Firewalls und IPv6 worauf Sie achten müssen!

Transcription

1 Firewalls und IPv6 worauf Sie achten müssen! Pascal Raemy CTO Asecus AG Asecus AG Asecus AG Security (Firewall, Web-Gateway, Mail-Gateway) Application Delivery (F5 Neworks with BIGIP) IPAM / DNS / DHCP for IPv4 & IPv6 (BlueCat Networks) Pascal Raemy 20 years experience in Network & Security Co-Founder of Asecus AG 15 years experience with Firewall from different vendors Sidewinder / MFE, Fortigate, PaloAlto, etc.. 10 years experience with DNS New comer in IPv6 November

2 Content IPv6 Overview IPv4 / IPv6 with Internet Expectations to an IPv4 / IPv6 Firewall What can be realized today with 3 different top Firewall products? November IPv6 Overview IPv4 was developed in the 1970 ies and wasn t used very much until the 90 ies After the development of Internet, the development of IPv4 increased rapidly (CIDR, NAT, DHCP, VPN, IPSEC, etc..) IPv6 was developed in the 90 ies, to have a solution for the address limitations of IPv4 Because the IPv4 address issue was solved with NAT, the development of IPv6 stagnates Since 10 years we are aware about the reduced availability of IPv4 Networks This increased the development of IPv6 dramatically and you see more and more IPv6 implementation in the products Mobile IPv6, Transition Mechanisms (6rd, NAT64, DNS64, 6to4, etc.., DHCP, etc November

3 IPv6 Overview IP Header Shorter IP Header and fixed length, 40 Bytes No default option Version =6 Traffic Class = QoS Flow Label for real-time datagram and quality of service features Payload Length: Payload + Extension Header Next Header: first Extension Header or next layer Protocol Hop Limit: TTL November IPv6 Overview IP Header Extension Header IPv6 handles options in additional Extension Headers The current IPv6 specification defines 6 Extension Headers: Hop-by-Hop Options Header Routing Header RFC 2460 Fragment Header Destination Options Header Authentication Header RFC 4302 Encrypted Security Payload RFC 4303 Extension Headers have no restriction Can also be misused! November

4 IPv6 Overview Extension Header IPv6 Header Next Header = TCP Value 6 TCP Header and data RFC 2460 IPv6 Header Next H. = Routing Value 43 Routing Header Next H. = TCP Value 6 TCP Header and data IPv6 Header Next H. = Routing Value 43 Routing Header Next H. = Fragment Value 44 Fragment Header Next H. = TCP Value 6 TCP Header and data November IPv6 Overview ICMPv6 ICMPv6: the most important protocol ICMPv6 messages are transported by IPv6 packets in which the IPv6 Next Header value is set to Hex-3a (58) IPv6 Header Next H. = ICMPv6 Value Hex 3a Type Code Checksum Message Body ICMPv6 messages may be classified into two categories error messages (Type 0-127), i.e 1 = Destination Unreachable 3 = Time Exceeded information messages (Type ), i.e. 128, 129 = Echo request / reply = Multicast Listener (Query Report Done) 133, 134 = Router Solicitation / Advertisement 135, 136 = Neighbor Solicitation / Advertisement 137 = Redirect Message November

5 IPv6 Overview ICMPv6 & ND The ICMPv6 messages from 133 to 137 are used by Neighbor discovery to do for example: Stateless Address Auto Configuration (SLAAC) Detect duplicate IP (DAD) Discovery of IP Router Also the following options can be transmitted during ND processes: Router Link Local Address Router Life Time MTU-Size Hop Limit Prefix, i.e. 2001:470:26:84D:: always /64 November IPv6 Overview IPv6 Address IPv6 Address 128 Bits in Form: fe80:0000:0000:0000:0230:48ff:fedb:ac6d/64 or fe80:0:0:0:230:48ff:fedb:ac6d/64 or fe80::230:48ff:fedb:ac6d/64 General always /64 Subnet Address Type Link Local Unicast: fe80::/8 Default Address of system Unique local Unicast (ULA): fc00::/7 (incl. fd00::/8) Only locally significant (analog to RFC 1918 Address, not routable in Internet) Global Unicast: 2000::/3 Officially routable Address November

6 IPv6 and Firewall Firewalls are the interface between the internal network and the Internet Firewalls support many interfaces and also different IP- Stacks (dual stack) How can Firewalls work in heterogenic environment, where IPv4 and IPv6 should communicate together? Do Firewalls secure IPv6 connections and control the content? November IPv6 - IPv4 Intra-Network Connection between same type of networks IPv4 <-> IPv4 No problem IPv6 <-> IPv6 No problem Depending of the product and the service, we have different security level Connection between diffente type of networks IPv4 <-> IPv6 Only possible if the firewall acts as Translator November

7 IPv6 & Internet Customers with IPv6 LAN and IPv4 Internet ISP Firewall establishes an IPv4 Tunnel to an IPv4/IPv6 Gateway Provider like: Sixxs Hurricane Electric Gogo6 November IPv6 & Internet Customers with IPv4 LAN and IPv6 Internet ISP Firewall establishes an IPv6 Tunnel to an IPv6/IPv4 Gateway Provider November

