IPv6 Security. Scott Hogg. Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610
|
|
- Anthony Lynch
- 8 years ago
- Views:
Transcription
1
2 IPv6 Security Scott Hogg Global Technology Resources, Inc. Director of Technology Solutions CCIE #5133, CISSP #4610
3 IPv6 Security Latent Threat Even if you haven t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn t know it. Do you use Linux, Mac OS X, BSD, or Microsoft Windows 7/8/Win2K8/Win2012 systems in your environment? They all come with IPv6 capability enabled by default and prefer IPv6 connectivity They may try to use IPv6 first and then fall-back to IPv4 (+ -Happy Eyeballs, RFC 6555) Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content Some of these techniques take place regardless of user input or configuration If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist
4 IPv6 Security Tools THC IPv6 Attack Toolkit SI6 Networks IPv6 Toolkit Evil FOCA Metasploit Nmap halfscan6, Scan6, CHScanner Scapy, SendIP, ISIC6, Packit, Spak6 6tunneldos, 4to6ddos, imps6-tools
5 Reconnaissance Ping sweeps, port scans, application vulnerability scans are problematic given the large IPv6 address space. Brute-force scanning even a single /64 is not practical. There are methods of speeding up reconnaissance on LAN. ping6 -I eth0 ff02::1 [root@hat ~]#./alive6 eth0 ff02::1 Node Information Queries (RFC 4620) in BSD Scanning for specific EUI-64 addresses using specific OUIs Scanning IPv4 and getting IPv6 info MetasploitFramework ipv6_neighbor" auxiliary module can leverage IPv4 to find IPv6 hosts Scanning 6to4, ISATAP, Teredo with embedded IPv4 addresses Find one node and leverage the neighbor cache to find other nodes DHCPv6 logs, DNS servers, server logs, NMSs, Google Hacking
6 LAN Threats IPv6 uses ICMPv6 for many LAN operations Stateless auto-configuration (SLAAC) Neighbor Discovery Protocol (NDP) IPv6 equivalent of IPv4 ARP same attack types Spoofed RAs can renumber hosts or launch a MITM attack Forged NA/NS messages to confuse NDP Redirects same as ICMPv4 redirects Forcing nodes to believe all addresses are on-link These attacks presume the attacker is on-net or has compromised a local computer (Big Requirement!)
7 IPv6 MITM Example Evil FOCA is a weaponizedwin.exe that can perform dual-protocol MITM and DOS attacks and DNS Hijacking (Released at DEFCON21) Sends ICMPv6 RA on LAN (SLAAC) Activates IPv6 on local dual-protocol nodes Evil FOCA becomes active default gateway Sends ICMPv6 NA to spoof local nodes Sets up rogue DHCPv6 server Performs WPAD attack and sets up proxy Performs DNS Hijack Can perform RA flood resulting in DOS Internet Download at: Demo on YouTube:
8 Evil FOCA IPv6 MITM Attack
9 Evil FOCA IPv6 RA DOS C:\Users\Me>ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix. : IPv6 Address : 15c2:8297:e614:f45:bc4a:58b9:e948:33c6... (100 of these in Windows 7) IPv6 Address : fcae:a581:9bcb:e6bc:bc4a:58b9:e948:33c6 Temporary IPv6 Address : 15c2:8297:e614:f1f:1ce1:d49d:2ec8:e (100 of these in Windows 7) Temporary IPv6 Address : fcae:a581:9bcb:e6bc:1ce1:d49d:2ec8:e924 Link-local IPv6 Address..... : fe80::bc4a:58b9:e948:33c6%10 IPv4 Address : Subnet Mask : Default Gateway : fe80::7888:860e:5352:5fec%10 fe80::8d99:1bc3:6f7a:5cf9%10... fe80::a0cf:f7ad:821b:3343% C:\Users\Me>
10 THC IPv6 Attack Toolkit THC IPv6 Attack Toolkit contains fake_router6 Generates rogue RA to become default router Option H adds a hop-by-hop header fake_router6 H eth0 2001:db8:11:11::/64 Option F adds a one-shot-fragmentation header fake_router6 F eth0 2001:db8:11:11::/64 Flood_router26 floods RAs to create DOS flood_router26 eth0 fake_router26 -E H -A 2001:db8:1:1::/64 eth0 fake_router26 -E 1 -A 2001:db8:1:1::/64 eth0 Download at:
11 Methods of Preventing Rogue RAs Prevent unauthorized LAN access (armed guards, malware defenses) Disable unused switch ports Network Access Control (NAC), Network Admission Control (NAC) IEEE 802.1AE (MACsec), Cisco TrustSec IEEE 802.1X RA Guard (RFC 6105) NDPMon Ramond Kame rafixd ipv6mon 6Guard addrwatch Port Security Cisco Port-based ACL (PACL) Block Incoming RA Message Allow Sending RAs Allow Incoming RA Message
