From ITProPortal: Contributed Post on MANRS and Routing Security

Andrei Robachevsky wrote this contributed blog post for ITProPortal, which was published today at:

https://www.itproportal.com/features/meeting-customer-demand-for-security-minding-your-manrs/

It outlines some of the problems with routing security, explains the MANRS actions, discusses the new Research Study we recently completed, and describes how to Join MANRS and get involved.

Please read it and let us know what you think!

Press Release: New Internet Society Research Reveals Disconnect between Enterprises and Service Providers on Crucial Internet Security Fixes

For Immediate Release

Study Indicates that Enterprises Value Internet and Routing Security More than Service Providers Realize

Washington, D.C. – 16 October 2017 – The Internet Society today announced the results of its recent survey conducted through 451 Research, which points to a disconnect between how much enterprises care about Internet security and what service providers think these customers value. These results indicate an unrealized opportunity for service providers to leverage Mutually Agreed Norms for Routing Security (MANRS), the Internet Society-coordinated routing security initiative, to improve their competitive positioning and generate increased revenue. The study shows that although the MANRS initiative is closely aligned with the goals and security expectations of enterprise respondents, some service providers are failing to recognize that congruence and as a result are underserving their customers and missing additional business opportunities.

Undertaken to better understand the attitudes and perceptions of Internet Service Providers and the broader enterprise community around the MANRS initiative, the MANRS Project Study Report revealed a divide between these two groups and potential ways to bridge it. It showed a large number of enterprise respondents (71 percent) stating that security was a core value for their organization. Once introduced to MANRS, almost all enterprise respondents expressed confidence that MANRS actions over time would be either very effective (34 percent) or somewhat effective (64 percent). Most importantly, enterprises showed a willingness to pay a 15 percent premium to support MANRS compliance.

On the other hand, service providers seem to underestimate the value of MANRS. For instance, service providers were asked what they would do if a MANRS requirement arrived as part of an RFP. Only 12 percent said they would plan for implementation, and 16 percent said it would have no impact. The remaining (72 percent) who said such a requirement would spur consideration of MANRS, however, indicate that practical incentives may yet drive greater adoption.

“There is a gap between enterprises and service providers, to be sure, but also an opportunity to engage,” said Andrei Robachevsky, Technology Programme Manager for the Internet Society. “As they seek out security-minded providers, enterprises could also put MANRS compliance into their RFPs, and for their part, service providers can market compliance with MANRS as a business differentiator. By committing to being held accountable by the Internet community and doing good, they can also align with customer concerns, capture a premium and do well.”

Behind the large number of enterprises who see security as a core value is the growing prominence of the Internet side of business and media coverage of security breaches. Asked about specific threats, enterprise respondents ranked traffic routing, interception, and hijacking at the top of the list (at 74 percent), with DDoS and address spoofing tied for second place (at 57 percent) and concerns over 24×7 Internet service availability and blacklisting following thereafter. While MANRS is not a one-stop solution to all of the Internet’s routing challenges, many enterprises appear to agree that its recommended actions in route filtering, anti-spoofing, coordination, and global validation are important steps in the right direction toward a globally robust and secure routing infrastructure. In addition to revealing a willingness to support MANRS compliance with a 15 percent (median value) price increase, the survey showed that 13 percent of enterprise respondents would only select a provider that was MANRS-compliant in a competitive situation.

“The bottom line impact is real,” said 451 Research Chief Analyst Eric Hanselman and report author. “Our expectation is that MANRS compliance could translate into additional value, just in the procurement process, for instance, through minimization of the discounting required to win contracts, with as much as a 7 percent long-term revenue increase for providers who are able to leverage the MANRS branding as part of the selling process.”

In looking to the future, the MANRS Project Study Report identifies more possibilities. Already trusted by enterprise customers who are lacking cybersecurity resources, service providers could gain additional revenue by adding MANRS-derived services to their portfolio. Anti-spoofing controls that log activity, for instance, can be used to generate periodic reports for customers. These reports can be part of an intelligence feed that alerts customers to misconfigurations or potential attacks. Appropriately automated, this type of service can provide additional customer binding, in additional to generating revenue.

Given all the potential additional revenue, service providers can realize a strong return on a relatively small investment in the four MANRS actions, which represent a lowest common denominator of security measures to increase overall routing security. While the survey indicated that some service provider respondents think that implementation could be disruptive, compared to general routing security practices, all MANRS actions are intended to have low risk and low cost. More details on becoming MANRS compliant can be found in the MANRS Implementation Guide. Service providers who are already compliant can join the MANRS effort here and may download the MANRS badge for their sales and marketing materials here.

