Firewalls and IPv6: what you need to watch out for!





Firewalls and IPv6: what you need to watch out for!
Pascal Raemy, CTO Asecus AG, pascal.raemy@asecus.ch
November 2011

Asecus AG
- Security (Firewall, Web-Gateway, Mail-Gateway)
- Application Delivery (F5 Networks with BIG-IP)
- IPAM / DNS / DHCP for IPv4 & IPv6 (BlueCat Networks)

Pascal Raemy
- 20 years experience in Network & Security
- Co-Founder of Asecus AG
- 15 years experience with firewalls from different vendors: Sidewinder / MFE, Fortigate, PaloAlto, etc.
- 10 years experience with DNS
- Newcomer in IPv6

Content
- IPv6 Overview
- IPv4 / IPv6 with Internet
- Expectations of an IPv4 / IPv6 Firewall
- What can be realized today with 3 different top firewall products?

IPv6 Overview
- IPv4 was developed in the 1970s and wasn't used very much until the 90s
- After the development of the Internet, the development of IPv4 increased rapidly (CIDR, NAT, DHCP, VPN, IPSEC, etc.)
- IPv6 was developed in the 90s to have a solution for the address limitations of IPv4
- Because the IPv4 address issue was solved with NAT, the development of IPv6 stagnated
- For 10 years we have been aware of the reduced availability of IPv4 networks
- This increased the development of IPv6 dramatically, and you see more and more IPv6 implementations in products: Mobile IPv6, transition mechanisms (6rd, NAT64, DNS64, 6to4, etc.), DHCP, etc.

IPv6 Overview: IP Header
- Shorter IP header with fixed length, 40 bytes
- No default options
- Version = 6
- Traffic Class = QoS
- Flow Label for real-time datagrams and quality of service features
- Payload Length: payload + extension headers
- Next Header: first extension header or next-layer protocol
- Hop Limit: TTL

IPv6 Overview: IP Header Extension Headers
- IPv6 handles options in additional Extension Headers
- The current IPv6 specification defines 6 Extension Headers:
  - Hop-by-Hop Options Header (RFC 2460)
  - Routing Header (RFC 2460)
  - Fragment Header (RFC 2460)
  - Destination Options Header (RFC 2460)
  - Authentication Header (RFC 4302)
  - Encapsulating Security Payload (RFC 4303)
- Extension Headers have no restrictions and can also be misused!

IPv6 Overview: Extension Header chains (RFC 2460)
- IPv6 Header (Next Header = TCP, value 6) -> TCP header and data
- IPv6 Header (Next Header = Routing, value 43) -> Routing Header (Next Header = TCP, value 6) -> TCP header and data
- IPv6 Header (Next Header = Routing, value 43) -> Routing Header (Next Header = Fragment, value 44) -> Fragment Header (Next Header = TCP, value 6) -> TCP header and data

IPv6 Overview: ICMPv6
- ICMPv6 is the most important protocol
- ICMPv6 messages are transported in IPv6 packets in which the IPv6 Next Header value is set to hex 3a (58)
- Layout: IPv6 Header (Next Header = ICMPv6, value hex 3a) -> Type | Code | Checksum | Message Body
- ICMPv6 messages may be classified into two categories:
  - error messages (Type 0-127), e.g. 1 = Destination Unreachable, 3 = Time Exceeded
  - information messages (Type 128-255), e.g. 128, 129 = Echo Request / Reply; 130-132 = Multicast Listener (Query, Report, Done); 133, 134 = Router Solicitation / Advertisement; 135, 136 = Neighbor Solicitation / Advertisement; 137 = Redirect Message
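As an added example (not from the deck), the header walk a firewall has to do before it can apply a TCP or ICMPv6 rule: follow the Next Header chain of the diagrams above until the upper-layer protocol is found, then sort an ICMPv6 type into the deck's two categories. The sample packets are constructed inline; the length rules for AH and ESP are taken from RFC 4302/4303 rather than from the deck.

```python
import struct
# Next Header values named in the deck, plus Destination Options, AH and ESP (RFC 2460/4302/4303)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, TCP, ICMPV6 = 0, 43, 44, 50, 51, 60, 6, 58
EXT_NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
             ESP: "ESP", AH: "AH", DEST_OPTS: "Dest-Opts"}
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}

def walk_headers(pkt: bytes):
    """Follow the Next Header chain; returns (extension names in order, upper-layer protocol, its offset)."""
    ver_tc_fl, _plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    off, chain = 40, []
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == ESP:                       # everything after ESP is encrypted: the chain ends here
            return chain, ESP, off
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:                  # fixed 8 bytes
            size = 8
        elif nh == AH:                      # length in 32-bit words, minus 2
            size = (ext_len + 2) * 4
        else:                               # length in 8-byte units, not counting the first 8
            size = (ext_len + 1) * 8
        nh, off = next_nh, off + size
    return chain, nh, off

def classify_icmpv6(pkt: bytes):
    """Return (category, name) for an ICMPv6 packet, or None if the upper layer is not ICMPv6."""
    _chain, proto, off = walk_headers(pkt)
    if proto != ICMPV6:
        return None
    msg_type = pkt[off]
    category = "error" if msg_type < 128 else "information"   # the deck's two classes
    return category, ND_TYPES.get(msg_type, f"type {msg_type}")

def build_ipv6(nh: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Constructed sample packet: src is the deck's link-local example, dst is ff02::1 (all nodes)."""
    src = bytes.fromhex("fe80" + "0000" * 3 + "0230" + "48ff" + "fedb" + "ac6d")
    dst = bytes.fromhex("ff02" + "0000" * 6 + "0001")
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, hop_limit) + src + dst + payload

# Constructed sample: IPv6 -> Routing -> Fragment -> TCP, the deck's third chain
routing_hdr = bytes([FRAGMENT, 0, 0, 0, 0, 0, 0, 0])            # next=44, len=0, type 0, segments left 0
fragment_hdr = bytes([TCP, 0, 0, 0]) + b"\x00\x00\x00\x01"       # next=6, offset 0, M=0, id=1
tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)  # bare SYN
PKT_CHAIN = build_ipv6(ROUTING, routing_hdr + fragment_hdr + tcp_hdr)
# Constructed sample: IPv6 -> ICMPv6 Router Advertisement (type 134), as a router would send it
PKT_RA = build_ipv6(ICMPV6, bytes([134, 0, 0, 0]) + bytes(12), hop_limit=255)
```

A product that stops at the first Next Header value would see "Routing" for the first sample and never reach the TCP header its policy is written for, which is the point of the deck's warning that extension headers can be misused.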

IPv6 Overview: ICMPv6 & ND
- The ICMPv6 messages 133 to 137 are used by Neighbor Discovery, for example for:
  - Stateless Address Auto Configuration (SLAAC)
  - Duplicate address detection (DAD)
  - Discovery of IP routers
- The following options can also be transmitted during ND processes: router link-local address, router lifetime, MTU size, hop limit, prefix (e.g. 2001:470:26:84D::, always /64)

IPv6 Overview: IPv6 Address
- An IPv6 address has 128 bits, written as fe80:0000:0000:0000:0230:48ff:fedb:ac6d/64, or fe80:0:0:0:230:48ff:fedb:ac6d/64, or fe80::230:48ff:fedb:ac6d/64
- In general the subnet is always /64
- Address types:
  - Link-Local Unicast: fe80::/8, default address of a system
  - Unique Local Unicast (ULA): fc00::/7 (incl. fd00::/8), only locally significant (analogous to RFC 1918 addresses, not routable in the Internet)
  - Global Unicast: 2000::/3, officially routable addresses

IPv6 and Firewalls
- Firewalls are the interface between the internal network and the Internet
- Firewalls support many interfaces and also different IP stacks (dual stack)
- How can firewalls work in a heterogeneous environment, where IPv4 and IPv6 should communicate together?
- Do firewalls secure IPv6 connections and control the content?

IPv6 - IPv4 Intra-Network
- Connection between networks of the same type:
  - IPv4 <-> IPv4: no problem
  - IPv6 <-> IPv6: no problem
  - Depending on the product and the service, we have different security levels
- Connection between networks of different types:
  - IPv4 <-> IPv6: only possible if the firewall acts as a translator

IPv6 & Internet: customers with IPv6 LAN and IPv4 Internet ISP
- The firewall establishes an IPv4 tunnel to an IPv4/IPv6 gateway provider like Sixxs, Hurricane Electric or Gogo6

IPv6 & Internet: customers with IPv4 LAN and IPv6 Internet ISP
- The firewall establishes an IPv6 tunnel to an IPv6/IPv4 gateway provider

IPv6 / IPv4 Dual-Stack
- Allows step-by-step migration to IPv6
- Support of dual-stack interfaces for the firewall and especially for clients
- Native Internet IPv4 & IPv6

IPv6 & Firewall
- When you start with a new firewall technology like IPv6, first check the base functionalities like connection, policy, content control, etc.
- In a second step, look deeper and search for specialties like tunnel capabilities and Router Advertisement
- And what about security, like:
  - Controlling multicast (all nodes, all routers, all DHCP servers)
  - Controlling extension headers
  - Controlling ICMPv6 packets

IPv6 & Firewall
- Asecus has a partnership with 3 firewall manufacturers
- All of them support IPv6, but how?
- Asecus tested the following firewalls:
  - Fortigate (v. 4.0 MR3 (3.0)): global activation of IPv6 to get the IPv6 menu
  - McAfee Firewall Enterprise (Sidewinder) (v. 8.2.0 (7.0.1)): activation of IPv6 when turning on IPv6 on an interface
  - PaloAlto (4.1.0 (3.1)): global activation of IPv6 to get the IPv6 menu
- The implementations of IPv6 show some similarities but also some differences

IPv6 & Fortigate
- Supports IPv6 since 2007
- Supports dual stack IPv4 / IPv6
- IP configuration using the GUI
- Supports Router Advertisement (CLI) (with and without prefix)
- Supports 6in4 tunnels (CLI)
- Separate policy for IPv6
- All UTM features: AV, URL, IPS, DLP, Application Control
- Also controls extension headers
- Controls ICMPv6

CLI configuration of the IPv6 address and Router Advertisement on the interface, as shown on the slide:

    config ipv6
        set autoconf enable
        set ip6-address 2001:470:26:84d::155/64
        set ip6-allowaccess ping https ssh
        set ip6-default-life 1800
        set ip6-hop-limit 0
        set ip6-link-mtu 0
        set ip6-manage-flag disable
        set ip6-max-interval 600
        set ip6-min-interval 198
        set ip6-other-flag disable
        set ip6-reachable-time 0
        set ip6-retrans-time 0
        set ip6-send-adv enable
    end

IPv6 & Fortigate
The following features are also supported:
- Bandwidth management (shaping, QoS)
- IPSec: site-to-site and dial-up
- DNS (AAAA record)
- SIP ALG (application gateway)
- DHCP server for IPv6
- SSL VPN over IPv6
- SNMP traps over IPv6
- User authentication (identity-based policy)
- Dynamic routing: OSPF / RIP / BGP
- Management (ssh, http, https)
- Logging and reporting of traffic; reporting in FortiAnalyzer

IPv6 & Fortigate: Experience
- The firewall is ready for IPv6 implementation
- CLI knowledge needed to set up Router Advertisement for SLAAC
- CLI needed to configure the 6in4 tunnel
- Support of dual stack with a 6in4 tunnel allows a PC to connect to IPv4 and IPv6 Internet web servers; no need to have native IPv6
- Troubleshooting with tcpdump & ping6
To be improved:
- Possibility to set up Router Advertisement and tunnels using the GUI
Roadmap:
- Policy-based routing for IPv6
- Communication between Fortigate components
- Explicit HTTP web proxy for IPv6 (clients & servers)
- NAT64, 6to6 NAT (SNAT/DNAT)

IPv6 & McAfee Firewall Enterprise
- Supports IPv6 since 2008
- Supports dual stack IPv4 / IPv6
- IP configuration in the GUI
- Supports Router Advertisement
- Single view for IPv4 / IPv6 policy rules
- Supports protocol translation for HTTP connections from IPv4 to IPv6, using the non-transparent HTTP proxy
- Control of IPv6 extension headers

IPv6 & McAfee Firewall Enterprise
The following features are also supported:
- Application Defense only for HTTP (URL, AV)
- Split DNS server for IPv4 / IPv6
- IPS
- Dynamic routing protocol: OSPF
- IPSec: site-to-site

IPv6 & McAfee Firewall Enterprise: Experience
- The firewall is ready for IPv6 implementation
- Most of the proxies are not implemented => not the same security as for IPv4
- Support of dual stack allows a PC to connect to IPv4 and IPv6 Internet web servers; you need to have native IPv6
- Troubleshooting with tcpdump & ping6
To be improved:
- Support to manage the firewall over IPv6
- Support of Application Defense for all other proxies: https, ftp, ssh, etc.
Roadmap:
- Support for 6in4 tunnels

IPv6 & PaloAlto
- Supports IPv6 since 2009
- Supports dual stack IPv4 / IPv6
- IP configuration in the GUI
- Single view for IPv4 / IPv6 policy rules
- Control of IPv6 multicast or anycast for zone protection (on & off)
- All UTM features (AV, URL, IPS)
- Control of IPv6 extension headers

IPv6 & PaloAlto
The following features are also supported:
- Application Control
- User Identification
- Management using https, ssh

IPv6 & PaloAlto: Experience
- The firewall is ready for IPv6 implementation
- Support of dual stack allows a PC to connect to IPv4 and IPv6 Internet web servers; you need to have native IPv6
- Troubleshooting with tcpdump & ping6
To be improved:
- Support for 6in4 tunnels
- IPSec
Roadmap:
- N/A

IPv6 Conclusion
- All three firewalls support IPv6 as standard
- All three firewalls support dual stack technology
- All three firewalls can be set up to control extension headers
- Two firewalls offer full protection for IPv6 traffic today
- Only one firewall supports IPv6 to IPv4 translation
- Only one firewall supports 6in4 tunnels
- Only one firewall supports control over ICMPv6 packets
- Go IPv6! Do not hesitate, start using IPv6 today!