8 IPv6 / IPv4 Dual-Stack Allow step by step Migration to IPv6 Support of dual-stack interface for Firewall and specially clients Native Internet IPv4 & IPv6 November IPv6 & Firewall When you start with a new firewall technology like IPv6, first check the base functionalities like Connection, Policy, Content control, etc. In a second step, look deeper and search for specialties like Tunnel capabilities Router Advertisement And what about Security like Controlling Multicast (all nodes, all routers, all DHCP servers) Controlling Header Extension Controlling ICMPv6 Packet November

9 IPv6 & Firewall Asecus has a partnership with 3 firewall manufacturers All of them support IPv6 but how? Asecus tested the following firewalls: Fortigate (v. 4.0 MR3 ( 3.0)) Global activation of IPv6 to get IPv6 Menu McAfee Firewall Enterprise (Sidewinder) (v (7.0.1)) Activation of IPv6 when turn on IPv6 on Interface PaloAlto (4.1.0 (3.1)) Global activation of IPv6 to get IPv6 Menu The implementation of IPv6 shows some similarities but also some differences November IPv6 & Fortigate Supports IPv6 since 2007 Supports dual stack IPv4 / IPv6 IP configuration using GUI Support Router Advertisement (CLI) (with and without Prefix) Support 6in4 Tunnel (CLI) Separate Policy for IPv6 All UTM Features AV, URL, IPS,DLP Application Control To also control Extension Header Control ICMPv6 config ipv6 set autoconf enable set ip6-address 2001:470:26:84d::155/64 set ip6-allowaccess ping https ssh set ip6-default-life 1800 set ip6-hop-limit 0 set ip6-link-mtu 0 set ip6-manage-flag disable set ip6-max-interval 600 set ip6-min-interval 198 set ip6-other-flag disable set ip6-reachable-time 0 set ip6-retrans-time 0 set ip6-send-adv enable end November

10 IPv6 & Fortigate The following feature are also supported Bandwidth Management (Shaping, QoS) IPSec: Site-2-Site and Dial-UP DNS (AAAA Record) SIP ALG (Application Gateway) DHCPs for IPv6 SSL VPN over IPv6 SNMP Traps over IPv6 User-Authentication (Identity based Policy) Dynamic Routing, OSPF / RIP / BGP Management (ssh, http, https) Logging and Reporting of Traffic. Reporting in FortiAnalyzer November IPv6 & Fortigate Experience Firewall is ready for IPv6 implementation CLI knowledge needed to setup Router Advertisement For SLAAC CLI needed to configure 6in4 tunnel Support of dual-stack with 6in4 Tunnel allow PC to connect to IPv4 and IPv6 Internet Web Server No need to have native IPv6 Trouble Shooting with tcpdump & ping6 To be improved Possibility to setup Router Advertisement and Tunnel using the GUI Roadmap Policy-based Routing for IPv6 Communication between Fortigate component Explicit HTTP Web Proxy for IPv6 (Clients & Server) NAT64, 6to6 NAT (SNAT/DNAT) November

11 IPv6 & McAfee Firewall Enterprise Support IPv6 since 2008 Support dual-stack IPv4 / IPv6 IP configuration in GUI Support Router Advertisement Single View for for IPv4 / IPv6 Policy Rules Support protocol translation for HTTP connection from IPv4 to IPv6 Using non-transparent http proxy Control of IPv6 Header Extension November IPv6 & McAfee Firewall Enterprise The following features are also supported Support of Application Defense only for HTTP URL, AV Spilt DNS Server for IPv4 / IPv6 IPS Dynamic Routing Protocol OSPF IPSec: Site-2-Site November

12 IPv6 & McAfee Firewall Enterprise Experience Firewall is ready for IPv6 implementation Most of the Proxy not implemented => not the same security as for IPv4 Support of dual-stack allow PC to connect to IPv4 and IPv6 Internet Web Server You need to have native IPv6 Trouble Shooting with tcpdump & ping6 To be improved Support to manage Firewall over IPv6 Support of Application defense for all other Proxies https, ftp, ssh, etc.. Roadmap Support for 6in4 Tunnel November IPv6 & PaloAlto Support IPv6 since 2009 Support dual-stack IPv4 / IPv6 IP configuration in GUI Single view for IPv4 / IPv6 Policy Rules Control IPv6 Multicast or Anycast for Zone Protection ON & OFF All UTM Features (AV, URL, IPS) Control of IPv6 Header Extension November

13 IPV6 & PaloAlto The following features are also supported Application Control User Identification Management using https, ssh November IPv6 & PaloAlto Experience Firewall is ready for IPv6 implementation Support of dual-stack allow PC to connect to IPv4 and IPv6 Internet Web Server You need to have native IPv6 Trouble Shooting with tcpdump & ping6 To be improved Support for 6in4 Tunnel IPSec Roadmap NA November

14 IPv6 Conclusion All three firewalls support IPv6 as Standard All three firewalls support dual stack technology All three firewalls can be setup to control Extension Headers Two firewalls offer full protection for IPv6 traffic today Only one firewall supports IPv6 to IPv4 translation Only one firewall supports 6in4 Tunnel Only one firewall supports control over ICMPv6 packets Go IPv6! Do not hesitate, start using IPv6 today! November