Your SlideShare is downloading. ×

Michael De Leo Global IPv6 Summit México 2009

1,232

Published on

IPv6 Security …

IPv6 Security
Threats and
Mitigations
Michael De Leo
Office of the CTO
mdeleo@cisco.com

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,232
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. IPv6 Security Threats and Mitigations Michael De Leo Office of the CTO mdeleo@cisco.com Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Session Objectives   IPv6 vs. to IPv4 from a threat and mitigation perspective   Advanced IPv6 security topics like transition options and dual stack environments   Requirements: basic knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 © 2006, Cisco Systems, Inc. All rights reserved. 1 Presentation_ID.scr
  • 2. For Your For Reference Slides Reference   There are more slides in the hand-outs than presented during the class   Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3 Agenda   Shared Issues by IPv4 and IPv6   Specific Issues for IPv6 IPsec everywhere, dual-stack, tunnels and 6VPE   IPv6 Security Best Common Practice   Enforcing a Security Policy in IPv6 ACL, Firewalls and Host IPS   Enterprise Secure Deployment Secure IPv6 transport over public network Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 © 2006, Cisco Systems, Inc. All rights reserved. 2 Presentation_ID.scr
  • 3. IPv4 Vul. IPv6 Vul. Shared Issues Security Issues Shared by IPv4 and IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Reconnaissance in IPv6 Scanning Methods Are Likely to Change   Default subnets in IPv6 have 264 addresses 10 Mpps = more than 50 000 years   Public servers will still need to be DNS reachable ⇒ More information collected by Google...   Increased deployment/reliance on dynamic DNS => More information will be in DNS   Administrators may adopt easy-to-remember addresses (:: 10,::20,::F00D, ::C5C0 or simply IPv4 last octet for dual stack)   By compromising hosts in a network, an attacker can learn new addresses to scan Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6 © 2006, Cisco Systems, Inc. All rights reserved. 3 Presentation_ID.scr
  • 4. Scanning Made Bad for CPU   Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Built-in rate limiter but no option to tune it   Using a /64 on point-to-point links => a lot of addresses to scan!   Using infrastructure ACL prevents this scanning iACL: edge ACL denying packets addressed to your routers Easy with IPv6 because new addressing scheme can be done  Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7 Viruses and Worms in IPv6   Viruses and email, IM worms: IPv6 brings no change   Other worms: IPv4: reliance on network scanning IPv6: not so easy (see reconnaissance) => will use alternative techniques   Worm developers will adapt to IPv6   IPv4 best practices around worm detection and mitigation remain valid   Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery... Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 8 © 2006, Cisco Systems, Inc. All rights reserved. 4 Presentation_ID.scr
  • 5. IPv6 Privacy Extensions (RFC 3041) /23 /32 /48 /64 2001 Interface ID   Temporary addresses for IPv6 host client application, e.g. web browser Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detection before using it Rate of change based on local policy Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 9 L3 Spoofing in IPv6 uRPF Remains the Primary Tool for Protecting Against L3 Spoofing uRPF Loose Mode Inter-Networking Device with uRPF Enabled Access Layer X IPv6 Intranet/ Internet Spoofed IPv6 No Route to Src Addr prefix Source Address => Drop uRPF Strict Mode Inter-Networking Device with uRPF Enabled Access Layer X IPv6 Intranet/ Internet Spoofed IPv6 No Route to Src Addr prefix out the Source Address packet inbound interface => Drop IP Source Guard does not exist yet (see further slides) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 10 © 2006, Cisco Systems, Inc. All rights reserved. 5 Presentation_ID.scr