12 IPv6 First Hop Security Cisco C3750X switch running IOS version 15.2(1)S ipv6 nd cache interface-limit 3 log 15 ipv6 nd raguard policy HOST! ipv6 snooping logging packet drop ipv6 snooping logging resolution-veto ipv6 snooping policy ND limit address-count 10 data-glean log-only destination-glean log-only! ipv6 dhcp guard policy HOST ipv6 destination-guard policy destination ipv6 mld snooping
13 IPv6 First Hop Security (Cont.) Cisco C3750X switch running IOS version 15.2(1)S interface GigabitEthernet2/0/1 switchport access vlan 1200 switchport mode access ipv6 nd raguard attach-policy HOST ipv6 dhcp guard attach-policy HOST! interface Vlan1200 ip address ipv6 enable ipv6 nd cache interface-limit 3 log 15! ipv6 neighbor binding logging ipv6 neighbor binding max-entries 100 ipv6 neighbor binding vlan :DB8:12::/64
14 IPv6 First Hop Security Results Switch successfully blocked RAs and rogue DHCPv6 Mar 30 06:37:31.743: %SISF-4-PAK_DROP: Message dropped A=FE80::AC7F:B2F8:DCB8:F739 G=- V=1200 I=Gi2/0/2 P=NDP::RA Reason=Packet not authorized on port Mar 30 06:38:06.572: %SISF-4-PAK_DROP: Message dropped A=FE80::1EDF:FFF:FEBB:8944 G=- V=1200 I=Gi2/0/2 P=NDP::NA Reason=Packet accepted but not forwarded Mar 30 06:23:35.902: %SISF-4-PAK_DROP: Message dropped A=2001:DB8:1:3::1 G=- V=1200 I=Gi2/0/1 P=NDP::NA Reason=Address limit per policy reached Mar 30 06:38:06.572: %SISF-6-ENTRY_CREATED: Entry created A=FE80::1EDF:FFF:FEBB:8944 V=1200 I=Gi2/0/2 P=0005 M=5CFF.340A.F93D Mar 30 06:19:38.370: %SISF-6-ENTRY_MAX_ORANGE: Reaching 80% of max adr allowed per policy (10) V=1200 I=Gi2/0/1 M=3C97.0E86.74AD! Mar 30 06:38:42.201: %SISF-4-PAK_DROP: Message dropped A=FE80::45B4:32FF:FE67:53 G=- V=100 I=Et0/0 P=NDP::NA Reason=Advertise while TENTATIVE Mar 30 06:38:45.923: %SISF-6-ENTRY_CREATED: Entry created A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:52.523: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/0 P=0005 M= Mar 30 06:38:58.471: %SISF-6-ENTRY_CHANGED: Entry changed A=FE80::45B4:32FF:FE67:53 V=100 I=Et0/3 P=0005 M=45B
15 IPv6 First Hop Security Results Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/2 Received messages on Gi2/0/2: Protocol Protocol message NDP RA[14734] DHCPv6 SOL[191] ADV[1] Bridged messages from Gi2/0/2: Protocol Protocol message NDP DHCPv6 SOL[191] Dropped messages on Gi2/0/2: Feature Protocol Msg [Total dropped] DHCP Guard DHCPv6 ADV [1] reason: Message type is not authorized by the policy on this port, device-role mismatch [1] RA guard NDP RA [14734] reason: Message unauthorized on port [14734] Switch-1#
16 IPv6 First Hop Security Results Switch successfully blocked RAs and rogue DHCPv6 Switch-1# show ipv6 snoop counter interface gigabitethernet 2/0/1 Received messages on Gi2/0/1: Protocol Protocol message NDP RS[11] RA[2794] NS[51] NA[7031] DHCPv6 SOL[142] Bridged messages from Gi2/0/1: Protocol Protocol message NDP RS[11] NS[50] NA[15] DHCPv6 SOL[142] Dropped messages on Gi2/0/1: Feature Protocol Msg [Total dropped] RA guard NDP RA [2794] reason: Message unauthorized on port [2794] Snooping NDP NS [1] reason: Packet accepted but not forwarded [1] NA [7016] reason: Address limit per policy reached [7007] reason: Packet accepted but not forwarded [9] Switch-1#
17 IPv6 FHS with IPv6 ACL If you don t have RA Guard on your switch you might be able to configure a Cisco IPv6 Port-based ACL (PACL) ipv6 access-list IPV6_PACL remark Deny Rogue DHCPv6 deny udp any eq 547 any eq 546 remark Deny Rogue RA deny icmp any any router-advertisement permit ipv6 any any! interface GigabitEthernet 1/2 ipv6 traffic-filter IPV6_PACL in
18 Extension Headers There are rules for the frequency and order of various extension headers Hop-by-Hop and Destination Options Header Manipulation Crafted Packets Large chains of extension headers Separate payload into second fragment Consume resources - DoS Invalid Extension Headers DoS Routing Headers Type 0 source routing Routers can be configured to block RH0 This is now the default on newer routers Firewalls, Windows, Linux and MacOSall block RH0 by default
