IPv6 Threats<br />Slides from June 2011 webcast<br />
2<br />View the recorded webcast on SlideShare at… <br />http://www.slideshare.net/Commtouch/commtouch-ipv6-threats<br />o...
Eyal OrgilMarketing DirectorCommtouch<br />Welcome to Part 2IPv6 Informational Series<br />
IPv6 Informational Series<br />Part 1: An Introduction to IPv6<br />on<br />Eyal OrgilMarketing DirectorCommtouch<br />htt...
IPv6 Informational Series<br />Part 1: An Introduction to IPv6<br />Part 2: IPv6 Security Threats<br />Eyal OrgilMarketing...
Speakers<br />Asaf GreinerVP ProductsCommtouch<br />Gabriel M. MizrahiVP TechnologiesCommtouch<br />
Have a question? <br />Send questions to: IPv6@commtouch.com<br />Responses posted: http://blog.commtouch.com<br />
Is the Change to IPv6 aSignificant Security Event?<br />
Is IPv6 a Significant Event<br />Move to IPv6 a transition, not an event<br />Taking place for several years<br />Will con...
Is IPv6 a Significant Event<br />Many IPv4 threats not applicable to IPv6<br />Care must be taken when using dual-networks...
Is IPv6 a Significant Event<br />Many IPv6 users today are experts and enthusiasts<br />IPv6 is not yet in widespread usag...
Is IPv6 a Significant Event<br />Hackers will utilize IPv6 when it will bring them value<br />Not deployed widely enough i...
The Hype About IPv6 – Is it Just Another Y2K Scare?<br />
Is IPv6 Another Y2K?<br />Don’t be scared of IPv6, but don’t take lightly <br />IPv6 is a technology which offers:<br />Ne...
Is IPv6 Another Y2K?<br />Expect many mission critical infrastructures to remain IPv4<br />Enough IPv4 addresses for these...
Top Security Issues with IPv6<br />
IPv6 Security Issues<br />Top three security related issues IPv6:<br />Tunneling of IPv6 over IPv4 (6 to 4)<br />Rogue dev...
Threat: IP Tunneling<br />
IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />IPv4<br />IPv4<br />IPv4<br />IPv4 Address<br />...
IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />IPv4<br />IPv4<br />IPv4<br />IPv6 Address<br />...
IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />GW<br />IPv4-to-IPv6<br />Gateway<br />IPv4<br /...
IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4website<br />FW Policy: No Angry Birds<br />IPv4 Network<br />...
IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4website<br />FW Policy: No Angry Birds<br />IPv4 Network<br />...
IPv6 Tunneling Threat<br />Need to be aware that security devices are configured for IPv6<br />For example firewalls<br />...
Threat: Rogue Devices<br />
Rogue Devices<br />
Rogue Devices<br />Rogue Device<br />
Rogue Devices<br />IPv6 Prefix<br />IPv6 Prefix<br />Rogue Device<br />
Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />IPv4 Network<br />
Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />IPv6 Network<br />IPv4 Network<br />IPv6 enabledby default...
Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />Internet?<br />Internet?<br />Internet?<br />IPv6 Network<...
Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />Internet?<br />Internet?<br />Internet?<br />IPv6 Network<...
Rogue Devices<br />The difference is:<br />IPv4 is used daily<br />If a different allocation is provided, there will be no...
Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
Rogue Devices<br />Not only a Windows problem<br />An issue with most operating systems<br />IPv6 is defined by default<br...
Threat: IP Reputation<br />
IP Reputation<br />Far more IP addresses in IPv6<br />232 compared to  2128<br />Challenges<br />IP allocation will be dif...
IP Reputation<br />Last 64 bits define the device ID<br />Complicate issue by using randomizer to change 64 bit<br />Every...
IP Reputation<br /><ul><li>IP reputation on 128 bits very difficult
Need other methods to build reputation
Such as subnets
Storing IP information in memory
Vast amount of memory will be needed
No NAT in IPv6
Some believe a security issue
They believe NAT provides a layer of security
IPv6 provides public IPs for all devices</li></li></ul><li>Commtouch Compliancewith IPv6<br />
Commtouch and IPv6<br />Commtouch has been working on IPv6 for some time<br />Making changes to client side and back-end<b...
Commtouch and IPv6<br />Monitoring the Internet <br />Identifying IPv6 threats<br />Classifying threats<br />Currently see...
Recommendations for MinimizingIPv6 threats<br />
Upcoming SlideShare
Loading in …5
×

Slides from IPv6 Threats

1,860 views

Published on

The Internet industry is undergoing a fundamental change as it transitions from IPv4 to IPv6. These slides are from the June 2011 webcast which provided an overview of IPv6 Threats, recommendations on how to stay protected during the transition to IPv6 as well as information on what Commtouch is doing to ensure its solutions are IPv6 compliant.

The webcast features Commtouch security experts Asaf Greiner and Gabriel M. Mizrahi. You can view the webcast on the Commtouch Slideshare page.

