoration
  ▪ Personal emergency services
  ▪ Prevent unwanted intrusions
    – Filters (DoNotCall)
    – Aids (CallerID)
  ▪ Nomadicity
    – Number portability
    – Roaming
    – Payment method flexibility
  ▪ Cybercrime mitigation
    – Forensics capability
    – Law enforcement/national security assistance
    – Fraud detection and management
    – Prevent cyberstalking
    – Digital rights management

+ Competition Requirements
  ▪ Unbundling
  ▪ Service interoperability
  ▪ User/subscriber access by service providers
  ▪ Default service and routing options

+ Operations Requirements
  ▪ Directory access among providers
  ▪ Intercarrier compensation
  ▪ Transaction accounting

+ Innovation and Business Opportunities
  ▪ Infrastructure protection and security products
  ▪ Signalling and authentication products

+ Other Consumer Requirements
  ▪ Disability assistance
  ▪ Universal Service

Significant synergies between these groups

Page 6: Emerging Global Ecosystem for Infrastructure Protection and ...

Implementing public infrastructure requirements

+ Government mandates
  ▪ Government specifications
  ▪ Government capability requirements followed by industry collective (standards) or individual actions
    – Model is CALEA and E911: legislative authority; FCC framework; industry or “home-brew” implementations with fail-safe recourse; certification and enforcement process

+ Enforcement
  ▪ Self-certification
  ▪ Proof of performance
  ▪ Periodic tests

Page 7: Emerging Global Ecosystem for Infrastructure Protection and ...

Next Generation Network Public Infrastructures

Nationwide and Worldwide Public Networks

Open IP-enabled

For Communications, Commerce and Content

For Always-On, Nomadic People and Objects

Working assumption for scope and definition

Page 8: Emerging Global Ecosystem for Infrastructure Protection and ...

NGN – Long-Term Network Convergence Perspective

[Timeline diagram, 1970 to 2000, leading to NGNs. Labels: Public Switched Telecommunication Network (PSTN); Intelligent Network Internet (IN); Open Systems Interconnection Internet (OSI); Commercial Mobile Radio Systems; IP Internet (IP), marked private and quasi-public. Annotation: "Was never designed as public infrastructure".]

Page 9: Emerging Global Ecosystem for Infrastructure Protection and ...

NGN Architecture

[Diagram labels: Legacy Telecom & Wireless Services; Next Generation Networks; Telephony; SMS/MMS; Transport; Intelligent Network; Intelligent Infrastructure; Gateways; IP-Enabled Services; VoIP and Multimedia Services; Access.]

Intelligent Infrastructure for IP-enabled NGNs is much more critical than for legacy networks – especially for protection and security

Page 10: Emerging Global Ecosystem for Infrastructure Protection and ...

Emergence of an ecosystem

+ Collective behavior
  ▪ Forums
  ▪ Common activities
  ▪ Marketplace

Nationwide and Worldwide Public Networks

Open IP-enabled

For Communications, Commerce and Content

For Always-On, Nomadic People and Objects

Directed at protection and security for this infrastructure

Page 11: Emerging Global Ecosystem for Infrastructure Protection and ...

Next Generation Network Standards Forums

[Diagram: standards forums and their study groups, working groups and focus groups, arranged around a Global NGN Framework. Forums named: ITU-T, IETF, ATIS, ETSI, 3GPP, 3GPP2, TIA, GSC, CableLabs, W3C, OASIS, DSL Forum, ECMA, Parlay, TeleManagement Forum, IPDR, EPCglobal, OSS/J, DMTF, OMA, MESA, EIDQ.]

Page 12: Emerging Global Ecosystem for Infrastructure Protection and ...

