The ISP’s Role in Improving Internet Security Exploring the value and incentives for Internet Service Providers implementing security mechanisms on their residential networks.

Upload: shawn-warner

Post on 22-Dec-2015


The ISP’s Role in Improving Internet Security

Exploring the value and incentives for Internet Service Providers implementing security mechanisms on their residential networks.


The Internet MATTERS

To state the obvious:

We are increasingly reliant on “Internet Assets”: online infrastructure that supports services essential to our economy or to government-related services.


What are we defending?

Because they do not hold critical data or provide essential services, computers on residential networks often have their security ignored in favor of defending high-profile Internet Assets.

However, the highly interconnected nature of the Internet means all connected machines have a non-trivial degree of interdependence.


Why do residential networks matter? (1)

Base of Worm/Virus Propagation: Actively propagating worms and viruses generate loads of traffic, overloading critical networks and servers and sometimes causing large-scale Internet instability. Computers on high-speed residential networks contribute significantly to the critical mass needed for these attacks to spread.

Distributed Denial of Service (DDOS) Attacks: High-bandwidth DSL or cable connections give DDOS attacks from many residential computers the ability to deny world-wide availability of Internet assets. The widespread nature of these sources makes the attack extremely difficult to deflect.


Why do residential networks matter? (2)

“Noise” of Scanning and Attacks:

Researchers have detected that a significant portion of all Internet traffic is malicious attacks or scans caused either by active attackers or scanning worms from personal computers. This “noise” makes detecting real intrusions significantly more difficult.

Residential “Stepping Stones” for Intrusions:

Compromised and hijacked residential computers allow malicious users to scan and launch attacks without fear of revealing their identity. Even if an attack is traced to a host, no real attribution or prosecution is possible.


The Problem?

“The average user is not, does not want to be, and should not need to be a computer security expert any more than an airplane passenger wants to or should need to be an expert in aerodynamics or piloting. This very lack of sophisticated end users renders our society at risk to a threat that is becoming more prevalent and more sophisticated”.

- Dan Geer, et al., CyberInsecurity: The Cost of Monopoly


Why are we looking at ISPs?

The current model of individual users being responsible for their own computer security in a “fend for yourself” environment has left the Internet in a precarious state.

It’s time to explore new possibilities. As the “gate-keepers” of the Internet, ISPs are positioned to potentially play a significant role in securing the Internet.


What is the goal?

Explore how the incentives of service providers impact what security mechanisms are implemented.

In the end we want to be able to answer:

For security mechanism X, what are the incentives of Internet service providers?


How to do this?

With a myriad of potential security enhancements, we need a structured approach to thinking about them.

This framework needs to get at the key factors that impact how service providers view the security enhancements.


ISP Security “Actors”

Asks the question:

Who implements the security mechanism?

[Figure: Actors: Consumer End-Host, ISP Network Traffic, Inter-Organizational]


Security Mechanisms: Consumer End-Host

These are security mechanisms that are provided to and operated by individual end-users on their personal computers.

They often represent common “good care” mechanisms already used by security-savvy users or mandated by corporate IT staffs. These mechanisms leverage the ISP’s role as a trusted source of network security knowledge and software for the consumer.

Example: Personal Firewall Software


Security Mechanisms: ISP Network Traffic

Security mechanisms that monitor, record, and potentially alter the rate/type/content of Internet traffic sent to and from end-hosts on the network.

These mechanisms are often more powerful than end-host mechanisms and are operated by the ISP behind the scenes. These leverage the ISP’s role as the gatekeeper of all Internet traffic to and from customers.

Example: Blocking traffic on incoming ports known to be malicious.


Security Mechanisms: Inter-Organizational

Other security mechanisms are not contained within a single ISP network, but instead focus on how ISPs interact with each other or other organizations such as law enforcement.

These mechanisms leverage the common need of the ISP community as a whole to improve the security of their networks.

Example: Coordination to shut down DDOS attacks originating in another ISP.


Is this enough?

Knowing who is implementing a security mechanism is a helpful tool in identifying incentives, but is it enough?

No. Since we are considering mechanisms that impact overall Internet security, we cannot look at ISP security enhancements as a monolithic group.


ISP Security “Methods”

Asks the question:

What is the goal of this security mechanism?

This is independent of the actors involved.

[Figure: Methods: Protect Customers From Attacks; Detect and Stop Malicious Outgoing Attacks; Improve Network Transparency]


Security Mechanisms: Protecting Customers from Attacks

Attempts by ISPs to recognize and drop threatening incoming traffic or block common avenues of attack for hackers, viruses and worms in order to decrease the likelihood of a computer on their networks being successfully compromised.

This “customer protection” is the most common notion of ISP based security.

Example: Intrusion Detection Software to recognize and block incoming attacks.


Security Mechanisms: Blocking Outgoing Attacks

Includes mechanisms to detect computers on the ISP network that are sending traffic deemed to be “attacks”, either as a result of a malicious user or because the hosts have been compromised by a hacker or worm. Once detected, this behavior is either stopped, blocked, or throttled.

Example: Scanning network for likely compromised hosts and blocking all out-bound traffic from these hosts until the computers have been cleaned.


Security Mechanisms: Improving Network-Use Transparency

Improving the transparency of the network to help service providers monitor, trace and record traffic with greater ease and accuracy. This will allow easier recognition of attacks, and increase the chances that an attack can be traced close to its source, and potentially to an individual for prosecution.

Example: ISPs keep IP-to-IP “call records” mapping each computer a customer has sent traffic to or received traffic from, with information describing the type and quantity of traffic.


Developing a Structure to Analyze ISP Incentives

We now have two different means of classifying ISP security mechanisms, the “Actor” and “Method” schemes.

We want to develop a framework that will give us a useful tool to cluster security mechanisms into common groups and use this to analyze how incentives apply to ISPs without having to look at each security enhancement individually.


The Cluster Framework using a 3x3 Matrix

The Actor and Method schemes are independent.

As a result, a 3 x 3 matrix can be used to combine them into a single system for grouping and analyzing potential security enhancements.

This matrix allows us to place each security mechanism into a CLUSTER with similar enhancements.

[Figure: 3 x 3 matrix with Method on one axis and Actor on the other]


The Two Frameworks Together

Each cluster contains an example of a potential security enhancement which falls within this category.

Customer End-Host
- Protect Computers and Data: Personal Firewall Software
- Block malicious outgoing traffic: Detecting infected end-hosts
- Improve transparency: Secure login to ISP account to prevent account theft

ISP Network Traffic
- Protect Computers and Data: ISP Network Intrusion Detection
- Block malicious outgoing traffic: Detecting and throttling/blocking Worm/Virus Propagation
- Improve transparency: IP source address validation

Inter-Organizational
- Protect Computers and Data: Information sharing to block new viruses/worms
- Block malicious outgoing traffic: Block outgoing traffic deemed dangerous by other ISPs.
- Improve transparency: ISP coordination on an IP trace-back strategy.


Understand ISP Incentives

The task from here:

We will explore the positive and negative incentives ISPs have relating to security mechanisms and outline which “clusters” these incentives apply to.

In the end, we will be able to take a security mechanism, identify its cluster, and then use our exploration of the incentives to find what considerations impact the ISP when deciding whether to implement this enhancement.


Assigning Incentives to Clusters

For example: An ISP may have an incentive to increase revenue by charging for security services. Logically, the main security enhancements that can be charged for are in the “Customer end-host” & “protect Customer” cluster, since these changes are more visible to and provide extra value to the customer.

[Figure: 3 x 3 cluster matrix. Rows: End-host, Network Traffic, Inter-Organ. Columns: Protect Customers, Block Outgoing Traffic, Transparency.]

This corresponds to the upper-left corner cluster on the matrix. For each discussed incentive, we visually highlight the clusters that apply. Negative incentives are in red, positive incentives in green.


Negative Incentives of ISPs

Since few of the discussed security mechanisms are implemented on a widespread scale, we begin by outlining the negative incentives which have given us today’s ISP security environment. Negative incentives are forces causing service providers to be less likely to implement a given security enhancement.


Negative Incentive: Employee Time

Being businesses, ISPs want to minimize the number of employees they need for operation. The two main employee areas to consider for this work are network operations staff and customer service staff.


Negative Incentive: Infrastructure Costs

Some network traffic security enhancements will require replacing or improving the ISP's current infrastructure. Some changes may simply require additional capacity for current infrastructure, but many security improvements are themselves new pieces of network hardware sold by network security companies.


Negative Incentive: Software Licensing/Development Costs

End-host or network based protection schemes may require that ISPs either develop or license commercial software for each customer, leading to significant expenses. This is particularly difficult for small providers.


Negative Incentive: Disrupting Legitimate Customer Use

Since network traffic or behavior is difficult to classify as “strictly malicious”, well-meaning security mechanisms may well have unintended consequences that prohibit a form of legitimate network use by a customer.


Negative Incentive: Carrier-only Responsibility

Currently ISPs are not liable either in the case that a computer on their network is compromised or an attack originates from their network.

Some operators fear that providing security for customers may create implied liability.


Negative Incentive: Increased Network Complexity

Network complexity is the enemy of network reliability, which is a top priority for operators. Security features can add complexity, leading to increased network problems.


Negative Incentive: Consumer Complexity

A major selling point for Internet service is the simplicity with which it operates. Security mechanisms often require additional work on behalf of the user, increasing complexity.


Negative Incentive: Consumer Privacy

Many of the mechanisms described here require a degree of monitoring and record-keeping related to an individual’s computer and Internet traffic. Users may object to these techniques on privacy grounds.


Negative Incentive: Global Instead of Local Benefit

Many enhancements that improve overall Internet security provide little actual value to the ISP implementing the change. It is bad business to invest money and resources for changes that help your competition more than they help you.


Positive Incentives of ISPs

The following section will outline the positive incentives of ISPs. These are forces causing service providers to be more likely to implement a given security enhancement.


Positive Incentive: General Customer Satisfaction

While ISPs are not required to protect customer machines, the safety of an end user’s computer may impact their overall satisfaction with the ISP, decreasing time spent with customer service, and improving customer retention.


Positive Incentive: Network Utilization

Compromised hosts and incoming scans/attacks often generate massive amounts of traffic as a result of scanning or denial-of-service (DOS) attacks.

This traffic uses up the finite amount of bandwidth an ISP has (or alternatively, is charged for), decreasing its overall quality of service or increasing bandwidth costs.


Positive Incentive: Improved Network Monitoring Ability

The sheer volume and noise associated with malicious traffic (incoming and outgoing) make it difficult for ISPs to effectively monitor and control their network.


Positive Incentive: Legal Requirements

While current legal requirements are limited to sharing customer information and network access with law enforcement, the possibility exists that they could be required at any cluster in the matrix.


Positive Incentive: Service Differentiation / Revenue Sources

If security enhancements are protective and relatively simple to understand, these mechanisms can be sold to customers for an increased monthly fee, or used to provide a higher perceived quality of service than other ISPs.


Positive Incentive: Improving Network clean-up / outages

A bad worm/virus outbreak can lead to service degradation and large clean-up costs. Thus, certain types of prevention/monitoring may be valuable to the ISP to reduce later costs.


Positive Incentive: Concerns about Image in ISP community

ISPs that pay no attention to network security and as a result host many machines used to launch attacks draw widespread criticism from more conscientious portions of the ISP community. This is especially true for large tier 1 providers who often top “worst offender” lists of ISPs.


Hypothetical – Worm Port Blocking

Let’s say a new worm begins to spread on TCP port 445. Because we are concerned with overall Internet security, we would like ISP X to block outgoing traffic on this port to slow the spread of the worm. What are the incentives of the ISP in this case?


Hypothetical – Worm Port Blocking

This security mechanism falls in the “ISP Network Traffic” and “Block outgoing attacks” cluster of our framework.

We can look at our incentive analysis and see which factors will potentially influence the ISP’s decision.


Hypothetical – Worm Port Blocking

Examine each potential negative incentive in this cluster, find those that directly apply:

- Employee Time *
- Infrastructure Costs
- Disruption of Legitimate Use *
- Network Complexity *
- Consumer Privacy


Hypothetical – Worm Port Blocking

Examine each potential positive incentive in this cluster, find those that directly apply:

- Improve network monitoring abilities *
- Decrease Network Load *
- Concerns about image in ISP community *

Importantly, what’s not here? Benefit for customers.
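An added example, not part of the original slides: Python code that runs the port 445 hypothetical over constructed IP-to-IP “call records” and compares a blanket outgoing port block with blocking only hosts whose destination fan-out looks like worm scanning, which puts a number on the “Disruption of Legitimate Use” factor. The record layout, addresses, function names and the 20-destination threshold are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (not from the slides): documentation-range
# addresses (RFC 5737) stand in for ISP X's customers and the outside world.
CUSTOMER_NET = ip_network("203.0.113.0/24")
WORM_PORT = 445          # the port named in the hypothetical
FANOUT_THRESHOLD = 20    # assumed: distinct outside destinations that mark a scanner


def make_sample_records():
    """Constructed call records: (src_ip, dst_ip, proto, dst_port, bytes)."""
    records = []
    # Infected customer: short probes to 60 different outside hosts on TCP 445.
    for i in range(60):
        records.append(("203.0.113.10", f"198.51.100.{i + 1}", "tcp", 445, 120))
    # Legitimate customer: repeated file-share sessions to one remote server.
    for _ in range(30):
        records.append(("203.0.113.20", "192.0.2.5", "tcp", 445, 50_000))
    # A third customer doing ordinary web browsing.
    for i in range(40):
        records.append(("203.0.113.30", f"198.51.100.{i + 1}", "tcp", 443, 8_000))
    # Incoming traffic toward a customer: not an outgoing flow, must be ignored.
    records.append(("198.51.100.9", "203.0.113.20", "tcp", 445, 300))
    return records


def outgoing_worm_port_fanout(records):
    """Map each customer IP to the set of outside hosts it contacted on the worm port."""
    fanout = defaultdict(set)
    for src, dst, proto, dst_port, _nbytes in records:
        if proto != "tcp" or dst_port != WORM_PORT:
            continue
        # Keep only flows that leave the ISP: customer source, outside destination.
        if ip_address(src) not in CUSTOMER_NET or ip_address(dst) in CUSTOMER_NET:
            continue
        fanout[src].add(dst)
    return fanout


def compare_policies(records, threshold=FANOUT_THRESHOLD):
    """Compare a blanket outgoing port block with a per-host block."""
    fanout = outgoing_worm_port_fanout(records)
    # Per-host policy: block only customers whose fan-out reaches the threshold.
    suspected = sorted(h for h, dsts in fanout.items() if len(dsts) >= threshold)
    # Blanket policy: every customer with any outgoing flow on the port is cut off.
    affected = sorted(fanout)
    # Hosts under the threshold are treated as legitimate here; a slow scanner
    # would also land in this group, so the threshold is a tuning decision.
    disrupted = sorted(set(affected) - set(suspected))
    return {
        "suspected_infected": suspected,
        "affected_by_blanket_block": affected,
        "legitimate_users_disrupted_by_blanket_block": disrupted,
    }


if __name__ == "__main__":
    for name, hosts in compare_policies(make_sample_records()).items():
        print(f"{name}: {hosts}")
```
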


Final Observation: ISP Security Incentive Inversion

ISPs have begun implementing more of the security mechanisms in the “Protect Customers From Attacks” category of the Method scheme; however, this is the category that has the LEAST overall impact on protecting key Internet Assets.

Furthermore, ISPs have little incentive to detect and block outgoing attacks or to improve transparency so as to help law enforcement catch and prosecute Internet criminals. These are the categories with the greatest potential to help overall Internet security.

Recognizing this “incentive inversion” is central to understanding the issues surrounding ISP based security mechanisms.


Observations… most of the activity has been in the “protect customers and data” section, naturally. Note, this is the category with the least value for the Internet as a whole (the impact is indirect for the real Internet Assets).

Much less of a reason to block outgoing attacks, though this is highly desirable since attacks are thwarted much more easily near the source.

End-user solutions are inherently weak: Run by users who may not configure them correctly. Difficult to detect malicious behavior because they can be circumvented. Finally, they protect stuff that we don’t REALLY care about.

The potential for collaboration to develop and train on ISP security tools is great, but collaboration so far has been minimal. This is especially important for smaller ISPs.

Fundamental collective action problem stops solid potential enhancements. Either make it in their best interest, or require it across the board.