Your SlideShare is downloading. ×
0
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet

772

Published on

Einbrüche, Viren, Trojaner, machen auch unter IPv6 nicht Halt. Als Marktführer im Bereich Unified-Threat-Management (UTM) entwickelt Fortinet umfassende Sicherheitslösungen zur Bekämpfung solcher …

Einbrüche, Viren, Trojaner, machen auch unter IPv6 nicht Halt. Als Marktführer im Bereich Unified-Threat-Management (UTM) entwickelt Fortinet umfassende Sicherheitslösungen zur Bekämpfung solcher Bedrohungen - für IPv4 und IPv6 Netzwerke. Der Workshop orientierte Vortrag zeigt die Notwendigkeit von umfassenden Security Lösungen bei der Migration zu IPv6 auf.

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
772
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
10
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. IPv4 HighwayFortinetIPv6 SecurityJune 8th, 2011Rainer Baeder Fortinet Confidential
  • 2. Drivers for IPv6 • Basic Demand Drivers • More network appliances but lack of IPv4 addresses to support • Control OpEx for network and IT • Elimination of complex NAT networks • Strong intrinsic security • Better support for mobility applications • Greater flexibility and simplicity • New Opportunities to Improve Business Performance Business process improvements • New business opportunities • More addresses for objects – enhanced automation and productivity • Machine-to-Machine (M2M) telematics / *Internet of Things* • IPv6 connection to anything2
  • 3. IPv6 – its time for preparing the step ... and basically – we run out of IPv4 addresses to stay competitive, we must open the door for IPv6 and use its foremost Snapshot June 3rd 2011
  • 4. Migration ComplexitiesDeployment Considerations • Compatibility issues between IPv4 and IPv6 • Vendor interoperability issues with IPv6 • Potential security issues • Network management considerations • Existing hardware may not handle IPv6 traffic efficiently • Router memory and CPU limitations may preclude IPv6 deployment • Technology refresh cycles can be exploited to deploy IPv6 capabilities • Global public routing practices continue to evolve4
  • 5. The most important targets of IPv6• Larger IP address space • IP Adresses are 128 bits (instead of 32 bits)• Advanced header structure • Improved processing capability thru Subsegmenting of essential and optional headerfields (in ExtensionHeaders)• Different IPv6 Addresses • Public IPv4 addresses correspond with Global Unicast Addresses • Private IPv4 addresses correspond with Site Local Unicast Addresses • Special Address types for usage of IPv4 and IPv6 in parallel• Support of autoconfiguration • Should follow Plug-and-Play principle• Improved security • 2 additional ExtensionHeaders are foreseen (Encapsulation Security Payload Header und Authentication Header) • Both can be used in IPv4 as well
  • 6. Principle Design Consideration • “Dual stack when you can – Tunnel when you must – Translate when no other option works” • Create a virtual team of IT representatives from every L9 Religious area of IT to ensure coverage for OS, Apps, Network L8 and Operations/Management Political L7 • Now is your time to build a network your way – don’t Application carry the IPv4 mindset forward with IPv6 unless it L6 Presentation makes sense L5 Session • Design Consistency with IPv4 L4 Transport • Design should work across all WAN clouds, LAN, L3 Enterprises, Data Center, Campus, etc Network L2 • Deploy it – at least in a lab – IPv6 won’t bite Data Link L1 • Consider the human factor, keep it simple! Physical6