Ecosystem standards activities

+ Pragmatically meeting real needs today
  ▪ IP-enabled public product standards
  ▪ Global interoperability and markets
  ▪ Secure, stable infrastructure
  ▪ Compatibility with existing network infrastructures
  ▪ Common regulatory requirements

+ Engaging all relevant standards bodies
  ▪ Identifying existing useable standards
  ▪ New standards and administrative practices adopted only as necessary

+ Focused on “open” unbundled service modules and capability sets
  ▪ Staged in multiple “releases” over time

+ Standards participants primarily other industry players – worldwide, regionally, and nationally

+ Significant consensus focus (but no agreement on specifics)
  ▪ Infrastructure protection
  ▪ Security
  ▪ Authentication
  ▪ Directories
  ▪ Resource access controls

Page 13: Emerging Global Ecosystem for Infrastructure Protection and ...

Unification of communities and requirements

+ Legal
  ▪ FCC rules under both CALEA and Title I authority
  ▪ ITU and Cybercrime Treaties form basis of international cooperation

+ Institutional
  ▪ FCC Homeland Security Bureau formed
  ▪ EC Joint IS – JHA joint staff group formed
  ▪ New DHS policy chief appointed
  ▪ New NSC Cybersecurity Director appointed
  ▪ DOD cyberwarfare command scales work

[Diagram labels: Justice; Infrastructure Protection; Homeland Security; Cyberwar; Telecom Regulatory.]

Page 14: Emerging Global Ecosystem for Infrastructure Protection and ...

NGN Policy-Legal-Regulatory Ecosystem Forums

[Diagram: policy, legal and regulatory forums and the bodies within them. Labels include: ITU Convention and Int’l Telecom Regs; APEC-TEL; Commission of the European Community; CITEL; Cybercrime Convention signatories and Justice Ministers; USA; Canada; Australia; Germany; France; Netherlands; UK; many others; other multilateral and bilateral agreements.]

Page 15: Emerging Global Ecosystem for Infrastructure Protection and ...

Ecosystem legal-regulatory activity

+ Pragmatically meeting real needs today
  ▪ National public infrastructures have special properties – the public and the nation depend on these infrastructures
  ▪ Responsibility for national public infrastructure rests with designated governmental authorities and coordinated through intergovernmental treaties
  ▪ Shift from common carrier models to capability requirements on public infrastructures
  ▪ Interest in service innovation and marketplace competition

+ Tripartite ensemble emerging almost everywhere
  ▪ Telecom regulators and consumer protection agencies (infrastructure capabilities)
  ▪ Homeland security and national security agencies (real-time analysis and response)
  ▪ Justice agencies (analysis and enforcement)

+ Pervasive vulnerabilities not well understood
  ▪ Rapid introduction of new technologies, especially platforms not designed for public infrastructure use
  ▪ Open complex public communication network infrastructures
  ▪ Nomadic users and providers
  ▪ Uncontrolled access devices and capabilities
  ▪ Growing appreciation of cybercrime and potential terrorism actions
  ▪ Lack of real-time response mechanisms made apparent with Tsunami + Katrina-Rita

Page 16: Emerging Global Ecosystem for Infrastructure Protection and ...

NGN Security and Infrastructure Protection Capabilities

+ PSTN/ISDN Emulation services
+ PSTN/ISDN Simulation services
+ Internet access
+ Other services
+ Media resource management
+ QoS-based Resource and Traffic Management
+ QoS service level support
+ Classes and Priority Management
+ Processing/traffic overload management
+ Accounting, Charging and Billing
+ Identification
+ Authentication
+ Authorization
+ Security and Privacy
+ Mobility management (personal and terminal)
+ Critical Infrastructure Protection
+ Inter-provider and universal service compensation
+ Service unbundling
+ Exchange of user information among providers
+ Services Coordination
+ Application Service Interworking
+ Service discovery
+ Service Registration
+ Profile Management
+ User Profile
+ Device Profile
+ Policy Management
+ Personal information support
+ Group management
+ Personal information support/management
+ Presence
+ Location management
+ Push-based support
+ Device management
+ Session handling
+ Digital Rights Management
+ Fraud Detection and Management
+ Number portability
+ Users with disabilities
+ Lawful interception
+ Malicious user identification
+ Emergency communications
+ Presentation of identities
+ Network/Service provider selection

Page 17: Emerging Global Ecosystem for Infrastructure Protection and ...

