IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
IPv6 Security
Abstract: http://www.gogo6.com/forum/topics/speaking-on-ipv6-security-at-gogo6-live
Presentation video: http://www.gogo6.com/video/ipv4-vs-ipv6-the-shifting-security-paradigm-by-joe-klein-at
Interview video: http://www.gogo6.com/video/interview-with-joe-klein-at-gogonet-live-3-ipv6-conference

SPEAKER
Joe Klein - Cyber Security Principal Architect, QinetiQ
Bio/Profile: http://www.gogo6.com/profile/JoeKlein749


SLIDES
  1. IPv4 vs. IPv6: The Shifting Security Paradigm
     Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma… Scientific Hooligan, Longboat LLC. Cyber Security SME, North American IPv6 Task Force; Cyber Security SME, IPv6 Forum; Cyber Security SME, IPv6 Cyber Security Task Force. Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x, “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”. JSKlein@gmail.com, Voice: 703-594-1419, Blog: http://scientifichooligan.me/
  2. Scope of the Cyber Security Problem
     - What is the cost of cybercrime?
     - Number of records compromised?
     - Number of systems/networks/applications compromised?
     - Millions? Billions? Trillions? Estimates?
  3. Classes of Attack - Targeted
     - Inbound directed: flaws in technology; flaws in governance; flaws in people; flaws in adequate funding and staffing
     - Insiders: disgruntled; opportunistic; untrained
     - Vendors: supply chain
  4. Verizon - 2012 Data Breach Investigations Report. Reference: http://securityblog.verizonbusiness.com/
  5. What We Know About Today's Security Measures?
     “The best companies aren’t the ones who stop attacks – that’s important – it’s the companies that can spot intrusions quickly and respond to them in ways that limit the damage.” “This idea that you can stop intrusions… just isn’t going to hold up against certain kinds of threats.” - Richard Bejtlich, TaoSecurity Blog
  6. Our Current Security Model (image). Source: http://www.photographersdirect.com/buyers/stockphoto.asp?imageid=2249700
  7. Two Models of Survivability. Source: “What If We Got A “Do-Over?” an Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
  8. The Human Body Uses Both. Source: “What If We Got A “Do-Over?” an Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
  9. Trust Network Model (RFC 1918) | IPv4
     Trust spectrum on the slide runs from Everyone to No one.
     - Everyone: all nodes and routers trust each other that all devices behave correctly at Layer 2 (MAC) and Layer 3 (IP), that hosts always provide true information, and that routers always provide true information.
     - Behind the NAT: “Blind Trust behind the NAT”. All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP); hosts always provide true information; internal communications, outbound-initiated communications and inbound-initiated communications are trusted; routers always provide true information.
     NETWORK CENTRIC – Fortress Model
  10. Trust Node Model (RFC 3756) | IPv6
     Trust spectrum on the slide runs from Everyone to No one.
     - Corporate Internet: “Blind Trust”. All authenticated nodes and routers trust each other to behave correctly at the IP layer, not to send any network discovery message that contains false information, and not to send any router discovery message that contains false information.
     - Public wireless: “Trust transit, trust but verify nodes”. The router is trusted by the other nodes in the network to be a legitimate router, to faithfully route packets between the local network and to faithfully route packets to any connected external networks. The router is trusted to behave correctly at the IP layer, not to send any network discovery messages that contain false information, and not to send router discovery messages that contain false information.
     - Ad hoc network: “Trust but verify hosts and transit”. Nodes do not directly trust each other at the IP layer, nor do they trust routers.
     HOST CENTRIC – Organism Model
  11. Survivability Model | Resilience/Agility
     - Preparing for, preventing, or otherwise resisting an adverse event;
     - Absorbing, withstanding, or maintaining essential functions in the face of the event;
     - Recovering from the event; and
     - Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.
     This must be done as close to real-time as possible! Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf
  12. Techniques for Resilience/Agility (IPv6 features mapped to resilience)
     Adaptive; Containment; Cyber Modeling; Deception; Detection; Distributedness; Diversity; Integrity; Isolation; Least Privilege; Monitoring; Cyber Maneuver; Precedence; Prioritization; Pro-active; Randomness and unpredictability; Reconstitution; Redundancy; Topology Hiding; Attribution.
     Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010
  13. Why Is Your Internet Edge Scanned? ISR
     - Why: money; pre-attack preparation; research
     - How: inbound – packets against your infrastructure; outbound – outbound queries and cookies
     - Steps:
       - Intelligence – Footprinting: data retrieved from ‘third party sources’
       - Surveillance – Scanning: directly or indirectly (services); layers 3-7, 8-10
       - Reconnaissance – Enumeration: directly or indirectly (services); layers 3-7, 8-10
     Our focus is layers 3-7.
  14. Attacker's Assumptions (IPv4 thinking in an IPv6 resilient world)
     - One address per physical interface
     - Inbound addresses = outbound addresses
     - Device addresses stay the same over time: inside the same network, with the same local address
     - If a system is not responding, do a port scan to find out whether it crashed or is now blocked, and check back later to see if it was rebooted
  15. Problems in IPv4: Even a Script Kiddie Can Do It!
     - Destination – your network: densely populated, ‘fast’ brute-force tools, single interface address
     - Source of scan: needle in a haystack, fast vs. slow, limited context due to address fragmentation; NAT and tunnels hide true sources; attribution is hard
  16. Detecting | Impact of Host Density - 2006: IPv4 Brute Force Attack - Internet Survival Time
     - Attacker: find and compromise an un-patched computer with a Windows operating system in less than 6 minutes (5+ minutes to find, >1 minute to compromise)
     - Identifying the attacker: noise hides indications of an attack
     Reference: SANS Institute’s Internet Storm Center
  17. IPv6 Brute Force Attack - Internet Survival Time
     Assumption: 10,000 scans per minute to identify endpoints, non-optimized, non-distributed scanners.
     IPv4 Internet (1 Day):
       Prefix     | Time to sweep
       Internet   | 298.26162 days
       /24        | 0.02560 minutes
       /27        | 0.00320 minutes
       /28        | 0.00160 minutes
     IPv6 Internet:
       Prefix     | Time to sweep
       Internet   | 89,088,482,281,112,800,000,000,000 millennia
       /32        | 20,742,528,671,657,900 millennia
       /56        | 1,236,351,053 millennia
       /64        | 4,829,496 millennia
     A brute-force target scan is now an indicator of an attack, detectable at the firewall and DNS server.
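To make slide 17's survival-time arithmetic reproducible, here is an added Python example (not from the deck) that computes a single scanner's sweep time for any IPv4 or IPv6 prefix under the slide's stated rate of 10,000 scans per minute. The day and millennium conversion factors (365-day years) are this example's own assumption.

```python
from fractions import Fraction
from ipaddress import ip_network

# Assumptions from slide 17: one scanner, 10,000 probes per minute, not optimised
# or distributed. Time-unit constants (365-day years) are this example's own.
SCANS_PER_MINUTE = 10_000
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_MILLENNIUM = MINUTES_PER_DAY * 365 * 1000


def sweep_minutes(prefix: str, rate: int = SCANS_PER_MINUTE) -> Fraction:
    """Exact minutes needed to probe every address in a CIDR prefix once."""
    return Fraction(ip_network(prefix, strict=False).num_addresses, rate)


def sweep_time(prefix: str, rate: int = SCANS_PER_MINUTE) -> tuple[float, str]:
    """Sweep time in the most readable unit: minutes, days or millennia."""
    minutes = sweep_minutes(prefix, rate)
    if minutes < MINUTES_PER_DAY:
        return float(minutes), "minutes"
    if minutes < MINUTES_PER_MILLENNIUM:
        return float(minutes / MINUTES_PER_DAY), "days"
    return float(minutes / MINUTES_PER_MILLENNIUM), "millennia"


def survival_table(prefixes, rate: int = SCANS_PER_MINUTE) -> dict:
    """Map each prefix to (value, unit), mirroring the slide's IPv4 and IPv6 rows."""
    return {p: sweep_time(p, rate) for p in prefixes}


if __name__ == "__main__":
    rows = survival_table(["0.0.0.0/0", "10.0.0.0/24", "10.0.0.0/27", "10.0.0.0/28",
                           "::/0", "2001:db8::/32", "2001:db8::/56", "2001:db8::/64"])
    for prefix, (value, unit) in rows.items():
        print(f"{prefix:>16}  {value:,.5f} {unit}")
```

The IPv4 rows reproduce the slide's figures exactly; the slide's IPv6 millennium values rest on a conversion the deck does not state, so the values computed here differ from them by a constant factor while agreeing in order of magnitude.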
  18. Smart Targeting IPv6
     - Identify end devices based on IPv4 address (dual-stack): scan the IPv4 range, obtain host names and domains; query AAAA records based on those names and domains
     - Identify end devices based on the IPv6 address identifier:
       - Linear search: find one device, then scan upward (1, 2, 3 or a, b, c)
       - Bracketed search: find one device, then scan around it (find 5, scan 1-4 and 6-9)
       - Pronounceable search: DEAD, BEEF, DEED, ABED, …
       - Pattern search: based on an identified pattern (1, 10, 100, 1000, …)
       - Port search: 53, 80, 25, etc.
       - Based on function: routers at .1, .2
     Smart target scanning is an indicator of “interest”. Detectable at the firewall and DNS server?
  19. Static Addresses | Use of Deception
     - In the A record: insert host names which do not exist, with AAAA records. Impact: additional scanning of the address shows intention; poisons the attacker's current and future targeting list
     - Insert a honeypot linked to all addresses listed in the AAAA deception records, to detect attempts at compromise
     - Management: addresses assigned and AAAA records tracked in IPAM
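As an added example (not from the deck), here is Python detection logic for the two signals slides 18 and 19 describe: contact with a decoy AAAA address, and a linear or bracketed search around a real host inside the same /64. The segment, real-host set, decoy set, threshold and firewall log format are all constructed for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed example data: one /64 server segment, its real hosts, and three
# decoy AAAA records published for host names that do not exist (slide 19).
SEGMENT = ip_network("2001:db8:1::/64")
REAL_HOSTS = {ip_address("2001:db8:1::5"), ip_address("2001:db8:1::25")}
DECOYS = {ip_address(a) for a in ("2001:db8:1::dead", "2001:db8:1::beef", "2001:db8:1::abed")}
SWEEP_THRESHOLD = 3  # distinct unassigned neighbours probed before flagging a bracketed search

# Constructed firewall log format: "<time> <action> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def classify(lines):
    """Return {source_ip: [reasons]} for sources whose traffic shows targeting interest."""
    decoy_hits = defaultdict(set)
    unassigned_hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not in the expected format; ignore
        src, dst = ip_address(m.group(1)), ip_address(m.group(2))
        if dst in DECOYS:
            decoy_hits[src].add(dst)  # only a poisoned target list points here
        elif dst in SEGMENT and dst not in REAL_HOSTS:
            unassigned_hits[src].add(dst)  # linear/bracketed search around a real host
    findings = {}
    for src in set(decoy_hits) | set(unassigned_hits):
        reasons = []
        if decoy_hits[src]:
            reasons.append("decoy-contact")
        if len(unassigned_hits[src]) >= SWEEP_THRESHOLD:
            reasons.append("neighbour-sweep")
        if reasons:
            findings[str(src)] = reasons
    return findings


# Constructed sample log: a1 finds ::5 then walks ::1-::3, b2 touches a decoy, c3 is normal mail.
SAMPLE_LOG = """\
t1 DROP src=2001:db8:ffff::a1 dst=2001:db8:1::5 dport=443
t2 DROP src=2001:db8:ffff::a1 dst=2001:db8:1::1 dport=22
t3 DROP src=2001:db8:ffff::a1 dst=2001:db8:1::2 dport=22
t4 DROP src=2001:db8:ffff::a1 dst=2001:db8:1::3 dport=22
t5 DROP src=2001:db8:ffff::b2 dst=2001:db8:1::dead dport=80
t6 ACCEPT src=2001:db8:ffff::c3 dst=2001:db8:1::25 dport=25
""".splitlines()
```

Running classify(SAMPLE_LOG) flags a1 for the neighbour sweep and b2 for the decoy contact, while c3's legitimate mail connection produces no finding.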
  20. Survivability Model | IPv6 Abundance. Summary:
     - Little noise from scanning – easier to identify attackers
     - IPv6 devices with obscure names and random addresses are undiscoverable for inbound connections
     - Separating inbound and outbound connections breaks attacker preconceptions
     - Use of dual stack improves the target list for attackers
     - Techniques exist to provide pre-attack
  21. Evolving IPv6 Defensive Tool Kit – Can’t Be Done on IPv4!
     - Large local segments
     - Large network
     - Non-routable addresses (aka RFC 1918) via ULA
     - Secure Neighbor Discovery (SEND) - Cryptographically Generated Addresses (CGA)
     - IPsec (AH and ESP): H-G | G-G | H-H | tunnel and transport, with extension headers | H-G-G-H
     - Server Enclave Domain Isolation (SEDI)
     - Common Architecture Label IPv6 Security Option (CALIPSO)
     - DHCPv6 – multi-interface setup and signed
     - Multicast NTPv4 with Autokey public key authentication
     - Leverage DNSSEC to store the public keys of registered devices
     - Leverage DNSSEC with ‘split-brain’ to limit disclosure
     - Multicast signature and security information – “Parallel Push”
     - Fast address maneuvering
     - Attribution
     - Infrastructure hiding
  22. Take Away
     - Security methods have failed
     - Resilience and agility provide a solution
     - IPv6 is not about the numbers, but about bringing resilience and agility tools to the defender
     - Many resilience techniques have yet to be implemented by vendors; ask for them repeatedly or call me
     - Enjoy the remainder of the conference!
  23. IPv4 vs. IPv6: The Shifting Security Paradigm (closing contact slide)
     Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma… Scientific Hooligan, Longboat LLC. Cyber Security SME, North American IPv6 Task Force; Cyber Security SME, IPv6 Forum; Cyber Security SME, IPv6 Cyber Security Task Force. Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x, “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”. JSKlein@gmail.com, Voice: 703-594-1419, Blog: http://scientifichooligan.me/
  24. Where Do Attackers Find Vulnerabilities? All systems have vulnerabilities:
     1. Design and architecture phase (RFC, IEEE, W3C, ITU, etc.)
     2. Development phase (coding)
     3. Architecting, implementation and deployment (staff, procedures, governance, etc.)
     4. Management (patching, configuration management, etc.)
     5. End of life, refresh and replacement