IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
IPv6 Security
Abstract: http://www.gogo6.com/forum/topics/speaking-on-ipv6-security-at-gogo6-live
Presentation video: http://www.gogo6.com/video/ipv4-vs-ipv6-the-shifting-security-paradigm-by-joe-klein-at
Interview video: http://www.gogo6.com/video/interview-with-joe-klein-at-gogonet-live-3-ipv6-conference

SPEAKER
Joe Klein - Cyber Security Principal Architect, QinetiQ
Bio/Profile: http://www.gogo6.com/profile/JoeKlein749

MORE
Learn more about IPv6 on the gogoNET social network
http://www.gogo6.com
Get free IPv6 connectivity with Freenet6
http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube
http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter
http://twitter.com/gogo6inc
Like gogo6 on Facebook
http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777

Usage Rights

© All Rights Reserved

Presentation Transcript

    • IPv4 vs. IPv6: The Shifting Security Paradigm
      Joe Klein, CISSP, C|EH, CISM, CISA, NSA-IAM/IEM, IA-CMM, 6Sigma…
      Scientific Hooligan, Longboat LLC
      Cyber Security SME, North American IPv6 Task Force
      Cyber Security SME, IPv6 Forum
      Cyber Security SME, IPv6 Cyber Security Task Force
      Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x, “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”
      JSKlein@gmail.com, Voice: 703-594-1419, Blog: http://scientifichooligan.me/
    • Scope of the cybersecurity problem
      • What is the cost of cybercrime?
      • Number of records compromised?
      • Number of systems, networks and applications compromised?
      • Millions? Billions? Trillions? Estimates?
    • Classes of attack: targeted
      • Inbound directed
        • Flaws in technology
        • Flaws in governance
        • Flaws in people
        • Flaws in adequate funding and staffing
      • Insiders
        • Disgruntled
        • Opportunistic
        • Untrained
      • Vendors
        • Supply chain
    • Verizon 2012 Data Breach Investigations Report. Reference: http://securityblog.verizonbusiness.com/
    • What we know about today’s security measures
      “The best companies aren’t the ones who stop attacks – that’s important – it’s the companies that can spot intrusions quickly and respond to them in ways that limit the damage.”
      “This idea that you can stop intrusions… just isn’t going to hold up against certain kinds of threats.”
      – Richard Bejtlich, TaoSecurity Blog
    • Our current security model (image). Source: http://www.photographersdirect.com/buyers/stockphoto.asp?imageid=2249700
    • Two models of survivability. From “What If We Got A ‘Do-Over?’: An Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
    • The human body uses both. Same source: Howard Shrobe, Program Manager, DARPA I2O, 2012
    • Trust Network Model (RFC 1918) | IPv4 (trust spectrum from “Everyone” to “No one”)
      • Everyone: all nodes and routers trust each other that:
        • All devices behave correctly
        • At Layer 2 (MAC) and Layer 3 (IP)
        • Hosts always provide true information
        • Routers always provide true information
      • Behind the NAT: “Blind trust behind the NAT”
        • All devices behave correctly
        • At Layer 2 (MAC) and Layer 3 (IP)
        • Hosts always provide true information
        • Internal communications trusted
        • Outbound-initiated communications trusted
        • Inbound-initiated communications trusted
        • Routers always provide true information
      • NETWORK CENTRIC – Fortress Model
    • Trust Node Model (RFC 3756) | IPv6 (trust spectrum from “Everyone” to “No one”)
      • Corporate Internet: “Blind trust”. All authenticated nodes and routers trust each other to:
        • Behave correctly at the IP layer
        • Not send any neighbor discovery message that contains false information
        • Not send any router discovery message that contains false information
      • Public wireless: “Trust transit, trust but verify nodes”. The router is trusted by the other nodes in the network to:
        • Be a legitimate router
        • Faithfully route packets within the local network
        • Faithfully route packets to any connected external networks
        The router is trusted to:
        • Behave correctly at the IP layer
        • Not send any neighbor discovery messages that contain false information
        • Not send any router discovery messages that contain false information
      • Ad hoc network: “Trust but verify hosts and transit”. Nodes do not directly trust each other at the IP layer, nor do they trust routers.
      • HOST CENTRIC – Organism Model
    • Survivability model | Resilience/Agility
      • Preparing for, preventing, or otherwise resisting an adverse event;
      • Absorbing, withstanding, or maintaining essential functions in the face of the event;
      • Recovering from the event; and
      • Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.
      This must be done as close to real time as possible!
      Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf
    • Techniques for Resilience/Agility (IPv6 features mapped to resilience)
      Adaptive; Integrity; Pro-active; Containment; Isolation; Randomness and unpredictability; Cyber Modeling; Least Privilege; Reconstitution; Deception; Monitoring; Redundancy; Detection; Cyber Maneuver; Topology Hiding; Distributedness; Precedence; Attribution; Diversity; Prioritization
      Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010
    • Why is your Internet edge scanned? ISR
      • Why: money; pre-attack preparation; research
      • How: inbound – packets against your infrastructure; outbound – outbound queries and cookies
      • Steps:
        • Intelligence – footprinting: data retrieved from third-party sources
        • Surveillance – scanning: directly or indirectly (services); layers 3-7, 8-10
        • Reconnaissance – enumeration: directly or indirectly (services); layers 3-7, 8-10
      Our focus is layers 3-7.
    • Attacker assumptions (IPv4 thinking in an IPv6 resilient world)
      • One address per physical interface
      • Inbound addresses = outbound addresses
      • Device addresses stay the same over time: inside the same network, with the same local address
      • If a system is not responding: do a port scan to find out whether it crashed or is now blocked; check back later to see if it was rebooted
    • Problems in IPv4: even a script kiddie can do it!
      • Destination – your network: densely populated; ‘fast’ brute-force tools; single interface address
      • Source of scan: needle in a haystack; fast vs. slow; limited context due to address fragmentation
      • NAT and tunnels hide true sources
      • Attribution is hard
    • Detecting | Impact of host density (2006): IPv4 brute-force attack – Internet survival time
      • Attacker: find and compromise an unpatched computer with a Windows operating system in less than 6 minutes (5+ minutes to find, >1 minute to compromise)
      • Identifying the attacker: noise hides indications of an attack
      Reference: SANS Institute’s Internet Storm Center
    • IPv6 brute-force attack – Internet survival time
      Assumption: 10,000 scans per minute to identify endpoints; non-optimized, non-distributed scanners

      Network          Prefix   Time to scan exhaustively
      IPv4 Internet    /0       298.26162 days
      IPv4             /24      0.02560 minutes
      IPv4             /27      0.00320 minutes
      IPv4             /28      0.00160 minutes
      IPv6 Internet    /0       89,088,482,281,112,800,000,000,000 millennia
      IPv6             /32      20,742,528,671,657,900 millennia
      IPv6             /56      1,236,351,053 millennia
      IPv6             /64      4,829,496 millennia

      A brute-force target scan is now an indicator of an attack, detectable at the firewall and DNS server.
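The survival-time table above is plain arithmetic: an exhaustive scan of a prefix costs 2 to the power (address bits minus prefix length) probes, divided by the probe rate. The following Python is an added example (not from the slides or the speaker) that reproduces that derivation for the same prefixes. It assumes the slide's 10,000 probes per minute and 365-day years for the millennium conversion; the IPv4 rows match the slide exactly, while the IPv6 rows come out about 27% below the slide's millennia figures because the slide does not state which days-per-year constant it used (the ratios between rows are the same).

```python
"""Brute-force scan time for an address block at a fixed probe rate.

Added example, not from the slides: reproduces the "Internet Survival Time"
table's arithmetic.  Assumed parameters: 10,000 probes per minute (the
slide's stated assumption) and 365-day years for the millennium conversion.
"""
from typing import List, Tuple

MINUTES_PER_DAY = 24 * 60
MINUTES_PER_YEAR = 365 * MINUTES_PER_DAY          # assumption: 365-day years
MINUTES_PER_MILLENNIUM = 1000 * MINUTES_PER_YEAR


def scan_minutes(address_bits: int, prefix_len: int,
                 probes_per_minute: int = 10_000) -> float:
    """Minutes needed to probe every address in one prefix of the given length.

    address_bits is 32 for IPv4 and 128 for IPv6.  An exhaustive scan costs
    2 ** (address_bits - prefix_len) probes, so every extra prefix bit halves it
    and every bit of host space doubles it.
    """
    if not 0 <= prefix_len <= address_bits:
        raise ValueError("prefix length out of range for this address family")
    hosts = 2 ** (address_bits - prefix_len)
    return hosts / probes_per_minute


def human_duration(minutes: float) -> Tuple[float, str]:
    """Express a duration in the largest unit that keeps the number readable."""
    if minutes >= MINUTES_PER_MILLENNIUM:
        return minutes / MINUTES_PER_MILLENNIUM, "millennia"
    if minutes >= MINUTES_PER_DAY:
        return minutes / MINUTES_PER_DAY, "days"
    return minutes, "minutes"


def survival_table(probes_per_minute: int = 10_000) -> List[Tuple[str, str, float, str]]:
    """Rows of (family, prefix, value, unit) for the prefixes the slide uses."""
    rows = []
    for family, bits, prefixes in (("IPv4", 32, (0, 24, 27, 28)),
                                   ("IPv6", 128, (0, 32, 56, 64))):
        for p in prefixes:
            value, unit = human_duration(scan_minutes(bits, p, probes_per_minute))
            rows.append((family, f"/{p}", value, unit))
    return rows


if __name__ == "__main__":
    for family, prefix, value, unit in survival_table():
        print(f"{family} {prefix:>4}: {value:,.5f} {unit}")
```

The useful comparison is between the IPv4 /24 row and the IPv6 /64 row: both are the smallest subnet an operator would normally hand out, yet one is swept in under two seconds and the other not within any meaningful horizon, which is why a source that keeps probing unused addresses inside a /64 is a signal rather than background noise.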
    • Smart targeting IPv6
      • Identify end devices based on IPv4 address (dual-stack):
        • Scan the IPv4 range, obtain host names.domains
        • Query AAAA based on names.domains
      • Identify end devices based on the IPv6 address identifier:
        • Linear search: find one device, scan up 1, 2, 3 or a, b, c
        • Bracketed search: find one device, scan around it (find 5, scan 1-4 & 5-9)
        • Pronounceable search: DEAD, BEEF, DEED, ABED, …
        • Pattern search: based on an identified pattern 1, 10, 100, 1000, …
        • Port search: 53, 80, 25, etc.
        • Based on function: routers .1, .2
      Smart target scanning is an indicator of “interest”. Detectable at the firewall and DNS server?
    • Static addresses | Use of deception
      • In A record: insert host names which do not exist, with AAAA records
      • Impact: additional scanning of the address shows intention; poisons the attacker’s current and future targeting list
      • Insert a honeypot linked to all addresses listed in the AAAA deception records, to detect attempts at compromise
      • Management: addresses assigned and AAAA records tracked in IPAM
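One way to implement the deception records and the detection they enable, as an added example that is not the speaker's code: it allocates random interface identifiers inside a site /64 for names that have no real host, emits the AAAA zone lines, and then scans constructed DNS query-log and firewall-log lines for anything that touches a decoy name or address, which covers both the dual-stack name harvesting and the address-pattern searches described on the previous slide. The prefix 2001:db8:1::/64, the zone example.net, the host and decoy names, and both log formats are assumptions of this example; the honeypot listener the slide mentions is not included, only the hit logging.

```python
"""Decoy AAAA records plus detection of anyone who follows them.

Added example; not from the slides.  Assumptions: the documentation prefix
2001:db8:1::/64 as the site prefix, a constructed list of real hosts, and
constructed DNS query-log and firewall-log lines in a simple space-separated
format of this example's own design.
"""
import ipaddress
import random
import re
from typing import Dict, List, Optional, Set

SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")   # assumption
ZONE = "example.net"                                     # assumption

# Constructed: real dual-stack hosts that already have A records.
REAL_HOSTS = {
    "www": ipaddress.IPv6Address("2001:db8:1::80"),
    "mail": ipaddress.IPv6Address("2001:db8:1::25"),
}

# Constructed: names that exist nowhere except in the deception records.
DECOY_NAMES = ["vpn2", "sap-prod", "backup01", "ipmi-rack3"]


def random_iid_address(prefix: ipaddress.IPv6Network,
                       rng: random.Random) -> ipaddress.IPv6Address:
    """Host address with a random interface identifier inside prefix.

    Random IIDs (not ::1, ::80 or DEAD:BEEF style values) are what keep the
    decoys indistinguishable from real hosts to pattern-based searches.
    """
    host_bits = 128 - prefix.prefixlen
    return prefix.network_address + rng.getrandbits(host_bits)


def build_decoys(seed: Optional[int] = None) -> Dict[str, ipaddress.IPv6Address]:
    """Map each decoy name to a random address that no real host uses."""
    rng = random.Random(seed)
    used = set(REAL_HOSTS.values())
    decoys = {}
    for name in DECOY_NAMES:
        addr = random_iid_address(SITE_PREFIX, rng)
        while addr in used:          # collision is vanishingly unlikely, cheap to check
            addr = random_iid_address(SITE_PREFIX, rng)
        used.add(addr)
        decoys[name] = addr
    return decoys


def zone_records(decoys: Dict[str, ipaddress.IPv6Address]) -> List[str]:
    """Zone-file lines for the deception records (AAAA only, no A record)."""
    return [f"{name}.{ZONE}. IN AAAA {addr}" for name, addr in decoys.items()]


# Constructed log formats for this example:
#   DNS:      "<ts> query <client-ip> <qname> <qtype>"
#   Firewall: "<ts> <action> <src-ip> -> <dst-ip>"
DNS_RE = re.compile(r"^(\S+) query (\S+) (\S+) (A|AAAA)$")
FW_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) -> (\S+)$")


def flag_interest(dns_lines: List[str], fw_lines: List[str],
                  decoys: Dict[str, ipaddress.IPv6Address]) -> Dict[str, Set[str]]:
    """Return {source -> decoy names it touched}.

    A query for a decoy name or traffic to a decoy address can only come from
    a harvested target list, so every hit is an indicator, not noise.
    """
    decoy_fqdns = {f"{n}.{ZONE}": n for n in decoys}
    decoy_addrs = {a: n for n, a in decoys.items()}
    hits: Dict[str, Set[str]] = {}
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and m.group(3).rstrip(".") in decoy_fqdns:
            hits.setdefault(m.group(2), set()).add(decoy_fqdns[m.group(3).rstrip(".")])
    for line in fw_lines:
        m = FW_RE.match(line)
        if not m:
            continue
        try:
            dst = ipaddress.IPv6Address(m.group(4))
        except ValueError:
            continue                  # IPv4 or malformed destination: cannot be a decoy
        if dst in decoy_addrs:
            hits.setdefault(m.group(3), set()).add(decoy_addrs[dst])
    return hits


def demo(seed: int = 7) -> Dict[str, Set[str]]:
    """Build decoys and run the detector over constructed log lines."""
    decoys = build_decoys(seed)
    dns = [
        "t1 query 2001:db8:2::10 www.example.net AAAA",        # legitimate lookup
        "t2 query 198.51.100.7 vpn2.example.net. AAAA",        # decoy name: interest
        "t3 query 198.51.100.7 sap-prod.example.net A",        # decoy name: interest
    ]
    fw = [
        f"t4 ACCEPT 2001:db8:2::10 -> {REAL_HOSTS['www']}",    # legitimate traffic
        f"t5 DROP 2001:db8:9::bad -> {decoys['backup01']}",     # decoy address: interest
        "t6 DROP 203.0.113.5 -> 192.0.2.1",                    # IPv4, ignored here
    ]
    return flag_interest(dns, fw, decoys)


if __name__ == "__main__":
    print("\n".join(zone_records(build_decoys(7))))
    for src, names in demo().items():
        print(f"{src}: touched decoys {sorted(names)}")
```

The decoy addresses must be reserved in IPAM so they are never reassigned to a real host, and the firewall rule for them should log and drop (or forward to the honeypot) rather than silently discard, since the log line is the whole point.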
    • Survivability model | IPv6 abundance. Summary:
      • Little noise from scanning, so it is easier to identify attackers
      • IPv6 devices with obscure names and random addresses are undiscoverable for inbound connections
      • Separating inbound and outbound connections breaks attacker preconceptions
      • Use of dual stack improves the target list for attackers
      • Techniques exist to provide pre-attack
    • Evolving IPv6 defensive tool kit – can’t be done on IPv4!
      • Large local segments
      • Large network
      • Non-routable addresses (aka RFC 1918) via ULA
      • Secure Neighbor Discovery (SEND) – Crypto-Generated Address (CGA)
      • IPsec (AH & ESP): H-G | G-G | H-H | tunnel & transport; with extension headers | H-G-G-H
      • Server Enclave Domain Isolation (SEDI)
      • Common Architecture Label IPv6 Security Option (CALIPSO)
      • DHCPv6 – multi-interface setup & signed
      • Multicast NTPv4 with Autokey public key authentication
      • Leverage DNSSEC to store public keys of registered devices
      • Leverage DNSSEC with ‘split-brain’ to limit disclosure
      • Multicast signature and security information – “parallel push”
      • Fast address maneuvering
      • Attribution
      • Infrastructure hiding
    • Take away
      • Security methods have failed
      • Resilience and agility provide a solution
      • IPv6 is not about the numbers, but about bringing resilience and agility tools to the defender
      • Many resilience techniques have yet to be implemented by vendors: ask for them repeatedly, or call me
      • Enjoy the remainder of the conference!
    • Where do attackers find vulnerabilities? All systems have vulnerabilities:
      1. Design and architecture phase (RFC, IEEE, W3C, ITU, etc.)
      2. Development phase (coding)
      3. Architecting, implementation and deployment (staff, procedures, governance, etc.)
      4. Management (patching, configuration management, etc.)
      5. End of life, refresh and replacement