19 Layer-3/4 Spoofing Spoofing of IPv6 packets is easy IPv6 BOGON (Martians) Filtering is required Filter traffic from unallocated space and filter router advertisements of bogus prefixes Permit Legitimate Global Unicast Addresses Unicast Reverse Path Forwarding (Unicast-RPF) Don t block FF00::/8 and FE80::/10 these will block NDP (NS/NA) Hierarchical addressing and ingress/egress filtering can catch packets with forged source addresses Tracebacksmay prove to be easier with IPv6
20 Transition Mechanism Threats Dual Stack is the preferred transition method. You are only as strong as the weakest of the two stacks. Running dual stack will give you at least twice the number of vulnerabilities and require almost twice the work to secure. IPv4 IPv6
21 Threats Against Translation Manual Tunnels Preferred over dynamic tunnels Filter tunnel source/destination and use IPsec If spoofing, return traffic is not sent to attacker Dynamic Tunnels 6to4 Relay routers are open relays Attackers can guess 6to4 addresses easily ISATAP can have potential MITM attacks Attackers can spoof source/dest IPv4/v6 addresses Translation techniques are susceptible to DoS attacks NAT prevents IPsec, DNSSEC, Geolocationand other applications from working Consuming connection state (CPU resource consumption attack on ALG) Consuming public IPv4 pool and port numbers (pool depletion attack)
22 IPv6 Firewalls Don t just use your IPv4 policy for your IPv6 policy. Don t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints Firewalls have improved their IPv6 capabilities, IPv6 addresses in the GUI, some logs, ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast. IPv6 firewalls may not have all the same full features as IPv4 firewalls UTM/DPI/IPS/WAF/content filtering features may only work for IPv4.
23 IPv6 Intrusion Prevention Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values. IPSs should send out notifications when non-conforming IPv6 packets are observed having faulty parameters, bad extension headers, source address is a multicast address. Many IPSs don t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite). IPv6 support varies greatly in modern IPS systems. Talk with your vendor about what you need.
24 Summary of BCPs Perform IPv6 filtering at the perimeter (RFC2827 filtering and Unicast RPF checks). Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used. Use common access-network security measures (IPv6 FHS techniques, RA-Guard, 802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec). Strive to achieve equal protections for IPv6 as with IPv4. Continue to let vendors know what you expect in terms of IPv6 security features.
25 RTFM Read This Fine Manuscript IPv6 Security, By Scott Hogg and Eric Vyncke, Cisco Press, ISBN-10: ISBN-13:
26 Questions and Answers Scott Hogg Network World Blog Rocky Mountain IPv6 Task Force
IPv6 Infrastructure Security
IPv6 Infrastructure Security 2013 North American IPv6 Summit Jeffrey L Carrell Network Conversions Network Security Consultant IPv6 SME/Trainer 1 Agenda IPv6 address fundamentals Operating Systems support
More informationSECURITY IN AN IPv6 WORLD MYTH & REALITY. SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann
SECURITY IN AN IPv6 WORLD MYTH & REALITY SANOG XXIII Thimphu, Bhutan 14 January 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair NANOG PC RMv6TF Board NANOG-BCOP Founder
More informationIPv6 Infrastructure Security
TXv6TF 2013 Summit IPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant IPv6 SME/Trainer 1 Agenda IPv6 address fundamentals Operating Systems support ICMPv6 -
More informationIPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant, IPv6 SME/Trainer
IPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant, IPv6 SME/Trainer 1 IPv6 Infrastructure Security v1.1 - Copyright 2013 Jeffrey L. Carrell Agenda IPv6 address
More informationIP(v6) security. Matěj Grégr. Brno University of Technology, Faculty of Information Technology. Slides adapted from Ing.
IP(v6) security Matěj Grégr Brno University of Technology, Faculty of Information Technology Slides adapted from Ing. Tomáš Podermański What is IP security? Encryption? Authentication? Authorization? Surveillance?