  • 7. IPv6 Transition Methodologies MPLS-Based IP-Tunnel NAT-Based Solutions Approaches Solutions Configured Configured IPv4 to IPv4 IPv4 to IPv6 6PE 6VPE Tunnels Tunnels (Mitigation) (Interworking) GRE 6to4 NAT44 NAT464 L2TP 6RD NAT444 NAT64 Dual Stack GFP ISATAP DS-Lite NAT-TCP IP Teredo NAT-UDP DS-Lite NAT-ICMP7
  • 8. IPv6 Protocol Vulnerability • IPv6 Header • Extension Header • Header Manipulation • EHeader Filtering • Protocol Fuzzing • EHeader Fuzzing • ICMPv6 • Router Header Attacks • ICMPv6 Filtering • Fragmentation Header • ICMPv6 Attacks • Unknown Header • Node Survey • Protocol Layer Header • Scanning • Higher Layer Spoofing • Improved/Smart Scanning • Generic Malware • Multicast techiques • Router Protocol Security • Sniffing • Flooding / (d)DoS and Packet • Multicast8
  • 9. IPv6 Address Types – well-known Multicast • Interface-local scope • Link-local scope • FF01::1 all-nodes • FF02::1 all-nodes • FF01::2 all-routers • FF02::2 all-routers • Site-local scope • FF02::5 OSPFIGP • FF05::1:3 all-routers • FF02::9 RIP-routers • FF05::1:3 all DHCP servers • FF02::B Mobile Agents • FF02::6A all snoopers • FF02::1:2 all DHCP agents • FF01::101 / all-NTP Server on the same node as sender • FF02::101 / all-NTP Server on the same link as sender • FF05::101 / all-NTP Server on the same site as sender • FF0E::101 / all-NTP Server in the internetGlobal Unicast Addresses correspond with Public IPv4 addressesSite Local Unicast Addresses correspond with Private IPv4 addresses 9
  • 10. IPv6 Firewalling • IPv6 Addressing • DHCPv6 Threats • Unallocated Addresses • Endpoint Security • IPv6 Headers allowance • IPv6, IPSec and Firewalls • L2 FW • Management • IPv6 and NAT • Routing Security • Neigbor Discovery allowance • RIPng, OSPFv3 (NDP) • QoS Threats • Duplicate Address Detection Issue • Tunneled Traffic Inspection • Redirect Issue • Unwanted Tunnels • SEcure Neigbor Discovery • Mobile IPv6 (MIPv6) (SEND)10
  • 11. Fortinet IPv6 Strategy• Feature Parity on all function with IPv4 and IPv6 on higher layers • Application unaware weather it runs on IPv4 or IPv6• IPv6 Firewalling 3+ years integrated• Stepwise extension to a complete functionality on IPv6 • Almost completed now
  • 12. Today implemented for IPv4 & IPv6 • Stateful Firewalling and Routing • Serviceobjects (eg ICMPv6), IPv6 Addressobjects • Dynamic Routing, OSPF / RIP / BGP • AntiVirus Scanning • http(s), ftp, smtp(s), imap(s), pop3(s), Instant-Messaging, nntp • Intrusion Prevention • Signature based IPS/IDS and DoS-Protection • URL Filtering • Data Leak Prevention • Management of the device via IPv6 • eg SSH or https via IPv6 for devicemanagement12
  • 13. Today implemented for IPv4 & IPv6 • Bandwidth Management • Shaping, QoS • IPSec (IKEv1 & IKEv2) • DNS (AAAA Record) • IPv4 over IPv6 Tunneling • IPv6 over IPv4 Tunneling (eg Tunnelbroker like SixXS) • SIP ALG (Application Gateway) • Carrier-grade SIP-ALG. SIP-Fuzzing Protection, Pinholing, Rate-Control etc. • Application Control • Logging and Reporting of Datatraffic, Reporting on FortiAnalyzer13
  • 14. Protection on all Layers - UTM• Combined Methods on different layers• Allow, but don’t trust all application• Content of the application• Support for IPv4 und IPv614
  • 15. Forehand Planning is the key • Vision for the business or the adoption driver • IPv6 Training • IP architecture that supports the vision -> IPv6 addressing scheme + design • Evaluate infrastructure readiness to support the IPv6 implementation of the architecture • Drive requirements and define purchasing strategy • Align with other initiatives to accelerate readiness • Define timeline Overnight Adoption is Limiting and Expensive15
  • 16. Thank You.

×