Observations on an enterprise IPv6 firewall and IDS

IPv6 WG discussion item

Observations onan enterprise IPv6

firewall and IDS

Tim [email protected]

IETF 68, 19th March 2007Prague


Talk outline

Scenario IPv6 firewall and IDS deployment Observations on firewall activity Observations on IDS activity Considerations for firewall management Considerations for IDS developers


Scenario

Enterprise (academic) network Approx 1,000 hosts/servers Up to 2,000 users

Using various OS’es and hardware

Running a dual-stack deployment IPv6 pervasively on the wire Most network services dual-stack (DNS, MX, web, etc)

Operational now for over three years Partially done through 6NET project (www.6net.org)


Border firewall and IDS Lacking a suitable

commercial solution at this time, currently looking for unified IPv4/IPv6 solutions

Currently use parallel paths into our site Commercial IPv4 firewall BSD pf for IPv6 Snort IDS for both Dual-stack DMZs

including wireless LAN


IPv6 firewall experience

Currently logging all pf blocked connections Averaging around 20-30k entries per week Very low compared to IPv4

Most logged filter events are between our IPv6 DMZ and the internal IPv6 network Similar level and protocols to existing IPv4 DMZ filtering

Around 500 or so ‘miscellaneous’ entries per week No real evidence of systematic port scans ‘Probing’ is to ports on publicly advertised systems, e.g.

DNS servers, MX servers, Web servers, NTP servers


Miscellaneous filters

In the ‘miscellaneous’ category: X11 traffic http

Highlights ruleset inconsistencies between IP versions. ftp SubethaEdit (port 6942) ssh auth microsoft-ds (port 445) …


Microsoft-ds example Log entries:

15:33:18.038763 2002:8c6d:14e7::8c6d:14e7.51878 > augur.ecs.soton.ac.uk.microsoft-ds: S 919595593:919595593(0) win 8192 <mss 1220,nop,wscale 8,[|tcp]>

15:33:21.034973 2002:8c6d:14e7::8c6d:14e7.51878 > augur.ecs.soton.ac.uk.microsoft-ds: S 919595593:919595593(0) win 8192 <mss 1220,nop,wscale 8,[|tcp]>

15:33:27.028456 2002:8c6d:14e7::8c6d:14e7.51878 > augur.ecs.soton.ac.uk.microsoft-ds: S 919595593:919595593(0) win 8192 <mss 1220,nop,nop,sackOK>

Target is a publicly advertised IPv6 node The 2002::/16 source prefix is 6to4

8c 6d 14 e7 is 140.109.20.231 Apparent source:

231.20.109.140.in-addr.arpa. 86400 IN PTR guppy.iis.sinica.edu.tw.


Malformed packets

An example sent towards our web server, perhaps looking to exploit an OS-specific bug/feature:

06:35:10.825875 2001:0:4136:e378:0:12c0:69f8:e96c > augur.ecs.soton.ac.uk: no next header




Rarer ‘probing’ example

One host (in Thailand) checking presence/route to a number of publicly advertised systems:

20:06:51.850661 2001:f00::8.45821 > augur.ecs.soton.ac.uk.33434: udp 16 [hlim 1]

20:07:03.935552 2001:f00::8.45822 > sixprints.ecs.soton.ac.uk.33434: udp 16 [hlim 1]

20:09:14.044278 2001:f00::8.45824 > seven.ecs.soton.ac.uk.33434: udp 16 [hlim 1]

20:09:23.785148 2001:f00::8.45825 > zepler.ecs.soton.ac.uk.33434: udp 16 [hlim 1]

20:09:33.249159 2001:f00::8.45826 > moorhen.ecs.soton.ac.uk.33434: udp 16 [hlim1]

20:09:43.009118 2001:f00::8.45827 > crow.ecs.soton.ac.uk.33434: udp 16 [hlim1]

20:09:52.503731 2001:f00::8.45828 > jackdaw.ecs.soton.ac.uk.33434: udp 16 [hlim1]

20:10:02.243615 2001:f00::8.45829 > coot.ecs.soton.ac.uk.33434: udp 16 [hlim 1]


Intrusion Detection Systems

We use Snort open source IDS/IPS http://www.snort.org/

A patch is available for IPv6 transport inspection Just looks at certain application layer ‘signatures’

Fuller support in release code soon We expect a new test (beta) version any day now Will include official IPv6 support for some features

Probably Stream5, HTTP Inspect, DCERPC and FTP Telnet preprocessors

New record type for IPv6 events Will also need IPS IPv6 communication to firewall

To react to observed potential attacks


Observations on our IDS

Running on our external link path Note Snort supports multiple probe points

In a recent week’s logs: Events logged from 26 different sources

Some from same /64 link, so it’s possible IPv6 privacy addresses may mask true number of sources

Can check the signature IDs, e.g: http://www.snort.org/pub-bin/sigs.cgi?sid=1042


Example IDS events seen

Logged events include: WEB-IIS view source via translate header BAD-TRAFFIC udp port 0 traffic WEB-MISC backup access WEB-MISC SSLv3 invalid data version attempt IIS UNICODE CODEPOINT ENCODING ATTACK-RESPONSES 403 Forbidden TCP Portsweep DOUBLE DECODING ATTACK OVERSIZE REQUEST-URI DIRECTORY

Similar to what we see for IPv4 IDS


Firewall management

Currently we have two firewall platforms Could be managed via single interface/GUI

Need a consistent management interface for IPv4 and IPv6 hosts Allow dual-stack or multiaddressed nodes to be managed Reduce management complexity Avoid inconsistencies

Not the case for all platforms looked at to date Also important to consider IPv6-enabled status of all

services for an IPv6 DNS-advertised host


IDS considerations

The Snort we’ve used only examines application layer data for potential attacks Uses the same signatures as IPv4

We need to understand IPv6-specific issues to detect in IPv6 IDS systems, e.g. Excessive hop-by-hop headers/options Routing Header usage Header ordering Malformed headers Transition tool abuse

Snort won’t see these issues today


Summary

IPv6 firewall activity light (but so is traffic level) Probing activity targeted at ‘advertised’ IPv6 addresses

IPv6 IDS seeing IPv4-like attacks But we’re only looking at the application not the IP layer And no way to do IPS messaging over IPv6 yet

Need to consider how firewalls can be consistently managed for dual-stack IPv4/IPv6 nodes

Need to discuss IPv6-specific IDS considerations Testing new Snort version soon Seeking people to help start an ID on this topic…

Documents

Observations on an enterprise IPv6 firewall and IDS