The network forensics Rosetta Stone

[Diagram: four components. Identity (Provider, Subscriber, Network Identifiers); Stored Traffic (Content, Data); Real-Time Traffic (Content, Data); Analysis.]

Necessary for
+ Law Enforcement
+ Homeland Security
+ Infrastructure Protection
+ Network Management

Additionally necessary for a broad array of operational, public interest and commercial needs

Page 18: Emerging Global Ecosystem for Infrastructure Protection and ...

Public network forensic components

+ Identity
  ▪ Ability to authoritatively identify the service provider, obtain contact information and get to authoritative user/subscriber/object directories and network identifier bindings
  ▪ Key requirements established by law and regulation; and may be maintained in part by government agencies

+ Stored Traffic
  ▪ Any information generated by network processes that is relevant to a user/subscriber/object communication and has significant latency (i.e., is not real-time)
  ▪ Requirements and access controlled by law and regulation, and may include ad hoc requests (e.g., subpoena), preservation orders, and general data retention

+ Real-time Traffic
  ▪ Any information generated by network processes that is obtained in real-time
  ▪ Requirements and access controlled by law and regulation (lawful interception capabilities and execution of orders)

+ Analysis
  ▪ Network Operations, Administration, and Maintenance
  ▪ Fraud detection and prevention
  ▪ Infrastructure protection
  ▪ Law enforcement, public safety, and national security needs

[Diagram: Identity (Provider, Subscriber, Network Identifiers); Stored Traffic (Content, Data); Real-Time Traffic (Content, Data).]

Page 19: Emerging Global Ecosystem for Infrastructure Protection and ...

EU Data Retention Directive effect on network forensics

+ Harmonizes data retention and access across Europe

+ Applies to
  ▪ Fixed network telephony
  ▪ Mobile telephony
  ▪ Internet access, messaging and telephony

+ Provides data necessary to
  ▪ trace and identify the source of a communication
  ▪ trace and identify the destination of a communication
  ▪ identify the date, time and duration of a communication
  ▪ identify the type of communication
  ▪ identify the communication device or purported device
  ▪ identify the location of mobile communication equipment

+ Does not include content

+ Includes privacy enhancement features

+ Adopted by European Parliament on 14 Dec 2005

+ Likely to be the subject of considerable implementation collaboration activities in 2006-2007

[Diagram: Identity (Provider, Subscriber, Network Identifiers); Stored Traffic (Content, Data).]

Page 20: Emerging Global Ecosystem for Infrastructure Protection and ...

Specific network forensic “enablers” needed now

+ Provider information
  ▪ All providers of services on Next Generation public communication infrastructures must be
    – Registered with appropriate authority
    – Authenticated
    – Provided a unique global identifier which is automatically “resolvable” into provider identity information, subscriber directory URI, and used in all network communications

+ User/subscriber information
  ▪ All users or subscribers of public communication services and the “bindings” with their communication identifiers must be
    – Capable of common global discovery
    – Automatically “resolvable” through the provider into trusted contact and reference information using a common global directory standard (E.115v2)

+ Ability to exchange and analyze information related to protection and security
  ▪ Common global protocols and arrangements for rapidly discovering and exchanging forensic data for protection and security

Page 21: Emerging Global Ecosystem for Infrastructure Protection and ...

Collaboration

+ Nudging
  ▪ Analyzing
  ▪ Evangelizing
  ▪ Breaking down stovepipes
  ▪ Filing
    – Statutory and regulatory proceedings
    – Standards activities

+ Just do it
  ▪ Forums
  ▪ Specifications
  ▪ Products and services

