Securing IPv6
Ken Renard
WareOnEarth Communications, Inc
<kdrenard@wareonearth.com> <kdrenard@hpcmo.hpc.mil>

Commercial Security Tools
• “IPv6 support” has a wide spectrum of meaning
• “We support IPv6 and all its components per RFCs”
• “If you throw an IPv6 packet at us, we won’t crash”
• IPv6 is low priority with most vendors
• Firewall support has been slow
• Major vendors are now stepping up to the plate
• Limited tunneling support
• VPN products (IPsec-based)
• Yet to see one that supports or even acknowledges IPv6

Commercial Security Tools
• Operating Systems
• More Unixes are starting to support IPsec for IPv6
• Need to perform careful evaluation
• Few vendors have practical IPv6 experience or environment
• Products will mature as IPv6 adoption increases
• Obtain practical experience and discover full set of requirements
• Prepare yourself for growing pains

IPv6 Security -- Site Deployment
• Most sites set up test bed networks first
• Cannot get authorization to run on production networks
• Sites have valid security concerns
• Political
• “My agency requires brand-X firewall -- will it do v6?”
• Can I get system accredited?
• Technical
• Want to have full suite of IPv4 security tools for IPv6
• Need to monitor and police IPv6 traffic (Firewalls & IDS)

IPv6 Security -- Things to Look Out For...
• Increased use of tunneling
• Transition mechanisms
• 6to4, Teredo, ISATAP, etc...
• IPsec (IPv4, IPv6, VPN products)
• Potential back-door to internal network
• May bypass perimeter defenses (firewall, IDS, etc)
• Replicate perimeter defenses at tunnel endpoint
• Covert Channels
• IPv6 options have a wealth of covert channel opportunities
• Neighbor Discovery vulnerabilities
• An ARP by any other name...
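
Added example, not part of the original slides or of any DREN tool: a Python classifier that a perimeter sensor could run over raw IPv4 packets to flag the transition mechanisms named above before they carry IPv6 past the firewall and IDS. The function and helper names are hypothetical, the sample packets are constructed, and matching Teredo on UDP port 3544 is a heuristic.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41       # protocol 41 carries 6in4, 6to4 and ISATAP
TEREDO_PORT = 3544                   # Teredo server port; a heuristic, not proof
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # start of the interface ID

def classify_tunnel(pkt: bytes):
    """Name the transition mechanism inside a raw IPv4 packet, or return None."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0          # IPv4 options move the payload
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        return None
    proto, payload = pkt[9], pkt[ihl:]
    later_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) != 0
    if proto == PROTO_UDP and not later_fragment and len(payload) >= 8:
        ports = struct.unpack("!HH", payload[:4])    # source port, destination port
        return "teredo" if TEREDO_PORT in ports else None
    if proto != PROTO_IPV6:
        return None
    if later_fragment or len(payload) < 40 or payload[0] >> 4 != 6:
        return "proto41-unparsed"    # still tunnelled traffic, so still report it
    addrs = [payload[8:24], payload[24:40]]          # inner source, destination
    if any(ipaddress.IPv6Address(a) in SIX_TO_FOUR for a in addrs):
        return "6to4"
    if any(a[8:12] in ISATAP_IDS for a in addrs):
        return "isatap"
    return "6in4"

# Constructed sample packets (documentation address ranges, not captured traffic).
def ipv4(proto, payload, ihl_words=5):
    opts = b"\x00" * (4 * (ihl_words - 5))           # padding when ihl_words > 5
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, 4 * ihl_words + len(payload),
                      0, 0, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + opts + payload

def ipv6(src, dst):
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in (src, dst))
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + addrs

SAMPLES = {
    "6to4": ipv4(41, ipv6("2002:c000:201::1", "2001:db8::1")),
    "isatap": ipv4(41, ipv6("2001:db8::5efe:c000:201", "2001:db8::1"), ihl_words=6),
    "6in4": ipv4(41, ipv6("2001:db8::1", "2001:db8::2")),
    "teredo": ipv4(17, struct.pack("!HHHH", 50000, 3544, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:7} -> {classify_tunnel(pkt)}")
```

Any non-None result marks traffic that should be blocked or handed to IPv6-aware inspection at the tunnel endpoint.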

Application Security -- IPv6-enabling Applications
• Another Y2K exercise?
• Larger addresses all the way through
• From socket to log file -- make sure there’s enough space!
• Access Control Lists
• Harder to maintain IP-based ACLs (don’t use IP ACLs)
• Increased reliance on DNS
• IPv6 in DNS -- more prone to error? (don’t use DNS ACLs)
• Applications may not know about IPsec
• User-level security still required

IPv6 Security -- On the Increased Availability of IPsec
• “IPv6 is secure” -- most IPv6 literature
• Mostly based on requirement for IPsec
• “End-to-End security” at the Network Layer
• Departure from popular “perimeter defense” strategy
• IPsec is not a silver bullet. IPsec is not a silver bullet. IPsec...
• IPsec is more widely available for IPv4 today
• Are we using it?
• Are we using it wisely?
• End-to-End security requires...
• Authentication infrastructure (PKI?)
• Shift from perimeter defense model or re-define perimeter

IPv6 Security -- On the Increased Availability of IPsec
• IPsec is complex
• Policy generation can be tough
• IPsec tools are less than intuitive
• Vary greatly across OS
• Selecting appropriate mechanisms is daunting
• Encryption types, authentication types, modes, etc
• “Interoperable” implementations are just barely interoperable
• IPsec is a node-to-node security mechanism
• Do not try to solve user-level security with IPsec
• Applications may be unaware of IPsec protection

IPv6 Security -- On the Increased Availability of IPsec
• IPsec can be very useful...
• For securing routing protocol communication
• Host-level applications such as NFS
• Creating enclaves of securely-connected networks
• Generic remote access solution
• A “must” for IPv6 mobility
• Recommendations
• Authentication is VERY important -- do not ignore
• Authorization -- IPsec can bypass perimeter defenses
• IKEv2 promises reduced complexity

IPv6 Tools in the DREN
• Intrusion Detection Systems
• DoD Intrusion Detection made IPv6-aware
• snort-2.1.1 with IPv6 capabilities
• Authentication infrastructure
• Kerberos from MIT
• Secure Shell & PuTTY
• Other tools
• ssldump, kx509, libnids, tunnel detection

IPv6 Security -- To-Do List
• As a community, we need to improve IPv6 security tools and practices
• Product evaluation
• Share results and lots of details (http://www.moonv6.com/)
• IPv6-enabling security tools
• IDS, firewalls, authentication mechanisms
• Security scanners (Nessus, SAINT, etc)
• Make IPsec easier to use
• Educate ourselves and our people
• Refine policies to include IPv6 and possible shift in security paradigm

IPv6 Security -- To-Do List
• As a community, we need to improve IPv6 security tools and practices (continued)
• SeND -- Secure Neighbor Discovery
• Applications Security
• Mobile IPv6
• Authentication Infrastructure
• Multicast security