  • 6. ICMPv4 vs. ICMPv6   Significant changes   More relied upon ICMP Message Type ICMPv4 ICMPv6 Connectivity Checks X X Informational/Error Messaging X X Fragmentation Needed Notification X X Address Assignment X Address Resolution X Router Discovery X Multicast Group Management X Mobile IPv6 Support X   => ICMP policy on firewalls needs to change Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 11 For Your Equivalent ICMPv6 Reference Border Firewall Transit Policy* Internal Server A Internet ICMPv6 ICMPv6 Action Src Dst Name Type Code Permit Any A 128 0 Echo Reply Permit Any A 129 0 Echo Request Permit Any A 1 0 No Route to Dst. Permit Any A 2 0 Packet Too Big Time Exceeded— Permit Any A 3 0 TTL Exceeded Permit Any A 4 0 Parameter Problem *RFC 4890 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 12 © 2006, Cisco Systems, Inc. All rights reserved. 6 Presentation_ID.scr
  • 7. For Your Potential Additional ICMPv6 Reference Border Firewall Receive Policy* Internal Server A Firewall B Internet ICMPv6 ICMPv6 Action Src Dst Name Type Code Permit Any B 2 0 Packet too Big Permit Any B 130–132 0 Multicast Listener Neighbor Solicitation Permit Any B 133/134 0 and Advertisement Permit Any B 4 0 Parameter Problem *RFC 4890 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13 IPv6 Routing Header   An extension header   Processed by the listed intermediate routers   Two types Type 0: similar to IPv4 source routing (multiple intermediate routers) Type 2: used for mobile IPv6 Next Header = 43 IPv6 Basic Header Routing Header Routing Header Routing Header Next Header Ext Hdr Length RH Type Routing Type Segments Left Routing Header Data Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 14 © 2006, Cisco Systems, Inc. All rights reserved. 7 Presentation_ID.scr
  • 8. Type 0 Routing Header Issue #2: Amplification Attack   What if attacker sends a packet with RH containing A -> B -> A -> B -> A -> B -> A -> B -> A ....   Packet will loop multiple time on the link R1-R2   An amplification attack! A B Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15 Preventing Routing Header Attacks   Apply same policy for IPv6 as for Ipv4: Block Routing Header type 0   Prevent processing at the intermediate nodes no ipv6 source-route Windows, Linux, MacOS: default setting   At the edge With an ACL blocking routing header   RFC 5095 (Dec 2007) RH0 is deprecated Default IOS will change in 12.5T Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 16 © 2006, Cisco Systems, Inc. All rights reserved. 8 Presentation_ID.scr
  • 9. ARP Spoofing is now NDP Spoofing: Threats   ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones   Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack)   Attack tools exist (from THC – The Hacker Choice) Parasit6 Fakerouter6 ... Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 17 ARP Spoofing is now NDP Spoofing: Mitigation Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 18 © 2006, Cisco Systems, Inc. All rights reserved. 9 Presentation_ID.scr
  • 10. Quick Reminder IPv4 Broadcast Amplification: Smurf 160.154.5.0 ICMP REPLY D=172.18.1.2 S=160.154.5.14 Attempt to Overwhelm WAN ICMP REPLY D=172.18.1.2 S=160.154.5.15 Link to Destination ICMP REPLY D=172.18.1.2 S=160.154.5.16 ICMP REPLY D=172.18.1.2 S=160.154.5.17 172.18.1.2 ICMP REPLY D=172.18.1.2 S=160.154.5.18 ICMP REPLY D=172.18.1.2 S=160.154.5.19 Belgian ICMP REQ D=160.154.5.255 S= 172.18.1.2 Schtroumpf Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 19 IPv6 and Broadcasts   There are no broadcast addresses in IPv6   Broadcast address functionality is replaced with appropriate link local multicast addresses Link Local All Nodes Multicast—FF02::1 Link Local All Routers Multicast—FF02::2 Link Local All mDNS Multicast—FF02::FB Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim http://iana.org/assignments/ipv6-multicast-addresses/ Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 20 © 2006, Cisco Systems, Inc. All rights reserved. 10 Presentation_ID.scr