For more information, read the full MANRS Project Study Report.

About the Internet Society
Founded by Internet pioneers, the Internet Society (ISOC) is a non-profit organization dedicated to ensuring the open development, evolution, and use of the Internet. Working with a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure, and advocates for policies that enable universal access. The Internet Society is also the organizational home of the Internet Engineering Task Force (IETF).

###

Internet Society Contact:
Megan Kruse
Manager, Technology Outreach and Strategic Planning
Internet Society
+1-703-439-2775
kruse@isoc.org
www.internetsociety.org

Media Contact:
Andrea Maclean
Wireside Communications®
For the Internet Society
+1-804-593-4181
amaclean@wireside.com
www.wireside.com

New Study: Understanding MANRS’ Potential for Enterprises and Service Providers

MANRS was founded with the ambitious goal of improving the security and reliability of the global Internet routing system, based on collaboration among participants and shared responsibility for Internet infrastructure. These are undoubtedly essential pillars supporting the Internet’s tremendous growth and success, but we must better articulate the incentives of contributing to global security and resilience to grow MANRS participation and reach our goals.

To do so, we engaged 451 Research to understand the attitudes and perceptions of Internet service providers and the broader enterprise community around MANRS and how it relates to their organizations. The results of the study are documented in the report:
https://www.routingmanifesto.org/resources/research/.

The study results demonstrate considerable unrealized potential for MANRS, showing that enterprises are interested in security and their interest should be a strong incentive for more service providers to participate. Market education could be particularly effective in overcoming the operational inertia that many providers face.

The key points from the study are:

  • While MANRS itself is not well known by enterprises, its attributes are highly valued.
  • Enterprises have high expectations for MANRS efforts.
  • Enterprise perceptions of MANRS can translate into increased revenue for service providers.
  • Existing MANRS actions cover a reasonable set of controls.
  • There are options to extend the MANRS actions for some providers.

While there have been challenges in creating a dramatic increase in MANRS adoption, the study shows there is solid alignment between the motivations of service providers and the aspirations of enterprises.

We encourage you to read the entire report and let us know what you think! We hope that with additional effort, bringing these two together could create a bright future for MANRS.

Verisign joins MANRS to further security, stability and resiliency of the internet routing system

Verisign, a renowned security solutions provider and a DNS registry and root server operator, demonstrated its commitment to ensuring that the global routing system becomes more secure by joining Mutually Agreed Norms for Routing Security (MANRS) today.

To create a sustainable technical and business environment, organizations must work together to address the challenges of the Internet’s routing system. Deploying small measures, like those defined in the MANRS Actions, can make a big difference. MANRS provides added value for the network operator and its customers: better protection against traffic anomalies caused by misconfigurations; cleaner setups resulting in easier troubleshooting and lower time-to-resolution (TTR); improved peering conditions; and opportunities for valuable collaboration with other operators through a discussion forum and professional network. And many MANRS participants go beyond these baseline actions, leading the group of participants and encouraging further collaboration.

“As the registry operator for .com and .net, root server operator for the A and J roots, and root zone maintainer, Verisign is deeply committed to ensuring the security, stability and resiliency of the internet. Routing security is of the utmost importance, and we are pleased to support MANRS, as we have since its inception, in its goal toward promoting a culture of collective responsibility, collaboration and coordination among our peers in the global internet routing system,” said Frank Scalzo, Director, Security Strategy.

We are looking for more security leaders – networks that have already implemented the MANRS recommendations and much more – to sign up, support this effort, and encourage others! A new MANRS Implementation Guide is also available to help organizations deploy the Actions and get started.

Are you a network expert? Please participate in a MANRS configuration survey and share your knowledge!

MANRS defines 4 Actions, which are really the building blocks for simple use cases. We believe that even if these measures are implemented widely, security and resilience of the Internet routing system will significantly improve. The minimum baseline that MANRS defines also allows networks to build on, implementing routing security in more complex network topologies.

But it is easier to say then to implement. To facilitate implementation of MANRS Actions the community have developed a BCOP document – a MANRS implementation guide.

In order to make it more practical and useful we need actual configuration examples from most commonly used vendors and equipment models.

We created a simple survey to collect this information. It should take only 10-15 min to complete if you know how to configure these things. For some of the questions there are example, to give you an idea of what is expected.

Please contribute to the survey and share knowledge:

https://www.surveymonkey.com/r/ZC8WDJN

Your participation is highly appreciated!

