IPv6 Network Assessor

Susan Shareshian

Solutions Manager, Cisco Systems, Inc.

ssharesh@cisco.com

© 2005 Cisco Systems, Inc. All rights reserved.


Session Agenda

• Impetus Behind the Development Efforts

• Overview of the Network Assessor Tool

• Plans for the Future


Why are we moving to IPv6?


Business and Technical Reasons

• The Office of Management and Budget (OMB) is requiring all Federal agencies to transition their network backbones to IPv6 by June 2008

• IPv6 Enables New Services and Applications

• Many other countries are already well on their way to implementing IPv6


How Do We Get There from Here?

• IT Departments must include IPv6 as a core element of their IT strategy

• Applications must become IP version agnostic

• Education and careful planning are crucial

• Baseline and test any anticipated changes/installations

• IPv4 & IPv6 will coexist for the foreseeable future

• No D-Day / Flag Day

• Approximately 1/3 of the deployed desktop systems are ‘IPv6 capable’

• Service providers are deploying IPv6 now!


What’s the cost?

• Hardware Costs

– Short term: replace devices that don’t understand IPv6, or perhaps just upgrade their software

– Long term: normal lifecycle replacement as IPv6 becomes prevalent

– * Offering dual-stack uses more memory and processing power

• Software Costs

– Most “modern” hardware (routers, servers, clients) can be upgraded to support IPv6

– COTS applications are moving that way now

– Custom applications that make socket calls need to be made protocol agnostic

• Human Capital Costs Associated with Training

– Cost to train an organization’s personnel to install, operate, maintain, and service IPv6 hardware and software

• Operational Costs of Multiple IP Environments


IPv6 Network Assessor


Cisco IPv6 Network Assessor Description

• Identifies and polls selected devices and collects appropriate data which then indicates the capability to support IPv6

• Provides observations and recommendations that may be used by the customer as guidelines for future design issues

• Assessment examines Cisco IOS® based routers and Catalyst® Operating System (CatOS) and IOS® based switches, and provides a general overview of the devices

• If more in-depth device evaluation is required, additional audits that provide device-specific information such as the GSR audit, as well as audits that provide a baseline over time, are available as part of Cisco® Advanced Services

IPv6 Network Assessor is a stand-alone, portable tool that can inventory classified and nonclassified networks


Cisco IPv6 Network Assessor Capability Reports

Results may be organized as follows:

• The device is currently capable of supporting IPv6 features; hardware and software upgrades are not required

• The device needs:

– IOS upgrade

– Flash memory upgrade

– Processor memory upgrade

– Both flash and processor memory upgrades

– Memory and IOS upgrades

• The device is not capable of supporting IPv6 services

• The analysis was unable to determine the device’s capability to support IPv6; further analysis is required

Cisco IPv6 capability assessments are designed to build a meaningful report on the network device capability to support IPv6


Cisco IPv6 Network Assessor

Components

• Native Windows Application

– Runs under: Windows XP Professional, Windows 2000 Server, Windows Server 2003

• Microsoft SQL Server Data Repository

– MSDE or SQL Server 2000 SP3a

– Local or Remote Installation

Key Features

• Discovery

– SNMP or Fingerprint

• Credentialed Inventory

– Telnet/SSH

• Exception Tracking and Reporting

• Extensive Operator Controllable Multi-Threading for Concurrent Processing

• IPv6 Capability Reports Query and Data Export Facility


Discovery

SNMP Discovery

• Discovery

– One or more IP address ranges specified by the operator

• Inventory

– snmpget retrieves MIB-I data

• Security Requirements

– Read-only (public) SNMP community string

• Notes

– Devices will respond if and only if (IFF):

  – Device exists

  – SNMP agent running

  – Valid read-only community string

  – Not IP address restricted

– Device will not respond unless ALL conditions above are satisfied
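
The response conditions above correspond to a device's `snmp-server community` configuration, so the same list can be used to review which devices would answer a read-only sweep from any source. The following is an added example, not part of the original presentation or of the Network Assessor tool: it parses a constructed IOS configuration fragment and flags community strings that are well-known defaults, writable, or not restricted by an access list. The function names and sample values are hypothetical.

```python
# Constructed sample of a running configuration (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community n3tm0n-ro RO 10
snmp-server community ops-write RW
snmp-server community audit-view view SYSONLY RO SNMP-MGMT
access-list 10 permit 192.0.2.0 0.0.0.255
"""

DEFAULT_STRINGS = {"public", "private"}  # well-known default community strings

def parse_communities(config):
    """Return one dict per 'snmp-server community' line in the configuration."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
            continue
        # IOS treats a community with no ro/rw keyword as read-only.
        entry = {"community": tokens[2], "access": "ro", "view": None, "acl": None}
        rest, i = tokens[3:], 0
        while i < len(rest):
            word = rest[i].lower()
            if word == "view" and i + 1 < len(rest):
                entry["view"] = rest[i + 1]
                i += 1                      # skip the view name
            elif word in ("ro", "rw"):
                entry["access"] = word
            elif word != "ipv6":            # remaining token is the ACL number or name
                entry["acl"] = rest[i]
            i += 1
        entries.append(entry)
    return entries

def audit(config):
    """Return (community, [findings]) for each entry that has at least one finding."""
    report = []
    for e in parse_communities(config):
        findings = []
        if e["community"].lower() in DEFAULT_STRINGS:
            findings.append("default community string")
        if e["access"] == "rw":
            findings.append("read-write access")
        if e["acl"] is None:
            findings.append("no access list: answers any source address")
        if findings:
            report.append((e["community"], findings))
    return report
```
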

Fingerprinting

• Discovery

– One or more IP address ranges specified by the operator

– ICMP echo to determine if device exists

• Inventory

– IP port scans (a.k.a. port probes)

– Library of known device responses

– One or more “guesses”

– Reverse DNS lookup

• Security Requirements

– None

• Notes

– Will be detected and isolated by any customer intrusion detection software


Credentialed Inventory

• Configure Settings

– Seed File Requirements

  – Host List, Username & Password, Group Names…

– Importing Seed File into Settings with Import Wizard

• Building the Database

– Running multiple scans to collect every available target

– Using Exception Reporting to keep track of multiple scans

– Exporting Scan Status Reports

– How many scans are required to build a database

• Inventory

– Queries each Switch and/or Router by invoking a series of “show” commands

– Communication with target hosts via Telnet or SSH

• Security Requirements

– Username and Password with sufficient privileges to execute the “show” commands on the target
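
How output collected by the “show” commands can be mapped to the capability report categories listed earlier, as an added example that is not the Network Assessor's own logic: it parses a constructed `show version` excerpt and compares it with a hypothetical requirements table. The minimum IOS release and memory figures are placeholders, not Cisco's published requirements, and the function names are hypothetical.

```python
import re

# Hypothetical per-platform requirements (placeholder values, not Cisco data).
# None marks a platform with no IPv6-capable image in this illustrative table.
REQUIREMENTS = {
    "2811": {"min_ios": (12, 4), "dram_kb": 262144, "flash_kb": 65536},
    "2501": None,
}

# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.3(14)T, RELEASE SOFTWARE (fc2)
Cisco 2811 (revision 53.51) with 249856K/12288K bytes of memory.
62720K bytes of ATA CompactFlash (Read/Write)
"""

def parse_show_version(text):
    """Extract model, IOS (major, minor), DRAM and flash in KB; None if a field is missing."""
    ver = re.search(r"Version (\d+)\.(\d+)", text)
    hw = re.search(r"^[Cc]isco (\S+) \(.*?\) with (\d+)K/(\d+)K bytes of memory", text, re.M)
    flash = re.search(r"^(\d+)K bytes of .*[Ff]lash", text, re.M)
    if not (ver and hw and flash):
        return None
    return {"model": hw.group(1),
            "ios": (int(ver.group(1)), int(ver.group(2))),
            "dram_kb": int(hw.group(2)) + int(hw.group(3)),  # processor + I/O memory
            "flash_kb": int(flash.group(1))}

def classify(text):
    """Map one device's inventory to a capability report category."""
    inv = parse_show_version(text)
    if inv is None or inv["model"] not in REQUIREMENTS:
        return "Unable to determine; further analysis is required"
    req = REQUIREMENTS[inv["model"]]
    if req is None:
        return "Not capable of supporting IPv6 services"
    need_ios = inv["ios"] < req["min_ios"]
    need_flash = inv["flash_kb"] < req["flash_kb"]
    need_dram = inv["dram_kb"] < req["dram_kb"]
    if not (need_ios or need_flash or need_dram):
        return "Capable; no upgrades required"
    if need_ios and (need_flash or need_dram):
        return "Memory and IOS upgrades"
    if need_ios:
        return "IOS upgrade"
    if need_flash and need_dram:
        return "Both flash and processor memory upgrades"
    return "Flash memory upgrade" if need_flash else "Processor memory upgrade"
```

Output that cannot be parsed, or a model missing from the table, falls into the "unable to determine" category instead of being reported as capable or not capable.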


Plans for the Future


IPv6 Audit

• Local Audit capabilities – Multi Vendor

– 5 day or 7 day

– Trending, utilization, capacity

– IPv6 capability and recommendations

• Capture and Report IPv6 Capability of every device on the network

– Servers

– IP Phones

– Applications


IPv6 Services Practice

• IPv6 Migration and Assessment Services

– Certified Engineers

– Best Practices

– Tools

– Secure Facilities

– Documentation Repository

– Dedicated Engineering and Testing Facilities

• Next Phase of Tool…

– Security Assessments
