IPv6 Security - Workshop with Live Demo

Transcript of IPv6 Security - Workshop with Live Demo

Fortinet IPv6 Security

IPv4 Highway

Fortinet Confidential

June 8th, 2011

Rainer Baeder

Drivers for IPv6

• Basic Demand Drivers
  • More network appliances, but a lack of IPv4 addresses to support them
  • Control OpEx for network and IT
  • Elimination of complex NAT networks
  • Strong intrinsic security
  • Better support for mobility applications
  • Greater flexibility and simplicity

• New Opportunities to Improve Business Performance
  • Business process improvements
  • New business opportunities
  • More addresses for objects – enhanced automation and productivity
  • Machine-to-Machine (M2M) telematics / Internet of Things
  • IPv6 connection to anything

IPv6 – it is time to prepare for the step

... and basically – we are running out of IPv4 addresses (snapshot June 3rd, 2011)

To stay competitive, we must open the door for IPv6 and use its foremost

Migration Complexities / Deployment Considerations

• Compatibility issues between IPv4 and IPv6
• Vendor interoperability issues with IPv6
• Potential security issues
• Network management considerations
• Existing hardware may not handle IPv6 traffic efficiently
• Router memory and CPU limitations may preclude IPv6 deployment
• Technology refresh cycles can be exploited to deploy IPv6 capabilities
• Global public routing practices continue to evolve

The most important targets of IPv6

• Larger IP address space
  • IP addresses are 128 bits (instead of 32 bits)
• Advanced header structure
  • Improved processing capability through sub-segmenting of essential and optional header fields (in Extension Headers)
• Different IPv6 Addresses
  • Public IPv4 addresses correspond with Global Unicast Addresses
  • Private IPv4 addresses correspond with Site Local Unicast Addresses (note: site-local, FEC0::/10, was deprecated by RFC 3879; Unique Local Addresses, FC00::/7 per RFC 4193, fill that role today)
  • Special address types for usage of IPv4 and IPv6 in parallel
• Support of autoconfiguration
  • Should follow the Plug-and-Play principle
• Improved security
  • 2 additional Extension Headers are foreseen (Encapsulating Security Payload Header and Authentication Header)
  • Both can be used in IPv4 as well; that IPv6 nodes must implement them does not mean they are deployed, so expect the same key management effort as with IPv4 IPsec

Principle Design Considerations

• “Dual stack when you can – Tunnel when you must – Translate when no other option works”
• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
• Now is your time to build a network your way – don’t carry the IPv4 mindset forward with IPv6 unless it makes sense
• Design Consistency with IPv4
• Design should work across all WAN clouds, LAN, Enterprises, Data Center, Campus, etc.
• Deploy it – at least in a lab – IPv6 won’t bite
• Consider the human factor, keep it simple!

[Slide graphic: layer stack L1 Physical, L2 Data Link, L3 Network, L4 Transport, L5 Session, L6 Presentation, L7 Application, L8 Political, L9 Religious]

IPv6 Transition Methodologies

• Dual Stack
• MPLS-Based Solutions
  • 6PE, 6VPE
• IP-Tunnel Approaches
  • Configured Tunnels: GRE, IP, L2TP, GFP
  • Automatic (address-derived) tunnels: 6to4, 6RD, ISATAP, Teredo
• NAT-Based Solutions
  • IPv4 to IPv4 (Mitigation): NAT44, NAT444, DS-Lite
  • IPv4 to IPv6 (Interworking): NAT64, NAT464 (NAT-TCP, NAT-UDP, NAT-ICMP)

IPv6 Protocol Vulnerability

• IPv6 Header
  • Header Manipulation
  • Protocol Fuzzing
• ICMPv6
  • ICMPv6 Filtering
  • ICMPv6 Attacks
• Extension Header
  • Extension Header Filtering
  • Extension Header Fuzzing
  • Routing Header Attacks (Routing Header Type 0)
  • Fragmentation Header
  • Unknown Header
  • Protocol Layer Header
• Node Survey
  • Scanning
  • Improved/Smart Scanning
  • Multicast techniques
  • Sniffing
• Higher Layer Spoofing
  • Generic Malware
• Router Protocol Security
• Flooding / (D)DoS and Packet Multicast
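The header and ICMPv6 items above are where an IPv6 firewall most often gets it wrong: either it drops all ICMPv6 (breaking Path MTU discovery and Neighbor Discovery) or it forwards link-scoped messages and Routing Header Type 0 packets it should never pass. The following is an added example, not code from the slides or from Fortinet: a small parser that walks the extension-header chain of raw packet bytes and an RFC 4890-style border policy for ICMPv6. Function names (`build_ipv6`, `parse_ipv6`, `icmpv6_verdict`, `demo`) are this example's own, and the packets are constructed inline.

```python
"""Walk an IPv6 extension-header chain and apply an ICMPv6 border policy.

Added example: not code from the original slides or from Fortinet. Packets
are constructed inline. Rules follow RFC 4890 (ICMPv6 filtering), RFC 5095
(Routing Header Type 0 deprecated), RFC 4861 (ND hop limit 255), RFC 3810
(MLD hop limit 1) and RFC 8200 (extension header order).
"""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 50, 51, 58, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}   # ESP hides what follows it

ICMPV6_TRANSIT_OK = {1, 2, 3, 4, 128, 129}    # unreachable, packet too big, time exceeded, param problem, echo
ICMPV6_ND = {133, 134, 135, 136, 137}         # RS, RA, NS, NA, Redirect
ICMPV6_MLD = {130, 131, 132, 143}             # MLD query / report / done, MLDv2 report


def build_ipv6(src, dst, hop_limit, exts, upper_proto, upper):
    """Assemble a packet. exts = [(ext_number, body)], body = header minus its Next Header byte."""
    protos = [n for n, _ in exts] + [upper_proto]
    payload = b"".join(bytes([nxt]) + body for (_, body), nxt in zip(exts, protos[1:])) + upper
    return struct.pack("!IHBB", 6 << 28, len(payload), protos[0], hop_limit) + src + dst + payload


def parse_ipv6(pkt):
    """Parse the fixed header and extension chain; collect findings a firewall should act on."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nxt, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) - 40 < plen:
        raise ValueError("payload length exceeds captured bytes")
    chain, findings, off = [], [], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == HOP_BY_HOP and chain:
            findings.append("Hop-by-Hop header not first (RFC 8200 4.1)")
        if nxt in chain and nxt != DEST_OPTS:
            findings.append(f"duplicate extension header {nxt}")
        if nxt == FRAGMENT:
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                findings.append("non-first fragment: upper layer invisible until reassembly")
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4
        else:
            hlen = (pkt[off + 1] + 1) * 8
            if nxt == ROUTING and pkt[off + 2] == 0 and pkt[off + 3]:
                findings.append("RH0 with Segments Left > 0 (RFC 5095: drop)")
        chain.append(nxt)
        nxt, off = pkt[off], off + hlen
    return {"src": pkt[8:24], "hop_limit": hlim, "chain": chain,
            "upper_proto": nxt, "upper": pkt[off:], "findings": findings}


def icmpv6_verdict(p, transit):
    """Border verdict for one ICMPv6 packet; transit=True when forwarded rather than delivered locally."""
    if p["findings"] or p["upper_proto"] != ICMPV6 or len(p["upper"]) < 4:
        return "drop"
    t = p["upper"][0]
    if t in ICMPV6_ND:       # link-scoped: a router never forwards it, so hop limit must still be 255
        return "accept" if not transit and p["hop_limit"] == 255 else "drop"
    if t in ICMPV6_MLD:      # link-local source and hop limit 1
        return "accept" if not transit and p["hop_limit"] == 1 and p["src"][:2] == b"\xfe\x80" else "drop"
    return "accept" if t in ICMPV6_TRANSIT_OK else "drop"   # default deny (e.g. type 139/140 node information)


def demo():
    """Constructed packets covering the on-link, spoofed, transit, RH0 and fragment cases."""
    def ip(s):
        return ipaddress.IPv6Address(s).packed
    ll, snm, a, b = ip("fe80::1"), ip("ff02::1:ff00:2"), ip("2001:db8::a"), ip("2001:db8:1::b")
    ns = bytes([135, 0, 0, 0]) + b"\0" * 4 + ip("fe80::2")                 # Neighbor Solicitation
    echo = bytes([128, 0, 0, 0, 0, 1, 0, 1])                                # Echo Request
    rh0 = (ROUTING, bytes([2, 0, 1]) + b"\0" * 4 + ip("2001:db8::dead"))   # type 0, one segment left
    frag = (FRAGMENT, bytes([0]) + struct.pack("!HI", 100 << 3, 0x1234))   # offset 100: not the first fragment
    cases = {
        "nd_on_link": (build_ipv6(ll, snm, 255, [], ICMPV6, ns), False),
        "nd_forwarded": (build_ipv6(ll, snm, 255, [], ICMPV6, ns), True),
        "nd_hop_limit_64": (build_ipv6(ll, snm, 64, [], ICMPV6, ns), False),
        "echo_transit": (build_ipv6(a, b, 64, [], ICMPV6, echo), True),
        "echo_via_rh0": (build_ipv6(a, b, 64, [rh0], ICMPV6, echo), True),
        "echo_fragment": (build_ipv6(a, b, 64, [frag], ICMPV6, echo), True),
    }
    return {k: icmpv6_verdict(parse_ipv6(pkt), tr) for k, (pkt, tr) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Two design points worth carrying into a real policy: Neighbor Discovery is accepted only when the packet is delivered locally with hop limit 255, which is how an on-link node tells a genuine NS/NA/RA from one injected from another segment; and a non-first fragment is dropped rather than passed, because its upper-layer header is not visible and a stateless filter cannot judge it (a stateful device would reassemble first).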

IPv6 Address Types – well-known Multicast

• Interface-local scope
  • FF01::1 all-nodes
  • FF01::2 all-routers
• Link-local scope
  • FF02::1 all-nodes
  • FF02::2 all-routers
  • FF02::5 OSPFIGP
  • FF02::9 RIP routers
  • FF02::B Mobile Agents
  • FF02::6A all snoopers
  • FF02::1:2 all DHCP agents
• Site-local scope
  • FF05::2 all-routers
  • FF05::1:3 all DHCP servers
• Same group ID, different scopes (NTP)
  • FF01::101 all NTP servers on the same node as the sender
  • FF02::101 all NTP servers on the same link as the sender
  • FF05::101 all NTP servers in the same site as the sender
  • FF0E::101 all NTP servers on the internet

Global Unicast Addresses correspond with public IPv4 addresses; Site Local Unicast Addresses correspond with private IPv4 addresses

IPv6 Firewalling

• IPv6 Addressing
  • Unallocated Addresses
• IPv6 Headers allowance
• L2 FW
• IPv6 and NAT
• Neighbor Discovery allowance (NDP)
  • Duplicate Address Detection Issue
  • Redirect Issue
  • SEcure Neighbor Discovery (SEND)
• DHCPv6 Threats
• Endpoint Security
• IPv6, IPSec and Firewalls
• Management
• Routing Security
  • RIPng, OSPFv3
• QoS Threats
• Tunneled Traffic Inspection
• Unwanted Tunnels
• Mobile IPv6 (MIPv6)
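Several items on this slide and the two before it (unallocated and deprecated address ranges, unwanted tunnels, the well-known multicast groups, node survey and smart scanning) come down to reading what an IPv6 address itself reveals. The following is an added example, not code from the slides or from Fortinet, that classifies an address and pulls out the embedded IPv4 endpoints of 6to4, ISATAP and Teredo traffic, the MAC behind an EUI-64 interface identifier, and the scope and well-known group of a multicast destination. Function names (`analyse`, `report`) and the constant tables are this example's own; the sample addresses are constructed from documentation ranges, except the Teredo address, which is the standard textbook example.

```python
"""Classify IPv6 addresses and extract what they reveal to a firewall or scanner:
multicast scope and well-known group, the embedded IPv4 of 6to4 / ISATAP / Teredo
endpoints (unwanted-tunnel detection), and the MAC behind an EUI-64 interface
identifier (node survey, smart scanning).

Added example: not code from the original slides or from Fortinet. Sample
addresses are constructed; 2001:db8::/32 and 192.0.2.0/24 are documentation ranges.
"""
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
GROUPS = {0x1: "all-nodes", 0x2: "all-routers", 0x5: "OSPFIGP", 0x9: "RIP routers",
          0xB: "mobile agents", 0x6A: "all snoopers", 0x101: "NTP servers",
          0x10002: "all DHCP agents", 0x10003: "all DHCP servers"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")     # deprecated by RFC 3879
ULA = ipaddress.IPv6Network("fc00::/7")             # RFC 4193
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def analyse(text):
    """Return a dict describing one address: kind, scope/group, embedded IPv4, IID type."""
    a = ipaddress.IPv6Address(text)
    b = a.packed
    info = {"address": str(a)}
    if a.is_multicast:
        gid = int.from_bytes(b[2:], "big")                      # 112-bit group ID
        solicited = b[2:11] == bytes(9) and b[11] == 1 and b[12] == 0xFF   # ff02::1:ffXX:XXXX
        info.update(kind="multicast", scope=SCOPES.get(b[1] & 0xF, "unassigned"),
                    transient=bool(b[1] & 0x10),
                    group="solicited-node" if solicited else GROUPS.get(gid, f"0x{gid:x}"))
        return info
    if a.ipv4_mapped:
        info.update(kind="IPv4-mapped", ipv4=str(a.ipv4_mapped))
        return info
    if a.sixtofour:                       # 2002:WWXX:YYZZ::/48 embeds the 6to4 endpoint's IPv4
        info.update(kind="6to4 tunnel", ipv4=str(a.sixtofour))
    elif a.teredo:                        # 2001::/32: server IPv4, then obfuscated client IPv4 and UDP port
        server, client = a.teredo
        info.update(kind="Teredo tunnel", server=str(server), client=str(client),
                    port=int.from_bytes(b[10:12], "big") ^ 0xFFFF)
    elif a in LINK_LOCAL:
        info["kind"] = "link-local"
    elif a in SITE_LOCAL:
        info["kind"] = "site-local (deprecated, RFC 3879)"
    elif a in ULA:
        info["kind"] = "unique local (RFC 4193)"
    elif a in GLOBAL_UNICAST:
        info["kind"] = "global unicast"
    else:
        info["kind"] = "reserved/unassigned"
    # Interface identifier: what does it leak, and how easy is it to enumerate?
    iid = b[8:]
    if iid[3:5] == b"\xff\xfe":           # modified EUI-64: flip the U/L bit back to recover the MAC
        mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
        info.update(iid="EUI-64", mac=":".join(f"{x:02x}" for x in mac))
    elif iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):   # ISATAP embeds the host's IPv4
        info.update(iid="ISATAP", isatap_ipv4=str(ipaddress.IPv4Address(iid[4:8])))
    elif iid[:6] == bytes(6):
        info["iid"] = "low-numbered (trivial to enumerate)"
    else:
        info["iid"] = "random/privacy"
    return info


SAMPLES = ["ff02::1", "ff05::1:3", "ff02::1:ff28:9c5a", "fe80::2aa:ff:fe28:9c5a",
           "2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
           "2001:db8::5efe:c000:20a", "fec0::1", "fd00::1"]


def report(samples=SAMPLES):
    """Analyse a list of addresses (constructed samples by default)."""
    return {s: analyse(s) for s in samples}


if __name__ == "__main__":
    for s, r in report().items():
        print(s, {k: v for k, v in r.items() if k != "address"})
```

Run against a flow log, the same classification answers three of the slide's questions at once: a 2002::/16 or 2001::/32 destination from an inside host is a tunnel leaving the network whatever the firewall's IPv4 policy says, an EUI-64 identifier hands a scanner the vendor OUI and a predictable pattern to sweep instead of a 2^64 space, and a FEC0::/10 source should not exist on a modern network at all.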

Fortinet IPv6 Strategy

• Feature parity of all functions between IPv4 and IPv6 on the higher layers
• Applications unaware of whether they run on IPv4 or IPv6
• IPv6 firewalling integrated for 3+ years
• Stepwise extension to complete functionality on IPv6
• Almost completed now

Today implemented for IPv4 & IPv6

• Stateful Firewalling and Routing
  • Service objects (e.g. ICMPv6), IPv6 address objects
  • Dynamic Routing: OSPF / RIP / BGP
• AntiVirus Scanning
  • http(s), ftp, smtp(s), imap(s), pop3(s), Instant Messaging, nntp
• Intrusion Prevention
  • Signature-based IPS/IDS and DoS protection
• URL Filtering
• Data Leak Prevention
• Management of the device via IPv6
  • e.g. SSH or https via IPv6 for device management

Today implemented for IPv4 & IPv6

• Bandwidth Management
  • Shaping, QoS
• IPSec (IKEv1 & IKEv2)
• DNS (AAAA Record)
• IPv4 over IPv6 Tunneling
• IPv6 over IPv4 Tunneling (e.g. tunnel brokers like SixXS)
• SIP ALG (Application Layer Gateway)
  • Carrier-grade SIP ALG: SIP fuzzing protection, pinholing, rate control, etc.
• Application Control
• Logging and Reporting of data traffic, reporting on FortiAnalyzer

Protection on all Layers - UTM

• Combined methods on different layers
• Allow, but do not trust, all applications
• Inspect the content of the application
• Support for IPv4 and IPv6

Forehand Planning is the key

• Vision for the business or the adoption driver
• IPv6 Training
• IP architecture that supports the vision -> IPv6 addressing scheme + design
• Evaluate infrastructure readiness to support the IPv6 implementation of the architecture
• Drive requirements and define purchasing strategy
• Align with other initiatives to accelerate readiness
• Define timeline

Overnight Adoption is Limiting and Expensive

Thank You.