IPv6 SECURITYIntroductionConsiderationsAgendaTraditional IPv4 Edge Security DesignIPv6 Attack Against IPv4AgendaIPv4 and IPv6 Header ComparisonAddress Allocation PolicyAddress TypesIPv6 Addressing per DeviceIPv6 Privacy Extensions (RFC 3041)IPv6 Header Format: Next HeaderExtension HeadersIPv6 Header Options (RFC 2460)ICMPv6AgendaTypes of Threats (1/2)Types of Threats (2/2)AgendaIPv6 and IPv4 Threat ComparisonsReconnaissance in IPv4Reconnaissance in IPv6Reconnaissance in IPv6Reconnaissance in IPv6Reconnaissance IPv6 Best PracticesIPv6 and IPv4 Threat ComparisonsIPv6 and IPv4 Threat ComparisonsUnauthorized Access in IPv4Unauthorized Access in IPv6Privacy Extensions ConsiderationsLocal Unicast FilteringBogon Filtering in IPv6IPsec Filtering ConsiderationsRouting Header Considerations (1/2)Routing Header Considerations (2/2)IPv6 and IPv4 Threat ComparisonsICMPv4 vs. ICMPv6Generic ICMPv4 Border Firewall PolicyEquivalent Comparison ICMPv6 Border Firewall PolicyPotential Additional ICMPv6 Border Firewall PolicyIPv6 and IPv4 Threat ComparisonsMulticast and Transparent FirewallsUnauthorized Access Best PracticesIPv6 and IPv4 Threat ComparisonsHeader ManipulationFragmentation Attacks in IPv4Fragmentation Filtering in IPv4Fragment Header: IPv6IPv6 Fragmentation: Path MTU DiscoveryIPv6 Fragmentation: Still Needs Reassembly in the Firewall and NIDSIPv6 Fragmentation: Issues for Non-Stateful Filtering Devices IPv6Header Manipulation and Fragmentation Best PracticesIPv6 and IPv4 Threat ComparisonsL3–L4 Spoofing in IPv4L3–L4 Spoofing in IPv6L3–L4 Spoofing in IPv6 (via 6to4)L3–L4 Spoofing in IPv6 (via 6to4)IPv6 and IPv4 Threat ComparisonsARP and DHCP Attacks in IPv4Stateless AutoconfigurationNeighbor Discovery: Neighbor SolicitationDAD (Duplicate Address Detection)ARP and DHCP Best PracticesIPv6 and IPv4 Threat ComparisonsSmurf AttackIPv6 and BroadcastsIPv6 and Other Amplification VectorsBest Practices for Amplification AttacksIPv6 and IPv4 Threat ComparisonsIPv4 Routing AttacksIPv6 Routing AttacksIPv6 and IPv4 Threat ComparisonsViruses and Worms in IPv4Viruses and Worms in IPv6IPv6 and IPv4 Threat ComparisonsIPv6 Transition TechniquesIPv6 Translation, Transition, and TunnelingIPv6 Translation, Transition, and Tunneling: Dual-Stack Host ConsiderationsIPv6 Translation, Transition, and Tunneling Summary TableIPv6 and IPv4 Threat ComparisonsIPv6 Attacks with Strong IPv4 SimilaritiesAgendaIPv6 Edge Security DesignCandidate Best Practices (1/2)Candidate Best Practices (2/2)AgendaIPv6 Dual Stack Attack ExampleIPv6 Dual Stack Attack ExampleIPv6 Dual Stack Attack ExampleSummaryReference MaterialsAssociated SessionsRecommended ReadingComplete Your Online Session Evaluation!1© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3IPv6 SECURITYSESSION SEC-2003222© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3Introduction• Discussions around IPv6 security have centered on IPsecThough IPsec is mandatory in IPv6, the same issues with IPsec deployment remain from IPv4:Configuration complexityKey managementMany IPv6 stacks do not today support IPsecTherefore, IPv6 will be deployed largely without cryptographic protections of any kind• Security in IPv6 is a much broader topic than just IPsecEven with IPsec, there are many threats which still remain issues in IP networking• This presentation will cover the rest of the things you should understand to consider the security implications of v6 on your network333© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3Considerations• IPv6 security is a fairly new area, many of the best practices in this presentation could change as new realities with IPv6 security are uncovered by the communityBest practices presented here should be viewed as candidates• This presentation is focused on IPv6 as a technology, not Cisco’s implementation of IPv6 security features (we’re security geeks, not product managers) • This presentation assumes that IPv4 security is very familiar to you• MIPv6 security is not addressed specifically in this presentation444© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3Agenda• IPv4 Best Practices Summary and Attack Example• IPv6 Protocol Summary (Quick, Promise!)• Types of Threats• IPv6 and IPv4 Threat Comparisons (The Meat)• IPv6 Topology and BP Summary• v6/v4 Dual-Stack Attack Example555© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3Traditional IPv4 Edge Security DesignEdge Router Stateful FirewallISP RouterPublic ServersInternetInternal Network• This design can be augmented with NIDS, application proxies, and a range of host security controls• The 3-interface FW design as shown here is in use at thousands of locations worldwide• Firewall policies are generally permissive outbound and restrictive inbound• As organizations expand in size, the number of “edges” and the ability to clearly identify them becomes more difficult666© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3IPv6 Attack Against IPv4Edge Router Stateful FirewallPublic ServersIPv4 InternetIPv4 Internal NetworkIPv6 Internet6to4 GatewayRogue Dual Stack Host1. Rogue Device Establishes 6to4 Tunnel to IPv6 Internet2. Firewall PermitsOutbound IP Protocol 413. Attacker Compromises Rogue Host over IPv64. Compromised System Attacks Internal Network over IPv4ISP RouterNote That This Tunneling Can Be Benign in Origin WhereasOther Tunnels (Like GRE) Tend to Require an Active ParticipantInside and Outside777© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3Agenda• IPv4 Best Practices Summary and Attack Example• IPv6 Protocol Summary (Quick, Attend RST-1305 for More)• Types of Threats• IPv6 and IPv4 Threat Comparisons (The Meat)• IPv6 Topology and BP Summary• v6/v4 Dual-Stack Attack Example888© 2004 Cisco Systems, Inc. All rights reserved.SEC-20039735_05_2004_c3IPv4 and IPv6 Header ComparisonProtocolProtocolType of Type of ServiceServicePaddingPaddingHeader Header ChecksumChecksumFragment Fragment OffsetOffsetTotal LengthTotal LengthOptionsOptionsDestination AddressSource AddressTime to LiveTime to LiveFlagsFlagsIdentificationIdentificationIHLIHLVersionIPv4 HeaderVersionTraffic Traffic ClassClassFlow LabelFlow LabelPayload LengthPayload LengthNext Next HeaderHeaderHop Hop LimitLimitSource AddressDestination AddressIPv6 Header—Field’s Name Kept from IPv4 to IPv6—Fields Not Kept in
View Full Document
Unlocking...