More informationIPv6 First Hop Security Protecting Your IPv6 Access Network
IPv6 First Hop Security Protecting Your IPv6 Access Network What You Will Learn This paper provides a brief introduction to common security threats on IPv6 campus access networks and will explain the value
More informationIPv6 Security Best Practices. Eric Vyncke evyncke@cisco.com Distinguished System Engineer
IPv6 Best Practices Eric Vyncke evyncke@cisco.com Distinguished System Engineer security 2007 Cisco Systems, Inc. All rights reserved. Cisco CPub 1 Agenda Shared Issues by IPv4 and IPv6 Specific Issues
More informationIPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA
IPv6 Security Scott Hogg, CCIE No. 5133 Eric Vyncke Cisco Press Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA Contents Introduction xix Chapter 1 Introduction to IPv6 Security 3 Reintroduction
More informationSecurity of IPv6 and DNSSEC for penetration testers
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions
More informationVulnerabili3es and A7acks
IPv6 Security Vulnerabili3es and A7acks Inherent vulnerabili3es Less experience working with IPv6 New protocol stack implementa3ons Security devices such as Firewalls and IDSs have less support for IPv6
More informationSecuring IPv6. What Students Will Learn:
Securing IPv6 When it comes to IPv6, one of the more contentious issues is IT security. Uninformed analysts, anit-v6 pundits, and security ne're-do-wells have created a mythos that IPv6 is inherently less
More informationOLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS
OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS Eric Vyncke (@evyncke) Cisco Session ID: ARCH W01 Session Classification: Advanced Agenda Status of WorldWide IPv6 Deployment IPv6 refresher:
More informationEric Vyncke, Distinguished Engineer, evyncke@cisco.com. 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Eric Vyncke, Distinguished Engineer, evyncke@cisco.com 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Sometimes,
More informationPresentation_ID. 2001, Cisco Systems, Inc. All rights reserved.
Presentation_ID 2001, Cisco Systems, Inc. All rights reserved. 1 IPv6 Security Considerations Patrick Grossetete pgrosset@cisco.com Dennis Vogel dvogel@cisco.com 2 Agenda Native security in IPv6 IPv6 challenges
More informationEric Vyncke, Distinguished Engineer, evyncke@cisco.com. 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Eric Vyncke, Distinguished Engineer, evyncke@cisco.com 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 Sometimes, newer means better and more secure Sometimes, experience IS better
More informationRecent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna. 2010 Marc Heuse <mh@mh-sec.de>
Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna 2010 Marc Heuse Hello, my name is The future is here already Let s start with the basics IPv4 4 octets 4.294.967.296
More informationIPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc. Nalini.elkins@insidethestack.com
1 IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc. Nalini.elkins@insidethestack.com Agenda What has not changed between IPv4 and IPv6 traces What has changed between IPv4 and
More informationIPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationHow To Protect Your Network From A Malicious Attack On A Vpn 6 Ipv6 Ipvv6 Router From A Rogue Router (Vpn) From A Pwn 6 Attack (Ipv6) From An Ipv 6 Attack From A
IPV6 ATTACKS AND COUNTERMEASURES CDW Advanced Technology Services James Small, Principal Network/Security Consultant 800.800.4239 CDW.com/peoplewhogetit PROBLEMATIC APPROACHES TO IPV6 If I ignore it, nothing
More informationIPv6 Security Analysis
CENTER FOR CONVERGENCE AND EMERGING NETWORK TECHNOLOGIES CCENT School of Information Studies Syracuse University IPv6 Security Analysis TECHNICAL REPORT: T.R. 2014-002 Authored by: Jose Gonzalo Bejar (revised
More informationAbout the Technical Reviewers
About the Author p. xiii About the Technical Reviewers p. xv Acknowledgments p. xvii Introduction p. xix IPv6 p. 1 IPv6-Why? p. 1 IPv6 Benefits p. 2 More Address Space p. 2 Innovation p. 3 Stateless Autoconfiguration
More informationIPv6 Fundamentals: A Straightforward Approach
IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6 Rick Graziani Cisco Press 800 East 96th Street Indianapolis, IN 46240 IPv6 Fundamentals Contents Introduction xvi Part I: Background
More informationIPv6 Security Nalini Elkins, CEO Inside Products, Inc. nalini.elkins@insidethestack.com
1 IPv6 Security Nalini Elkins, CEO Inside Products, Inc. nalini.elkins@insidethestack.com Agenda Hackers are already aware of the security vulnerabilities in IPv6, and there are implications across all
More informationIPv6 Security. Eric Vyncke, Distinguished Engineer evyncke@cisco.com @evyncke. October 2014
IPv6 Security Eric Vyncke, Distinguished Engineer evyncke@cisco.com @evyncke October 2014 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 1 For Your Reference Debunking IPv6 Myths Shared