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,860
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
95
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Slides from IPv6 Threats

  1. 1. IPv6 Threats<br />Slides from June 2011 webcast<br />
  2. 2. 2<br />View the recorded webcast on SlideShare at… <br />http://www.slideshare.net/Commtouch/commtouch-ipv6-threats<br />on<br />
  3. 3. Eyal OrgilMarketing DirectorCommtouch<br />Welcome to Part 2IPv6 Informational Series<br />
  4. 4. IPv6 Informational Series<br />Part 1: An Introduction to IPv6<br />on<br />Eyal OrgilMarketing DirectorCommtouch<br />http://www.slideshare.net/Commtouch<br />or at<br />www.commtouch.com/introduction-ipv6<br />
  5. 5. IPv6 Informational Series<br />Part 1: An Introduction to IPv6<br />Part 2: IPv6 Security Threats<br />Eyal OrgilMarketing DirectorCommtouch<br />
  6. 6. Speakers<br />Asaf GreinerVP ProductsCommtouch<br />Gabriel M. MizrahiVP TechnologiesCommtouch<br />
  7. 7. Have a question? <br />Send questions to: IPv6@commtouch.com<br />Responses posted: http://blog.commtouch.com<br />
  8. 8. Is the Change to IPv6 aSignificant Security Event?<br />
  9. 9. Is IPv6 a Significant Event<br />Move to IPv6 a transition, not an event<br />Taking place for several years<br />Will continue for many more years<br />There will be security implications<br />During the transition period<br />After fully implemented<br />Many threats same as IPv4<br />Especially while dual-stacks are in use<br />
  10. 10. Is IPv6 a Significant Event<br />Many IPv4 threats not applicable to IPv6<br />Care must be taken when using dual-networks<br />Many existing security solutions can protect against IPv6 threats<br />But, must be properly configured<br />Many threats related to transition to IPv6, not new threats<br />
  11. 11. Is IPv6 a Significant Event<br />Many IPv6 users today are experts and enthusiasts<br />IPv6 is not yet in widespread usage<br />Still see minimal usage of IPv6<br />Wider adoption of IPv6 depends on readiness of network infrastructures<br />Currently no big incentive to move to IPv6<br />
  12. 12. Is IPv6 a Significant Event<br />Hackers will utilize IPv6 when it will bring them value<br />Not deployed widely enough in order to invest time<br />As IPv6 grows it will appear on the Hacker radar<br />Transition a long process, not a one day event<br />Advise that you learn and adjust<br />
  13. 13. The Hype About IPv6 – Is it Just Another Y2K Scare?<br />
  14. 14. Is IPv6 Another Y2K?<br />Don’t be scared of IPv6, but don’t take lightly <br />IPv6 is a technology which offers:<br />New opportunities<br />New challenges<br />No date for IPv6<br />Will take years for IPv6 to become the main protocol<br />
  15. 15. Is IPv6 Another Y2K?<br />Expect many mission critical infrastructures to remain IPv4<br />Enough IPv4 addresses for these<br />Unlikely websites will be moved to be IPv6 in near future<br />When a large move occurs, we will know:<br />There is a large user IPv6 base<br />End of transition period is near<br />
  16. 16. Top Security Issues with IPv6<br />
  17. 17. IPv6 Security Issues<br />Top three security related issues IPv6:<br />Tunneling of IPv6 over IPv4 (6 to 4)<br />Rogue devices<br />IP Reputation<br />
  18. 18. Threat: IP Tunneling<br />
  19. 19. IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />IPv4<br />IPv4<br />IPv4<br />IPv4 Address<br />Internal<br />Network<br />Internet<br />
  20. 20. IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />IPv4<br />IPv4<br />IPv4<br />IPv6 Address<br />Internal<br />Network<br />Internet<br />
  21. 21. IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4 Network<br />GW<br />IPv4-to-IPv6<br />Gateway<br />IPv4<br />IPv6<br />IPv4<br />IPv4<br />IPv6<br />IPv6 over IPv4<br />IPv6 Address<br />IPv6 over IPv4 tunnel<br />Internal<br />Network<br />Internet<br />
  22. 22. IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4website<br />FW Policy: No Angry Birds<br />IPv4 Network<br />IPv4<br />IPv4<br />IPv4<br />Internal<br />Network<br />Internet<br />
  23. 23. IPv6 Tunneling Threat<br />IPv4 ConfiguredFirewall<br />IPv4website<br />FW Policy: No Angry Birds<br />IPv4 Network<br />GW<br />IPv4-to-IPv6<br />Gateway<br />IPv6website<br />IPv6<br />IPv4<br />IPv6<br />IPv4<br />IPv4<br />IPv6 over IPv4<br />Bypass firewall policy<br />Internal<br />Network<br />Internet<br />
  24. 24. IPv6 Tunneling Threat<br />Need to be aware that security devices are configured for IPv6<br />For example firewalls<br />Another example – IDS (Intrusion Detection System) <br />Can inspect IPv6, but you need to enable it<br />If not, you won’t be enforcing the policy on IPv6<br />
