1 / 13

Securing IPv6

Securing IPv6. Ken Renard WareOnEarth Communications, Inc <kdrenard@wareonearth.com> <kdrenard@hpcmo.hpc.mil>. Commercial Security Tools. “IPv6 support” has a wide spectrum of meaning “We support IPv6 and all its components per RFCs” “If you throw an IPv6 packet at us, we won’t crash”

patriciaward
Télécharger la présentation

Securing IPv6

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing IPv6 Ken Renard WareOnEarth Communications, Inc <kdrenard@wareonearth.com> <kdrenard@hpcmo.hpc.mil>

  2. Commercial Security Tools • “IPv6 support” has a wide spectrum of meaning • “We support IPv6 and all its components per RFCs” • “If you throw an IPv6 packet at us, we won’t crash” • IPv6 is low priority with most vendors • Firewall support has been slow • Major vendors are now stepping up to the plate • Limited tunneling support • VPN products (IPsec-based) • Yet to seen one that supports or even acknowledges IPv6

  3. Commercial Security Tools • Operating Systems • More Unixes are starting to support IPsec for IPv6 • Need to perform careful evaluation • Few vendors have practical IPv6 experience or environment • Products will mature as IPv6 adoption increases • Obtain practical experience and discover full set of requirements • Prepare yourself for growing pains

  4. IPv6 Security -- Site Deployment • Most sites set up test bed networks first • Cannot get authorization to run on production networks • Sites have valid security concerns • Political • “My agency requires brand-X firewall -- will it do v6?” • Can I get system accredited? • Technical • Want to have full suite of IPv4 security tools for IPv6 • Need to monitor and police IPv6 traffic (Firewalls & IDS)

  5. IPv6 SecurityThings to Look Out For... • Increased use of tunneling • Transition mechanisms • 6to4, Teredo, ISATAP, etc... • IPsec (IPv4, IPv6, VPN products) • Potential back-door to internal network • May bypass perimeter defenses (firewall, IDS, etc) • Replicate perimeter defenses at tunnel endpoint • Covert Channels • IPv6 options have a wealth of covert channel opportunities • Neighbor Discovery vulnerabilities • An ARP by any other name...

  6. Application SecurityIPv6-enabling Applications • Another Y2K exercise? • Larger addresses all the way through • From socket to log file -- make sure there’s enough space! • Access Control Lists • Harder to maintain IP-based ACLs (don’t use IP ACLs) • Increased reliance on DNS • IPv6 in DNS -- more prone to error? (don’t use DNS ACLs) • Applications may not know about IPsec • User-level security still required

  7. IPv6 SecurityOn the Increased Availability of IPsec • “IPv6 is secure” -- most IPv6 literature • Mostly based on requirement for IPsec • “End-to-End security” at the Network Layer • Departure from popular “perimeter defense” strategy • IPsec is not a silver bullet. IPsec is not a silver bullet. IPsec... • IPsec is more widely available for IPv4 today • Are we using it? • Are we using it wisely? • End-to-End security requires... • Authentication infrastructure (PKI?) • Shift from perimeter defense model or re-define perimeter

  8. IPv6 SecurityOn the Increased Availability of IPsec • IPsec is complex • Policy generation can be tough • IPsec tools are less than intuitive • Vary greatly across OS • Selecting appropriate mechanisms is daunting • Encryption types, authentication types, modes, etc • “Interoperable” implementations are just barely interoperable • IPsec is a node-to-node security mechanism • Do not try to solve user-level security with IPsec • Applications may be unaware of IPsec protection

  9. IPv6 SecurityOn the Increased Availability of IPsec • IPsec can be very useful... • For securing routing protocol communication • Host-level applications such as NFS • Creating enclaves of securely-connected networks • Generic remote access solution • A “must” for IPv6 mobility • Recommendations • Authentication is VERY important -- do not ignore • Authorization -- IPsec can bypass perimeter defenses • IKEv2 promises reduced complexity

  10. IPv6 Tools in the DREN • Intrusion Detection Systems • DoD Intrusion Detection made IPv6-aware • snort-2.1.1 with IPv6 capabilities • Authentication infrastructure • Kerberos from MIT • Secure Shell & PuTTY • Other tools • ssldump, kx509, libnids, tunnel detection

  11. IPv6 SecurityTo-Do List • As a community, we need to improve IPv6 security tools and practices • Product evaluation • Share results and lots of details (http://www.moonv6.com/) • IPv6-enabling security tools • IDS, firewalls, authentication mechanisms • Security scanners (Nessus, SAINT, etc) • Make IPsec easier to use • Educate ourselves and our people • Refine policies to include IPv6 and possible shift in security paradigm

  12. IPv6 SecurityTo-Do List • As a community, we need to improve IPv6 security tools and practices (continued) • SeND -- Secure Neighbor Discovery • Applications Security • Mobile IPv6 • Authentication Infrastructure • Multicast security

  13. Discussion...

More Related