  • 11. IPv6 and Other Amplification Vectors   IOS implements correctly RFC 4443 ICMPv6 No ping-pong on a physical point-to-point link Section 3.1 No ICMP error message should be generated in response to a packet with a multicast destination address Section 2.4 (e.3) Exceptions for Section 2.4 (e.3) –  packet too big message –  the parameter problem message • Rate Limit egress ICMP Packets • Rate limit ICMP messages generation • Secure the multicast network (source specific multicast) • Note: Implement Ingress Filtering of Packets with IPv6 Multicast Source Addresses Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 21 Preventing IPv6 Routing Attacks Protocol Authentication   BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update   OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec   RIPng, PIM also rely on IPSec   IPv6 routing attack best practices Use traditional authentication mechanisms on BGP and IS-IS Use IPSec to secure protocols such as OSPFv3 and RIPng Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 22 © 2006, Cisco Systems, Inc. All rights reserved. 11 Presentation_ID.scr
  • 12. IPv6 Attacks with Strong IPv4 Similarities   Sniffing Without IPSec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4   Application layer attacks Even with IPSec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent   Rogue devices Rogue devices will be as easy to insert into an IPv6 network as in IPv4   Man-in-the-Middle Attacks (MITM) Without IPSec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4   Flooding Flooding attacks are identical between IPv4 and IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 23 IPv6 Stack Vulnerabilities   IPv6 stacks are new and could be buggy   Some examples CVE-2008-2476 Oct 2008 FreeBSD Lack of validation of NDP OpenBSD messages NetBSD and others CVE-2008-2136 May 2008 Linux DoS caused by memory leak in IPv6 tunnels CVE-2008-1153 Mar 2008 IOS Cisco IOS dual-stack router IPv6 DoS CVE-2007-4689 Nov 2007 Apple Mac OS X Packet processing double-free memory corruption CVE-2007-3038 Aug 2007 Microsoft Microsoft Windows Vista Teredo interface firewall bypass Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 24 © 2006, Cisco Systems, Inc. All rights reserved. 12 Presentation_ID.scr
  • 13. By the Way: It Is Real  IPv6 Hacking Tools Let the Games Begin   Sniffers/packet capture   Scanners Snort IPv6 security scanner TCPdump Halfscan6 Sun Solaris snoop Nmap COLD Strobe Wireshark Netcat Analyzer   DoS Tools Windump 6tunneldos WinPcap 4to6ddos Imps6-tools   Packet forgers Scapy6 SendIP Packit Spak6   Complete tool http://www.thc.org/thc-ipv6/ Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 25 IPv4 Vul. IPv6 Vul. Specific IPv6 Issues Issues Applicable only to IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 26 © 2006, Cisco Systems, Inc. All rights reserved. 13 Presentation_ID.scr
  • 14. The IPsec Myth: IPsec End-to-End will Save the World Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets. Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 27 IPv4 to IPv6 Transition Challenges   16+ methods, possibly in combination   Dual stack Consider security for both protocols Cross v4/v6 abuse Resiliency (shared resources)   Tunnels Bypass firewalls (protocol 41 or UDP) Can cause asymmetric traffic (hence breaking stateful firewalls) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 28 © 2006, Cisco Systems, Inc. All rights reserved. 14 Presentation_ID.scr
  • 15. Dual Stack Host Considerations IPv4 IPsecVPN with No Split Tunneling Dual Stack Client IPv6 HDR IPv6 Exploit Does the IPsec Client Stop an Inbound IPv6 Exploit? Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 29 Dual Stack with Enabled IPv6 by Default   Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)   Your network: Does not run IPv6   Your assumption: I’m safe   Reality You are not safe Attacker sends Router Advertisements Your host configures silently to IPv6 You are now under IPv6 attack   => Probably time to think about IPv6 in your network Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 30 © 2006, Cisco Systems, Inc. All rights reserved. 15 Presentation_ID.scr