 

OpenTransit further strengthens its security policy after joining MANRS and more affiliates from the Orange group to follow

Lats year one of the Orange subsidiaries – Open Transit Internet (OTI) joined MANRS. The company offers the wholesale Internet connectivity services and DDoS protection among others.

While OTI complied with all 4 actions at the time of joining, its engineers worked hard on strengthening security policy further, that includes, for example, monitoring potential BGP leaks and mitigating them as appropriate.

“Digital technologies and the Internet are the backbone of our society and economy. They are deeply changing our lifestyles and organizations.  This is why, at Orange, as trusted connectivity provider we are always looking for greater reliability and security. The adherence to MANRS initiative is part of our commitment to cooperate with leading actors, like ISOC, in order to improve the security for all” – said Arnaud MARTIN, Chief Information Security Officer (Orange group).

Network operators are invited to participate in the survey on BGP prefix hijacking

BGP prefix hijacking remains a problem for Internet routing, despite the (partial) use of RPKI or detection services. In order to better understand the existing BGP hijacking defenses and the needs of network operators, CAIDA and the ICS-FORTH research institute, started a research effort, developing a survey as a first step.

The survey, which is targeted at network operators, has the objective to study several things:
– the operators’ awareness of BGP prefix hijacking attacks,
– presently used defenses (if any) against BGP prefix hijacking,
– the willingness to adopt new defense mechanisms, and
– reasons that may hinder the deployment of BGP prefix hijacking defenses.

The survey can be found here: http://tinyurl.com/hijack-survey. It has a total of 21 questions, which should take no longer than 10 minutes to answer. We encourage network operators to participate.

A summary of the aggregate results will be published as a part of an article/conference paper.

A MANRS BCOP document is published

A MANRS Best Current Operational Practices (BCOP) document has been published. Its objective is to provide guidance to network operators in implementing the MANRS actions. The development of the document was done at the BCOP Task Force at RIPE where it was reviewed by the experts from the operators community.

Based on the BCOP document, a set of online training modules is under currently development. These will walk engineers through a tutorial and provide a test at the end, with a view to this being the first step towards a MANRS certification. The modules will be available as standalone ones, but we are also working with other partners who are interested in including it in their curricula.

Making MANRS Even Easier to Implement – Last Call for the MANRS BCOP Document

Last week at RIPE 73 in Madrid, the MANRS BCOP document was presented and discussed at the BCOP TF session and the Routing-WG. The MANRS BCOP document “provides guidance to ease deployment of measures required by MANRS and is targeted at stub networks and small providers. The document should also assist in checking if the network setup is compliant with MANRS.”

It was agreed to give the community another four weeks of review. Last call ends on 28 November 2016, and we welcome your feedback via the RIPE BCOP Mailing List.

Although the content of the document itself wasn’t discussed at the meetings, people shared their views on the best way to publish the document once the review is complete.

In the RIPE region, a standard way to publish a completed work is to produce a RIPE document. This is a great way of making it available to the community, but some felt a RIPE document may not be ideal because every change then requires issuing a new RIPE document, and the MANRS BCOP is a bit too volatile for that.

An idea could be to rearrange the document into a stable/fundamental part and more volatile parts, and publish the first as a RIPE document. This may take some time and work.

In the meantime, we will publish the draft document on the MANRS site and refer to it from the RIPE BCOP repository, Deploy360, and other known places. We’ll assign a version number to ensure stability of the publication and consistency of references.

Please join the discussion on the BCOP mailing list and help us review the document between now and 28 November.

Promoting MANRS to a Wider Audience

MANRS Logo 150x150We are approaching the second anniversary of launching this MANRS initiative, and we have now grown to over 40 network operators. We have just published a press release about MANRS and are working to increase MANRS’ visibility in wider circles. Working together, these participating network operators are taking action to improve the resilience and security of the routing infrastructure to keep the Internet safe for businesses and consumers alike.

From the release: “Implementing MANRS helps improve Internet security and resilience and helps enable a sustainable business environment. MANRS provides added value for the network operator and its customers: better protection against traffic anomalies caused by misconfigurations; cleaner setups resulting in easier troubleshooting and lower time-to-resolution (TTR); improved peering conditions; and opportunities for valuable collaboration with other operators through a discussion forum and professional network. Although committing to MANRS has its costs, the scope of the actions is specifically defined to minimize costs and the risks of implementing them.

We are excited to embark upon this public relations outreach to inform more network operators about the initiative, grow its membership, and work toward improving routing security for everyone on the Internet.

Read the full release here, and stay tuned for a coverage recap in a few days!