
Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar

Date post: 19-Jan-2015
Description:
A one-hour technical discussion on becoming BYOD-ready (Bring Your Own Device) at the first hop, with two protocols and a single security policy. As BYOD becomes more and more prevalent, keep in mind that most devices support both IPv4 and IPv6; thus, even if you do not yet provide IPv6 connectivity, you still need to maintain the same protection as with IPv4. This webinar briefly refreshes the available first hop security measures for IPv4 and focuses on the new features that provide the matching functionality for IPv6.
Transcript
Page 1: Preparing for BYOD and IPv6 with a Single Security Policy TechAdvantage Webinar

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco TechAdvantage Webinars: Preparing for IPv6 and BYOD with a Single Security Policy. This webinar will provide an overview of how BYOD is challenging L2 domain security, and how in this scenario IPv6 requires other capabilities, not present in IPv4, to face it. Andrew and Rafael will highlight what is new, what the threats on the link layer are, and what solutions are available today at Cisco to mitigate them. Follow us @GetYourBuildOn

Andrew Yourtchenko Rafael Maranon-Abreu

Page 2

Register for a Technical Seminar with our Cisco Software SMEs: http://www.ciscolive.com/london/registration-packages/

Session Title – Session Number

•  Advanced LISP Techtorial – TECIPM-3191
•  Advanced Network Automation – TECNMS-3601
•  Application Awareness in the network; the Route to Application Visibility and Control – TECRST-2672
•  Converged Access: Wired/Wireless System Architecture, Design and Operations – TECCRS-2678
•  Enterprise QoS Design Strategy – TECRST-2501
•  IP Mobility Deep Dive – TECSPG-3668
•  IPv6 for Dummies: An Introduction to IPv6 – TECMPL-2192
•  IPv6 Security – TECRST-2680
•  Scaling the IP NGN with Unified MPLS – TECNMS-3601
•  Software Defined Networking and Use Cases – TECSPG-2667
•  Understanding and Deploying IP Multicast Networks – TECIMP-1008

Page 3

Panelists and Speakers

•  Andrew Yourtchenko – Technical Leader
•  Rafael Maranon-Abreu – Product Manager
•  David Lapier – Product Manager
•  Ralph Schmieder – Technical Engineer

Page 4

•  Submit questions in the Q&A panel and send to “All Panelists”; avoid the CHAT window for better access to panelists

•  Please complete the post-event survey

•  For WebEx audio, select COMMUNICATE > Join Audio Broadcast

•  Where can I get the presentation? (Or request it by email.)

•  Join us January 9th for our next TechAdvantage Webinar: Enhancing Application Performance with PfR www.cisco.com/go/techadvantage

•  For WebEx call back, click ALLOW phone button at the bottom of participants side panel

Page 5

•  Introduction to BYOD, IPv6 and L2 Domain Security

•  IPv6 vs IPv4, what is new?

•  Threats on the link layer

•  Mitigations

Page 6

http://www.forbes.com/sites/sap/2012/03/05/cisco-the-biggest-mobile-byod-deployment-around/

Page 7

•  Two of five college students and young employees said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility than a higher-paying job with less flexibility.

•  Regarding security-related issues in the workplace, three of five employees believe they are not responsible for protecting corporate information and devices.

The Cisco Connected World Technology Report 2011

Top two perceived benefits of BYOD:

•  Improved employee productivity (more opportunities to collaborate)

•  Greater job satisfaction (flexibility and work-life balance)

Page 8

•  2+ BYOD per employee.

•  1 BYOD per employee.

•  0 BYOD per employee.

Page 9

Growth catalysts (Source: Cisco VNI Global Forecast, 2011–2016):

•  More devices – nearly 19 billion connections
•  More Internet users – 3.4 billion Internet users
•  Faster broadband speeds – 4-fold speed increase
•  More rich media content – 1.2 M video minutes per second

Page 10

World IPv6 Launch activated: 3000+ websites, 50 networks (ISPs), 4 home router vendors.

Public sector in the first 100 sign-ups (3006 total)*: National Library of Medicine, NASA, Department of State, Department of Education, REMS, Doingwhatworks, USGS, U Penn, UNC, U Wisconsin, NCSU, U Utah, USDA, VA, National Park Service, US Census Bureau.

Source: http://www.worldipv6launch.org/participants/?q=1

Page 11

Inside – Out drivers (Dual-Stack Enterprise, IPv4 Internet):
•  Globalization
•  Technology Leadership
•  Industry mandate
•  BYOD-Security-Visibility
•  Flatten management plane

Outside – In drivers (IPv4 Enterprise, IPv6 Internet):
•  Internet Evolution
•  Business Continuity
•  B2C, B2B

http://www.cisco.com/en/US/netsol/ns817/networking_solutions_program_home.html

Page 12

•  No plans

•  24 months

•  12 months

•  6 months

•  Done

Page 13

Poll results: “When are you planning to deploy IPv6 in production” – two bar charts (0–60% scale): July 2010 (categories: In Progress, 6 months, 12 months, 24 months, No plans) and March 2012 (categories: Done, 6 months, 12 months, 24 months, No plans). Values highlighted on the slide: 32%, 40%, 65%, 15%.

Page 14

BYOD architecture components (diagram): Cisco Catalyst Switches, Cisco WLAN Controller, ISE, iOS or Android devices, AD/LDAP, User X / User Y, MDM Mgr, NCS Prime, ASA Firewall, CSM / ASDM.

Page 15

Link operations: operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.

•  It encompasses:
–  Address configuration parameters
–  Address initialization
–  Address resolution
–  Default gateway discovery
–  Local network configuration
–  Neighbor reachability tracking

Page 16

Example of Inside Attacks exploiting IPv6 Link Operations – IPv6 Link Operations can be easily attacked inside the local network:

•  The attacker can become the local default gateway by sending rogue Router Advertisements
•  The attacker can disable the local IPv6 network by poisoning Duplicate Address Detection
•  The attacker can spoof a user address by snooping Neighbor Solicitation and poisoning Neighbor Advertisement

The Challenge: Attacks Inside the network (diagram: an authenticated device behind the access switches, data security at the edge)

Page 17

•  Catalyst Integrated Security Features (CISF)

For more info: http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf

Page 18

The Solution: IPv6 Snooping and Guard – IPv6 First Hop Security in the access switch (intelligent perimeter at the edge)

•  Monitor device address assignment with Binding Integrity Guard
•  Maintain a trustworthy database of IPv6 devices and block illegitimate IPv6 data traffic with Source Guard
•  Block rogue advertisements from illegitimate routers and DHCP servers with RA Guard and DHCPv6 Guard
•  Pre-configure port roles and dynamically learn a trusted domain of routers/DHCP servers
•  Track IPv6 devices by snooping neighbor and router solicitations and DHCP requests, and query their status when they become inactive

Snooped messages: NS, ND, RS, DAD NS, DHCP, RA

Binding table (example):
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001B  001B  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/15  ::001D  001D  110   Active
g1/0/16  ::001E  001E  200   Verifying
g1/0/17  ::0020  0020  200   Active
g1/0/21  ::0021  0021  200   Active
…        …       …     …     …

Page 19

IPv6 FHS – Securing IPv6 Networks – Quick Intro

Features:
•  IPv6 Snooping* – instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table
•  RA Guard – Protection: rogue or malicious RA; MiM attacks
•  DHCPv6 Guard – Protection: invalid DHCP offers; DoS attacks; MiM attacks
•  Source/Prefix Guard – Protection: invalid source address; invalid prefix; source address spoofing
•  Destination Guard – Protection: DoS attacks; scanning; invalid destination address

Scalability & Performance:
•  RA Throttler – Facilitates scale by converting multicast traffic to unicast
•  ND Multicast Suppress – Reduces the control traffic necessary for proper link operations, to improve performance

* Previously referred to as ND Inspection/Binding Table Recovery/Address Glean/Device Tracking

(The slide groups the features into Core Features, Advanced Features and Scalability & Performance.)

Page 20

Prevent Rogue Router Advertisements from taking down the network

Before RA Guard: Host A sends an RA to the First Hop Switch (“I am a router”); the switch forwards it and the other hosts accept it (“Yea! Thanks”).

After RA Guard: Host A sends an RA (“I am a router”); the First Hop Switch drops it (“Not according to me”).

Page 21

Prevent Rogue DHCP responses from misleading the client

Before DHCP Guard: the Host sends a DHCP Request through the First Hop Switch; replies claiming “I am a DHCP Server” reach the host both from the real DHCP Server and from other ports.

After DHCP Guard: the Host sends a DHCP Request; only the reply from the DHCP Server (“I am a DHCP Server”) is forwarded.

Page 22

IPv6 Snooping
•  Deep control packet inspection
•  Address Glean (ND, DHCP, data)
•  Address watch
•  Binding Guard

Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.

IPv6 Binding Table (example):
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::001A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying

Features built on the binding table: IPv6 Source Guard, IPv6 Destination Guard, Device Tracking

Page 23

(Repeat of the “Securing IPv6 Networks – Quick Intro” overview slide from page 19.)

Page 24

•  Very important.

•  Important.

•  Neutral.

•  Not important.

Page 25

•  Risk and Exposure – Exposed to end users, the access layer is inherently vulnerable
•  Infrastructure Protection – Security at the network edge protects the network infrastructure
•  Network Intelligence – Key data can only be gathered at the access layer

Page 26

Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?

•  More addresses!
–  More end-nodes allowed on the link (up to 2^64!)
–  Bigger neighbor cache on end-nodes and on the default router
–  May lead to some dramatic topology evolution
–  Creates new opportunities for DoS attacks

Threats are also dependent on the protocols in use: what is different?

•  More distributed and more autonomous operations
–  Nodes discover their default router automatically
–  Nodes auto-configure their addresses
–  Nodes defend themselves (SeND)
–  Distributed address assignment creates more challenges for address security

Page 27

“Old” IPv4 link model is very much DHCP-centric (diagram: DHCP-server and Router on the link)

•  DHCP-server:
–  Assigns addresses
–  Announces default router
–  Announces link parameters

Page 28

IPv6 link model is essentially distributed, with DHCP playing a minor role (diagram):

•  DHCP-server – assigns addresses
•  Router – announces default router, announces link parameters
•  The nodes themselves – assign addresses (“Assign addresses” is repeated at each node)

Page 29

Nodes on the link (diagram): host, router, time server, web server, DHCP server/relay, attacker – trusted end-nodes vs un-trusted end-nodes

•  Distributed: security verified between any pair of nodes
•  Centralized: security verified between each node and the central switch

Page 30

Neighbor Discovery

•  Defined in RFC 4861, “Neighbor Discovery for IP Version 6 (IPv6)”, and RFC 4862, “IPv6 Stateless Address Autoconfiguration”
•  Used for:
–  Router discovery
–  IPv6 Stateless Address Auto Configuration (SLAAC)
–  IPv6 address resolution (replaces ARP)
–  Neighbor Unreachability Detection (NUD)
–  Duplicate Address Detection (DAD)
–  Redirection
•  Operates above ICMPv6; relies heavily on multicast (including L2-multicast)
•  Works with ICMP messages and message “options”

Page 31

Router Discovery
•  Find default/first-hop routers
•  Discover on-link prefixes => which destinations are neighbors

Messages: Router Advertisements (RA), Router Solicitations (RS)

RS – ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or Host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA

RA – ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Option = Prefix, lifetime

Diagram: host A sends an RS, router B replies with an RA; A uses B as default gateway

Page 32

Rogue Router Advertisement
•  Attacker tricks victim into accepting him as default router
•  Based on rogue Router Advertisements
•  The most frequent threat by non-malicious user

Attacker C’s RA – Src = C’s link-local address; Dst = All-nodes; Data = router lifetime, autoconfig flag; Options = subnet prefix, slla

Spoofed RA – Src = B’s link-local address; Dst = All-nodes; Data = router lifetime = 0

Result: Node A sending off-link traffic to C (instead of the legitimate router B)

Page 33

Stateless Address Autoconfiguration
•  Stateless, based on prefix information delivered in Router Advertisements

Messages: Router Advertisements, Router Solicitations

RS – ICMP Type = 133 (Router Solicitation); Src = UNSPEC (or Host link-local address); Dst = All-routers multicast address (FF02::2); Query = please send RA

RA – ICMP Type = 134 (Router Advertisement); Src = Router link-local address; Dst = All-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Options = Prefix X, Y, Z, lifetime

Diagram: the host computes X::x, Y::y, Z::z, runs DAD on them (NS), then sources traffic with X::x, Y::y, Z::z

Page 34

Rogue prefix in Router Advertisement (attacker C on the link)
•  Attacker spoofs Router Advertisement with false on-link prefix
•  Victim generates IP address with this prefix
•  Access router drops outgoing packets from victim (ingress filtering)
•  Incoming packets can't reach victim

Spoofed RA – Src = B’s link-local address; Dst = All-nodes; Options = prefix BAD, Preferred lifetime → A computes BAD::A and DADs it

Spoofed RA – Src = B’s link-local address; Dst = All-nodes; Options = prefix X, Preferred lifetime = 0 → A deprecates X::A

Result: Node A sources off-link traffic to B with BAD::A; B filters out BAD::A

Page 35

Address Resolution
•  Resolves IP address into MAC address
•  Creates neighbor cache entry

Messages: Neighbor Solicitation, Neighbor Advertisement

NS – ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = Solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B’s link-layer address?

NA – ICMP type = 136 (Neighbor Advertisement); Src = one of B’s IF addresses; Dst = A; Data = B; Option = link-layer address of B

A and B can now exchange packets on this link (C is another node on the link)

Page 36

Neighbor Advertisement spoofing
•  Attacker can claim victim's IP address

NS from A – Dst = Solicited-node multicast address of B; Query = what is B’s link-layer address?

NA from attacker C – Src = B or any of C’s IF addresses; Dst = A; Data = B; Option = link-layer address of C

Page 37

Duplicate Address Detection
•  Verify address uniqueness
•  Probe neighbors to verify nobody claims the address

Messages: Neighbor Solicitation, Neighbor Advertisement

NS – ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?

No answer from B or C: Node A can start using address A

Page 38

DAD denial of service
•  Attacker answers every DAD attempt of the victim
•  Victim can't configure an IP address and can't communicate

NS from A – Src = UNSPEC; Dst = Solicited-node multicast address of A; Data = A; Query = Does anybody use A already?

NA from attacker C (“it’s mine!”) – Src = any of C’s IF addresses; Dst = A; Data = A; Option = link-layer address of C

Page 39

SEND: SEcure Neighbor Discovery – Distributed L2 Security Model

Page 40

•  Advantages
–  No central administration, no central operation
–  No bottleneck, no single point of failure
–  Intrinsic part of the link operations
–  No tying up to the L2 infra
–  Load distribution

•  Disadvantages
–  Heavy provisioning of end-nodes
–  Only provisioned end-nodes are protected
–  Tied up to nodes' capability
–  Bootstrapping issue
–  Complexity spread all over the domain

Diagram: Provisioning Infrastructure (Configuration Server, DHCP Server, Time Server, Certificate Server) – Hosts – L2/link Infrastructure – Internet

Page 41

WHAT SEND PROVIDES
•  Each node on the link takes care of its own security
•  Verifies router legitimacy
•  Verifies address ownership

WHAT SEND DOES NOT PROVIDE
•  It does not verify other key role legitimacy (DHCP server, NTP, etc.)
•  It only applies to link operations
•  It does not provide end-to-end security
•  It does not guarantee authorization (≠ 802.1X)

Page 42

•  SeND is NOT a new protocol
•  SeND is “just” an extension to NDP with new messages (CPS/CPA) and more options (Signature, etc.)
•  Therefore ND+SeND remains a protocol operating on the link
•  SeND is a distributed mitigation mechanism
•  SeND does not provide any “end-to-end” security
•  SeND is specified in RFC 3971 and RFC 3972

Page 43

Diagram: the sender SIGNs the ND message whose source is its own address (“Src = My address!”); the receiver VERIFYs the signature and recomputes the address from Prefix + Interface-id (Computes Address).

Page 44

Router authorization with a certificate path (Router R, host, Certificate Authority CA0 with certificate C0):

1. Router certificate request (R → CA0)
2. Router certificate CR (CA0 → R)
3. Router Advertisement (R → host)
4. Certificate Path Solicit (CPS): “I trust CA0, who are you?” (host → R)
5. Certificate Path Advertise (CPA): “I am R, this is my certificate CR” (R → host)
6. Verify CR against CA0 (host)
7. Start using R as default gateway (host)

Page 45

•  A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside

To benefit fully from SeND, nodes must be:
•  Provisioned with CA certificate(s)
•  Time synchronized / have access to the NTP server
•  Have access to a CRL or OCSP server

Diagram: inside the ADMINISTRATIVE BOUNDARY a CA with its Router and Host; outside it, other CAs with their own Routers and Hosts

Page 46

Due to transition realities and lack of pervasive support for SeND:

•  At best there will be a mix of CGA, Router Auth. and “old” ND support
•  More likely, a small number of SeND-capable nodes lost in the middle of many non-capable ones

This has almost no value because it’s a two-player game: nodes with no SeND/CGA support can’t verify SeND/CGA credentials!

Page 47

Trustee – Move to a different deployment model?

Page 48

Centralized L2 security model

Page 49

•  Advantages
–  Central administration, central operation
–  Complexity and provisioning limited to first hop
–  All nodes protected
–  Transitioning much easier

•  Disadvantages
–  Applicable only to certain topologies
–  Requires first hop to learn about end-nodes
–  First hop can be a bottleneck and single point of failure

Diagram: Provisioning Infrastructure (Configuration Server, DHCP Server, Time Server, Certificate Server) – Hosts – L2/link Infrastructure – Internet

Page 50

WHAT IS IT?
•  Takes care of all nodes' security, primarily from a link-operations standpoint
•  Leverages information gleaned by snooping link operations
•  Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.

REQUIREMENTS
•  Must be “in the centre” or part of the security perimeter
•  Requires some provisioning
•  Must be versatile (NDP, SeND, DHCP, MLD, etc.)

Page 51

First Hop Security (FHS) – diagram: FHS enforced at each first-hop switch

Page 52

Centralized L2 security technology

Page 53

RA Guard
•  Switch selectively accepts or rejects RAs based on various criteria
•  Can be ACL based, learning based or challenge (SeND) based
•  Hosts see only allowed RAs, and RAs with allowed content

Diagram: a host sends a Router Advertisement with prefix option(s), “I am the default gateway”; the switch verifies it (configuration-based, learning-based or challenge-based) and bridges the RA only if verification succeeded.

Goal: to mitigate against rogue RA
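As an added example, not code from the slides or from a Cisco implementation, the following Python models the configuration-based branch of the RA Guard decision described above: the port role, trusted router sources, permitted prefixes and the router-lifetime bound are hypothetical policy fields, and the RA bytes are constructed according to the RFC 4861 message layout.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# ICMPv6 / ND constants from RFC 4861
ICMPV6_RA = 134
OPT_PREFIX_INFO = 3
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


@dataclass
class RAGuardPolicy:
    """Hypothetical configuration-based RA Guard policy attached to one switch port."""
    role: str                                             # "host" or "router" facing port
    trusted_routers: set = field(default_factory=set)     # link-local sources allowed to send RAs
    allowed_prefixes: list = field(default_factory=list)  # IPv6Network objects hosts may learn
    max_router_lifetime: int = 9000                       # seconds, the RFC 4861 upper bound


def make_policy(role, routers=(), prefixes=(), max_router_lifetime=9000):
    """Build a policy from strings, e.g. make_policy("router", ["fe80::1"], ["2001:db8:1::/48"])."""
    return RAGuardPolicy(role, {ipaddress.IPv6Address(r) for r in routers},
                         [ipaddress.IPv6Network(p) for p in prefixes], max_router_lifetime)


def build_ra(router_lifetime, prefixes, cur_hop_limit=64):
    """Construct an ICMPv6 RA body (checksum left 0) with one Prefix Information option per prefix."""
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, cur_hop_limit, 0x00,
                       router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type 3, length 4 (32 bytes), prefix length, L+A flags, valid, preferred, reserved, prefix
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                            2592000, 604800, 0) + net.network_address.packed
    return body


def parse_ra(body):
    """Return (router_lifetime, [IPv6Network, ...]); raise ValueError on malformed input."""
    if len(body) < 16:
        raise ValueError("RA shorter than its fixed header")
    icmp_type, _code, _cksum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", body[:16])
    if icmp_type != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated option header")
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")       # RFC 4861: discard the whole packet
        end = off + opt_len * 8
        if end > len(body):
            raise ValueError("option runs past end of message")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            addr = ipaddress.IPv6Address(body[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, body[off + 2]), strict=False))
        off = end
    return lifetime, prefixes


def ra_guard(policy, src, hop_limit, body):
    """Decide whether the switch bridges this RA toward hosts. Returns (allowed, reason)."""
    if policy.role == "host":
        return False, "RA received on a host-facing port"
    try:
        lifetime, prefixes = parse_ra(body)
    except ValueError as exc:
        return False, f"malformed RA: {exc}"
    src = ipaddress.IPv6Address(src)
    # RFC 4861 receiver checks: link-local source and IPv6 hop limit 255 (never forwarded)
    if hop_limit != 255 or src not in LINK_LOCAL:
        return False, "RA must be link-local sourced with hop limit 255"
    # A plain source match is only as strong as the source address; a spoofed link-local
    # source passes it, which is why the slides pair ACLs with learning/SeND-based checks.
    if src not in policy.trusted_routers:
        return False, f"source {src} is not a configured router"
    if lifetime > policy.max_router_lifetime:
        return False, f"router lifetime {lifetime} exceeds policy maximum"
    for net in prefixes:
        if not any(net.subnet_of(allowed) for allowed in policy.allowed_prefixes):
            return False, f"prefix {net} is not permitted on this link"
    return True, "RA accepted"


if __name__ == "__main__":
    uplink = make_policy("router", ["fe80::1"], ["2001:db8:1::/48"])
    access = make_policy("host")
    good = build_ra(1800, ["2001:db8:1:10::/64"])
    print(ra_guard(uplink, "fe80::1", 255, good))                                # accepted
    print(ra_guard(access, "fe80::1", 255, good))                                # host port
    print(ra_guard(uplink, "fe80::1", 255, build_ra(1800, ["2001:db8:bad::/64"])))  # bad prefix
```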

Page 54

Configuration-based approach: an IPv6 ACL applied inbound on the access port blocks DHCPv6 server-to-client traffic and Router Advertisements coming from hosts:

ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any

interface GigabitEthernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in

Page 55

•  The extension header chain can be so large that it is fragmented!
•  Finding the layer 4 information is not trivial in IPv6:
–  Skip all known extension headers
–  Until either a known layer 4 header is found => SUCCESS
–  Or an unknown extension header/layer 4 header is found... => FAILURE
–  Or the end of the extension headers is reached => FAILURE

Fragment 1: IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment
Fragment 2: IPv6 hdr | HopByHop | Fragment | ICMP | Data
The layer 4 header is in the 2nd fragment.
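The header walk described above, as an added Python example (not from the slides): it skips the known extension headers, classifies a known layer 4 header, and reports FAILURE for an unknown header or when the chain ends inside a fragment; the packets are constructed to mirror the two fragments on the slide.

```python
import struct

IPV6_HDR_LEN = 40
# Extension headers the filter knows how to skip (next-header values from RFC 2460)
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 60: "Destination"}
# Layer 4 headers the filter can classify, with the minimum bytes needed to read them
L4_HEADERS = {6: ("TCP", 20), 17: ("UDP", 8), 58: ("ICMPv6", 4)}


def find_layer4(pkt):
    """Walk the header chain of one IPv6 packet or fragment.

    Returns ("SUCCESS", l4_name, offset) when a known layer 4 header is reachable,
    otherwise ("FAILURE", reason), following the algorithm on the slide.
    """
    if len(pkt) < IPV6_HDR_LEN:
        return ("FAILURE", "truncated IPv6 header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = min(len(pkt), IPV6_HDR_LEN + payload_len)
    next_hdr, off = pkt[6], IPV6_HDR_LEN
    while True:
        if next_hdr in L4_HEADERS:
            name, min_len = L4_HEADERS[next_hdr]
            if off + min_len > end:
                # The chain ends here: the transport header sits in a later fragment
                return ("FAILURE", f"{name} header not present in this fragment")
            return ("SUCCESS", name, off)
        if next_hdr not in EXT_HEADERS:
            return ("FAILURE", f"unknown next header {next_hdr}")
        if off + 8 > end:
            return ("FAILURE", f"{EXT_HEADERS[next_hdr]} header truncated")
        if next_hdr == 44:
            nh, _res, frag_field = struct.unpack("!BBH", pkt[off:off + 4])
            if frag_field >> 3 != 0:
                # A non-initial fragment carries no header chain to inspect
                return ("FAILURE", "non-first fragment, layer 4 unavailable")
            hdr_len = 8                       # Fragment header is always 8 bytes
        else:
            nh, ext_len = pkt[off], pkt[off + 1]
            hdr_len = (ext_len + 1) * 8       # Hdr Ext Len counts 8-octet units after the first
        next_hdr, off = nh, off + hdr_len


# --- constructed test packets (addresses are documentation prefixes, not real hosts) ---
def ipv6_header(next_hdr, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


def ext_header(next_hdr, extra_units=0):
    """Generic extension header of 8 * (extra_units + 1) bytes with a zeroed body."""
    return bytes([next_hdr, extra_units]) + b"\x00" * (6 + 8 * extra_units)


def fragment_header(next_hdr, offset, more, ident=1):
    return struct.pack("!BBHI", next_hdr, 0, (offset << 3) | more, ident)


ICMP_ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)          # echo request, checksum 0
PLAIN = ipv6_header(58, ICMP_ECHO)
# Slide's fragment 1: Hop-by-Hop -> Routing -> Destination -> Destination -> Fragment (ICMP follows later)
FRAG1 = ipv6_header(0, ext_header(43) + ext_header(60) + ext_header(60) + ext_header(44)
                    + fragment_header(58, 0, 1))
# Slide's fragment 2: Hop-by-Hop -> Fragment (offset 3) -> ICMP + data
FRAG2 = ipv6_header(0, ext_header(44) + fragment_header(58, 3, 0) + ICMP_ECHO + b"data")
# Hop-by-Hop followed by ESP (50), which this filter does not know how to skip
ESP = ipv6_header(0, ext_header(50) + b"\x00" * 16)
# 16-byte Hop-by-Hop -> Destination -> TCP, fully contained in one packet
TCP_OK = ipv6_header(0, ext_header(60, 1) + ext_header(6) + b"\x00" * 20)

if __name__ == "__main__":
    for label, pkt in [("plain", PLAIN), ("frag1", FRAG1), ("frag2", FRAG2),
                       ("esp", ESP), ("tcp", TCP_OK)]:
        print(label, find_layer4(pkt))
```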

Page 56

Binding table / address glean (diagram: host – address glean – bridge, “Valid?”)
–  Arbitrate collisions, check ownership
–  Check against max allowed per box/VLAN/port
–  Record & report changes

Goal: to enforce address ownership and mitigate against address DoS

Page 57

Device tracking (hosts H1, H2, H3; binding table)

Binding table before:
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  STALE
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH
A3    MACH3  100   P3  STALE

Address glean – probes and answers:
DAD NS [IP source=UNSPEC, target = A1]
DAD NS [IP source=UNSPEC, target = A3]
NA [target = A1, LLA=MACH1]

Binding table after (A1 confirmed, A3 removed):
IPv6  MAC    VLAN  IF  STATE
A1    MACH1  100   P1  REACH
A21   MACH2  100   P2  REACH
A22   MACH2  100   P2  REACH

–  Keep track of device state
–  Probe devices when becoming stale
–  Remove inactive devices from the binding table
–  Record binding creation/deletion/changes

Goal: to track active addresses (devices) on the link

Page 58

Address glean (hosts H1, H2, H3; DHCP-server)

Snooped messages:
NS [IP source=A1, LLA=MACH1]  (H1)
REQUEST [XID, SMAC = MACH2] → DHCP-server; REPLY [XID, IPA21, IPA22]  (H2)
data [IP source=A3, SMAC=MACH3]  (H3)
DAD NS [IP source=UNSPEC, target = A3]
NA [IP source=A1, LLA=MACH3]
DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY

Binding table:
IPv6  MAC    VLAN  IF
A1    MACH1  100   P1
A21   MACH2  100   P2
A22   MACH2  100   P2
A3    MACH3  100   P3

Goal: to monitor address allocation and store bindings

Page 59

Source Guard (hosts H1, H2, H3)

Binding table:
IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3

Address glean:
–  Allow traffic sourced with known IP/SMAC
–  Deny traffic sourced with unknown IP/SMAC

Traffic checked against the table:
P1: data, src = A1, SMAC = MACA1
P2: data, src = A21, SMAC = MACA21
P3: data, src = A3, SMAC = MACA3

Binding learned on P3 (::A3, MACA3) from: DAD NS [IP source=UNSPEC, target = A3]; NA [target = A1, LLA=MACA3]; DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY

Goal: to validate source address of IPv6 traffic sourced from the link

Page 60

Destination Guard (diagram: Internet → L3 switch → host; binding table / neighbor cache)
•  Mitigate prefix-scanning attacks and protect the ND cache
•  Useful at the last-hop router and L3 distribution switch
•  Drops packets for destinations without a binding entry

Lookup of destination D1 in the binding table: found → forward packet; NO → drop. Scanning traffic toward {P/64} (Src = Dn) from the Internet therefore never reaches the link or populates the neighbor cache.

Goal: to validate destination address of IPv6 traffic reaching the link
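Pages 56 to 60 above (binding table, device tracking, address glean, Source Gu1ard and Destination Guard) as one added Python model, not Cisco code: the class names, the per-port limit and the H1/H2/H3 addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    port: str
    state: str      # VERIFYING (DAD seen), REACH (confirmed), STALE (no recent traffic)


class BindingTable:
    """Model of a first-hop binding table fed by address glean (ND, DHCPv6, data).

    Hypothetical simplification of the IPv6 Snooping behaviour on the slides, not Cisco code.
    Entries are keyed by (vlan, ipv6); max_per_port caps the bindings one access port may own.
    """

    def __init__(self, max_per_port=4):
        self.entries = {}
        self.max_per_port = max_per_port
        self.log = []

    def _learn(self, vlan, ipv6, mac, port, state):
        key, cur = (vlan, ipv6), self.entries.get((vlan, ipv6))
        if cur and (cur.mac, cur.port) != (mac, port):
            # Address ownership: the existing binding wins over a later claim from elsewhere
            self.log.append(f"DENY {ipv6} already bound to {cur.mac}/{cur.port}, claimed by {mac}/{port}")
            return False
        if cur is None:
            on_port = sum(1 for (v, _), b in self.entries.items() if v == vlan and b.port == port)
            if on_port >= self.max_per_port:
                # Per-port cap keeps one host from flooding the table (address DoS)
                self.log.append(f"DENY {ipv6}: port {port} already holds {on_port} bindings")
                return False
            self.log.append(f"ADD {ipv6} -> {mac}/{port} ({state})")
        self.entries[key] = Binding(mac, port, state)
        return True

    # --- address glean from snooped control and data traffic ---------------------------
    def glean_dad_ns(self, vlan, port, smac, target):
        """DAD NS [IP source=UNSPEC, target=A]: tentative binding until confirmed."""
        return self._learn(vlan, target, smac, port, "VERIFYING")

    def glean_na(self, vlan, port, smac, target, lla):
        """NA [target=A, LLA=MAC]: confirm, but only if the option matches the frame's SMAC."""
        if lla != smac:
            self.log.append(f"DENY NA for {target}: LLA {lla} differs from frame SMAC {smac}")
            return False
        return self._learn(vlan, target, smac, port, "REACH")

    def glean_dhcp_reply(self, vlan, client_port, client_mac, addresses):
        """DHCPv6 REPLY toward a client: bind every leased address to that client."""
        return all([self._learn(vlan, a, client_mac, client_port, "REACH") for a in addresses])

    def glean_data(self, vlan, port, smac, src_ip):
        """data [IP source=A, SMAC]: learn or refresh a binding from forwarded traffic."""
        return self._learn(vlan, src_ip, smac, port, "REACH")

    # --- device tracking -----------------------------------------------------------------
    def mark_stale(self, vlan, ipv6):
        """No traffic seen lately; a real switch now probes the host with an NS."""
        if (vlan, ipv6) in self.entries:
            self.entries[(vlan, ipv6)].state = "STALE"

    def remove_inactive(self):
        """Drop bindings whose probe went unanswered; return how many were removed."""
        gone = [k for k, b in self.entries.items() if b.state == "STALE"]
        for k in gone:
            self.log.append(f"DEL {k[1]} (inactive)")
            del self.entries[k]
        return len(gone)

    # --- enforcement ---------------------------------------------------------------------
    def source_guard(self, vlan, port, src_ip, smac):
        """Forward only when IP, SMAC and ingress port all match a binding."""
        b = self.entries.get((vlan, src_ip))
        return b is not None and (b.mac, b.port) == (smac, port)

    def destination_guard(self, vlan, dst_ip):
        """Forward toward the link only if the destination is bound (defeats prefix scans)."""
        return (vlan, dst_ip) in self.entries


def demo():
    """Replay the slides' H1/H2/H3 scenario on VLAN 100 with constructed addresses."""
    t = BindingTable(max_per_port=2)
    t.glean_dad_ns(100, "P1", "MACH1", "2001:db8::a1")
    t.glean_na(100, "P1", "MACH1", "2001:db8::a1", lla="MACH1")
    t.glean_dhcp_reply(100, "P2", "MACH2", ["2001:db8::a21", "2001:db8::a22"])
    t.glean_data(100, "P3", "MACH3", "2001:db8::a3")
    # Page 58's NA [IP source=A1, LLA=MACH3] from H3: a claim on H1's address, rejected
    t.glean_na(100, "P3", "MACH3", "2001:db8::a1", lla="MACH3")
    t.glean_dad_ns(100, "P3", "MACH3", "2001:db8::a4")   # second binding on P3, allowed
    t.glean_dad_ns(100, "P3", "MACH3", "2001:db8::a5")   # third one exceeds max_per_port
    return t


if __name__ == "__main__":
    table = demo()
    print("\n".join(table.log))
    print(table.source_guard(100, "P3", "2001:db8::a1", "MACH3"))   # False: A1 belongs to H1
```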

Page 61

•  ~8660 MAC addresses seen

•  ~90% of MAC addresses dual-stack-capable

•  More info: http://blogs.cisco.com/borderless/ipv6-at-ciscolive-san-diego/

Page 62

•  BYOD brings new security and scalability challenges to the L2 domain.
•  Modern devices support and prefer IPv6 connectivity.
•  Securing the access layer with a single policy mitigates vulnerabilities in L2 mobility environments.
•  The Cisco IPv6 FHS solution provides solid protection from rogue or mis-configured users in IPv6 or dual-stack networks, and efficiently handles wireless scalability.

Page 63

•  First Hop Security white paper: http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-602135.html
•  First Hop Security documentation: http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-first_hop_security.html
•  Cisco Support IPv6 Community: https://supportforums.cisco.com/community/netpro/network-infrastructure/ipv6-transition
•  Product Manager: Rafael Maranon-Abreu
•  Technical Leader Engineering: Andrew Yourtchenko

Page 64

•  Thank you!
•  Please complete the post-event survey
•  Join us January 9th for our next webinar: Enhancing Application Performance with PfR – Register: www.cisco.com/go/techadvantage – Follow us @GetYourBuildOn

