IPv6 Security - delivered at INET Colombo, Sri Lanka - May 2011
Skeeve Stevens
IPv6 Security
CEO Director
Tuesday, 24 May 2011
INET Colombo, May 2011
What is this talk about?
• This talk is to help people understand the security implications of migrating to IPv6
• Highlights some key areas for you to consider
• Explains the differences between IPv6 and IPv4
• Technical Difficulty - 2 out of 10 (some slides higher)
• If you know what IPv6 is, then you will understand (mostly) this presentation
• IPv6 - I LIKE! It’s NICE
IPv6 Security? Oh oh
• If you are new to IPv6 - do not implement it in a production environment until you understand the security implications
• If you do IPv6 without considering security then you WILL get hacked - and quickly. Would you leave your house unlocked?
• CPEs (modem/router) barely understand IPv6 - initial security is weak - choose the right product! IPv6 Firewalls are coming!
• Use someone who ACTUALLY knows what they are talking about - not just someone who says they know!
• Security through obscurity = security through stupidity - they WILL find your v6 address!
Key Issues to Consider
• Enabling IPv6 leaves you wide open - immediately
Key Issues to Consider
• Every aspect of security that you have in IPv4 needs to be replicated to IPv6
  • SSH, Telnet, Access Lists, SNMP, CoPP – all are immediately open and accessible when you turn on IPv6 - all IPv4 security is immediately bypassed!
• It isn’t hard to do the security – you just HAVE to do it – or else
• Nothing has changed with the basic tenets of security – just all new commands for some platforms – and often in strange places
• The only new important consideration is that IPv6 requires ICMP for PMTU (Path MTU Discovery) – disabling it WILL break things (in ways that you can’t easily troubleshoot)
Key Issues to Consider
• IPv4 vs. IPv6
  • They are totally separate protocols and essentially do not interact at any point - even on the same router and/or switch
  • IPv6 is a completely new version - there is no backward compatibility at all - just some translation methods
• It is a perfect time for you to re-evaluate all your security policies and procedures
  • Zone flow
  • Device lock down policies and Host build procedures
  • User restriction
  • Source/destination control
  • Inter-departmental security - often ignored
Equipment Considerations
• Does your equipment treat v6 the same as v4?
  • Routers, Layer 3 switches, Firewalls, IPS & IDS, VPN Services
• Equipment
  • Plan for equipment upgrades if needed
  • Does it process v6 in hardware or software
    • SW may not be fast enough for your application
    • May cause DoS situations
• Recommendations
  • Talk to your vendors about stable versions
  • Use test gear or lab kit where possible
  • Monitor sites posting vulnerabilities and respond quickly
Tactics
• IPv6 address space is huge. Scanning a network range is unwieldy for attackers. Example - NMAP doesn’t let you scan IPv6 ranges
• Attackers will look for other ways to find their targets
• Take precautions to protect systems that are caches for addresses
  • DHCP servers (reservations)
  • DNS (DNS harvesting), Web Log harvesting
  • Neighbour caches (like ARP cache)
• Don’t simply replicate your IPv4 last octet in IPv6 chazwazza* Make attackers work if they really want a host’s address!
• Inject randomisation in your addressing to make it less obvious - but don’t make life too hard for yourself
* http://www.urbandictionary.com/define.php?term=chazwazza
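
An added example, not part of the original talk: a small audit of your own address plan that flags interface IDs an outsider could guess, including the "replicated IPv4 last octet" pattern the slide warns about. The inventory, host names and labels are constructed for illustration and use documentation prefixes.

```python
import ipaddress

def classify_iid(ipv6, ipv4=None):
    """Label how guessable the interface ID (low 64 bits) of an address is."""
    iid = int(ipaddress.IPv6Address(ipv6)) & (2**64 - 1)
    if ipv4 is not None:
        v4 = int(ipaddress.IPv4Address(ipv4))
        octet = v4 & 0xFF
        # 192.0.2.25 -> "::19" (same value) or "::25" (decimal digits reused as hex)
        if iid in (octet, int(str(octet), 16)):
            return "mirrors-ipv4-last-octet"
        if iid == v4:                       # whole IPv4 address in the low 32 bits
            return "embeds-ipv4"
    if (iid >> 24) & 0xFFFF == 0xFFFE:      # ff:fe in the middle: built from the MAC
        return "eui64-mac-derived"
    if iid < 0x10000:                       # ::1, ::53, ::100 and similar
        return "low-value"
    return "not-obvious"

def audit(inventory):
    """Return (host, ipv6, label) for every entry with a guessable interface ID."""
    findings = []
    for host, ipv4, ipv6 in inventory:
        label = classify_iid(ipv6, ipv4)
        if label != "not-obvious":
            findings.append((host, ipv6, label))
    return findings

# Constructed inventory using documentation prefixes (RFC 5737 / RFC 3849).
INVENTORY = [
    ("web1", "192.0.2.25", "2001:db8:1::25"),
    ("web2", "192.0.2.26", "2001:db8:1::1a"),
    ("mail", "192.0.2.40", "2001:db8:1::c000:228"),
    ("dns1", None, "2001:db8:1::53"),
    ("nas", None, "2001:db8:1:0:21a:2bff:fe3c:4d5e"),
    ("db1", "192.0.2.60", "2001:db8:1:0:8d3f:51a2:9c07:e4b6"),
]

if __name__ == "__main__":
    for host, ipv6, label in audit(INVENTORY):
        print(f"{host:5} {ipv6:34} {label}")
```

Only `db1` passes; every other entry can be guessed from the IPv4 plan, a well-known port number or the NIC vendor prefix.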
Filtering (More Advanced)
• Filter unneeded or potentially dangerous communications
Examples:
  • Routing Header 0 vulnerabilities (sort of like IPv4 source routing). Deprecated by RFC 5095 but still dangerous since it can let an attacker control hop flow.
  • If certain internal IPv6 addresses never need to hit the Internet, filter them
  • ICMP is critical to IPv6. Let certain (but not all) types through hops
  • Anycast & Multicast unless they are specifically used
• Don’t leave yourself open to potential future attacks - Everything you know now will change in the next 5 years. They WILL get smarter, they WILL get faster than ever before.
Extension Headers (Even More Advanced)
One key difference:
The key area where v6 is different from v4 is that v6 packets use a concept known as extension headers, which were developed to improve performance by making the packet header structure simpler.
Essentially v6 extension headers are optional headers that let you specify certain ways that you can influence the packet to behave, such as routing the packet through a certain path on the network, or you might have a fragmentation header that breaks up the packet and then reassembles it.
In v4 we had to have all those headers included in one single header but they're optional in v6.
Because they're optional, security protocols need to understand a variable set of headers, which makes security devices more complex.
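
An added example, not part of the original talk: the header walk a filtering device has to perform before it can even see the TCP/UDP/ICMPv6 layer, flagging the Routing Header type 0 case from the filtering slide and the malformed chains that make inspection hard. Function names, finding labels and the three test packets are constructed for illustration.

```python
import struct

HBH, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
EXT = {HBH, ROUTING, FRAGMENT, AH, DSTOPTS}

def walk_headers(pkt, max_ext=8):
    """Walk a raw IPv6 packet; return (chain, upper_layer_proto, findings)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain, findings = pkt[6], 40, [], []
    while nxt in EXT:
        if len(chain) >= max_ext:
            return chain, None, findings + ["too-many-extension-headers"]
        if off + 8 > len(pkt):
            return chain, None, findings + ["truncated-extension-header"]
        if nxt == FRAGMENT:
            hlen = 8                              # fixed size
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4         # AH counts 32-bit words
        else:
            hlen = (pkt[off + 1] + 1) * 8         # 8-octet units after the first 8
        if off + hlen > len(pkt):
            return chain, None, findings + ["truncated-extension-header"]
        chain.append(nxt)
        if nxt == ROUTING and pkt[off + 2] == 0:
            findings.append("routing-header-type-0")   # deprecated by RFC 5095
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            # Non-first fragment: what follows is payload, not headers.
            return chain, None, findings + ["non-first-fragment"]
        nxt, off = pkt[off], off + hlen
    return chain, nxt, findings

def ipv6(next_header, payload):
    """Constructed test packet: fixed header with documentation-prefix addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

PAD = bytes([1, 4, 0, 0, 0, 0])                   # PadN option filling 6 bytes
RH0 = ipv6(ROUTING, bytes([6, 2, 0, 1]) + bytes(4) + bytes(16) + bytes(20))
CHAINED = ipv6(HBH, bytes([DSTOPTS, 0]) + PAD + bytes([58, 0]) + PAD + bytes(8))
LATE_FRAG = ipv6(FRAGMENT, bytes([17, 0]) + struct.pack("!HI", 185 << 3, 0x1234) + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("RH0", RH0), ("chained", CHAINED), ("late fragment", LATE_FRAG)):
        print(name, walk_headers(pkt))
```

A `None` upper-layer protocol means the device cannot classify the packet from this fragment alone, which is exactly where a filtering policy has to make an explicit decision.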
Please Remember
• IPv6 is not automatically more secure than IPv4
  • IPv6 is just layer 3... above or below layer 3 will act just the same as they do with v4 - assuming your apps are layer 3 agnostic
• IPv6 can be attacked just as easily as IPv4 - what does this mean?
  • MAC can still be spoofed
  • Flawed web apps will remain flawed - SQL injections, etc
  • IPv6 attacks will grow smarter and more creative as deployments grow
  • Back in 2002 a Honeypot system caught a hack using IPv6 tunnels to break into sites
  • Think of the hacks and bugs discovered each month - it is only a matter of time. IPv6 is new - it will have problems
So....
Does this mean that I should avoid v6?
It sounds complicated.
Who will help me?
PRACTICE SAFE IPV6!
Thanks....
Questions?
Thanks to Kurt Bales, Jeff Doyle and Grant Moerschel for content and inspiration
CONNECT WITH ME
Web~ www.eintellego.asia
Facebook~ facebook.com/eintellego
LinkedIn~ http://au.linkedin.com/in/skeeve
Twitter~ @eintellego @networkceoau @skeevestevens
CEO Blog~ www.network-ceo.net