  • 16. L3-L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels   Most IPv4/IPv6 transition mechanisms have no authentication built in   => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Is Spoofed Tunnel Termination Forwards the Inner IPv6 Packet IPv4 IPv6 Public IPv4 Internet IPv6 Network IPv6 Network IPv6 in IPv4 Tunnel Tunnel Tunnel Termination Termination Server A Server B Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 31 6to4/ISATAP Tunnels Bypass ACL IPv6 6to4 relay Internet ACL IPv4 tunnel 6to4 6to4 router router Direct tunneled traffic ignores hub ACL Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6to4 router 32 © 2006, Cisco Systems, Inc. All rights reserved. 16 Presentation_ID.scr
  • 17. TEREDO?   Teredo navalis A shipworm drilling holes in boat hulls   Teredo Microsoftis IPv6 in IPv4 punching holes in NAT devices Source: United States Geological Survey Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 33 Teredo Tunnels (1/3) Without Teredo: Controls Are in Place   All outbound traffic inspected: e.g., P2P is blocked   All inbound traffic blocked by firewall IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 34 © 2006, Cisco Systems, Inc. All rights reserved. 17 Presentation_ID.scr
  • 18. Teredo Tunnels (2/3) No More Outbound Control Teredo threats—IPv6 over UDP (port 3544)   Internal users wants to get P2P over IPv6   Configure the Teredo tunnel (already enabled by default!)   FW just sees IPv4 UDP traffic (may be on port 53)   No more outbound control by FW IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 35 Teredo Tunnels (3/3) No More Outbound Control Once Teredo Configured   Inbound connections are allowed   IPv4 firewall unable to control   IPv6 hackers can penetrate   Host security needs IPv6 support now IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 36 © 2006, Cisco Systems, Inc. All rights reserved. 18 Presentation_ID.scr
  • 19. Is it real? May be uTorrrent 1.8 (released Aug 08) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 37 Can We Block Rogue Tunnels?   Rogue tunnels by naïve users: Sure, block IP protocol 41 and UDP/3544 In Windows: netsh interface 6to4 set state state=disabled undoonstop=disabled netsh interface isatap set state state=disabled netsh interface teredo set state type=disabled   Really rogue tunnels (covert channels) No easy way... Teredo will run over a different UDP port of course Network devices can be your friend (more to come)   Deploying native IPv6 (including IPv6 firewalls and IPS) is probably a better alternative   Or disable IPv6 on Windows through GPO or CSA 6.0 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 38 © 2006, Cisco Systems, Inc. All rights reserved. 19 Presentation_ID.scr
  • 20. SP Transition Mechanism: 6VPE   6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions v4 only VPN v4 only VPN 10.1.1.0/24 10.1.2.0/24 PE1 PE3 VRF v4 and v6 VPN IPv4 only MPLS VRF v4 and v6 VPN VRF 2001:db8:1:1:/64 Dual-Stack 2001:db8:1:2:/64 Dual-Stack IPv4-IPv6 10.1.1.0/24 IPv4-IPv6 10.1.2.0/24 PE Routers PE Routers VRF v6 VPN VRF v6 VPN PE4 VRF PE2 2001:db8:1:1:/64 2001:db8:1:2:/64 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 39 6VPE Security Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 40 © 2006, Cisco Systems, Inc. All rights reserved. 20 Presentation_ID.scr
  • 21. IPv6 Security Best Common Practice Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 41 For Your Candidate Best Practices Reference   Train your network operators and security managers on IPv6   Selectively filter ICMP (RFC 4890)   Implement RFC 2827-like filtering   Block Type 0 Routing Header at the edge   Determine what extension headers will be allowed through the access control device   Deny IPv6 fragments destined to an internetworking device when possible   Use traditional authentication mechanisms on BGP and IS-IS   Use IPsec to secure protocols such as OSPFv3 and RIPng   Document procedures for last-hop traceback Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 42 © 2006, Cisco Systems, Inc. All rights reserved. 21 Presentation_ID.scr
  • 22. For Your Candidate Best Practices (Cont.) Reference   Implement privacy extensions carefully   Filter internal-use IPv6 addresses & ULA at the border routers   Filter unneeded services at the firewall   Maintain host and application security   Use cryptographic protections where critical   Implement ingress filtering of packets with IPv6 multicast source addresses   Use static tunneling rather than dynamic tunneling   Implement outbound filtering on firewall devices to allow only authorized tunneling endpoints Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 43 Enforcing a Security Policy Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 44 © 2006, Cisco Systems, Inc. All rights reserved. 22 Presentation_ID.scr
