
Protecting Internet Traffic: Security Challenges and Solutions


Sponsored by the IEEE Internet Initiative
August 16th, 2017

1 IEEE Internet Initiative Overview


Mission Statement
To provide a collaborative platform for advancing solutions
and informing global technology policymaking through a
consensus of sound technical and scientific knowledge in
the areas of internet governance, cybersecurity, privacy,
and inclusion.



Global IEEE Internet Community

Through the IEEE Internet Initiative, global technical and policy communities can work together to improve internet governance.
Inform, debate, share findings, and improve decisions
Help foster trustworthy technology solutions and best practices

We enable bi-directional dialogue to encourage online collaboration and information exchange.

Community participants can connect via global conferences and workshops on internet governance, cybersecurity, privacy, and inclusion.



Benefits for Active Members

Dialogue with experts working in technology and public policy: both online and face-to-face
IEEE Global Internet Policy Monitor: a weekly report on significant internet policy related activities around the world
Resources and information: on internet governance, cybersecurity, privacy, and inclusion



Follow our Updates

Twitter @IEEENetPolicy

#internetinclusion

#ETAP

On the web: internetinitiative.ieee.org


Join the Internet Technology Policy Community.
Engage in conversations on Collabratec.
Read the weekly Global Internet Policy Monitor.
Subscribe and contribute to the bi-monthly IEEE Internet Policy Newsletter.
Find reports, presentations, webinars, videos and other resources.

Upcoming Events

Webinar on IoT Security Best Practices
27 Sept 2017

Internet Inclusion: Advancing Solutions
Face-to-face meeting in Washington, DC
16 October 2017
The George Washington University Cloyd Heck Marvin Center

More information available at: http://internetinitiative.ieee.org/events



Get Involved

IEEE Internet Initiative is a community of experts in technology and policy, and you are invited to join and participate.
Membership is open and free. Everyone is welcome.

Online: internetinitiative.ieee.org
Email: internetinitiative@ieee.org



Protecting Internet Traffic:
Introduction
Jared Bielby, Netizen Consulting



Introduction

Protecting Internet Traffic: Security Challenges and Solutions

Experts in Technology and Policy (ETAP)


The early days of the Internet Initiative and localized regional events around the world.

Collabratec Internet Technology Policy Community


Moving from event to action: Collabratec and the ETAP research groups.

Protecting Internet Traffic, White Paper

Over a year's worth of research and deliberation, finalized in a white paper on security mechanisms and best practices for consideration at the manufacturing design phase.
Proposed: a thorough study on protecting internet traffic does not yet exist, and existing technology is not yet sufficient to meet the goal of protecting internet traffic.



Presenters

Mikaël Dautrey, Partner at ISITIX

MA Computer Sciences, Télécom Paris Tech. Partner at ISITIX, a small consulting firm operating
in the field of IT Infrastructure Management and Security, since 2002.

Sukanya Mandal, IEEE member, data science professional


B.Tech, Electronics and Communication Engineering. Researching Machine Learning, Natural
Language Processing, Internet of Things, Internet Governance and Data Governance.

Jay Wack, President Tecsec, Inc.


Expert in cryptography, with over 45 years in the electronic security industry, several U.S. patents
in cryptography and security product design.

Ali Kashif Bashir, University of the Faroe Islands


Ph.D. in Computer Science from Korea University. Associate Professor of Department of Science
and Technology, University of the Faroe Islands, Faroe Islands, Denmark.

Nagender Aneja, Universiti Brunei Darussalam


Senior Manager at the Innovation and Enterprise Office of Universiti Brunei Darussalam and is a
PhD Student at YMCA University of Science and Technology, India.



Internet Traffic Perimeter Protection

Jay Wack, President Tecsec, Inc.



Recognize the Environment

It is not possible to absolutely define any network, and it is also not possible to defend that which you cannot define.
Start with yourself and those things you can control
Use the tools already available
Use good computer hygiene

The Internet is a loose affiliation of members all trying to achieve ubiquitous connectivity.
Everyone can get to everyone else by design and in many unexpected ways
Standards support interoperability and at the same time provide a predictable attack surface

Pay attention to the difference between the security OF the Internet and the security ON the Internet



Be Responsible for Yourself

Things to control, or at least try to pay attention to:

1. Secure booting
As an End User: periodically restart from a known good source

2. Access control
Differential access control is necessary for all components: Physical, Logical, Functional and Content

3. Authentication of Identity takes many forms
Pay attention to who you communicate with and about

4. Firewall and intrusion prevention system (IPS)
Unless you are more competent than the provider of your Operating System, use the tools and settings provided

5. Updates and patches: a very NECESSARY function


RTFM

Freeware is worth exactly what you paid for it.
Born of dissatisfaction with major providers, where nothing is perfect, but likely better than anything you, with some very few exceptions, write yourself.

Privacy settings are available on all major Operating Systems and Applications. RTFM: Read the Instructions and be aware of settings. You really do have a lot of choices available.

Fundamentally you cannot trust anything or anyone on the Internet to be who or what is claimed: Trust but Verify.

Understand that the majority of people on the Internet are just like
you; well meaning and good. However there are, and will be, many
who are neither. Be Responsible: Protect yourself.



Determining the Size of Our Problem

https://assets.documentcloud.org/documents/1217406/jtrigall.pdf

https://www.nytimes.com/2017/08/03/business/china-internet-censorship.html?rref=collection%2Ftimestopic%2FInternet%20Censorship%20in%20China&action=click&contentCollection=world&region=stream&module=stream_unit&version=latest&contentPlacement=2&pgtype=collection

http://www.zdnet.com/article/legal-loopholes-unrestrained-nsa-surveillance-on-americans/

http://www.npr.org/templates/story/story.php?storyId=126097038

You own your data, protect it. Nothing is perfect. Consider the idea that
we can all improve how we use and participate with the Internet making it
safer, and more useful for everyone.



Standards: Get Involved

Standards form the fundamental building blocks for product development by establishing consistent protocols that can be universally understood and adopted. This helps fuel compatibility and interoperability, simplifies product development, and speeds time-to-market. Standards also make it easier to understand and compare competing products. As standards are globally adopted and applied in many markets, they also fuel international trade.

It is only through the use of standards that the requirements of interconnectivity and interoperability can be assured. It is only through the application of standards that the credibility of new products and new markets can be verified. In summary, standards fuel the development and implementation of technologies that influence and transform the way we live, work and communicate.



Internet Traffic Inside Protection

Nagender Aneja, Universiti Brunei Darussalam



Internet Traffic Inside Protection

Inside Protection: Application Security, Authentication, Encryption

Application Security

Confidentiality of data within application
Availability of the application
Integrity of the data within the application
Multi-tenants privacy is a stronger objective than confidentiality
Diagram: Confidentiality, Availability, Integrity


Authentication

Means to provide Authentication Credentials
Login ID and Password, Smart Cards, One-time Password, Biometric Authentication, Digital Certificates

Ignored over Ethernet
Implementation of 802.1X for Ethernet as well as for Wireless

Encryption

Protects Confidentiality/Integrity of data and verifies sender
Can be used for both wired and wireless networks.
Can be Symmetric or Asymmetric

Encryption Algorithms

Data Encryption Standard (DES): symmetric-key
64-bit plaintext is converted to 64-bit ciphertext with the help of a 56-bit cipher key

Triple DES
Key length of 168 bits

Advanced Encryption Standard (AES)
New standard for encryption, 256-bit cipher key
AES is implemented in either 128- or 192-bit mode for performance considerations

Blowfish
Symmetric cipher that splits messages into blocks of 64 bits and encrypts them individually
Used in products ranging from e-commerce platforms for securing payments to password management tools
Freely available in the public domain

Twofish
Symmetric algorithm with a 256-bit key length

Rivest, Shamir, and Adleman (RSA)
Public-key encryption algorithm and standard for authenticating stations (IPsec/IKE, SSL authentication)
In most web applications, the file is encrypted with a symmetric key and the symmetric key is encrypted with RSA.
For a digital signature, the private key is used to sign the file, so that the receiving party can be sure that it has not been altered.
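
The hybrid scheme and the signature described on the RSA slide, as an added example that is not part of the original slides. To stay within the Python standard library it assumes unpadded "textbook" RSA over a constructed demo key and a SHA-256 counter keystream standing in for AES; all function names are hypothetical, and production code would use RSA-OAEP/PSS and AES-GCM from a vetted library.

```python
import hashlib
import secrets

# Constructed demo key pair: two Mersenne primes, far too small and too
# structured for real use. Real systems use 2048-bit+ keys with OAEP/PSS padding.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def digest_int(data: bytes) -> int:
    """SHA-256 of the data, reduced into the range of the small demo modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def seal(plaintext: bytes):
    """Sender: encrypt the file with a fresh symmetric key, then wrap that key with RSA."""
    sym_key = secrets.token_bytes(16)
    body = keystream_xor(sym_key, plaintext)
    wrapped = pow(int.from_bytes(sym_key, "big"), E, N)  # public-key operation
    return wrapped, body


def open_sealed(wrapped: int, body: bytes) -> bytes:
    """Recipient: unwrap the symmetric key with the private key, then decrypt the file."""
    sym_key = pow(wrapped, D, N).to_bytes(16, "big")
    return keystream_xor(sym_key, body)


def sign(data: bytes) -> int:
    """Signer: private-key operation over the file's hash."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Anyone with the public key: recompute the hash and compare."""
    return pow(signature, E, N) == digest_int(data)
```

Only the 16-byte symmetric key passes through RSA, whatever the file size; the signature check fails as soon as a single byte of the file changes.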
The Future of Encryption

Honey Encryption will deter hackers by serving up fake data for every incorrect guess of the key code.

Quantum key distribution, which shares keys embedded in photons over fiber optic, might have viability now and many years into the future as well.
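
A minimal sketch of the honey-encryption idea from this slide, added here as an example and not taken from the original slides. It assumes the protected secret is a uniformly distributed 4-digit PIN; the function names and parameters are hypothetical.

```python
import hashlib
import secrets

SPACE = 10_000      # message space: all 4-digit PINs, assumed equally likely
SEED_BITS = 32      # size of the seed space the PINs are spread over


def _pad(password: str, salt: bytes) -> int:
    """Derive a 32-bit pad from the password (PBKDF2 slows down each guess)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, dklen=4)
    return int.from_bytes(raw, "big")


def encode(pin: str) -> int:
    """Distribution-transforming encoder: pick a random seed that maps back to this PIN."""
    r = secrets.randbelow(2**SEED_BITS // SPACE)
    return int(pin) + SPACE * r


def decode(seed: int) -> str:
    """Every possible 32-bit seed decodes to some well-formed PIN."""
    return f"{seed % SPACE:04d}"


def he_encrypt(password: str, pin: str):
    """Encrypt the encoded seed. No integrity tag is stored on purpose:
    a tag would tell a guesser which candidate password is the right one."""
    salt = secrets.token_bytes(16)
    return salt, encode(pin) ^ _pad(password, salt)


def he_decrypt(password: str, salt: bytes, ciphertext: int) -> str:
    """Correct password returns the real PIN; any other returns a plausible decoy."""
    return decode(ciphertext ^ _pad(password, salt))


def try_guesses(salt: bytes, ciphertext: int, guesses):
    """What offline guessing yields: a valid-looking PIN for every candidate."""
    return {g: he_decrypt(g, salt, ciphertext) for g in guesses}
```

Because a wrong password never produces an error or malformed output, a stolen ciphertext cannot be checked offline; each candidate PIN has to be tried against the real service, where lockouts and monitoring apply.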
End User Education and Employee Training

Mikaël Dautrey, Partner at ISITIX



Organizational maturity

Diagram labels:
Context: business objectives, regulation, awareness
Convincing the board; educating managers
Methodologies maturity: no methodology, partially implemented, fully implemented, mastering
Risk assessment, risk mitigation strategy, risk mitigation implementation, risk monitoring



Educating users

Theory Field experience

Training + awareness!

Security by design

Security by design is necessary but doesn't replace training and qualified staff, especially for complex or hazardous tasks.

Figure labels: Easy; Not so easy; Not possible?



Best practices

So many rules

How can your organization implement best practices efficiently?
- Organize code reviews
- Automate security enforcement by using development tools (bug finding and formal verification tools)
- Work with opinionated frameworks and systems that favor security by default
- Improve your technical team's security awareness by showing them hacking scenarios

Ref: Microsoft web programming recommendations



Economics

Internet competitive advantage: global reach, no frontiers, positive scale effect, long tail rule
Cyber criminality competitive advantage: global reach, no frontiers, positive scale effect, long tail rule

Increasing security hinders competition both on the offender side (good effect) and on the offended side (bad effect).
Will we find the right balance so that the good effect overtakes the bad one?



Protecting Internet Traffic:

Questions & Answers