  25. 25. Threat: Rogue Devices<br />
  26. 26. Rogue Devices<br />
  27. 27. Rogue Devices<br />Rogue Device<br />
  28. 28. Rogue Devices<br />IPv6 Prefix<br />IPv6 Prefix<br />Rogue Device<br />
  29. 29. Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />IPv4 Network<br />
  30. 30. Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />IPv6 Network<br />IPv4 Network<br />IPv6 enabledby default<br />
  31. 31. Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />Internet?<br />Internet?<br />Internet?<br />IPv6 Network<br />IPv4 Network<br />IPv6 searchesfor accessto the Internet<br />
  32. 32. Rogue Devices<br />Windows 7<br />Windows 7<br />Windows 7<br />Internet?<br />Internet?<br />Internet?<br />IPv6 Network<br />IPv4 Network<br />IPv6 Prefix<br />IPv6 Prefix<br />Internet<br />IPv6<br />Rogue Device<br />
  33. 33. Rogue Devices<br />The difference is:<br />IPv4 is used daily<br />If a different allocation is provided, there will be noticeable effects<br />With IPv6, the insertion of a rogue device may go unnoticed<br />
  34. 34. Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
  35. 35. Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
  36. 36. Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
  37. 37. Rogue Devices<br />IPv6 Network<br />Man in the middle<br />Internet<br />IPv6<br />Rogue Device<br />
  38. 38. Rogue Devices<br />Not only a Windows problem<br />An issue with most operating systems<br />IPv6 is defined by default<br />IPv6 could run in the background without anyone’s knowledge<br />Security risk also in IPv4 with DHCP<br />Make sure unauthorized devices cannot connect to your network<br />
  39. 39. Threat: IP Reputation<br />
  40. 40. IP Reputation<br />Far more IP addresses in IPv6<br />232 compared to 2128<br />Challenges<br />IP allocation will be different from IPv4<br />Anyone can get a large IP allocation<br />Any person can get a 64 bit allocation (264)<br />The entire Internet today is 232<br />
  41. 41. IP Reputation<br />Last 64 bits define the device ID<br />Complicate issue by using randomizer to change 64 bit<br />Every spam message could be sent from different IP<br />From IP address: wwww<br />From IP address: xxxx<br />From IP address: yyyy<br />264 DifferentIP Addresses<br />Internet<br />From IP address: zzzz<br />
  42. 42. IP Reputation<br /><ul><li>IP reputation on 128 bits very difficult
  43. 43. Need other methods to build reputation
  44. 44. Such as subnets
  45. 45. Storing IP information in memory
  46. 46. Vast amount of memory will be needed
  47. 47. No NAT in IPv6
  48. 48. Some believe a security issue
  49. 49. They believe NAT provides a layer of security
  50. 50. IPv6 provides public IPs for all devices</li></li></ul><li>Commtouch Compliancewith IPv6<br />
  51. 51. Commtouch and IPv6<br />Commtouch has been working on IPv6 for some time<br />Making changes to client side and back-end<br />Client side will be transparent<br />Focus has been on the back-end<br />GlobalView Mail Reputation transparently supports more IPs addresses<br />Still single query of an IP address but data storage more efficient<br />
  52. 52. Commtouch and IPv6<br />Monitoring the Internet <br />Identifying IPv6 threats<br />Classifying threats<br />Currently seeing minor IPv6 spam activity<br />Believe spammers experimenting with IPv6<br />Too noticeable today to send spam via IPv6 when there is very little email on this network<br />
  53. 53. Recommendations for MinimizingIPv6 threats<br />
  54. 54. Gabriel Mizrahi’s IPv6 Recommendations<br />Make sure you have mapped all devices on your network<br />Implement IPv6 step-by-step<br />Have a written procedure of how you will introduce IPv6<br />Plan to implement a dual stack as a first stage<br />
  55. 55. Asaf Greiner’s IPv6 Recommendations<br />Get educated about IPv6<br />Everyone should go back to networking fundamentals<br />Understand what’s implemented on our network today, and why<br />Then look at what needs to remain or change<br />Learn from others<br />What mistakes and successes other have experienced<br />
  56. 56. Asaf Greiner’s IPv6 Recommendations<br />Lockdown from IPv6 as a start<br />Then implement staged plan to roll out IPv6<br />Take care to avoid configuration errors<br />
  57. 57. Thank you to<br />Asaf Greiner<br />Commtouch VP Products<br />Gabriel M. MizrahiCommtouch VP Technologies<br />
  58. 58. 51<br />View the recorded webcast on SlideShare at… <br />http://www.slideshare.net/Commtouch/commtouch-ipv6-threats<br />on<br />
  59. 59. Have a question? <br />Send questions to: IPv6@commtouch.com<br />Responses posted: http://blog.commtouch.com<br />
  60. 60. Please check back for future informational webcasts<br />

×