Session ID: TECH-W22
Session Classification: Intermediate
Ron Gula
HD Moore
Wolfgang Kandek
Misha Govshteyn
Alan Shimel
The CISO Group
Tenable Network Security
Qualys
Rapid 7
Alert Logic
IPv6 Vulnerability Management: From Theory to Reality
TK Keanini
nCircle
► We Went In Search of Real Life IPv6 Deployments
► IPv6 Is Real, Just Not There Yet
► Will Grow Every Year
► Good News Is There Is Still Time
IPv6: Real But Not There Yet
Ron Gula on IPv6 in the Federal
Market
► IPv6 in the Fed today
► Internet facing email and web are IPv6 enabled today
► CyberScope is primarily an IPv4 exercise
► FISMA & DISA STIGs are agnostic to IPv4/IPv6
► Realizing point scanning won't work for IPv6 and Continuous
Monitoring
► Discovering an unknown IPv6 addr or tunnel in use is just as
important as finding an IPv4
► IPv6 in the Fed tomorrow
► Continuous monitoring requires continuous probing of all IPv6 and
IPv4 addresses
► IPv6 addressing is key for a mobile workforce; but for private
(Intel/DOD) it is irrelevant because of higher security procedures
► An "All-IPv6" SOC (IPS, scanner, SIM, GRC, firewall and console on an
all IPv6 network) might happen in 2013
IPv6 In The Federal Market
HD Moore: IPv6 PenTesting
Challenges
► Challenges
► Remote discovery of auto-configured IPv6 is still a problem
► Specifically tests of IPv6 can be difficult due to DNS
► Organizations intentionally assign an A and an AAAA to the same system
► Tools need to be tweaked to prefer IPv4 or IPv6 in these cases
► Dual-stack systems are now the rule, not the exception
► External segments and DMZ hosts being assigned global IPv6 addresses
► Internet segments are now dual-stack by default
► Dual-stack external hosts expose neighboring systems
► Global IPv6 interfaces can be used to attack dual-stack neighbors via
link-local
► Firewall rules and monitoring configurations have not kept up
IPv6 PenTesting Reality
Wolfgang Kandek: IPv6 and PCI, Do We Need It?
► PCI DSS Applicability to IPv6
► Not explicitly mentioned in Main Standard Body
► NAT suggested, IPv6 ?
► Testbed is IPv4
► QSAs: Applicable
► Scope Reduction
► Eliminate Servers from PCI Scope
► Network Segmentation
► No IPv6 in Payment network
► Is there a market need for IPv6 payment services?
IPv6 and PCI
► Technical Challenges with IPv6
► Older Operating Systems
► Firewalls
► Internal Logging and Audit Software
► Build New Infrastructure for IPv6 services
► Reduces Implementation Risk
► New IPv6 prepared Infrastructure
► Includes internal Logging, Fraud Detection
► Scales with Time
IPv6 and PCI
Misha Govshteyn: IPv6 and the Cloud
► IPv6 Availability in the Cloud
► Only 1 out of 3 cloud providers support IPv6 today in some form
► Amazon provides only nominal support via Elastic Load Balancing (no
native IPv6 support on EC2)
► Rackspace, Softlayer provide full dual stack support
► Full IPv6 support is a long process
► Most begin by supporting IPv6 on their
backbones only
► Eventually extend dual-stack connectivity
to customer networks
► Must ensure every network device
fully supports IPv6
IPv6 and the Cloud
► Rackspace provided guidance to all security vendors that
IPv6 must be supported by mid-2011
► Worked with Alert Logic to ensure all security services
delivered by Rackspace were available to IPv6 customers
► Required significant development resources for over 9 months
► Code changes on every level - appliances, transport agents, event
collectors, analytics engine, databases and UI
IPv6 in the Cloud at Rackspace
► Simplify search and IPv6 event display for analytics
► Better IPv6 packet representation
► Host discovery for vulnerability assessment in IPv6
environments using a combination of
► Neighbor Discovery Protocol
► DNS zone transfers and DHCPv6 walking
► Network session monitoring and netflow analysis
► ICMP via multi-cast
► Log analysis
IPv6, the Cloud and the Future
TK Keanini: IPv6 Is Never Alone
► Rarely do we ever see a host that is IPv6 only
► Customers would like to see all related addresses (v4 & v6)/names reported
► IPv6 address can be changed while an assessment is in
progress
► Rarely do we find IPv6 being inter-networked
IPv6: A Rare, Elusive Bird
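Added example, not part of the original slides: one way to report all related v4/v6 addresses per host and to surface unknown IPv6 or tunnel addresses, by joining a router's ARP table and IPv6 neighbor cache on MAC address. The input format, the sample data and all function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (ip, mac) pairs, as from an ARP table and IPv6 neighbor cache.
NEIGHBORS = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("2001:db8:1::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("fe80::211:22ff:fe33:4455", "00:11:22:33:44:55"),
    ("192.0.2.20", "00:aa:bb:cc:dd:ee"),
    ("2002:c000:214::1", "00:aa:bb:cc:dd:ee"),
    ("2001:db8:1::99", "00:de:ad:be:ef:01"),
]

def eui64_iid(mac):
    """Interface ID that modified EUI-64 autoconfiguration derives from a MAC."""
    b = bytes.fromhex(mac.replace(":", ""))
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def classify(addr, mac):
    """Tag an IPv6 address with the properties an assessor cares about."""
    checks = [
        ("link-local", addr.is_link_local),
        (f"6to4-tunnel({addr.sixtofour})", addr.sixtofour is not None),  # 2002::/16
        ("teredo-tunnel", addr.teredo is not None),                      # 2001::/32
        ("eui64", int(addr) & (2**64 - 1) == eui64_iid(mac)),
    ]
    return [tag for tag, hit in checks if hit]

def inventory(neighbors):
    """Group every observed address under the MAC that answered for it."""
    hosts = defaultdict(lambda: {"v4": [], "v6": {}})
    for ip, mac in neighbors:
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            hosts[mac]["v4"].append(str(addr))
        else:
            hosts[mac]["v6"][str(addr)] = classify(addr, mac)
    return dict(hosts)

def findings(hosts):
    """Report tunnel addresses and hosts that an IPv4-only inventory would miss."""
    out = []
    for mac, h in hosts.items():
        for a, tags in h["v6"].items():
            if any(t.startswith(("6to4", "teredo")) for t in tags):
                out.append((mac, f"tunnel address {a}"))
        if h["v6"] and not h["v4"]:
            out.append((mac, "IPv6 address with no IPv4 record"))
    return out
```

Joining on MAC only works within one layer-2 segment, and, as the slide above notes, an IPv6 address can change during an assessment, so the tables have to be re-read continuously rather than once.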
What Should You Do?
► In the next 3 months
► Find out what the IPv6 capabilities of your network are today
► Where is IPv6 deployed on your network today
► What to do to prepare for IPv6
► In the next 6 months
► Finalize a plan to support IPv6
► Determine what this means for your security
► Work with security vendors to make sure they support
► In the next 12 months
► Begin IPv6 deployment plan
► What IPv6 specific security should you look into
► How are you going to manage vulnerabilities on your IPv6
network?
You Can Still Get Out In Front
