Security Implications of IPv6
Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist
Welcome to WatchGuard’s IPv6 Webinar Series!
Security Implications of IPv6
• v6 in a v4 world
• v6 security advantages/disadvantages
You’re here because v6 matters to you
Part 1: Security Implications of IPv6 in a (mostly) IPv4 World
I’m Running IPv4…Does This Affect Me?
Remember This?
Tunnels In My v4? Holy Teredo!
Talking Behind My Back?
Within the confines of your network, many devices may be communicating over IPv6, even if they are not sending packets to and from the Internet!
Remember...
…Which means...
Spotting and Controlling Rogue IPv6
Part 2: Security Implications of IPv6
The Big IPv6 Security Question
•IPv6 Offers:
IPv6 Security: The Good
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What’s IPSec Again?
Among other things, IPSec consists of:
• Authentication Headers (AH) – Provides data origin authentication and integrity (protects against replay attacks)
• Encapsulating Security Payloads (ESP) – Adds encryption to the mix to provide confidentiality
Internet Protocol Security (IPSec) is a standard for adding strong authentication, message integrity, anti-replay, and encryption (confidentiality) to IP packets, thus providing secure and private communications.
What are IPv6 Extension Headers?
Remember IPv6 header simplification?
IPv4 Header (20 bytes):
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding
IPv6 Header (40 bytes):
Version | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
Dropped options need to go somewhere…
Ext. headers may include:
• Hop-by-hop options
• Destination Options
• Routing
• Fragmentation
• AH Header
• ESP Header
• Etc…
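A firewall or sensor has to follow the Next Header chain to find out what an IPv6 packet actually carries. The following is an added example, not part of the original slides: a chain walker for the extension headers listed above, run over constructed packets that use documentation addresses (the function and constant names are illustrative).

```python
import struct

# Next Header values (IANA protocol numbers) for the extension headers the slide lists.
EXT = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
       50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def walk_headers(packet: bytes) -> list:
    """Follow the Next Header chain after the 40-byte fixed IPv6 header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT:
        chain.append(EXT[nxt])
        if nxt == 50:                      # ESP: the rest is encrypted
            return chain
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        following, length = packet[off], packet[off + 1]
        if nxt == 44:                      # Fragment header: fixed 8 bytes
            size = 8
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                chain.append("non-first fragment")   # no upper-layer header here
                return chain
        elif nxt == 51:                    # AH: length in 4-byte units, minus 2
            size = (length + 2) * 4
        else:                              # others: 8-byte units, minus 1
            size = (length + 1) * 8
        if off + size > len(packet):
            raise ValueError("extension header runs past end of packet")
        nxt, off = following, off + size
    chain.append(UPPER.get(nxt, "protocol %d" % nxt))
    return chain


def build(first_next: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed header with documentation addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), first_next, 64) + src + dst + payload


PAD6 = bytes([1, 4, 0, 0, 0, 0])           # PadN option filling an 8-byte header
TCP = bytes(20)                            # placeholder TCP header (all zeros)
AH = bytes([6, 4]) + bytes(22)             # next=TCP, len=4 -> 24-byte AH
PLAIN = build(6, TCP)
CHAINED = build(0, bytes([60, 0]) + PAD6 + bytes([51, 0]) + PAD6 + AH + TCP)
ENCRYPTED = build(50, bytes(32))           # ESP: SPI, sequence, opaque data

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("chained", CHAINED), ("esp", ENCRYPTED)):
        print(name, walk_headers(pkt))
```

A filter that only inspects the fixed header's Next Header field sees "Hop-by-Hop Options" for the chained packet and never reaches the TCP header behind it.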
Built-In IPSec Offers Better Security… Right?
IPSec is a mandatory part of the IPv6 Protocol
What does this really mean?
• Part of IPv6 protocol stack, not an optional add-on
• Implemented with AH and ESP Extension Headers
• Follows one standard (fewer interop issues)
• Every IPv6 device can do IPSec
• However, IPSec usage is still OPTIONAL!
Wait! Doesn’t IPv4 Offer IPSec too?
Some truths about IPv6’s additional IPSec Security:
• IPv4 has it too (though, not “natively”)
• You don’t have to use it, and most don’t
• Still complex
• May require PKI Infrastructure
So is this really a security benefit?
• Short term – probably no measurable advantage over IPv4 IPSec
• Long term – More applications will leverage it now that it’s mandatory!
So Long NAT! Hello, End-2-End Addressing
Vast Address Space Naturally Thwarts Certain Attacks
(340 undecillion)
Too big for automated reconnaissance and attack:
IPv6 Security: The Bad
Immature Protocols = Increased Vulnerability & Risk
During the creation life-cycle of new standards and protocols:
• Security is often an after-thought
• Unexpected problems happen due to complex interactions
• Many issues don’t surface until the tech receives wider usage
These concepts have proven themselves with many new network protocols in the past. Most experts suspect there are many security issues in IPv6, and related protocols, that we have yet to uncover.
Unfamiliarity Causes Misconfigurations
Many network administrators and IT practitioners are still relatively unfamiliar with all IPv6’s “ins and outs”
Common issues:
• Not realizing IPv6 is already in their network
• Ignorance of Tunneling Mechanisms
• Lack of ACL policy for IPv6 multi-homing
• Unawareness of potential privacy issues
• Over permissiveness, just to get it to work
Automatic Addressing May Pose Privacy Concerns
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
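The four steps above are reversible, which is where the privacy concern comes from. The following is an added example, not part of the original slides: it derives the interface ID from the slide's MAC, then recovers that MAC from constructed addresses on two documentation prefixes. It follows RFC 4291, which flips the 7th bit; for a factory-assigned MAC that bit starts at 0, so the result matches step 4. Function names are illustrative.

```python
import ipaddress


def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291, Appendix A): split, insert FFFE, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    eui[0] ^= 0x02                         # the "7th bit" of the first byte
    return bytes(eui)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface ID derived from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface IDs need a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_mac(address: str):
    """Return the MAC hidden in an EUI-64 address, or None if the IID is not EUI-64."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02                         # undo the U/L bit flip
    return "-".join("%02X" % b for b in mac)


def track_across_networks(addresses):
    """Group observed addresses by recovered MAC: the same MAC on different
    prefixes means the same device can be followed between networks."""
    seen = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac:
            seen.setdefault(mac, []).append(addr)
    return seen


# Constructed observations: the slide's MAC on two documentation prefixes,
# plus one address with a randomized (non-EUI-64) interface ID.
OBSERVED = [
    "2001:db8:a::923a:2bff:fe06:2cd1",
    "2001:db8:b::923a:2bff:fe06:2cd1",
    "2001:db8:a::5c1e:93d2:7ab4:11f0",
]

if __name__ == "__main__":
    print(track_across_networks(OBSERVED))
```

The same check is useful on your own address inventory: any host for which `embedded_mac` returns a value is advertising its hardware address in every packet it sends.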
A Look Back at IPv4 ARP Poisoning
Who has 192.168.20.34?
I Do. Here’s my MAC
Hey Everyone. I have 192.168.20.34 And 192.168.20.2, And …..
I also have 192.168.20.1
No authentication or security
Neighbor Discovery Suffers from Similar Issues
Neighbor Solicitation: Who has 2001::3/64?
Neighbor Advertisement: I Do. Here’s my Layer 2 address
ND Spoofing: I Do. Send traffic to me
No authentication or security
Many Other Neighbor and Router Discovery Issues
Solution: SEcure Neighbor Discovery (SEND) – RFC 3971
• Essentially adds IPSec to ND communications
• Requires PKI Infrastructure
• Not available in all OSs yet.
• 802.1X also an option
Other ND related attacks:
• Duplicate Address Detection (DAD) DoS attack
• ND spoofing attack for router (allows for MitM)
• Neighbor Unreachability Detection (NUD) DoS attack
• Last Hop Router spoofing (malicious router advertisements)
• And many more… (http://rfc-ref.org/RFC-TEXTS/3756/chapter4.html)
New Multicast Protocol Helps with Reconnaissance
In the first webinar, we introduced IPv6 multicast addresses.
IPv6 multicast includes a ton of reserved addresses. Here’s a few:
Multicast Address    Reservation
FF02::1              All Host Address
FF02::2              All Router Address (LL)
FF02::9              RIP Routers
FF02::A              EIGRP Routers
FF02::B              Mobile-Agents
FF02::1:2            All DHCP Agents
FF05::2              All Router Address (SL)
FF05::1:3            All DHCP Servers
FF05::1:4            ALL DHCP Relays
FF0X::101            NTP
FF0X::106            Name Service Server
Attackers can use these multicast addresses to enumerate your network.
Note: RFC 2375
IPv6 Security Controls Lagging Hacking Arsenal/Tools
Attackers already have many IPv6-capable tools:
THC-IPv6 Attack Suite
Unfortunately, IPv6 security controls and products seem to be a bit behind.
IPv6 Security: The Different
Neutral IPv6 Differences of Concern
Some of IPv6’s differences have security connotations that you should know about. However, they aren’t necessarily inherently good or bad.
Typical IPv6 Devices Have Multiple Addresses
You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization
Extra Security Can Cause Insecurity
Firewalls (and Admins) Must Learn New Tricks
EXTRA: The Same
There are some security issues that IPv6 has little effect on:
IPv6 Security: Conclusion
So… Does/Will IPv6 Provide More Security?
Wrapping It Up
Coming Up Next… (1 month from now)
What To Expect from IPv6
• ISP activities
• Connecting the Islands
Major References
• IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf
• IPv6 Security Challenges https://www.cs.siue.edu/~wwhite/CS447/TopicalPaper/Originals/Bridges_IPv6SecurityChallenges.pdf
• IPv6 Security Challenges by Samuel Sotillo http://www.infosecwriters.com/text_resources/pdf/IPv6_SSotillo.pdf
• IPv6 Security Best Practices http://www.cisco.com/web/SG/learning/ipv6_seminar/files/02Eric_Vyncke_Security_Best_Practices.pdf
• IPv6 Security Considerations and Recommendations http://technet.microsoft.com/en-us/library/bb726956.aspx
• NIST: Guidelines for the Secure Deployment of IPv6 http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
• IPv6 Transition/Coexistence Security Considerations (RFC 4942) http://www.ietf.org/rfc/rfc4942.txt
• And many more….
Thank You!