IPv6 Security

289 views
233 views

Published on

Presented on 6 September 2013 in a seminar organised by Progreso Training.

Sign up for free seminars at http://progresotraining.eventbrite.sg or http://www.progreso.com.sg/training/event_view_all.php for an overview of IPv6 Security.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
289
On SlideShare
0
From Embeds
0
Number of Embeds
48
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

IPv6 Security

  1. 1. www.progreso.com.sg1 IPv6 Cyber Security: What Security Issues have you Missed Out? 6 September 2013
  2. 2. www.progreso.com.sg2 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  3. 3. www.progreso.com.sg3 Myth on Increased Security  IPv6 is more secure than IPv4, since security was considered during the design of the protocol and not as an afterthought.
  4. 4. www.progreso.com.sg4 Myth on End-to-end Principle  IPv6 will return the end-to-end principle to the Internet, hence security architectures will switch from the network to the hosts.
  5. 5. www.progreso.com.sg5 Myth on NAT  IPv6 networks will be NAT-free.
  6. 6. www.progreso.com.sg6 Myth on Host Reconnaissance  The massive IPv6 address space will make host scanning unfeasible.
  7. 7. www.progreso.com.sg7 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  8. 8. www.progreso.com.sg8 The New Cyber Landscape - Multiple threat vectors
  9. 9. www.progreso.com.sg9 Attack Vectors on IPv6  IPv6 addressing architecture  Network reconnaissance  Spoofing and smurf attacks  Worms and viruses  Main packet header + extension header issues  IPv6 layer-2 and layer-3 security compromises  Security on the routing infrastructure  Vulnerabilities in transition mechanisms
  10. 10. www.progreso.com.sg10 Hacking Groups Script kiddies Political Hacktivists Crime Rings State Sponsored Teams
  11. 11. www.progreso.com.sg11 Kiddie Scripts
  12. 12. www.progreso.com.sg12 Nmap Scanning
  13. 13. www.progreso.com.sg13 Vulnerability Scanning using Nessus
  14. 14. www.progreso.com.sg14 Packet Crafting
  15. 15. www.progreso.com.sg15 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  16. 16. www.progreso.com.sg16 Dissecting an IPv6 Address Global Routing Prefix (length = a) Subnet ID (length = b) Interface ID (length = 128 - a – b)
  17. 17. www.progreso.com.sg17 Methods of Generating the IID  EUI-64: Embedding the MAC  Employ low-byte addresses  Embed IPv4 address  “Wordy” address  Privacy or temporary address  Transition/Coexistence mechanisms
  18. 18. www.progreso.com.sg18 EUI-64 IEEE OUI ff-fe Lower 24 bits of MAC Known/searchable (24 bits) Fixed (16 bits) Unknown (24 bits) 264 224
  19. 19. www.progreso.com.sg19 Low-Byte Addresses 2001:db8:1234:5678:0000:0000:0000:1234 2001:db8:1234:5678:0000:0000:0000:0001 2001:db8:1234:5678:0000:0000:0000:8888 264 216 or 28
  20. 20. www.progreso.com.sg20 Embedded IPv4 Addresses 2001:db8:1234:5678:0000:0000:c0a8:0101 2001:db8:1234:5678:0000:0000:0808:0808 264 232 8.8.8.8 192.168.1.1
  21. 21. www.progreso.com.sg21 Wordy Addresses 264 232 2001:db8:1234:5678:dec:1ded:c0:ffee Dictionary-based scanning 2a03:2880:2110:3f02:face:b00c::
  22. 22. www.progreso.com.sg22 Privacy/Temporary Addresses  RFC 4941 2001:db8:1234:5678:e24a:71c:d93f:7b0 2001:db8:1234:5678:0000:0000:0000:8888 Host is still compromised!
  23. 23. www.progreso.com.sg23 Transition/Coexistence Technologies 6to4 = 2002:c0a1:c0fe:1:2e0:18ff:fefb:7a25/48 ISATAP = fe80::5efe:c0a1:c0fe NAT64 = 64:ff9b::c0a1:c0fe
  24. 24. www.progreso.com.sg24 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  25. 25. www.progreso.com.sg25 IPv6 Education and Training
  26. 26. www.progreso.com.sg26 Upgrade Security Tools
  27. 27. www.progreso.com.sg27 Additional Configurations
  28. 28. www.progreso.com.sg28 Risks of Tunneling Protocols
  29. 29. www.progreso.com.sg29 New Features Adds Complexity
  30. 30. www.progreso.com.sg30 Agenda  IPv6 Security Myths  IPv6 Security Compromises  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  31. 31. www.progreso.com.sg31 Transitions and Cybersecurity
  32. 32. www.progreso.com.sg32 Apply Rigorous Oversight
  33. 33. www.progreso.com.sg33 Leverage Accredited IPv6 Test Program
  34. 34. www.progreso.com.sg34 Don’t Get Intimidated
  35. 35. www.progreso.com.sg35 Incremental Deployment
  36. 36. www.progreso.com.sg36 Don’t Lose Sleep Over Dual Stacking
  37. 37. www.progreso.com.sg37 Agenda  IPv6 Security Myths  Network Reconnaissance in IPv6  IPv6 for Security Practitioners  Ensuring Cybersecurity in IPv6 Transitions  IPv6 Security Implementations
  38. 38. www.progreso.com.sg38 IPv6 Security Measures  Endpoint security  Standalone firewalls  Packet filters  Data link level security
  39. 39. www.progreso.com.sg39 IPv6 Security Implementation Concerns  IPv6 protocol stack vulnerabilities  Lack of IPv6 exposure and operational experience  Unintentional connectivity via tunneling  Lack of first-hop security features Application TCP UDP IPv4 IPv6 Data Link
  40. 40. www.progreso.com.sg40 Call to Action  IPv6 is the future of the Internet  There are significant differences between IPv4 and IPv6  Don’t lag behind in IPv6 knowledge  Join now to learn more!
  41. 41. www.progreso.com.sg41 Are You Ready?

×