Post on 22-Jan-2016
Prof. Dr. Sureswaran Ramadass
Director, National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia
IPv6 Security: Firewall Considerations
Why IPv6?
1. Exhaustion of the IANA IPv4 free pool.
2. Awareness activities such as the IPv6 Forum and “World IPv6 Day”.
3. Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs.
4. All OSes have IPv6 support, so part of your network is already running IPv6!
5. IPv6 is the only way moving forward! How about NAT???
NAT Causes Problems
• Breaks globally unique address model
• Breaks address stability
• Breaks always-on model
• Breaks peer-to-peer model
• Breaks some applications
• Breaks some security protocols
• Breaks some QoS functions
• Introduces a false sense of security
• Introduces hidden costs
Drivers for IPv6
• An explosion of Internet applications, games, information sources, and financial transactions.
• The movement of traditional services such as voice and video from legacy circuit-based infrastructures to IP networks.
• Millions of new IP-enabled mobile devices, with millions more projected in the near future.
• Expanding economies in populous countries such as China and India, and developing economies throughout the world.
• Burgeoning consumer electronics industries finding new ways to exploit IP capabilities.
• Emerging IP-enabled sensor networks for industrial, medical, and military applications.
IPv6 Migration / Deployment
RIRs have been allocating IPv6 address space since 1999.
Thousands of organizations have received an IPv6 allocation to date.
ARIN has IPv6 distribution policies for service providers, community networks, and end-user organizations.
IPv6 Deployment has begun
IPv4 & IPv6 Coexistence
• Today, the Internet is predominantly based on IPv4.
• For the foreseeable future, the Internet must run both IP versions (IPv4 & IPv6) at the same time. (When done on a single device, this is called the “dual-stack” approach.)
• Deployment is already underway: Today, there are organizations attempting to reach your mail, web, and application servers via IPv6...
Is IPv6 more (or less) secure than IPv4?
Does IPv6 help or hinder network security?
The Answer is not that simple!
The Big IPv6 Security Question
Types of IPv6 Security Issues
• Issues due to the IPv6 protocol itself
• Issues due to transition mechanisms
• Issues due to IPv6 deployment.
• Dual-stacking increases the complexity of the network, and thus the number of potential vulnerabilities.
• Co-existence traffic usually results in complex traffic (with multiple encapsulations).
• This increases the difficulty of performing Deep Packet Inspection (DPI)
• Increase in complexity of firewall filtering policies or detection.
Co-existence Security Concerns
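The multiple-encapsulation point above is easiest to see in code. The following Python is an added example, not code from the slides: it peels a 6in4 tunnel (IPv4 protocol 41) and then walks the IPv6 extension-header chain, which is exactly what a firewall or DPI engine must do before it can see the transport protocol or the ICMPv6 type; it also covers the "handling new extension headers" concern raised later in the deck. The sample packets are constructed inline from the documentation ranges 2001:db8::/32 and 192.0.2.0/24 with checksums left at zero, and the MAX_EXT limit is an assumed policy knob, not a standard value.

```python
"""Peel encapsulations and IPv6 extension headers to find what a firewall or
DPI engine actually has to inspect.  Added example; sample packets are
constructed inline (documentation prefixes, zero checksums)."""
import struct

IPPROTO_HOPOPTS, IPPROTO_TCP, IPPROTO_UDP = 0, 6, 17
IPPROTO_IPV6, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 41, 43, 44
IPPROTO_ICMPV6, IPPROTO_DSTOPTS = 58, 60

EXT_HEADERS = {IPPROTO_HOPOPTS: "hop-by-hop", IPPROTO_ROUTING: "routing",
               IPPROTO_FRAGMENT: "fragment", IPPROTO_DSTOPTS: "dst-options"}
UPPER = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp", IPPROTO_ICMPV6: "icmpv6"}
MAX_EXT = 8  # assumed policy knob: refuse extension-header chains longer than this


def decode(pkt: bytes) -> list:
    """Return the layer names seen, outermost first, ending at the upper-layer
    protocol (and, for ICMPv6, its type).  Truncated input yields 'truncated'."""
    layers, off = [], 0
    if len(pkt) < 1:
        return ["truncated"]
    version = pkt[0] >> 4
    if version == 4:
        if len(pkt) < 20:
            return ["truncated"]
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]   # IHL in 32-bit words; protocol is byte 9
        layers.append("ipv4")
        off = ihl
        if proto != IPPROTO_IPV6:                  # plain IPv4: stop at its payload
            layers.append(UPPER.get(proto, f"proto-{proto}"))
            return layers
        layers.append("6in4")                      # protocol 41: IPv6 tunnelled inside IPv4
        if len(pkt) < off + 40 or pkt[off] >> 4 != 6:
            return layers + ["truncated"]
    elif version != 6:
        return [f"unknown-version-{version}"]
    # IPv6 fixed header: Next Header is byte 6 of the 40-byte header
    nh = pkt[off + 6]
    off += 40
    layers.append("ipv6")
    chain = 0
    while nh in EXT_HEADERS:                       # walk the extension-header chain
        if len(pkt) < off + 8:
            return layers + ["truncated"]
        layers.append(EXT_HEADERS[nh])
        # Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len in 8-octet units, minus 1
        ext_len = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + ext_len
        chain += 1
        if chain > MAX_EXT:
            return layers + ["ext-chain-too-long"]
    layers.append(UPPER.get(nh, f"proto-{nh}"))
    if nh == IPPROTO_ICMPV6 and len(pkt) > off:
        layers.append(f"icmpv6-type-{pkt[off]}")   # ICMPv6 type is the first payload byte
    return layers


def _ipv6_header(next_header: int, payload_len: int) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")   # 2001:db8::1 (constructed)
    dst = bytes.fromhex("20010db8000000000000000000000002")   # 2001:db8::2 (constructed)
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def sample_6in4_echo() -> bytes:
    """IPv4 -> proto 41 -> IPv6 -> Hop-by-Hop -> ICMPv6 Echo Request (type 128)."""
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])              # type, code, checksum (0), id, seq
    hbh = bytes([IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])     # next=58, len=0 (8 bytes), PadN(4)
    v6 = _ipv6_header(IPPROTO_HOPOPTS, len(hbh) + len(icmp)) + hbh + icmp
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_IPV6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return v4 + v6


def sample_native_tcp() -> bytes:
    """Native IPv6 -> TCP SYN to port 80 (constructed, checksum 0)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return _ipv6_header(IPPROTO_TCP, len(tcp)) + tcp


def sample_long_chain(n: int) -> bytes:
    """Native IPv6 with n chained Destination Options headers before an ICMPv6 echo."""
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])
    hdrs = b"".join(bytes([IPPROTO_DSTOPTS if i < n - 1 else IPPROTO_ICMPV6, 0, 1, 4, 0, 0, 0, 0])
                    for i in range(n))
    return _ipv6_header(IPPROTO_DSTOPTS, len(hdrs) + len(icmp)) + hdrs + icmp


if __name__ == "__main__":
    for name, build in (("6in4 echo", sample_6in4_echo), ("native tcp", sample_native_tcp),
                        ("chain of 10", lambda: sample_long_chain(10))):
        print(f"{name:12s} -> {decode(build())}")
```

A filter that only looks at the outer IPv4 header sees "protocol 41" and nothing else; the tunnelled ICMPv6 echo, and any ICMPv6 policy you have for native traffic, is invisible to it until the inner chain is walked. The chain-length guard exists because each extension header moves the transport header further into the packet, and an unbounded walk is itself a resource-exhaustion risk for the inspecting device.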
IPv6 Deployment Security Concerns
• There is much less experience with IPv6 than with IPv4
• IPv6 implementations are less mature than their IPv4 counterparts
• Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4
• The complexity of the resulting network will increase during the transition/co-existence period:
– Two internetworking protocols (IPv4 and IPv6)
– Increased use of NATs
– Increased use of tunnels
– Use of other transition/co-existence technologies
• Lack of well-trained IPv6 Engineers.
Areas of Concern of IPv6 Deployment
• System Security
• Security Training & Experience
• Hackers
• Application Security
• Network Security
• Attackers already have many IPv6-capable tools:
THC-IPv6 Attack Suite
Alive6
Parasite6
Redir6
Fake_Router6
Detect-New-IPv6
DoS-New-IPv6
Smurf6
rSmurf6
TooBig6
Fake_MIPv6
Fake_mld6
Fake_Advertiser6
SendPees6
DNSDict6
Trace6
Flood_Router6
Flood_Advertise6
Fuzz_IP6
etc…
Unfortunately, IPv6 security controls and products seem to be a bit behind.
THC-IPv6 Attack Suite
Nmap
iNetmon/Wireshark
Multi-Generator (MGEN)
IPv6 Security Scanner (vscan6)
Halfscan6
Strobe
Netcat6
Imps6-tools
Relay6
6tunnel
NT6tunnel
VoodooNet
Scapy6
Metasploit (etc.)
Web Browsers (XSS & SQLi)
TCPDump
COLD
Spak6
Isic6
Hyenae
SendIP
Packit
4to6ddos
6tunneldos
IPv6 Security Hacking Arsenal/Tools
IPv6 and Firewall
• On Windows, many third party host based firewalls have only limited support for IPv6.
– Some have none at all.
– Others may even block some mechanisms such as DHCPv6 or SLAAC.
– In Windows 7 and above, the built-in firewall has excellent support for IPv6.
• On *BSD, the pf kernel-based packet filter can easily be deployed as an excellent host based dual stack firewall. You can even build a full gateway firewall using it.
• The pfSense open source project has built a good GUI around pf, but has very limited support for IPv6.
• On Linux, netfilter/iptables is roughly equivalent to *BSD’s pf, but is not as complete; it does also have support for IPv6.
Host Based Firewalls
• In addition to all the typical gateway firewall mechanisms and controls for IPv4 (including port forwarding and NAT), true dual-stack gateway firewalls should include the following new features:
– Support for native dual stack service, plus tunnel endpoint support for one or more mechanisms including 6in4, TSP, 6rd, and even 4in6.
– Configurable Router Advertisement Daemon
– Support for multiple internal subnets with different /64 prefixes into each internal subnet.
– Packet filtering controls for IPv6 traffic independent of controls for IPv4.
– Independent control over all ICMPv6 messages
– Dual stack application layer proxies for the most common protocols (HTTP, SMTP, SIP, etc.)
Gateway Firewalls
At least a Link-Local Address (FE80::/10)
Likely a Unique Global Address (2000::/3)
Possibly a Site-Local Address (FC00::/7)
You will probably need MULTIPLE firewall or ACL policies for these extra networks within your organization
Typical IPv6 Devices Have Multiple Addresses
How to filter ICMPv6?
Handling new extension headers
Filtering Multicast and Anycast
Hosts w/multiple addresses
Firewalls (and Admins) Must Learn New Tricks
• More powerful than ICMPv4
• ICMPv6 uses IPv6 extension header # 58 (RFC 2463)
– Type  Description
– 1     Destination Unreachable
– 2     Packet too Big
– 3     Time exceeded
– 4     Parameter problem
– 128   Echo Request
– 129   Echo Reply
– 130   Multicast Listener Query – sent to ff02::1 (all nodes)
– 131   Multicast Listener Report
– 132   Multicast Listener Done – sent to ff02::2 (all routers)
– 133   Router Solicitation (RS) – sent to ff01::2 (all routers)
– 134   Router Advertisement (RA) – sent to ff01::1 (all nodes)
– 135   Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104
– 136   Neighbor Advertisement (NA)
– 137   Redirect
ICMPv6
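The ICMPv6 type table above, together with the earlier point that every IPv6 host carries several addresses (link-local FE80::/10, global 2000::/3, the FC00::/7 range, plus multicast groups), translates into a host-firewall policy that keys on ICMPv6 type, source-address scope and hop limit rather than on type alone. The Python below is an added example, not code from the slides: it classifies addresses by the prefixes the deck lists, returns accept, drop or rate-limit for one inbound ICMPv6 packet, and renders the Neighbor Discovery part of the policy as netfilter ip6tables rules. The rule set follows the general RFC 4890 guidance (NDP types 133-137 only from link-local sources with hop limit still 255, Packet Too Big always accepted so PMTUD keeps working, MLD only with hop limit 1); the exact verdicts, the rate-limit choices and the sample packets are this example's assumptions.

```python
"""Host-firewall decision logic for inbound ICMPv6, with source-scope checks.
Added example (not from the slides); policy choices are assumptions loosely
based on RFC 4890, and the sample addresses use documentation prefixes."""
import ipaddress

# Address scopes as listed in the deck, plus multicast
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
GLOBAL = ipaddress.IPv6Network("2000::/3")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
MULTICAST = ipaddress.IPv6Network("ff00::/8")

# ICMPv6 type groups from the table
ERRORS = {1, 2, 3, 4}
ECHO = {128, 129}
MLD = {130, 131, 132}
NDP = {133, 134, 135, 136, 137}


def scope(addr: str) -> str:
    """Classify one address by the prefixes above; '::' and anything else is 'other'."""
    a = ipaddress.IPv6Address(addr)
    for name, net in (("multicast", MULTICAST), ("link-local", LINK_LOCAL),
                      ("unique-local", UNIQUE_LOCAL), ("global", GLOBAL)):
        if a in net:
            return name
    return "other"


def icmpv6_verdict(icmp_type: int, src: str, dst: str, hop_limit: int) -> str:
    """Return 'accept', 'drop' or 'rate-limit' for one inbound ICMPv6 packet."""
    s = scope(src)
    if icmp_type in NDP:
        # NDP never crosses a router: the source must be link-local (or the
        # unspecified address for a DAD solicitation) and the hop limit must
        # still be 255; anything else was forwarded or forged off-link.
        if hop_limit == 255 and (s == "link-local" or src == "::"):
            return "accept"
        return "drop"
    if icmp_type in MLD:
        # MLD is link-scoped: hop limit 1 from a link-local source
        return "accept" if hop_limit == 1 and s == "link-local" else "drop"
    if icmp_type == 2:
        return "accept"            # Packet Too Big: blocking it breaks PMTUD
    if icmp_type in ERRORS:
        return "rate-limit"        # other errors are useful but abusable for floods
    if icmp_type in ECHO:
        # assumed policy: echo from on-site scopes is fine, from the Internet is limited
        return "rate-limit" if s == "global" else "accept"
    return "drop"                  # unknown or experimental types


def ip6tables_rules() -> list:
    """Render the NDP and Packet-Too-Big part of the policy as netfilter ip6tables
    INPUT rules (an illustrative rendering, not a complete host ruleset)."""
    rules = [f"ip6tables -A INPUT -p icmpv6 --icmpv6-type {t} "
             f"-s fe80::/10 -m hl --hl-eq 255 -j ACCEPT" for t in sorted(NDP)]
    rules.append("ip6tables -A INPUT -p icmpv6 --icmpv6-type 135 "
                 "-s ::/128 -m hl --hl-eq 255 -j ACCEPT")   # DAD solicitations
    rules.append("ip6tables -A INPUT -p icmpv6 --icmpv6-type 2 -j ACCEPT")
    rules.append("ip6tables -A INPUT -p icmpv6 -j DROP")    # default for the rest
    return rules


# Constructed sample packets: (type, src, dst, hop limit)
SAMPLES = [
    (134, "fe80::1", "ff02::1", 255),          # RA from an on-link router
    (134, "2001:db8::1", "ff02::1", 255),      # RA with a global source: off-link/forged
    (135, "::", "ff02::1:ff00:1", 255),        # DAD neighbor solicitation
    (136, "fe80::1", "fe80::2", 64),           # NA whose hop limit was decremented
    (2, "2001:db8:1::1", "2001:db8::5", 60),   # Packet Too Big from a remote router
    (128, "2001:db8:1::1", "2001:db8::5", 60), # echo request from the Internet
]


def evaluate(samples=SAMPLES) -> list:
    """Apply the policy to each sample; returns the list of verdicts in order."""
    return [icmpv6_verdict(*pkt) for pkt in samples]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLES, evaluate()):
        print(f"type {pkt[0]:3d} from {pkt[1]:>14s} ({scope(pkt[1]):12s}) hl={pkt[3]:3d} -> {verdict}")
    print("\n".join(ip6tables_rules()))
```

The point of carrying the source scope into the decision is the "multiple addresses" slide: a single IPv4-style rule per type is not enough, because the same ICMPv6 type is legitimate from one of a host's address scopes and suspicious from another, and the hop-limit check is what distinguishes an on-link neighbor from a packet that was routed in from elsewhere.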