More informationExploiting First Hop Protocols to Own the Network. Rocket City TakeDownCon 2015. Paul Coggin Senior Principal Cyber Security Analyst @PaulCoggin
Exploiting First Hop Protocols to Own the Network Rocket City TakeDownCon 2015 Paul Coggin Senior Principal Cyber Security Analyst @PaulCoggin www.dynetics.com V## Goes Here 1 OSI and TCP/IP Model OSI
More informationSecurity Technology White Paper
Security Technology White Paper Issue 01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without
More informationIPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY
IPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY Alastair JOHNSON July 2013 INTRODUCTION This module will cover network infrastructure security relating to:
More informationThe Myth of Twelve More Bytes. Security on the Post- Scarcity Internet
The Myth of Twelve More Bytes Security on the Post- Scarcity Internet IPv6 The Myth of 12 More Bytes HTTP DHCP HTTP TLS ARP TCP UDP Internet Protocol Link Layer Physical Layer ICMP The Myth of 12 More
More informationCIRA s experience in deploying IPv6
CIRA s experience in deploying IPv6 Canadian Internet Registration Authority (CIRA) Jacques Latour Director, Information Technology Ottawa, April 29, 2011 1 About CIRA The Registry that operates the Country
More informationSecurity Assessment of Neighbor Discovery for IPv6
Security Assessment of Neighbor Discovery for IPv6 Fernando Gont project carried out on behalf of UK Centre for the Protection of National Infrastructure LACNIC XV 15 al 20 de Mayo de 2011. Cancún, México
More informationGuide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP
Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe
More informationIPv6 Hardening Guide for Windows Servers
IPv6 Hardening Guide for Windows Servers How to Securely Configure Windows Servers to Prevent IPv6-related Attacks Version: 1.0 Date: 22/12/2014 Classification: Public Author(s): Antonios Atlasis TABLE
More informationIPv6 Network Security. its-security@lsu.edu
IPv6 Network Security its-security@lsu.edu IPv6 Raising awareness about IPv6 IPv6 Basics Windows notes Windows Firewall Demo Linux(RHEL) Firewall Demo [Mac OS 10.7 Lion Firewall Notes] [AAAA record via
More informationIPv6 Security from point of view firewalls
IPv6 Security from point of view firewalls János Mohácsi 09/June/2004 János Mohácsi, Research Associate, Network Engineer NIIF/HUNGARNET Contents Requirements IPv6 firewall architectures Firewalls and
More informationIPv6 Security ::/0. Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil
IPv6 Security ::/0 Poland MUM Warsaw March, 2012 Eng. Wardner Maia Brazil Introduction Name: Wardner Maia Country: Brazil Electronic/Telecommunications Engineer Internet Service Provider since 1995 Training
More informationHow to securely operate an IPv6 network
How to securely operate an IPv6 network https://tools.ietf.org/html/draft-ietf-opsec-v6-06 LACNIC 23 Enrique Davila enriqued@cisco.com Released: May 2015 Agenda Ø Management Plane Ø Control Plane Routing
More informationIPv6 Associated Protocols
IPv6 Associated Protocols 1 New Protocols (1) New features are specified in IPv6 Protocol -RFC 2460 DS Neighbor Discovery (NDP) -RFC 4861 DS Auto-configuration : Stateless Address Auto-configuration -RFC
More informationSecuring the Transition Mechanisms
Securing the Transition Mechanisms CRC/ITU/APNIC IPv6 Security Workshop 29 th June 1 st July 2015 Ulaanbaatar Last updated 13 July 2014 1 Where did we leave off? p We ve just covered the current strategies
More informationFirewalls und IPv6 worauf Sie achten müssen!
Firewalls und IPv6 worauf Sie achten müssen! Pascal Raemy CTO Asecus AG pascal.raemy@asecus.ch Asecus AG Asecus AG Security (Firewall, Web-Gateway, Mail-Gateway) Application Delivery (F5 Neworks with BIGIP)
More information3.5 IPv6 Forum Certified Security Course, Engineer, Trainer & Certification (GOLD)
3.5 IPv6 Forum Certified Security Course, Engineer, Trainer & Certification (GOLD) The IPv6 Forum Certified Security Program (Security Course, Security Engineer, Security Trainer and Security Degree Exams
More informationINLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN
Indien u hergebruik wenst te maken van de inhoud van deze presentatie, vragen wij u in het kader van auteursrechtelijke bescherming de juiste bronvermelding toe te passen. 17 juni 2014 De Reehorst in Ede
More informationPersonal Firewall Default Rules and Components
Personal Firewall Default Rules and Components The Barracuda Personal Firewall comes with a default access ruleset. The following tables aim to give you a compact overview of the default rules and their
More informationProCurve Networking IPv6 The Next Generation of Networking
ProCurve Networking The Next Generation of Networking Introduction... 2 Benefits from... 2 The Protocol... 3 Technology Features and Benefits... 4 Larger number of addresses... 4 End-to-end connectivity...