  • 23. Cisco IOS IPv6 Extended Access Control Lists   Very much like in IPv4 Filter traffic based on Source and destination addresses Next header presence Layer 4 information Implicit deny all at the end of ACL Empty ACL means traffic allowed Reflexive and time based ACL   Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until: Layer 4 header found Unknown extension header is found   Side note for 7600 & other switches: No VLAN ACL Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (end 2009), Cat 6K (mid 2010) Long extension headers chain force a software switching Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 45 IOS IPv6 Extended ACL   Can match on Upper layers: TCP, UDP, SCTP port numbers TCP flags SYN, ACK, FIN, PUSH, URG, RST ICMPv6 code and type Traffic class (only six bits/8) = DSCP Flow label (0-0xFFFFF)   IPv6 extension header routing matches any RH, routing-type matches specific RH mobility matches any MH, mobility-type matches specific MH dest-option matches any, dest-option-type matches specific destination options auth matches AH Can skip AH (but not ESP) since IOS 12.4(20)T   fragments keyword matches Non-initial fragments (same as IPv4) And the first fragment if the L4 protocol cannot be determined   undetermined-transport keyword matches (only for deny) Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 46 © 2006, Cisco Systems, Inc. All rights reserved. 23 Presentation_ID.scr
  • 24. Cisco IOS IPv6 ACL A Trivial Example Filtering inbound traffic to one specific destination address 2001:db8:2c80:1000::1 others ipv6 access-list MY_ACL remark basic anti-spoofing IPv6 Internet deny 2001:db8:2c80:1000::/64 any permit any 2001:db8:2c80:1000::1/128 interface Serial 0 ipv6 traffic-filter MY_ACL in Serial 0 Prefix: 2001:db8:2c80:1000::/64 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 47 Example: Rogue RA & DHCP Port ACL ipv6 access-list ACCESS_PORT remark Block all traffic DHCP server -> client deny udp any eq 547 any eq 546 remark Block Router Advertisements deny icmp any any router-advertisement permit any any Interface gigabitethernet 1/0/1 switchport ipv6 traffic-filter ACCESS_PORT in Note: PACL replaces RACL for the interface In May 2009, only on Nexus-7000 and Cat 3750 12.2(46)SE Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 48 © 2006, Cisco Systems, Inc. All rights reserved. 24 Presentation_ID.scr
  • 25. For Your IPv6 ACL to Protect VTY Reference ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any line vty 0 4 ipv6 access-class VTY in Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 49 Cisco IOS Firewall IPv6 Support   Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic   IOS 12.3(7)T (released 2005)   Stateful inspection of IPv4/IPv6 packets   IPv6 DoS attack mitigation   Recognizes IPv6 extension headers IPv6 Router with IPv4 Cisco IOS Firewall IPv6 Router with Site 3 Cisco IOS Firewall IPv6 IPv6 Router with Cisco IOS Firewall Dual Stack Site 1 Router IPv6 Internet IPv6 Site 2 IPv6 (IPv4) IPv6 Router with Cisco IOS Firewall Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 50 © 2006, Cisco Systems, Inc. All rights reserved. 25 Presentation_ID.scr
  • 26. ASA Firewall IPv6 Support   Since version 7.0 (April 2005)   Dual-stack, IPv6 only, IPv4 only   Extended IP ACL with stateful inspection   Application awareness HTTP, FTP, telnet, SMTP, TCP, SSH, UDP   uRPF and v6 Frag guard   IPv6 header security checks   Management access via IPv6 Telnet, SSH, HTTPS   ASDM support (ASA 8.2)   Routed & transparent mode (ASA 8.2)   Caveat: no fail-over support Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 51 Cisco Security Agent and IPv6   IPv6 support for Windows in CSA 6.0.1 (June 2008) deny – IPv6 ACL (only on Vista) – Disable IPv6 (XP and Vista) to any IPv6 addresses Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 52 © 2006, Cisco Systems, Inc. All rights reserved. 26 Presentation_ID.scr
