Navaneethan C. Arjuman, [email protected], National Advanced IPv6 Centre (NAv6)
Introduction
• Implementing any new technology brings with it a new set of problems.
• Being aware of its strengths and weaknesses is vital.
• IPv6 introduces its own set of problems.
• This does not mean it is insecure, any more than IPv4 is.
Concerns
• How will IPv6 affect the organization's network?
• How secure is IPv6 compared to IPv4?
• How can security practices similar to those used for IPv4 be implemented?
• Are the current devices capable of blocking and filtering IPv6 traffic?
Common Misunderstandings
• IPv6 has fewer issues than IPv4.
• IPv6 offers security by default.
• IPv6 makes it harder to perform reconnaissance.
• Services in IPv6 are more secure.
• Moving to IPv6 will solve all the problems.
• Monitoring IPv6 and IPv4 simultaneously is difficult.
CSE6 Course Details
• It is a four (4) day course
• Curriculum developed by NAv6
• Covers both theory and practical work
• Certified by the IPv6 Global Forum
National Advanced IPv6 Centre
• Premier centre in the area of Next Generation Internet
• NAv6's journey began as the Next Generation Network (NGN) research unit started by the Network Research Group (NRG) under the School of Computer Sciences, Universiti Sains Malaysia (USM), Penang, back in 1992.
• In 2005, this unit was appointed as the National Advanced IPv6 Centre of Excellence (NAv6) by the Ministry of Information, Culture and Communication (formerly known as the Ministry of Water, Energy & Communications), Malaysia, to spearhead the country's transition to being IPv6 ready by 2012.
• NAv6 has been providing its IPv6 Certification course since 2006
• Trained over two thousand engineers across thirty (30) countries globally
• NAv6 is also the National Chapter on IPv6 research and training appointed by the IPv6 Global Forum, in collaboration with the IPv6 Promotional Council of Japan.
CSE6 Day 1 (Morning): IPv6 Revisited
• Motivation For IPv6
• Brief Comparison Between IPv6 And IPv4
• Stateless And Stateful Address Configuration
• IPv6 Header Structure
• Comparison With IPv4 Header
• IPv6 Addressing
• IPv6 DNS And DHCP
• Basic Transition Mechanisms
• IPv6 Auto-Configuration
Message from the Father of the Internet
Motivation for IPv6
• History of how the Internet began
• Understand what IP is and how it works
• Refresher on current IP (IPv4) addressing
• Understand IP address management
• Highlight issues with IPv4
• Approaches to extend the life of IPv4: CIDR and NAT
• Introduce IPv6
Recap on the Internet and the Internet Protocol
• Compare IPv4 and IPv6
• Understand the IPv6 address format
• IPv6 header and extension headers
• Autoconfiguration
– Using RA and ND
– Using DHCPv6
• IPv6 transition
– Dual-stack
– Tunneling
– Translation
Recap on the Internet and the Internet Protocol (continued)
• A and AAAA DNS records
• IPv4 and IPv6 coexistence
• IPv6 support in common operating systems
• Explain the lag in IPv6 deployment
– Cost
– Security concerns
CSE6 Day 1 (Afternoon): IPv6 Security Features
• IPsec Architecture
• Privacy Addresses
• Temporary Addresses
• Cryptographically Generated Addresses (CGA)
• SEcure Neighbor Discovery (SEND)
• Mobile IPv6 Security
• Dynamic Routing Security
• Hands-On Exercise: IPsec Configuration
Security: IPsec
• General IP security mechanisms
– From the IETF IPsec Working Group: http://tools.ietf.org/wg/ipsec/
– IP Security Architecture: RFC 4301
• Applies to both IPv4 and IPv6:
– Mandatory for IPv6
– Optional for IPv4
• Applicable for use over LANs, across public and private WANs, and for the Internet
• IPsec is a security framework
– Provides a suite of security protocols
– Secures a pair of communicating entities
IPsec
What is Internet Protocol Security (IPsec)?
• Works at the Network Layer (Layer 3).
• Secures communication by encrypting and authenticating each IP packet.
• Provides end-to-end security between hosts.
• Securing the network cannot be left to perimeter devices alone.
IPsec protocol overview
• IPsec services
– Authentication: AH (Authentication Header, RFC 4302)
– Confidentiality: ESP (Encapsulating Security Payload, RFC 4303)
– Replay protection, integrity
– Key management: IKEv2 (Internet Key Exchange, RFC 4306)
• Implementations
– Linux kernel (USAGI), Cisco
Special Addresses
Unique Local Address (Privacy Address)
It is approximately the IPv6 counterpart of the IPv4 private address. Unique local addresses are available for use in private networks.
Cryptographically Generated Addresses (CGA)
In basic CGA, 62 bits are used to store a cryptographic hash of a public key: host ID = HASH62(public_key)
Temporary Addresses
Home users are typically assigned an IP address by the ISP. The addresses they use change frequently over time and are shared among a number of different users. Thus, an address does not reliably identify a particular device over time spans of more than a few minutes.
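A worked illustration of the "host ID = HASH62(public_key)" idea, added here as an example and not taken from the course material: it derives a 64-bit interface identifier from a hash of a public key, clears the two reserved u/l and i/g bits so that 62 hash bits remain, and shows how a receiver re-derives the address to check that a claimed address really belongs to the key that signed it. It is a deliberate simplification of RFC 3972 (no modifier, collision count or sec parameter), it uses SHA-256 where the RFC uses SHA-1, and the public key bytes and the 2001:db8:1::/64 prefix are constructed sample values.

```python
"""Simplified CGA derivation: host ID = HASH62(public_key).

Added example, not code from the course slides. It omits the RFC 3972
modifier, collision count and sec parameter and uses SHA-256; the public
key is treated as opaque bytes (the sample key below is constructed).
"""
import hashlib
import ipaddress

# Constructed sample inputs: not a real key, documentation prefix.
SAMPLE_PUBLIC_KEY = b"constructed-sample-public-key-bytes"
SAMPLE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")


def cga_interface_id(public_key: bytes, subnet_prefix: ipaddress.IPv6Network) -> bytes:
    """Return the 8-byte interface identifier for a key on a given /64."""
    prefix_bytes = subnet_prefix.network_address.packed[:8]
    # Binding the prefix into the hash keeps one key from yielding the
    # same interface ID on every link.
    digest = hashlib.sha256(prefix_bytes + public_key).digest()
    iid = bytearray(digest[:8])
    # Clear the u/l bit (0x02) and the i/g bit (0x01) of the first octet,
    # which modified EUI-64 reserves; 62 bits of hash output remain.
    iid[0] &= 0xFC
    return bytes(iid)


def cga_address(public_key: bytes, subnet_prefix: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Combine the /64 prefix with the hashed interface identifier."""
    prefix_bytes = subnet_prefix.network_address.packed[:8]
    return ipaddress.IPv6Address(prefix_bytes + cga_interface_id(public_key, subnet_prefix))


def verify_cga(address: ipaddress.IPv6Address, public_key: bytes) -> bool:
    """Re-derive the address from the claimed key. False means the key does
    not own that address, which is what a forged Neighbor Advertisement
    carrying someone else's address would look like to a SEND receiver."""
    prefix = ipaddress.IPv6Network((address.packed[:8] + bytes(8), 64), strict=False)
    return cga_address(public_key, prefix) == address


if __name__ == "__main__":
    addr = cga_address(SAMPLE_PUBLIC_KEY, SAMPLE_PREFIX)
    print("CGA:", addr)
    print("verifies with owner key:", verify_cga(addr, SAMPLE_PUBLIC_KEY))
    print("verifies with other key:", verify_cga(addr, b"some-other-key"))
```

The verification step is the whole point of the scheme: an address by itself proves nothing, but an address plus a public key plus a signature over the ND message lets the receiver check the binding without any pre-shared secret or certificate.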
SEcure Neighbor Discovery (SEND)
Neighbor Discovery Protocol (NDP) has specific functions such as:
• Neighbor Discovery (ND)
• Address auto-configuration
• Router Discovery (RD)
• Neighbor Unreachability Detection (NUD)
• Address resolution
• Duplicate Address Detection (DAD)
• Redirection, etc.
SEcure Neighbor Discovery (SEND) (continued)
As NDP is used by both hosts and routers, it is more vulnerable to various attacks unless secured. To counter the threats to NDP, the Secure Neighbor Discovery (SEND) protocol was designed.
Mobile IPv6 Security
• Mobility must not weaken the security of IP.
• Primary concern: protect nodes that are not involved in the exchange (e.g. nodes in the wired Internet).
• Resilience to denial-of-service attacks.
• Security based on return routability: challenges are sent to the identity and to the location; the response binds identity to location.
• Cryptographic keys are sent in the clear.
Dynamic Routing Security
• Routing security is still a problem in IPv6, but the chances of solving the problem are higher than in IPv4.
• IPv6 addresses are quite often dynamically assigned, so it is of the utmost importance that this process be done in a secure fashion.
• The Routing Header can be used to:
– Reach a hidden host via a visible one
– Use reflection to launch a DoS attack
CSE6 Day 2 (Morning): IPv6 Security Issues
• Debunking IPv6 Security Myths
• Similar IPv4/IPv6 Network Security Issues
• IPv6 Transition Security Issues
• Security Implication Of Mixed IPv4/IPv6 Network
IPv6 Is Neither A Magic Bullet, Nor A Poison Pill
“If we do deploy IPv6, will it hurt us or benefit us when it comes to security?”
It's 50-50, but at the end of the day you still have to deploy IPv6 (i.e. because of address depletion).
“Security” should not be the reason for NOT deploying IPv6.
Be sceptical of “snake oil” claims that IPv6 improves your network's security.
Debunking IPv6 Security Myths
Myth 1
• IPv6 improves security because “all IPv6 traffic gets encrypted with IPsec”
Myth 2
• “If we don't deploy native IPv6, we'll be able to control whether our users are able to get at IPv6-served content”
Debunking IPv6 Security Myths (continued)
Myth 3
• “IPv6 is less secure because it does not require NAT”
Similar IPv4/IPv6 Network Security Issues
• Scanning gateways and hosts for weaknesses
• Scanning for multicast addresses
• Unauthorised access control
• Firewalls
• Protocol weaknesses
• Distributed Denial of Service
• Transition mechanisms
• Worms/viruses
– There are already worms that use IPv6
IPv6 Transition Security Issues
Based on RFC 4942, IPv6 Security Overview, September 2007: “The transition from a pure IPv4 network to a network where IPv4 and IPv6 coexist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network with its associated transition mechanisms.”
IPv6 Transition Security Issues (continued)
Overview of the various issues, grouped into three categories:
• issues due to the IPv6 protocol itself,
• issues due to transition mechanisms,
• issues due to IPv6 deployment.
Security Implication Of Mixed IPv4/IPv6 Network
According to RFC 4942: “It is important to understand that deployments are unlikely to be replacing IPv4 with IPv6 (in the short term), but rather will be adding IPv6 to be operated in parallel with IPv4 over a considerable period, so that security issues with transition mechanisms and dual stack networks will be of ongoing concern.”
CSE6 Day 2 (Afternoon): IPv6 Security Issues
• Impact of Network Address Translation (NAT) Removal
• IPv6 Filtering by Legacy Firewalls
• IPv6 DNS Threats
• Rogue IPv6 Networks and Nodes
IPv6 Security Monitoring
• Managing and Monitoring IPv6 Networks
• IPv6 Forensics
• Exercise: IPv6/IPv4 Network Monitoring using iNetmon (Hands-on)
Impact of Network Address Translation (NAT) Removal
• What is NAT?
• How does it work?
• The need for address translation
• Advantages and disadvantages of NAT
• Impact of Network Address Translation (NAT) removal
IPv6 Filtering by Legacy Firewalls
If a firewall is not configured to apply the same level of screening to IPv6 packets as to IPv4 packets, the firewall may let IPv6 pass through to dual-stack hosts within the enterprise network, potentially exposing them to attack.
IPv6 is enabled on several hosts with default firewall policies of ACCEPT and no rules. This allows IPv6 traffic to completely bypass the numerous IPv4 rules.
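The "default ACCEPT and no rules" gap is easy to audit once the two rule sets are read side by side. The script below is an added example, not course material: it parses listings in the format that `iptables -S` and `ip6tables -S` print (`-P CHAIN POLICY` and `-A CHAIN ...` lines), flags chains that accept everything by default while holding no rules, and reports where the IPv4 policy is restrictive but the IPv6 one is wide open. The two listings embedded in it are constructed samples, not output captured from a real host.

```python
"""Audit for the 'IPv6 default ACCEPT with no rules' gap.

Added example, not course material. It parses rule listings in the
``iptables -S`` / ``ip6tables -S`` format and reports chains that accept
everything by default while holding no rules, then compares the two
stacks so an IPv4-only policy stands out. The listings below are
constructed samples, not output captured from a real host.
"""
from typing import Dict, List, Tuple

# Constructed sample listings (the shape `iptables -S` / `ip6tables -S` print).
IPTABLES_SAMPLE = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

IP6TABLES_SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Chains where a wide-open default lets inbound or transit traffic through.
INBOUND_CHAINS = ("INPUT", "FORWARD")


def parse_ruleset(listing: str) -> Dict[str, Tuple[str, int]]:
    """Map chain name -> (default policy, number of rules appended to it)."""
    policies: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-P":      # -P CHAIN POLICY
            policies[parts[1]] = parts[2]
            counts.setdefault(parts[1], 0)
        elif len(parts) >= 2 and parts[0] == "-A":    # -A CHAIN ...rule...
            counts[parts[1]] = counts.get(parts[1], 0) + 1
    return {chain: (policies.get(chain, "?"), counts.get(chain, 0)) for chain in counts}


def unfiltered_chains(listing: str) -> List[str]:
    """Inbound chains that default to ACCEPT and carry no rules at all."""
    parsed = parse_ruleset(listing)
    return [c for c in INBOUND_CHAINS if c in parsed and parsed[c] == ("ACCEPT", 0)]


def ipv6_bypass_findings(v4_listing: str, v6_listing: str) -> List[str]:
    """Chains that are filtered for IPv4 but wide open for IPv6."""
    v4, v6 = parse_ruleset(v4_listing), parse_ruleset(v6_listing)
    findings = []
    for chain in INBOUND_CHAINS:
        v4_policy, v4_rules = v4.get(chain, ("?", 0))
        v6_policy, v6_rules = v6.get(chain, ("?", 0))
        v4_filtered = v4_policy == "DROP" or v4_rules > 0
        if v4_filtered and (v6_policy, v6_rules) == ("ACCEPT", 0):
            findings.append(f"{chain}: IPv4 {v4_policy} with {v4_rules} rule(s), "
                            f"IPv6 ACCEPT with no rules")
    return findings


if __name__ == "__main__":
    for finding in ipv6_bypass_findings(IPTABLES_SAMPLE, IP6TABLES_SAMPLE):
        print("FINDING", finding)
```

On a real host the listings would come from running the two commands; the comparison logic stays the same. The same check applies to any firewall with separate address-family rule sets, not only to iptables.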
IPv6 DNS Threats
DNS attacks are generally grouped into three main categories of threats:
• Data corruption.
• Denial of Service.
• Privacy.
Rogue IPv6 Networks and Nodes
• Organizations that aren't running IPv6 and don't plan to run it any time soon should configure their firewalls to block IPv6 traffic from coming into and going out of their networks.
• However, this should be a temporary measure because an increasing amount of Internet traffic is IPv6-based, and organizations don't want to limit access for customers or business partners around the world who will be using IPv6.
IPv6 Security Monitoring
• How to monitor your network?
• How to use network monitoring to troubleshoot the network
• Hands-on using iNetmon Enterprise
IPv6 Forensics
The analysis of artifacts on IPv6-enabled systems is very similar to the analysis on traditional IPv4 systems. In some cases the same methods and tools may be used; in other cases, tools and methods may need to be slightly modified or enhanced to include IPv6 address support. This topic includes:
• Issues with dual-protocol systems.
• Finding IPv6 configuration details.
• Regular expressions and IPv6 artifacts.
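The "regular expressions and IPv6 artifacts" item is where IPv4 habits break: an IPv6 address can be compressed, upper or lower case, wrapped in brackets with a port, carry a `%zone` suffix, or embed a dotted IPv4 tail, and timestamps and MAC addresses also contain colons. The following is an added example, not course material: a loose pattern finds candidate tokens, and Python's `ipaddress` module validates and normalises them so that non-addresses fall out and repeated spellings of one address collapse to a single form. The log lines it scans are constructed.

```python
"""Pull IPv6 artifacts out of free-form log text.

Added example, not course material. A loose regular expression finds
candidate tokens; ``ipaddress`` then validates and normalises them, which
discards timestamps and MAC addresses that also contain colons. The log
lines below are constructed, not captured from a real system.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[2211]: Accepted publickey for ops from 2001:DB8:0:1::10 port 51234
2024-05-01T10:00:02Z kernel: [fw6] IN=eth0 SRC=fe80::1c2b:9aff:fe00:1 DST=ff02::1 ICMPv6 TYPE=134
2024-05-01T10:00:03Z nginx: client [2001:db8:0:1::10]:443 "GET /" 200
2024-05-01T10:00:04Z app: peer fd12:3456:789a::7%eth1 via 00:11:22:33:44:55 at 10:00:04
2024-05-01T10:00:05Z app: mapped-v4 client ::ffff:192.0.2.33 loopback ::1
"""

# Loose candidate matcher: hex groups separated by at least two colons, an
# optional dotted IPv4 tail and an optional %zone suffix. The lookbehind
# keeps it from starting in the middle of another token.
_CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z:.])"
    r"([0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?:\.\d{1,3}){0,3})"
    r"(?:%([A-Za-z0-9_.-]+))?"
)

_ULA = ipaddress.IPv6Network("fc00::/7")
_GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def _validate(candidate: str) -> Optional[ipaddress.IPv6Address]:
    """Return a normalised IPv6Address or None. Tolerates one trailing ':'
    picked up from prose such as 'from 2001:db8::1: connected'."""
    variants = [candidate]
    if candidate.endswith(":") and not candidate.endswith("::"):
        variants.append(candidate[:-1])
    for text in variants:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            continue
        if isinstance(addr, ipaddress.IPv6Address):
            return addr
    return None


def classify(addr: ipaddress.IPv6Address) -> str:
    """Coarse address class, useful when triaging which hosts a log names."""
    if addr.is_loopback:
        return "loopback"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"
    if addr.is_multicast:
        return "multicast"
    if addr.is_link_local:
        return "link-local"
    if addr in _ULA:
        return "unique-local"
    if addr in _GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def extract_ipv6(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Unique (address, zone, class) triples in first-seen order."""
    seen = set()
    rows = []
    for match in _CANDIDATE.finditer(text):
        addr = _validate(match.group(1))
        if addr is None:
            continue
        key = (str(addr), match.group(2))
        if key in seen:
            continue
        seen.add(key)
        rows.append((str(addr), match.group(2), classify(addr)))
    return rows


if __name__ == "__main__":
    for row in extract_ipv6(SAMPLE_LOG):
        print(row)
```

One ambiguity no regex can resolve: an unbracketed `2001:db8::1:443` is itself a valid address, so logs that print address and port without brackets cannot be parsed reliably after the fact. That is a logging-format decision to make before an incident, not during one.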
CSE6 Day 3 (Morning): IPv6 Security Issues
• Introduction and Effects of IPv6 Network Attacks
– IPv6 Spoofing
– ICMP Attack, Ping Attack, Smurf Attack, PING Flood, Ping of Death
– Port Scan Attack
– RIPng Routing Attack
– DHCPv6 Attack
– ICMPv6 Attack
– IPv6 DAD (Duplicate Address Detection) DoS Attack
• Demonstration of IPv6 Network Attacks (Case Examples)
Introduction and Effects of IPv6 Network Attacks
Based upon IPv4 experience, the new protocol incorporates a number of elements that address known security problems. The following attacks have substantial differences when moved to an IPv6 world. In some cases the attacks are easier, in some cases more difficult, and in others only the method changes:
• IPv6 spoofing.
• ICMP attack, ping attack, smurf attack, PING flood, ping of death.
• Port scan.
• RIPng routing attack.
• DHCPv6 attack.
• ICMPv6 attack.
• IPv6 DAD (Duplicate Address Detection) DoS attack.
IPv6 Spoofing
• The core principles of a flooding attack remain the same in IPv6 as in IPv4.
• Whether a local or a distributed DoS attack, flooding a network device or host with more traffic than it is able to process is an easy way to take a resource out of service.
• Techniques used to locate and trace back DoS attacks in IPv4 can be used in IPv6, though new techniques may be presented.
ICMP Attack
ICMP is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service, or allow the attacker to intercept packets. There are a few types of attacks that are associated with ICMP, shown as follows:
• ICMP DoS attack.
• ICMP packet magnification (or ICMP Smurf).
• Ping of death.
• ICMP PING flood attack.
ICMP DoS Attack
• The attacker could use either the ICMP "Time exceeded" or "Destination unreachable" messages.
• One of these ICMP messages is forged and sent to one or both of the communicating hosts.
• The connection will then be broken.
• If an attacker forges an ICMP "Redirect" message, it can cause another host to send packets for certain connections through the attacker's host.
Smurf Attack
• An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses.
• All the systems on those networks send ICMP echo replies to the victim.
• This consumes the target system's available bandwidth and creates a denial of service (DoS) for legitimate traffic.
PING Flood Attack
• A broadcast storm of pings overwhelms the target system so it can't respond to legitimate traffic.
• ICMP nuke attack: nukes send a packet of information that the target OS can't handle, which causes the system to crash.
Ping of Death
• An attacker sends an ICMP echo request packet that's larger than the maximum IP packet size.
• Since the received ICMP echo request packet is larger than the normal IP packet size, it's fragmented.
• The target can't reassemble the packets, so the OS crashes or reboots.
Port Scan Attack
• A port scan attack refers to scanning TCP/UDP ports to discover services that can be broken into.
• All machines connected to a LAN or connected to the Internet via a modem run many services that listen at well-known and not-so-well-known ports.
• Essentially, a port scan consists of sending a message to each port, one at a time.
• The kind of response received indicates whether the port is used and can therefore be probed further for weaknesses.
RIPng Routing Attack
• This attack takes advantage of the Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network.
• RIP is used to distribute routing information within networks, such as shortest paths, and to advertise routes out from the local network.
• Like TCP/IP, RIP has no built-in authentication, including for the information it provides.
DHCPv6 Attack
• The threats against DHCPv6 are similar to those in IPv4:
– Starvation: the attacker plays the role of many DHCPv6 clients and requests too many addresses, which depletes the pool of IPv6 addresses.
– Denial of service (DoS): the miscreant sends a huge number of SOLICIT messages to the servers, forcing them to install state for a while and causing a huge load on the servers' CPU and file systems, until legitimate clients can no longer be served.
IPv6 DAD (Duplicate Address Detection) DoS Attack
• In networks where entering hosts obtain their addresses with stateless address auto-configuration, an attacking node could launch a DoS attack by responding to every duplicate address detection attempt.
• If the attacker claims the addresses, then the host will never be able to obtain an address.
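The attack leaves a clear trace on the link: DAD probes are Neighbor Solicitations sent from the unspecified address `::`, and a genuine collision produces one Neighbor Advertisement for one target, whereas a node that "defends" many different tentative addresses in a short window is answering everything. The detector below is an added example, not course material, and works over Neighbor Discovery events as a monitoring sensor might record them; the event records, MAC addresses and addresses in it are constructed.

```python
"""Spot a node that answers every Duplicate Address Detection probe.

Added example, not course material. DAD probes are Neighbor Solicitations
sent from the unspecified address (::); a legitimate collision yields a
Neighbor Advertisement for one target. One link-layer source that
'defends' many different tentative addresses within a short window is the
signature of the DAD DoS. The event records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class NdEvent:
    """One Neighbor Discovery message as a monitoring sensor would log it."""
    t: float        # seconds since capture start
    kind: str       # "NS" or "NA"
    src_mac: str    # Ethernet source
    src_ip: str     # "::" marks a DAD probe
    target: str     # ND target address


# Constructed sample: a booting host probes three tentative addresses; one
# MAC answers all of them, while another host answers a single genuine
# collision on a fourth address. The last NA is unsolicited and ignored.
SAMPLE_EVENTS = [
    NdEvent(0.0, "NS", "02:00:00:00:00:01", "::", "2001:db8:1::a1"),
    NdEvent(0.1, "NA", "02:00:00:00:00:99", "fe80::99", "2001:db8:1::a1"),
    NdEvent(1.0, "NS", "02:00:00:00:00:01", "::", "2001:db8:1::a2"),
    NdEvent(1.1, "NA", "02:00:00:00:00:99", "fe80::99", "2001:db8:1::a2"),
    NdEvent(2.0, "NS", "02:00:00:00:00:01", "::", "2001:db8:1::a3"),
    NdEvent(2.1, "NA", "02:00:00:00:00:99", "fe80::99", "2001:db8:1::a3"),
    NdEvent(3.0, "NS", "02:00:00:00:00:05", "::", "2001:db8:1::b1"),
    NdEvent(3.1, "NA", "02:00:00:00:00:02", "fe80::2", "2001:db8:1::b1"),
    NdEvent(9.0, "NA", "02:00:00:00:00:99", "fe80::99", "2001:db8:1::c9"),
]


def dad_answers(events: List[NdEvent], window: float = 2.0) -> Dict[str, List[str]]:
    """Map each responder MAC to the distinct DAD targets it answered
    within `window` seconds of the probe."""
    probe_time: Dict[str, float] = {}
    answered: Dict[str, Set[str]] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "NS" and ev.src_ip == "::":
            probe_time[ev.target] = ev.t            # a tentative address is being probed
        elif ev.kind == "NA":
            t0 = probe_time.get(ev.target)
            if t0 is not None and 0 <= ev.t - t0 <= window:
                answered[ev.src_mac].add(ev.target)  # this NA defended that address
    return {mac: sorted(targets) for mac, targets in answered.items()}


def dad_dos_suspects(events: List[NdEvent], threshold: int = 3,
                     window: float = 2.0) -> Dict[str, List[str]]:
    """Responders that defended at least `threshold` distinct tentative
    addresses; a real host rarely owns more than one colliding address."""
    return {mac: targets for mac, targets in dad_answers(events, window).items()
            if len(targets) >= threshold}


if __name__ == "__main__":
    for mac, targets in dad_dos_suspects(SAMPLE_EVENTS).items():
        print(f"suspect {mac} answered DAD for {len(targets)} addresses: {targets}")
```

The threshold and window are tuning knobs: a host that legitimately re-probes after a collision will show one or two targets, so a threshold of three keeps that case quiet. On a switched network the responder's MAC is also what a port-security or RA/ND-guard feature would act on.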
CSE6 Day 3 (Afternoon): IPv6 Security Threat Mitigation
• Firewall for IPv6
• Exercise: Configuring and Deploying IPv6 Firewall (Hands-on)
• DHCPv6 and ICMPv6 Network Attack Mitigation
• CSE-6 Overall Summary
IPv6 Security Threat Mitigation
• Introduction to firewalls that are IPv6 capable
• Hands-on configuration and deployment of an IPv6 firewall
• Techniques and recommendations for mitigating DHCPv6 and ICMPv6 network attacks
Firewalls for IPv6
• IPv6 architecture and firewall requirements
– No need for NAT: the same level of security is possible with IPv6 as with IPv4 (security and privacy)
– Even better: end-to-end security with IPsec
– Weaknesses of the packet filtering cannot be hidden by NAT
– IPv6 does not require end-to-end connectivity, but provides end-to-end addressability
– Support for IPv4/IPv6 transition and coexistence
– Support for IPv6 header chaining
– Not breaking IPv4 security
• There are some IPv6-capable firewalls now
– Cisco ACL/PIX, iptables, ipfw, Juniper NetScreen
IPv6 firewall setup - method 1
• Internet ↔ router ↔ firewall ↔ net architecture
• Requirements:
– Firewall must support/recognise ND/NA filtering
– Firewall must support RS/RA if Stateless Address Auto-Configuration (SLAAC) is used
– Firewall must support MLD messages if multicast is required
IPv6 firewall setup - method 2
• Internet ↔ firewall ↔ router ↔ net architecture
• Requirements:
– Firewall must support ND/NA
– Firewall should support filtering of dynamic routing protocols
– Firewall should have a large variety of interface types
IPv6 firewall setup - method 3
• Internet ↔ firewall/router (edge device) ↔ net architecture
• Requirements:
– Can be powerful: one point for routing and security policy
– Very common in SOHO (DSL/cable) routers
– Must support what router AND firewall usually do
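All three setups share one requirement that IPv4 firewalls never had: ICMPv6 cannot be blanket-dropped, because Neighbor Discovery (NS/NA), router discovery (RS/RA) and MLD ride on it and must be recognised and filtered by their own rules. The decision function below is an added example, not course material and not any vendor's rule syntax; it encodes that requirement in the spirit of RFC 4890 (error messages and echo pass, ND only with hop limit 255 and a link-local or, for DAD, unspecified source, MLD only from link-local sources with hop limit 1, redirects and unlisted types dropped) so each rule can be checked against constructed packets. The type numbers are the IANA ICMPv6 assignments; the sample packets are constructed.

```python
"""Model of the ICMPv6 handling an IPv6-capable firewall must get right.

Added example, not course material and not any vendor's rule syntax. It
encodes the shared requirements of the three firewall setups (recognise
ND NS/NA, RS/RA and MLD instead of blanket-dropping ICMPv6) as a decision
function in the spirit of RFC 4890. Type numbers are IANA assignments;
the packets at the bottom are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# ICMPv6 type numbers (IANA registry).
DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
RS, RA, NS, NA, REDIRECT = 133, 134, 135, 136, 137

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass(frozen=True)
class Icmp6Packet:
    icmp_type: int
    src: str
    dst: str
    hop_limit: int


def decide(pkt: Icmp6Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one ICMPv6 packet."""
    src = ipaddress.IPv6Address(pkt.src)
    on_link = src in LINK_LOCAL
    if pkt.icmp_type in (DEST_UNREACH, PACKET_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM):
        return "accept", "error message needed for PMTUD and diagnostics"
    if pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        return "accept", "echo (rate-limit in production)"
    if pkt.icmp_type in (RS, RA, NS, NA):
        # ND is link-local only: RFC 4861 requires hop limit 255 and a
        # link-local source, except DAD probes, which are NS sent from ::.
        if pkt.hop_limit != 255:
            return "drop", "ND with hop limit != 255 was forwarded, not on-link"
        if pkt.icmp_type == NS and src == UNSPECIFIED:
            return "accept", "DAD probe"
        if not on_link:
            return "drop", "ND from non-link-local source"
        return "accept", "on-link ND"
    if pkt.icmp_type == REDIRECT:
        return "drop", "redirects not accepted through the firewall"
    if pkt.icmp_type in (MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT):
        # MLD (RFC 2710 / RFC 3810) uses link-local sources and hop limit 1.
        if on_link and pkt.hop_limit == 1:
            return "accept", "MLD from on-link source"
        return "drop", "MLD with non-link-local source or wrong hop limit"
    return "drop", "unlisted ICMPv6 type"


# Constructed sample packets.
SAMPLE_PACKETS = [
    Icmp6Packet(NS, "::", "ff02::1:ff00:a1", 255),            # DAD probe
    Icmp6Packet(RA, "fe80::1", "ff02::1", 255),               # on-link RA
    Icmp6Packet(RA, "fe80::1", "ff02::1", 64),                # hop-limit mismatch
    Icmp6Packet(NA, "2001:db8::5", "2001:db8::9", 255),       # global source
    Icmp6Packet(MLDV2_REPORT, "fe80::abcd", "ff02::16", 1),   # MLD report
    Icmp6Packet(PACKET_TOO_BIG, "2001:db8:ffff::1", "2001:db8::9", 60),
    Icmp6Packet(100, "2001:db8::7", "2001:db8::9", 64),       # private experimentation type
]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = decide(p)
        print(f"type {p.icmp_type:3d} from {p.src:<20} -> {verdict:6s} ({why})")
```

Which ND types belong on which side differs between the three architectures: in method 1 the firewall sits inside the router and sees RA from the router's link-local address, while in method 2 RA must never be accepted from the Internet-facing interface. The function above models only the per-message checks; interface direction is an additional match a real rule set would add.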
CSE6 Day 4
Morning
• Revision
• Creating IPv6 Security Policy (Hands-on)
• Certification Exam (Theory)
• Certification Exam
Afternoon
• Discussion: Creating IPv6 Security Policy For Own Organization
• Case Study and Discussion
• Presentation of Certificate of Attendance
Thank You