More informationAbout Me. Work at Jumping Bean. Developer & Trainer Contact Info: Twitter @mxc4 Twitter @jumpingbeansa mark@jumpingbean.co.za
IPv6 & Linux About Me Work at Jumping Bean Developer & Trainer Contact Info: Twitter @mxc4 Twitter @jumpingbeansa mark@jumpingbean.co.za Goals & Motivation Why? Why IPv6? Why this talk? Information on
More informationTypes of IPv4 addresses in Internet
Types of IPv4 addresses in Internet PA (Provider Aggregatable): Blocks of addresses that may be sub-assigned to other ISPs or to other companies that also may leased the addresses to their customers May
More informationIPv6 Security Assessment and Benchmarking Abstract Test Suite
IPv6 Security Assessment and Benchmarking Abstract Test Suite Version 1.0 2013-01-22 EANTC AG Copyright (C) 2012, 2013 EANTC European Advanced Networking Test Center Aktiengesellschaft This document is
More information19531 - Telematics. 9th Tutorial - IP Model, IPv6, Routing
19531 - Telematics 9th Tutorial - IP Model, IPv6, Routing Bastian Blywis Department of Mathematics and Computer Science Institute of Computer Science 06. January, 2011 Institute of Computer Science Telematics
More informationIPv6 Virtual Labs: How to & Lessons s Learned. IPv6 Virtual Labs:
IPv6 Virtual Labs: How to & Lessons s Learned ed Jeffrey L Carrell Network Conversions Network Consultant IPv6 SME/Trainer jeff.carrell@teachmeipv6.com Twitter: @JeffCarrell_v6 1 IPv6: Build Your Own Lab
More informationStep-by-Step Guide for Setting Up IPv6 in a Test Lab
Step-by-Step Guide for Setting Up IPv6 in a Test Lab Microsoft Corporation Published: July, 2006 Author: Microsoft Corporation Abstract This guide describes how to configure Internet Protocol version 6
More informationHow To Compare Ipv6 And Ipv4 To Ipv5 (V1.2.0)
IPv6 and IPv4 Threat Comparison and Best- Practice Evaluation (v1.0) Sean Convery (sean@cisco.com) Darrin Miller (dmiller@cisco.com) Table of Contents 1 Introduction...2 1.1 Caveats...3 2 Overview of IPv4
More informationIPv6 Secure Neighbor Discovery
IPv6 Secure Neighbor Discovery Andreas Hunkeler January 2015 Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch IPv6
More informationIPv6 Security 111 Short Module on Security
IPv6 Security 111 Short Module on Security IPv6 Security 1 Copy Rights This slide set is the ownership of the 6DEPLOY project via its partners The Powerpoint version of this material may be reused and
More informationTomás P. de Miguel DIT-UPM. dit UPM
Tomás P. de Miguel DIT- 15 12 Internet Mobile Market Phone.com 15 12 in Millions 9 6 3 9 6 3 0 1996 1997 1998 1999 2000 2001 0 Wireless Internet E-mail subscribers 2 (January 2001) Mobility The ability
More informationDiscovering IPv6 with Wireshark. presented by Rolf Leutert
Discovering IPv6 with Wireshark presented by Rolf Leutert Instructor: Rolf Leutert, Network Expert & Trainer Leutert NetServices Troubleshooting & Trainings Zürich-Airport, Switzerland Sniffer certified
More informationIPv6 Security problems and mitigations János Mohácsi (mohacsi@niif.hu) euronog meeting, Budapest 11-12 September 2012
IPv6 Security problems and mitigations János Mohácsi (mohacsi@niif.hu) euronog meeting, Budapest 11-12 September 2012 IPv6 Security 1 NIIF Institute (NREN) and IPv6 Services: Hybrid network Infrastructure
More informationMigrating to IPv6 Opportunity or threat for network security?
Migrating to IPv6 Opportunity or threat for network security? Executive summary Contents 02 Executive summary 03 1. Introduction 03 2. IPv6 security check 03 2.1 Addresses 04 2.2 NAT free operation 05
More informationIPv6 Security - Opportunities and Challenges
IPv6 Security - Opportunities and Challenges Thomas Scheffler Beuth Hochschule Berlin, Germany {scheffler@beuth-hochschule.de} The Basics Agenda 1 The Basics IPv6 Network Security ICMPv6 / Autoconfiguration
More informationThe Truth about IPv6 Security
The Truth about IPv6 Security Fernando Gont UTN/FRH FutureNet: MPLS, Ethernet and Beyond Boston, MA, USA, May 10-13, 2010 Agenda Brief comparision of IPv4 and IPv6 A few myths about IPv6 security Transition
More informationIPv6 Intrusion Detection Research Project
IPv6 Intrusion Detection Research Project Carsten Rossenhövel, EANTC AG Sven Schindler, Universität Potsdam Co-Financed By: Project Goals Independently assess the true, current risks of IPv6 attacks Develop
More informationIntroduction to IP v6
IP v 1-3: defined and replaced Introduction to IP v6 IP v4 - current version; 20 years old IP v5 - streams protocol IP v6 - replacement for IP v4 During developments it was called IPng - Next Generation
More informationSecurity Implications of the Internet Protocol version 6 (IPv6)
Security Implications of the Internet Protocol version 6 (IPv6) Fernando Gont UTN/FRH BSDCan 2010 Ottawa, ON, Canada, May 13-14, 2010 Agenda Ongoing work on IPv6 security at UK CPNI Brief comparision of
More informationDedication Preface 1. The Age of IPv6 1.1 INTRODUCTION 1.2 PROTOCOL STACK 1.3 CONCLUSIONS 2. Protocol Architecture 2.1 INTRODUCTION 2.