  • 27. Cisco IPS 6.2 New IPv6 Engine Rules to block traffic Drop Malware traffic ASA 8.2 transfert IPv6 traffic To Sensor Engine Drop Internet ASA IPv6 malware traffic   Safe Traffic   Unselected Traffic  Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 53 Enterprise Deployment: Secure IPv6 Connectivity How to Secure IPv6 over the WAN Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 54 © 2006, Cisco Systems, Inc. All rights reserved. 27 Presentation_ID.scr
  • 28. Secure IPv6 over IPv4/6 Public Internet   No traffic sniffing   No traffic injection   No service theft Public Network Site 2 Site Remote Access  6in4/GRE Tunnels Protected   ISATAP Protected by IPv4 by IPsec RA IPsec  DMVPN 12.4(20)T   SSL VPN Client AnyConnect IPsec VTI 12.4(6)T N/A IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 55 Secure Site to Site IPv6 Traffic over IPv4 Public Network with GRE IPsec IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets IPv6 Network IPv6 Network IPv6 in IPv4 tunnelIPsec IPv4 GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel See reference slides for more details Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 56 © 2006, Cisco Systems, Inc. All rights reserved. 28 Presentation_ID.scr
  • 29. Secure Site to Site IPv6 Traffic over IPv4 Public Network with DMVPN Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 57 Secure Site to Site IPv6 Traffic For Your over IPv6 Public Network Reference   Since 12.4(6)T, IPsec also works for IPv6   Using the Virtual Interface interface Tunnel0 no ip address ipv6 address 2001:DB8::2811/64 ipv6 enable tunnel source Serial0/0/1 tunnel destination 2001:DB8:7::2 tunnel mode ipsec ipv6 tunnel protection ipsec profile ipv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 58 © 2006, Cisco Systems, Inc. All rights reserved. 29 Presentation_ID.scr
  • 30. IPv6 for Remote Devices Solutions   Enabling IPv6 traffic inside the Cisco VPN Client tunnel NAT and Firewall traversal support Allow remote host to establish a v6-in-v4 tunnel either automatically or manually ISATAP—Intra Site Automatic Tunnel Addressing Protocol Fixed IPv6 address enables server’s side of any application to be configured on an IPv6 host that could roam over the world   Use of ASA 8.0 and SSL VPN Client AnyConnect Can transfer IPv6 traffic over public IPv4 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 59 Secure RA IPv6 Traffic over IPv4 Public Network: ISATAP in IPSec IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets IPv6 Network IPsec ISATAP IPv6 PC Enterprise ISATAP IPv4 VPN head-end Tunnel server (ASA, IOS, ...) on dual stack router IPsec with NAT-T can traverse NAT ISATAP encapsulates IPv6 into IPv4 See reference slides for more details Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 60 © 2006, Cisco Systems, Inc. All rights reserved. 30 Presentation_ID.scr
  • 31. Secure RA IPv6 Traffic over IPv4 Public Network: AnyConnect SSL VPN Client IPv6 Network IPv4 and IPv6 Transport in SSL IPv6 PC ASA 8.0 AnyConnect IPv4 SSL VPN Concentrator Dual Stack Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 61 Conclusion Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 62 © 2006, Cisco Systems, Inc. All rights reserved. 31 Presentation_ID.scr
  • 32. Key Take Away Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 63 Is IPv6 in My Network?   Easy to check!   Look inside NetFlow records Protocol 41: IPv6 over IPv4 or 6to4 tunnels IPv4 address: 192.88.99.1 (6to4 anycast server) UDP 3544, the public part of Teredo, yet another tunnel   Look into DNS server log for resolution of ISATAP   Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 64 © 2006, Cisco Systems, Inc. All rights reserved. 32 Presentation_ID.scr
  • 33. Q and A Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 65 Recommended Reading Source: Cisco Press Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 66 © 2006, Cisco Systems, Inc. All rights reserved. 33 Presentation_ID.scr
  • 34. Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 67 © 2006, Cisco Systems, Inc. All rights reserved. 34 Presentation_ID.scr

×