Skeeve Stevens
IPv6 Security
CEO Director
Tuesday, 24 May 2011
INET Colombo, May 2011
IPv6 Security
• This talk to to help people understand the security implications of
migrating to IP...
INET Colombo, May 2011
IPv6 Security
• If you are new to IPv6 - do not implement it in a production
environment until you ...
INET Colombo, May 2011
IPv6 Security
• Enabling IPv6 leaves you wide open - immediately
Key Issues to Consider
Tuesday, 24...
INET Colombo, May 2011
IPv6 Security
• Every aspect of security that you have in IPv4 needs to be
replicated to IPv6
• SSH...
INET Colombo, May 2011
IPv6 Security
• IPv4 vs. IPv6
• They are totally separate protocols and essentially do not
interact...
INET Colombo, May 2011
IPv6 Security
• Does your equipment treat v6 the same as v4?
• Routers, Layer 3 switches, Firewalls...
INET Colombo, May 2011
IPv6 Security
• IPv6 address space is huge.Attackers scanning a network range is
unwieldy. Example ...
INET Colombo, May 2011
IPv6 Security
• Filter unneeded or potentially dangerous communications
Examples:
• Routing Header ...
INET Colombo, May 2011
IPv6 Security
One key difference:
The key area where v6 is different from v4 is that v6 packets use...
INET Colombo, May 2011
IPv6 Security
• IPv6 is not automatically more secure than IPv4
• IPv6 is just layer 3... above or ...
INET Colombo, May 2011
IPv6 Security
Does this mean that I should avoid v6?
It sounds complicated.
Who will help me?
PRACT...
INET Colombo, May 2011
IPv6 Security
Thanks....
Questions?
Thanks to Kurt Bales, Jeff Doyle and Grant Moerschel for conten...
Upcoming SlideShare
Loading in …5
×

IPv6 Security


IPv6 Security - delivered at INET Colombo, Sri Lanka - May 2011

IPv6 Security

  1. IPv6 Security, Skeeve Stevens, CEO Director, Tuesday, 24 May 2011
  2. What is this talk about?
     • This talk is to help people understand the security implications of migrating to IPv6
     • Highlights some key areas for you to consider
     • Explains the differences between IPv6 and IPv4
     • Technical difficulty: 2 out of 10 (some slides higher)
     • If you know what IPv6 is, then you will understand (mostly) this presentation
     • IPv6 - I LIKE! It’s NICE
  3. IPv6 Security? Oh oh
     • If you are new to IPv6, do not implement it in a production environment until you understand the security implications
     • If you do IPv6 without considering security then you WILL get hacked - and quickly. Would you leave your house unlocked?
     • CPEs (modem/router) barely understand IPv6 - initial security is weak - choose the right product! IPv6 firewalls are coming!
     • Use someone who ACTUALLY knows what they are talking about - not just someone who says they know!
     • Security through obscurity = security through stupidity - they WILL find your v6 address!
  4. Key Issues to Consider
     • Enabling IPv6 leaves you wide open - immediately
  5. Key Issues to Consider
     • Every aspect of security that you have in IPv4 needs to be replicated to IPv6
     • SSH, Telnet, Access Lists, SNMP, CoPP - all are immediately open and accessible when you turn on IPv6 - all IPv4 security is immediately bypassed!
     • It isn’t hard to do the security - you just HAVE to do it - or else
     • Nothing has changed with the basic tenets of security - just all new commands for some platforms - and often in strange places
     • The only new important consideration is that IPv6 requires ICMP for PMTU (Path MTU Discovery) - disabling it WILL break things (in ways that you can’t easily troubleshoot)
  6. Key Issues to Consider
     • IPv4 vs. IPv6
     • They are totally separate protocols and essentially do not interact at any point - even on the same router and/or switch
     • IPv6 is a completely new version - there is no backward compatibility at all - just some translation methods
     • It is a perfect time for you to re-evaluate all your security policies and procedures
       • Zone flow
       • Device lock down policies and host build procedures
       • User restriction
       • Source/destination control
       • Inter-departmental security - often ignored
  7. Equipment Considerations
     • Does your equipment treat v6 the same as v4?
       • Routers, Layer 3 switches, Firewalls, IPS & IDS, VPN Services
     • Equipment
       • Plan for equipment upgrades if needed
       • Does it process v6 in hardware or software?
         • SW may not be fast enough for your application
         • May cause DoS situations
     • Recommendations
       • Talk to your vendors about stable versions
       • Use test gear or lab kit where possible
       • Monitor sites posting vulnerabilities and respond quickly
  8. Tactics
     • IPv6 address space is huge. Attackers scanning a network range is unwieldy. Example - NMAP doesn’t let you scan IPv6 ranges
     • Attackers will look for other ways to find their targets
     • Take precautions to protect systems that are caches for addresses
       • DHCP servers (reservations)
       • DNS (DNS harvesting), Web Log harvesting
       • Neighbour caches (like ARP cache)
     • Don’t simply replicate your IPv4 last octet in IPv6 chazwazza*. Make attackers work if they really want a host’s address!
     • Inject randomisation in your addressing to make it less obvious - but don’t make life too hard for yourself
     * http://www.urbandictionary.com/define.php?term=chazwazza
  9. Filtering (More Advanced)
     • Filter unneeded or potentially dangerous communications. Examples:
       • Routing Header 0 vulnerabilities (sort of like IPv4 source routing). Deprecated by RFC 5095 but still dangerous since it can let an attacker control hop flow.
       • If certain internal IPv6 addresses never need to hit the Internet, filter them
       • ICMP is critical to IPv6. Let certain (but not all) types through hops
       • Anycast & Multicast unless they are specifically used
     • Don’t leave yourself open to potential future attacks - everything you know now will change in the next 5 years. They WILL get smarter, they WILL get faster than ever before.
  10. Extension Headers (Even More Advanced)
     One key difference: the key area where v6 is different from v4 is that v6 packets use a concept known as extension headers, which were developed to improve performance by making the packet header structure simpler. Essentially, v6 extension headers are optional headers that let you specify certain ways that you can influence the packet to behave, such as routing the packet through a certain path on the network, or you might have a fragmentation header that breaks up the packet and then reassembles it. In v4 we had to have all those headers included in one single header, but they're optional in v6. Because they're optional, security protocols need to understand a variable set of headers, which makes security devices more complex.
  11. Please Remember
     • IPv6 is not automatically more secure than IPv4
     • IPv6 is just layer 3... above or below layer 3 will act just the same as they do with v4 - assuming your apps are layer 3 agnostic
     • IPv6 can be attacked just as easily as IPv4 - what does this mean?
       • MAC can still be spoofed
       • Flawed web apps will remain flawed - SQL injections, etc.
     • IPv6 attacks will grow smarter and more creative as deployments grow
     • Back in 2002 a honeypot system caught a hack using IPv6 tunnels to break into sites
     • Think of the hacks and bugs discovered each month - it is only a matter of time. IPv6 is new - it will have problems
  12. So....
     • Does this mean that I should avoid v6?
     • It sounds complicated.
     • Who will help me?
     • PRACTICE SAFE IPV6!
  13. Thanks.... Questions?
     Thanks to Kurt Bales, Jeff Doyle and Grant Moerschel for content and inspiration
     CONNECT WITH ME
     • Email~ skeeve@eintellego.asia
     • Web~ www.eintellego.asia
     • Facebook~ facebook.com/eintellego - eintellego@facebook.com
     • LinkedIn~ http://au.linkedin.com/in/skeeve
     • Twitter~ @eintellego @networkceoau @skeevestevens
     • CEO Blog~ www.network-ceo.net
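The Tactics slide warns against copying the IPv4 last octet into the IPv6 address. As an added example (not from the talk), this audit flags dual-stack hosts whose interface identifier can be derived from their IPv4 address; the inventory is constructed from documentation prefixes and a /64 prefix length is assumed.

```python
import ipaddress

def predictable_iid(v4: str, v6: str):
    """Return why the IPv6 interface identifier is guessable from the IPv4 address, or None."""
    a4 = ipaddress.IPv4Address(v4)
    iid = int(ipaddress.IPv6Address(v6)) & ((1 << 64) - 1)  # assumes a /64 prefix
    octets = a4.packed
    last = octets[3]
    # Each octet written as decimal digits in its own hextet, e.g. ::192:0:2:25
    spelled = sum(int(str(o), 16) << (16 * (3 - i)) for i, o in enumerate(octets))
    if iid == int(a4):
        return "IID embeds the whole IPv4 address"
    if iid == spelled:
        return "IID spells the IPv4 address in decimal digits"
    if iid == last:
        return "IID equals the IPv4 last octet"
    if iid == int(str(last), 16):
        return "IID spells the IPv4 last octet in decimal digits"
    if iid < 0x10000:
        return "low-numbered IID"
    return None

# Constructed dual-stack inventory (documentation prefixes, not real hosts).
INVENTORY = {
    "web1": ("192.0.2.25", "2001:db8:10::25"),
    "db1": ("192.0.2.40", "2001:db8:10::28"),
    "mail1": ("192.0.2.53", "2001:db8:10::192:0:2:53"),
    "app1": ("192.0.2.77", "2001:db8:10:0:8d2f:41c7:9be0:3a56"),
}

def audit(inventory):
    """Map each host with a guessable interface identifier to the reason."""
    findings = {}
    for host, (v4, v6) in inventory.items():
        reason = predictable_iid(v4, v6)
        if reason:
            findings[host] = reason
    return findings

if __name__ == "__main__":
    for host, reason in audit(INVENTORY).items():
        print(f"{host}: {reason}")
```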
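The filtering and extension-header slides say a security device has to walk a variable chain of optional headers, drop Routing Header type 0 and pass some but not all ICMP types. The sketch below is an added example, not code from the talk: the ICMPv6 allowlist, the chain-length cap and the sample packets are assumptions constructed for illustration.

```python
import struct

# IANA protocol numbers for the headers handled here.
HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
# Assumed transit allowlist: the error types PMTU discovery depends on, plus echo.
# Neighbour discovery (133-137) is link-local and is not forwarded.
ALLOWED_ICMPV6 = {1, 2, 3, 4, 128, 129}
MAX_EXT_HEADERS = 8  # assumed cap on the chain length

def classify(pkt: bytes):
    """Walk the extension header chain of a raw IPv6 packet; return (verdict, reason)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not a complete IPv6 header"
    nxt, off, seen = pkt[6], 40, 0
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS):
        seen += 1
        if seen > MAX_EXT_HEADERS or off + 8 > len(pkt):
            return "drop", "extension header chain too long or truncated"
        if nxt == ROUTING and pkt[off + 2] == 0:
            return "drop", "Routing Header type 0 (RFC 5095)"
        if nxt == FRAGMENT:
            # Fixed 8 bytes; later fragments carry no upper-layer header.
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "reassemble", "non-first fragment"
            size = 8
        else:
            size = (pkt[off + 1] + 1) * 8  # Hdr Ext Len: 8-byte units after the first
        nxt, off = pkt[off], off + size
    if nxt != ICMPV6:
        return "allow", f"upper-layer protocol {nxt}"
    if off >= len(pkt):
        return "drop", "truncated ICMPv6 header"
    if pkt[off] not in ALLOWED_ICMPV6:
        return "drop", f"ICMPv6 type {pkt[off]} not in transit allowlist"
    return "allow", f"ICMPv6 type {pkt[off]}"

ADDR = bytes.fromhex("20010db8" + "00" * 11 + "01")  # constructed: 2001:db8::1

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Build a constructed sample packet (2001:db8::1 to itself, hop limit 64)."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + ADDR * 2 + payload

# Constructed samples: Packet Too Big; RH0 in front of an echo request;
# a Destination Options header (PadN only) in front of a Router Advertisement.
PACKET_TOO_BIG = ipv6(ICMPV6, bytes([2, 0, 0, 0]) + struct.pack("!I", 1280))
RH0 = ipv6(ROUTING, bytes([ICMPV6, 2, 0, 1]) + bytes(4) + ADDR + bytes([128, 0, 0, 0]))
ROUTER_ADV = ipv6(DEST_OPTS, bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([134, 0, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("PTB", PACKET_TOO_BIG), ("RH0", RH0), ("RA", ROUTER_ADV)]:
        print(name, classify(pkt))
```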