Dedication Preface 1. The Age of IPv6 1.1 INTRODUCTION 1.2 PROTOCOL STACK 1.3 CONCLUSIONS 2. Protocol Architecture 2.1 INTRODUCTION 2.2 COMPARISONS OF IP HEADER FORMATS 2.3 EXTENSION HEADERS 2.3.1 Options
More informationgianluca.verin verin@libero. @libero.itit Vicenza.linux.it\LinuxCafe 1
gianluca.verin verin@libero. @libero.itit Vicenza.linux.it\LinuxCafe 1 Agenda IPv6 Basics Connecting to 6Bone Why do we need IPv6? IPv6 Introduction-Transition IPv6 and open source community Future applications
More informationBasic IPv6 WAN and LAN Configuration
Basic IPv6 WAN and LAN Configuration This quick start guide provides basic IPv6 WAN and LAN configuration information for the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N. For complete IPv6 configuration
More informationC)PTC Certified Penetration Testing Consultant
C)PTC Certified Penetration Testing Consultant Course Details Course Code: Duration: Notes: C)PTC 4 days This course syllabus should be used to determine whether the course is appropriate for the students,
More informationCconducted at the Cisco facility and Miercom lab. Specific areas examined
Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security
More informationIPv6 Network Reconnaissance:
IPv6 Network Reconnaissance: Theory & Practice Fernando Gont Overview IPv6 changes the Network Reconnaissance game Brute force address scanning attacks undesirable (if at all possible) Security guys will
More informationIPv6 in Axis Video Products
TECHNICAL NOTE REFERENCE DOCUMENT IPv6 in Axis Video Products Created: 2006-01-31 Last updated: 2006-05-29 TABLE OF CONTENTS DOCUMENT HISTORY... 2 1 IPV6 IN GENERAL... 3 1.1 The IPv6 address... 3 1.1.1
More informationACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0
ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security
More informationIPv6 Fundamentals, Design, and Deployment
IPv6 Fundamentals, Design, and Deployment Course IP6FD v3.0; 5 Days, Instructor-led Course Description The IPv6 Fundamentals, Design, and Deployment (IP6FD) v3.0 course is an instructor-led course that
More informationA Sampling of Internetwork Security Issues Involving IPv6
A Sampling of Internetwork Security Issues Involving IPv6 John Kristoff jtk@cymru.com FIRST 2013 John Kristoff Team Cymru 1 Agenda diff -u ipv4 ipv6 head What is the netsec community working on? How do
More informationIntroduction to Firewalls
Introduction to Firewalls Today s Topics: Types of firewalls Packet Filtering Firewalls Application Level Firewalls Firewall Hardware/Software IPChains/IPFilter/Cisco Router ACLs Firewall Security Enumeration
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More information642 552 Securing Cisco Network Devices (SND)
642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,
More informationFirewall Defaults and Some Basic Rules
Firewall Defaults and Some Basic Rules ProSecure UTM Quick Start Guide This quick start guide provides the firewall defaults and explains how to configure some basic firewall rules for the ProSecure Unified
More informationITL BULLETIN FOR JANUARY 2011
ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division
More informationStrategies for Getting Started with IPv6
Strategies for Getting Started with IPv6 IPv6 Transition Acceleration Options for Web Applications and Services By Scott Hogg GTRI - Director of Technology Solutions CCIE #5133, CISSP #4610 IPv6 Transition
More information100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)
100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.
More informationRecommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
More informationIPv6 Diagnostic and Troubleshooting
8 IPv6 Diagnostic and Troubleshooting Contents Introduction.................................................. 8-2 ICMP Rate-Limiting........................................... 8-2 Ping for IPv6 (Ping6)..........................................
