Accueil / Technologies / Technique / Closing an internet security gap in Europe (English)
Closing an internet security gap in Europe (English)

The internet architecture, as it stands today, was designed in 1974, and deployment started in 1983. Since then a good deal of patches have been applied, while keeping the architecture unchanged. It was designed as an experimental network, and still is.

Instead of carrying continuous research taking account of expanding scale and needs, the focus was set on turning this unstable and loose construction into a worldwide emporium. Many practical benefits accrued, as well as sore points.

A preliminary question, does it work ? Yes it does. Second question, is it reliable ? Soso. Third question, is it vulnerable ? Absolutely. Without resorting to the subtleties of the Kaminsky flaw (1), the easiest way to shut down any addressable computer, even a group of them, is DDOS(2). It works regardless of operating systems, firewalls, antivirus, etc., and it is usually untraceable. Like in the case of a murder, the best guess is who had an interest in doing it. Sometimes it could be self-inflicted to make someone else appear as a culprit.

In addition the US government requires that backdoors be provided in the internet, for traffic tapping. Actually this is a common requirement in most countries for telephone operators. Based on reports(3) originating from US specialists, these backdoors could be used, without leaving a trace, by anybody who managed to crack the passwords. This opens the way to a wonderful world where everyone is spying on everyone else, if not tampering with highly sensitive pieces of the infrastructure, like DNS or routers.

The impression we get is that a caste of sorcerer apprentices are playing hazardous games like bankers recently.

The perception by public opinion is growing uneasy to discover that such conspicuous security gaps remain uncured, if not getting worse, to the extent that they are more and more put to work for malicious or criminal purposes. Reinventing the internet architecture has become at last an active research field. However we cannot expect workable solutions in the short term. Then, what ?

A recurrent motto is that internet security is a global problem that should be tackled as a whole. Even though this approach could be proved intellectually correct, it is just not practical, due to major disagreements among various actors.

The traditional divide and rule approach needs a consistent set of principles as to how to divide the whole. While the parts may not be entirely consistent, they need to be interoperable. One may observe that a typical organizational pattern in terms of security is to assign responsibilities at State level. As existing structures would not be easily displaced, it seems more feasible to adopt as a starting principle that States are in charge of internet security on their territory. In practice cooperation with transborder organizations are required for efficiency. Some regional aggregation may also turn out to be desirable, when aggregation has already been practiced in other fields than internet. Nonetheless, respons- ibilities need be defined precisely to prevent malicious organizations from using fuzzy areas to their own advantage.
Assuming State responsibility, it is up to each one to set objectives and define an action plan. The list of desirable objectives may be long. However DNS and routers are at the core of correct operation, and therefore could receive a high priority agreed by many States. We know that the management of these critical parts is diverse. To the extent that management per se is not a security risk, there is no need to change it. DNS and routers are vulnerable to DDOS. As a starter DDOS could be assigned top priority, and provide for a number of projects, either at national level, or in cooperation among a group of countries. Most likely, fighting DDOS will not be solved by further replication of equipment, but shall lay upon a distributed set of specific mechanisms collecting advanced warning signals and triggering appropriate responses. This is obviously a matter for study out of the scope of this article.
DDOS is just one case of security risk. Other risks should be tackled as well, but not all at the same time. Making internet security a major objective for improvement, and setting up concrete projects, should create the dynamics necessary for Europe to work together and demonstrate her capability for innovation.

Louis Pouzin
pouzin@eurolinc.eu
in personal capacity


Notes

1. http://en.wikipedia.org/wiki/Dan_Ka...
2. DDOS : Distributed Denial Of Service. Zillions of requests sent simultaneously to a target by zillions of infected PC’s. The effect is stifling the target to crash
3. http://www.networkworld.com/communi...

© Eurolinc 2010 | Contact