Zaccone Carmelo - IPv6 and security from a user’s point of view
IPv6 and security from a user's point of view
AWT.be
ir. Zaccone Carmelo
Expert within the 'Pôle Veille Technologique et Juridique'
Agence Wallonne des Télécommunications

Agenda

  - Quick overview of network security considerations
  - The AWT.be safe/secure IPv6 deployment scenario
  - Conclusions: the errors, mistakes and lessons learned

Putting the rumour aside

  - It is very often said that IPv6 is more secure than IPv4. This is a false rumour!
  - IPsec is indeed mandatory, but it only means a more secure data transport:
      - iff (if and only if) endorsed by all hosts
      - iff implemented by all applications
      - iff a key exchange system is adopted worldwide

Putting the rumour aside

  - Assuming all of this would however enable a more secure Internet: operators may track the sources of attacks because of
      - direct host-to-host communications
      - v6 infrastructure support for peer-to-peer applications

Both protocols face most of the same threats

  - Mostly the same:
      - Layer 3/Layer 4 spoofing/sniffing, network flooding,
      - DHCP vulnerabilities, man-in-the-middle attacks,
      - viruses, spam, SPIT, ...
  - Nevertheless, IPv6 specificities bring new perspectives on some types of attacks
  - The IPv6 protocol security enhancements
      - close doors for some threats
      - open new doors for some other threats
  - NDP & auto-configuration offer new attacks (e.g. fake RA, fake DAD reply). NB: SEND is a potential answer
  - Dual stacks may introduce backdoors

Trivial benefit: scanning IPv6 is harder

  - An IPv6 subnet is 4 billion times harder to scan than all of IPv4
  - Address allocation scheme
      - Traditional v4 sequential IP allocation -> rich set of neighbouring targets
      - Sparse IP allocations
          - make brute-force scanning impractical
          - remove hacking tools (e.g. backdoor scanners, trojans)
          - remove worm propagation vectors
          - remove DDoS tools (e.g. Smurf uses broadcast)
          - make life harder for spammers
          - make life harder in hacker wars
  - Use of trivial IP address allocations can degrade this!

Agenda

  - Quick overview of network security considerations
  - The AWT.be safe/secure IPv6 deployment scenario
  - Conclusions: the errors, mistakes and lessons learned
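The "4 billion times" figure and the warning about trivial allocations on the previous slide are easy to check in code. The following is an added example (not part of the deck and not AWT.be tooling): it computes the scan-space ratio, the wall-clock cost of walking a /64 sequentially, and then audits a constructed address plan inside the deck's 2001:6a8:3880::/48 range by classifying each host's interface identifier. The classification thresholds (interface IDs below 2^16 count as "low-numbered", hex-word IDs as "wordy") are the example's own assumptions.

```python
# Added example (not from the slide deck): how much harder scanning a /64 is than
# scanning all of IPv4, and which interface-ID styles throw that benefit away.
import ipaddress

IPV4_TOTAL = 2 ** 32            # every IPv4 address
IPV6_SUBNET = 2 ** 64           # one /64 subnet
SECONDS_PER_YEAR = 365.25 * 86400


def scan_ratio() -> int:
    """How many times larger a single /64 is than the whole IPv4 Internet."""
    return IPV6_SUBNET // IPV4_TOTAL      # 2**32, the deck's "4 billion times"


def years_to_scan(space: int, probes_per_second: int) -> float:
    """Wall-clock years to probe every one of `space` addresses sequentially."""
    return space / probes_per_second / SECONDS_PER_YEAR


def classify_iid(addr: str) -> str:
    """Classify the 64-bit interface identifier of one host address.

    'low-numbered'  ::1, ::2, ::53 ... enumerable in milliseconds
    'eui-64'        derived from the MAC (ff:fe in the middle), guessable per vendor OUI
    'wordy'         hex words like ::dead:beef, found on every scanner's wordlist
    'sparse'        none of the above; brute force stays impractical
    Thresholds are this example's assumptions, not a standard.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = int(ip) & ((1 << 64) - 1)
    if iid < 2 ** 16:
        return "low-numbered"
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"
    hex_iid = f"{iid:016x}".lstrip("0")
    if hex_iid and set(hex_iid) <= set("abcdef0"):
        return "wordy"
    return "sparse"


def audit_plan(addresses: list) -> dict:
    """Group an address plan by IID style so the 'trivial' entries stand out."""
    groups = {}
    for a in addresses:
        groups.setdefault(classify_iid(a), []).append(a)
    return groups


# Constructed sample plan inside the deck's 2001:6a8:3880::/48 range.
SAMPLE_PLAN = [
    "2001:6a8:3880:10::1",                    # trivial: first host on the subnet
    "2001:6a8:3880:10::53",                   # trivial: "DNS lives on ::53"
    "2001:6a8:3880:10:211:22ff:fe33:4455",    # EUI-64 derived from a MAC
    "2001:6a8:3880:10::dead:beef",            # hex word
    "2001:6a8:3880:10:7c1b:9a4e:3d2f:8b61",   # sparse / random
]

if __name__ == "__main__":
    print(f"one /64 is {scan_ratio():,} times the IPv4 Internet")
    print(f"sequential scan of a /64 at 1M probes/s: "
          f"{years_to_scan(IPV6_SUBNET, 10 ** 6):,.0f} years")
    for style, addrs in audit_plan(SAMPLE_PLAN).items():
        print(f"{style:13s} {addrs}")
```

Only the last entry of the sample plan keeps the scanning benefit; the first four are the "trivial IP address allocations" the slide warns about, and an auditor can run the same classifier over a real address plan before it is deployed.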
The AWT infrastructure

  - Inside IT services are enterprise-like:
      - Mail/Agenda (MS Exchange),
      - DB (MySQL, Oracle, MSSQL),
      - Storage (CIFS, SAN),
      - etc.
  - Outside IT services are traditional ones:
      - DMZ (HTTP, FTP, Mail, etc.)
      - VPN
  - Large information technology infrastructure (PCs & servers):
      - mixed environment across many vendors (Microsoft, Linux, Apple, VMware) and over various generations (e.g. Srv2000/2003, XP, Seven, OSX)
  - Network with many different IP segments (VLANs) where all traffic is firewall controlled

IPv6 genesis @ AWT.be

  - Involvement of the network administrator for a long time ('99):
      - IPv6Forum, Alcatel v6Team lead, IETF, EU,
      - Task Force AWT "Technology Watch WG"
  - Interest of the system administrator!
  - Theoretical know-how BUT little practice!
  - Workshop (mid 2006) of NREN BELNET: "v6 user" but not "v6 administration"
  - Arrival of the IPv6 customer connectivity service
  - Assignment of the AWT.be RIPE range [2001:06a8:3880::/48]
  - Administrators' brainstorming led to a 'Safe & Secure' IPv6 introduction approach

Practically

  - A true 'brain teaser' to segment the IPv6 address range in an efficient and secure manner
  - The access network had to be firmware-upgraded and the IPv6 features (some were still in beta) turned on
  - Policy: do not introduce IPv6 into the main firewall (PIX 535), but rather play with a dedicated firewall (PIX 515) natively using v6 only (except a single IPv4 address in the v4 management network)
  - Dedicated v6 LANs hermetic to the v4 LANs (no dual stacks at the start)
  - The firewall rules all LANs (RA + ACL)
  - Learning the v6 ACL syntax and trying not to make typing errors in addresses
  - Usual deny-ALL policy for incoming traffic
  - Usual intelligent interface security levels (e.g. OutsideNW < GuestNW < EmployeeNW)

Practically, cont'd

  - Learning & playing native from the end-host stations' point of view
  - Setting up the v6-only inside server farm zone (e.g. DNS)
  - Setting up the beta-employee & beta-guest v6-only networks
  - Introduction of AWT services facing the IPv6 Internet
      - Setting up the v6-only DMZ server farm zone
      - Safe approach: no IPv6 in the production services
          - reverse proxy for HTTP, FTP
          - relay for SMTP, network share
          - slave for DNS
      - Mainly because
          - MS Windows Server < Server 2008, same for SQL, etc.
          - Not enough confidence/experience with v6 on Linux
          - Logging analysis tools not yet ready
Practically, cont'd

  - Leaving (3 months ago) the trial state by inserting dual stacks
      - from the v6-capable end stations' point of view
      - from the v6-capable host servers' point of view
  - Setting up the beta-employee & beta-guest dual-stack networks
      - dedicated IPv6 network segments, different from the v6-only LANs
      - combining the user v4 & v6 subnets on the same VLAN
      - combining the guest v4 & v6 subnets on the same VLAN
  - Setting up the dual-stack DMZ server farm zone
      - dedicated IPv6 network segment, different from the v6-only DMZ
      - combining the DMZ v4 & v6 subnets on the same VLAN
      - removing the reverse proxy (HTTP, FTP) and the slave DNS
      - enabling (stack + apps) IPv6 support on the Linux production servers (MS Windows will come next year with the migration to Server 2008)

Agenda

  - Quick overview of network security considerations
  - The AWT.be safe/secure IPv6 deployment scenario
  - Conclusions: the errors, mistakes and lessons learned
Errors, mistakes & lessons

  - The FW is not capable of all the RA settings a router offers (e.g. FLAGS)
  - The FW v6 ACL must take care of more ICMP messages than in v4
  - Huge attention is needed when typing IPv6 addresses
  - Not an easy task to analyse IPv6 logs
  - We see as many attack attempts as on IPv4
  - Remote access: moving to OpenVPN, as the Cisco VPN concentrator is not v6 capable
  - Special attention to the reverse proxy (HTTP, FTP):
      - AWT v4 servers use virtual hosting for many websites
      - the AWT reverse proxy was not hosting all the websites
      - AWT uses DNS CNAMEs for the website virtual hosts
    -> some public websites (not in the rproxy) became 'down' for IPv6 Internet users (we discovered it by analysing our v6 FW logs)
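Two of the lessons above, "more ICMP messages than in v4" and "huge attention when typing addresses", lend themselves to an automated check before an ACL is loaded. The following is an added example (not from the deck, not AWT.be or Cisco tooling): it models an inbound ACL as an ordered list of rule dicts (the example's own simplified model, first match wins, implicit deny at the end), parses every address strictly so that a prefix with host bits set is rejected, flags destinations that fall outside the site's 2001:6a8:3880::/48, and reports which of the ICMPv6 error types that RFC 4890 lists as "must not be dropped" the ACL would still block. The sample ACL is constructed, including its two deliberate typos.

```python
# Added example (not from the deck): sanity-check a simplified inbound IPv6 ACL.
# Check 1: every address parses canonically and sits inside the site's own /48.
# Check 2: the deny-all policy still admits the ICMPv6 errors IPv6 cannot work without.
import ipaddress

SITE = ipaddress.IPv6Network("2001:6a8:3880::/48")   # AWT.be range from the deck

# ICMPv6 types that RFC 4890 (section 4.3.1) says a transit firewall must not drop.
# On-link NDP (types 133-136) is a separate, per-interface concern not modelled here.
REQUIRED_ICMPV6 = {
    1: "destination unreachable",
    2: "packet too big (dropping it breaks path MTU discovery)",
    3: "time exceeded",
    4: "parameter problem",
}


def canonical(text: str) -> ipaddress.IPv6Network:
    """Strict parse: '2001:6a8:3880:2::53/64' has host bits set, so it is a typo."""
    return ipaddress.IPv6Network(text, strict=True)


def check_addresses(rules: list) -> list:
    """Problems with the addresses of an ACL applied inbound on the outside interface:
    destinations are our own hosts, so anything outside SITE is a mistyped address."""
    problems = []
    for i, r in enumerate(rules):
        for side in ("src", "dst"):
            text = r[side]
            if text == "any":
                continue
            try:
                net = canonical(text)
            except ValueError as err:
                problems.append(f"rule {i}: {side} {text!r} does not parse ({err})")
                continue
            if side == "dst" and not net.subnet_of(SITE):
                problems.append(f"rule {i}: dst {net} is outside {SITE}, probable typo")
    return problems


def permitted_icmpv6(rules: list) -> set:
    """Which REQUIRED_ICMPV6 types get through, with first-match semantics and an
    implicit deny when nothing matches (the deck's deny-ALL inbound policy)."""
    allowed = set()
    for t in REQUIRED_ICMPV6:
        for r in rules:
            if r["proto"] not in ("icmp6", "ip"):
                continue                      # tcp/udp rules never match ICMPv6
            if r.get("icmp_type") not in (None, t):
                continue                      # rule is for a different ICMPv6 type
            if r["action"] == "permit":
                allowed.add(t)
            break                             # first matching rule decides
    return allowed


def missing_icmpv6(rules: list) -> dict:
    return {t: name for t, name in REQUIRED_ICMPV6.items()
            if t not in permitted_icmpv6(rules)}


# Constructed sample ACL, in evaluation order. Rules 1 and 2 contain typos on purpose.
SAMPLE_ACL = [
    {"action": "permit", "proto": "tcp", "src": "any", "dst": "2001:6a8:3880:2::80", "port": 80},
    {"action": "permit", "proto": "tcp", "src": "any", "dst": "2001:6a8:3380::25", "port": 25},
    {"action": "permit", "proto": "udp", "src": "any", "dst": "2001:6a8:3880:2::53/64", "port": 53},
    {"action": "permit", "proto": "icmp6", "src": "any", "dst": "any", "icmp_type": 128},
    {"action": "permit", "proto": "icmp6", "src": "any", "dst": "any", "icmp_type": 1},
    {"action": "permit", "proto": "icmp6", "src": "any", "dst": "any", "icmp_type": 3},
    {"action": "deny", "proto": "ip", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    for p in check_addresses(SAMPLE_ACL):
        print("address:", p)
    for t, name in missing_icmpv6(SAMPLE_ACL).items():
        print(f"blocked ICMPv6 type {t}: {name}")
```

On the sample ACL the address check catches both typos (a digit swapped in the second hextet and a /64 written on a host address), and the ICMPv6 check reports that Packet Too Big and Parameter Problem never get in, which is exactly the silent breakage a v4-style "permit echo, deny the rest" habit produces on IPv6.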
Errors, mistakes & lessons

  - Special attention to dual-stack employees:
      - some internal websites (not in the rproxy) became 'down' for AWT users when dual stack was turned on
      - Personal software firewalls/anti-virus (e.g. Symantec, McAfee) not ready for IPv6
      - Dual-stack hosts become more vulnerable
          - Need to disable the v6 stack when outside the secured AWT office
          - Need to raise the awareness/consciousness of the users
              - no NAT for security through obscurity
              - direct public IP reachability, so take care when hosting local services (e.g. file share)
  - Same law enforcement on network log retention for IPv6 as for IPv4! v6 simplifies the game: no NAT translations to record

cz@awt.be

IPv6 and security from a user's point of view
AWT.be
ir. Zaccone Carmelo
Expert within the 'Pôle Veille Technologique et Juridique'
Agence Wallonne des Télécommunications
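The deck draws two kinds of conclusion from its v6 firewall logs: that attack attempts arrive at the same rate as on IPv4, and that some websites had silently gone dark for IPv6 users. The following added example (not from the deck and not AWT.be tooling) asks both questions of a constructed log. The log format is the example's own key=value layout, not the PIX syslog format; the addresses and the published-service list are constructed. The point it demonstrates beyond the slides is why v6 logs are harder to analyse: the same host can appear as 2001:0db8:0001::0005 on one line and 2001:db8:1::5 on the next, and a scanner can use a fresh address from its /64 for every probe, so counting must happen on parsed, normalised addresses aggregated per /64 rather than on raw text.

```python
# Added example (not from the deck): analyse denied-packet log lines from a v6 firewall.
# Question 1: which source networks are hammering us (per /64, after normalisation)?
# Question 2: which of our own addresses receive denied web traffic, i.e. a DNS name
#             pointing at an address or port the firewall was never told to serve?
import ipaddress
import re
from collections import Counter

SITE = ipaddress.IPv6Network("2001:6a8:3880::/48")   # AWT.be range from the deck

# Constructed log format: one key=value line per denied packet (not the PIX format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>\w+) src=(?P<src>[0-9a-fA-F:]+) sport=(?P<sport>\d+) "
    r"dst=(?P<dst>[0-9a-fA-F:]+) dport=(?P<dport>\d+)$")

# Constructed sample: 2001:db8::/32 is the documentation prefix, used here as "the Internet".
SAMPLE_LOG = """\
2010-05-04T10:12:01Z DENY tcp src=2001:0db8:0001::0005 sport=51200 dst=2001:6a8:3880:2::80 dport=22
2010-05-04T10:12:03Z DENY tcp src=2001:db8:1::5 sport=51201 dst=2001:6a8:3880:2::80 dport=23
2010-05-04T10:12:09Z DENY tcp src=2001:db8:1:0:1234:5678:9abc:def0 sport=40000 dst=2001:6a8:3880:2::80 dport=3389
2010-05-04T10:13:30Z DENY tcp src=2001:db8:77::9 sport=60001 dst=2001:6a8:3880:2::c0 dport=80
2010-05-04T10:13:31Z DENY tcp src=2001:db8:77::9 sport=60002 dst=2001:6a8:3880:2::c0 dport=80
2010-05-04T10:14:02Z DENY tcp src=2001:db8:99::1 sport=44444 dst=2001:6a8:3880:2::80 dport=8080
"""

# Constructed: the (address, port) pairs the reverse proxy is meant to serve over v6.
PUBLISHED = {("2001:6a8:3880:2::80", 80), ("2001:6a8:3880:2::80", 443)}


def parse_line(line: str):
    """Parse one line; addresses become IPv6Address objects, so zero-padding and
    '::' compression differences no longer matter. Returns None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.IPv6Address(d["src"])
    d["dst"] = ipaddress.IPv6Address(d["dst"])
    d["dport"] = int(d["dport"])
    return d


def sources_by_64(events: list) -> Counter:
    """Denied attempts per external source /64. Counting per /128 would split one
    scanner that rotates its interface ID into many apparent attackers."""
    c = Counter()
    for e in events:
        if e["src"] not in SITE:
            c[str(ipaddress.IPv6Network(f"{e['src']}/64", strict=False))] += 1
    return c


def unpublished_web_targets(events: list, published: set) -> Counter:
    """Denied HTTP/HTTPS to our own addresses that are not published services: the
    symptom behind the deck's 'websites became down for IPv6 users'."""
    c = Counter()
    for e in events:
        key = (str(e["dst"]), e["dport"])
        if e["dst"] in SITE and e["dport"] in (80, 443) and key not in published:
            c[key] += 1
    return c


def analyse(text: str, published: set) -> dict:
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return {"parsed": len(events),
            "sources": sources_by_64(events),
            "broken_services": unpublished_web_targets(events, published)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, PUBLISHED)
    print(f"{report['parsed']} denied packets")
    for net, n in report["sources"].most_common():
        print(f"  {n:3d} attempts from {net}")
    for (dst, port), n in report["broken_services"].items():
        print(f"  {n:3d} denied web hits on {dst} port {port}: check DNS and the rproxy config")
```

On the sample, the three probes from 2001:db8:1::/64 collapse into one source even though two of them are written differently and the third uses another interface ID, and the two denied port-80 hits on 2001:6a8:3880:2::c0 point at the kind of misrouted website the deck only found by reading its firewall logs by hand.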