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationJoe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011
Joe Davies Principal Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group June 1, 2011 2011 Microsoft Corporation IPv6 addressing and DNS review IPv6 subnetting
More informationIPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date
IPv4 and IPv6 Integration Formation IPv6 Workshop Location, Date Agenda Introduction Approaches to deploying IPv6 Standalone (IPv6-only) or alongside IPv4 Phased deployment plans Considerations for IPv4
More informationIINS Implementing Cisco Network Security 3.0 (IINS)
IINS Implementing Cisco Network Security 3.0 (IINS) COURSE OVERVIEW: Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles and technologies, using
More informationImplementing DHCPv6 on an IPv6 network
Implementing DHCPv6 on an IPv6 network Benjamin Long benlong@iol.unh.edu 8-11-2009 Implementing DHCPv6 on an IPv6 network 2 Table of Contents DHCPv6 Overview...3 Terms used by DHCPv6...3 DHCPv6 Message
More informationConfiguration Guide for RFMS 3.0 Initial Configuration. WiNG 5 How-To Guide. Firewall. June 2011 Revision 1.0
Configuration Guide for RFMS 3.0 Initial Configuration XXX-XXXXXX-XX WiNG 5 How-To Guide Firewall June 2011 Revision 1.0 MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office.
More informationNetwork Working Group Request for Comments: 4942. Ericsson P. Savola CSC/Funet September 2007. IPv6 Transition/Coexistence Security Considerations
Network Working Group Request for Comments: 4942 Category: Informational E. Davies Consultant S. Krishnan Ericsson P. Savola CSC/Funet September 2007 Status of This Memo IPv6 Transition/Coexistence Security
More informationImplementing Cisco IOS Network Security
Implementing Cisco IOS Network Security IINS v3.0; 5 Days, Instructor-led Course Description Implementing Cisco Network Security (IINS) v3.0 is a 5-day instructor-led course focusing on security principles
More informationPractical Security Assessment of IPv6 Networks and Devices. Fernando Gont
Practical Security Assessment of IPv6 Networks and Devices Fernando Gont About I have done a fair share of IPv6 standardization work I have published and maintain the SI6 Networks IPv6 Toolkit I run the
More informationNICS IPv6 Best Practices Guide
NICS IPv6 Best Practices Guide Recommendations for Deploying IPv6 Version: 1.3 Date: April 22, 2014 scott.hovis@nasa.gov Document Change Log Date Version Change Author Affected Section 1/15/2014 1.0 Scott
More informationSSVVP SIP School VVoIP Professional Certification
SSVVP SIP School VVoIP Professional Certification Exam Objectives The SSVVP exam is designed to test your skills and knowledge on the basics of Networking, Voice over IP and Video over IP. Everything that
More informationNetwork Security IPv4 + IPv6
Network Security IPv4 + IPv6 by Managing Director SuperInternet Overview Confidentiality? Integrity? Availability! IPv6 Issues (Compared with IPv4) Physical Security of the Network Assumptions: Generally
More informationSecuring end devices
Securing end devices Securing the network edge is already covered. Infrastructure devices in the LAN Workstations Servers IP phones Access points Storage area networking (SAN) devices. Endpoint Security
More informationco Characterizing and Tracing Packet Floods Using Cisco R
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
More informationInterconnecting Cisco Network Devices 1 Course, Class Outline
www.etidaho.com (208) 327-0768 Interconnecting Cisco Network Devices 1 Course, Class Outline 5 Days Interconnecting Cisco Networking Devices, Part 1 (ICND1) v2.0 is a five-day, instructorled training course
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationCloudEngine Series Switches. IPv6 Technical White Paper. Issue 01 Date 2014-02-19 HUAWEI TECHNOLOGIES CO., LTD.
Issue 01 Date 2014-02-19 HUAWEI TECHNOLOGIES CO., LTD. 2014. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of
More informationIPv6 Functionality. Jeff Doyle IPv6 Solutions Manager jeff@juniper.net
IPv6 Functionality Jeff Doyle IPv6 Solutions Manager jeff@juniper.net Copyright 2003 Juniper Networks, Inc. Agenda ICMPv6 Neighbor discovery Autoconfiguration Agenda ICMPv6 Neighbor discovery Autoconfiguration
More informationIPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令
IPV6 流 量 分 析 探 讨 北 京 大 学 计 算 中 心 周 昌 令 1 内 容 流 量 分 析 简 介 IPv6 下 的 新 问 题 和 挑 战 协 议 格 式 变 更 用 户 行 为 特 征 变 更 安 全 问 题 演 化 流 量 导 出 手 段 变 化 设 备 参 考 配 置 流 量 工 具 总 结 2 流 量 分 析 简 介 流 量 分 析 目 标 who, what, where,
More informationCampus LAN at NKN Member Institutions
Campus LAN at NKN Member Institutions RS MANI rsm@nkn.in 1/7/2015 3 rd Annual workshop 1 Efficient utilization Come from: Good Campus LAN Speed Segregation of LANs QoS Resilient Access Controls ( L2 and
More information