
IPv6 Security - Workshop with Live Demo



Break-ins, viruses and Trojans do not stop at IPv6 either. As the market leader in Unified Threat Management (UTM), Fortinet develops comprehensive security solutions to combat such threats, for IPv4 and IPv6 networks. The workshop-oriented talk shows the need for comprehensive security solutions when migrating to IPv6.

Published in: Education

  1. IPv4 Highway / Fortinet / IPv6 Security / June 8th, 2011 / Rainer Baeder / Fortinet Confidential
  2. Drivers for IPv6
     • Basic Demand Drivers
       • More network appliances but lack of IPv4 addresses to support
       • Control OpEx for network and IT
       • Elimination of complex NAT networks
       • Strong intrinsic security
       • Better support for mobility applications
       • Greater flexibility and simplicity
     • New Opportunities to Improve Business Performance
       • Business process improvements
       • New business opportunities
       • More addresses for objects – enhanced automation and productivity
       • Machine-to-Machine (M2M) telematics / *Internet of Things*
       • IPv6 connection to anything
  3. IPv6 – it's time for preparing the step
     ... and basically – we run out of IPv4 addresses. To stay competitive, we must open the door for IPv6 and use its foremost
     (Snapshot June 3rd 2011)
  4. Migration Complexities: Deployment Considerations
     • Compatibility issues between IPv4 and IPv6
     • Vendor interoperability issues with IPv6
     • Potential security issues
     • Network management considerations
     • Existing hardware may not handle IPv6 traffic efficiently
     • Router memory and CPU limitations may preclude IPv6 deployment
     • Technology refresh cycles can be exploited to deploy IPv6 capabilities
     • Global public routing practices continue to evolve
  5. The most important targets of IPv6
     • Larger IP address space
       • IP addresses are 128 bits (instead of 32 bits)
     • Advanced header structure
       • Improved processing capability through subsegmenting of essential and optional header fields (in extension headers)
     • Different IPv6 addresses
       • Public IPv4 addresses correspond with Global Unicast Addresses
       • Private IPv4 addresses correspond with Site Local Unicast Addresses
       • Special address types for usage of IPv4 and IPv6 in parallel
     • Support of autoconfiguration
       • Should follow Plug-and-Play principle
     • Improved security
       • 2 additional extension headers are foreseen (Encapsulating Security Payload Header and Authentication Header)
       • Both can be used in IPv4 as well
  6. Principle Design Consideration
     • “Dual stack when you can – Tunnel when you must – Translate when no other option works”
     • Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
     • Now is your time to build a network your way – don’t carry the IPv4 mindset forward with IPv6 unless it makes sense
     • Design Consistency with IPv4
     • Design should work across all WAN clouds, LAN, Enterprises, Data Center, Campus, etc
     • Deploy it – at least in a lab – IPv6 won’t bite
     • Consider the human factor, keep it simple!
     [Figure: layer stack with L1 Physical, L2 Data Link, L3 Network, L4 Transport, L5 Session, L6 Presentation, L7 Application, L8 Political, L9 Religious]
  7. IPv6 Transition Methodologies
     • MPLS-Based Solutions
       • 6PE
       • 6VPE
     • IP-Tunnel Approaches
       • Configured Tunnels: GRE, L2TP, GFP, IP
       • Configured Tunnels: 6to4, 6RD, ISATAP, Teredo, DS-Lite
     • NAT-Based Solutions
       • IPv4 to IPv4 (Mitigation): NAT44, NAT444, DS-Lite
       • IPv4 to IPv6 (Interworking): NAT464, NAT64, NAT-TCP, NAT-UDP, NAT-ICMP
     • Dual Stack
  8. IPv6 Protocol Vulnerability
     • IPv6 Header
     • Extension Header
     • Header Manipulation
     • EHeader Filtering
     • Protocol Fuzzing
     • EHeader Fuzzing
     • ICMPv6
     • Router Header Attacks
     • ICMPv6 Filtering
     • Fragmentation Header
     • ICMPv6 Attacks
     • Unknown Header
     • Node Survey
     • Protocol Layer Header
     • Scanning
     • Higher Layer Spoofing
     • Improved/Smart Scanning
     • Generic Malware
     • Multicast techniques
     • Router Protocol Security
     • Sniffing
     • Flooding / (d)DoS and Packet
     • Multicast
  9. IPv6 Address Types – well-known Multicast
     • Interface-local scope
       • FF01::1 all-nodes
       • FF01::2 all-routers
     • Link-local scope
       • FF02::1 all-nodes
       • FF02::2 all-routers
       • FF02::5 OSPFIGP
       • FF02::9 RIP-routers
       • FF02::B Mobile Agents
       • FF02::6A all snoopers
       • FF02::1:2 all DHCP agents
     • Site-local scope
       • FF05::1:3 all-routers
       • FF05::1:3 all DHCP servers
     • FF01::101 / all-NTP Server on the same node as sender
     • FF02::101 / all-NTP Server on the same link as sender
     • FF05::101 / all-NTP Server on the same site as sender
     • FF0E::101 / all-NTP Server in the internet
     Global Unicast Addresses correspond with Public IPv4 addresses
     Site Local Unicast Addresses correspond with Private IPv4 addresses
  10. IPv6 Firewalling
      • IPv6 Addressing
      • DHCPv6 Threats
      • Unallocated Addresses
      • Endpoint Security
      • IPv6 Headers allowance
      • IPv6, IPSec and Firewalls
      • L2 FW
      • Management
      • IPv6 and NAT
      • Routing Security
      • Neighbor Discovery allowance (NDP)
      • RIPng, OSPFv3
      • QoS Threats
      • Duplicate Address Detection Issue
      • Tunneled Traffic Inspection
      • Redirect Issue
      • Unwanted Tunnels
      • SEcure Neighbor Discovery (SEND)
      • Mobile IPv6 (MIPv6)
  11. Fortinet IPv6 Strategy
      • Feature parity on all functions with IPv4 and IPv6 on higher layers
        • Application unaware whether it runs on IPv4 or IPv6
      • IPv6 Firewalling 3+ years integrated
      • Stepwise extension to a complete functionality on IPv6
        • Almost completed now
  12. Today implemented for IPv4 & IPv6
      • Stateful Firewalling and Routing
        • Service objects (e.g. ICMPv6), IPv6 address objects
        • Dynamic Routing, OSPF / RIP / BGP
      • AntiVirus Scanning
        • http(s), ftp, smtp(s), imap(s), pop3(s), Instant-Messaging, nntp
      • Intrusion Prevention
        • Signature based IPS/IDS and DoS-Protection
      • URL Filtering
      • Data Leak Prevention
      • Management of the device via IPv6
        • e.g. SSH or https via IPv6 for device management
  13. Today implemented for IPv4 & IPv6
      • Bandwidth Management
        • Shaping, QoS
      • IPSec (IKEv1 & IKEv2)
      • DNS (AAAA Record)
      • IPv4 over IPv6 Tunneling
      • IPv6 over IPv4 Tunneling (e.g. Tunnelbroker like SixXS)
      • SIP ALG (Application Gateway)
        • Carrier-grade SIP-ALG. SIP-Fuzzing Protection, Pinholing, Rate-Control etc.
      • Application Control
      • Logging and Reporting of data traffic, Reporting on FortiAnalyzer
  14. Protection on all Layers - UTM
      • Combined Methods on different layers
      • Allow, but don’t trust all application
      • Content of the application
      • Support for IPv4 and IPv6
  15. Forehand Planning is the key
      • Vision for the business or the adoption driver
      • IPv6 Training
      • IP architecture that supports the vision -> IPv6 addressing scheme + design
      • Evaluate infrastructure readiness to support the IPv6 implementation of the architecture
      • Drive requirements and define purchasing strategy
      • Align with other initiatives to accelerate readiness
      • Define timeline
      Overnight Adoption is Limiting and Expensive
  16. Thank You.
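
The well-known multicast addresses on slide 9 carry their scope in the low four bits of the second address byte (FF01 interface-local, FF02 link-local, FF05 site-local, FF0E global). As an added example, not part of the original slides, this Python sketch decodes that field and lists destinations that should not have crossed a given boundary; the boundary names, the fail-closed policy and the sample list are assumptions.

```python
import ipaddress

# Scope values from the IPv6 addressing architecture (RFC 4291, RFC 7346).
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "realm-local",
          0x4: "admin-local", 0x5: "site-local",
          0x8: "organization-local", 0xE: "global"}

# Highest scope value that must stay inside each boundary (assumed policy names).
BOUNDARY_LIMIT = {"link": 0x2, "site": 0x5, "organization": 0x8}


def multicast_scope(addr):
    """Return (scope_value, scope_name) for an IPv6 multicast address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:              # multicast is ff00::/8
        return None
    scope = ip.packed[1] & 0x0F          # high nibble = flags, low nibble = scope
    return scope, SCOPES.get(scope, "reserved/unassigned")


def forwardable(dst, boundary):
    """True if a packet addressed to dst may cross the named boundary."""
    decoded = multicast_scope(dst)
    if decoded is None:
        return True                      # unicast: not decided by this check
    scope, name = decoded
    if name == "reserved/unassigned":
        return False                     # fail closed on scopes we cannot interpret
    return scope > BOUNDARY_LIMIT[boundary]


def audit(destinations, boundary):
    """Return the destinations that should have been dropped at the boundary."""
    return [d for d in destinations if not forwardable(d, boundary)]


# Constructed sample: destinations seen leaving a site border, using addresses
# from slide 9 plus one unicast documentation address (2001:db8::/32).
SEEN_AT_SITE_BORDER = ["ff02::1", "ff05::1:3", "ff0e::101",
                       "2001:db8::10", "ff01::2"]

if __name__ == "__main__":
    for dst in audit(SEEN_AT_SITE_BORDER, "site"):
        print("should not cross site border:", dst, multicast_scope(dst)[1])
```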