Joe Klein, CISSP IPv6 Security Researcher jsklein@gmail.com
Implementation Strategies

Accidentally (historical examples):
- Unsecured wireless access points
- Non-firewalled systems/networks
- Starting IT projects without the security guys involved
- Last-minute projects and demos

Deliberately:
- Plan: establish the objectives and processes necessary to deliver results. Management and security staff buy-in!
- Do: implement the new processes
- Check: measure the new processes and compare the results against the expected results
- Act: analyze the differences, determine their cause, and determine improvements
IPv6 Enabled Systems

Deployment Date | Product                            | V6 Capable  | V6 Enabled
1996            | OpenBSD / NetBSD / FreeBSD         | Yes         | Yes
                | Linux 2.1.6 kernel                 | Yes         | No
1997            | AIX 4.2                            | Yes         | No
2000            | Windows 95/98/ME/NT 3.5/NT 4.0     | Yes, add-on | No
                | Microsoft 2000                     | Yes         | No
                | Solaris 2.8                        | Yes         | Yes
2001            | Cisco IOS (12.x and later)         | Yes         | No
2002            | Juniper (5.1 and later)            | Yes         | Mostly
                | IBM z/OS                           | Yes         | Yes
                | Apple OS/10.3                      | Yes         | Yes
                | Microsoft XP                       | Yes         | No
                | Linux 2.4 kernel                   | Yes         | No
                | AIX 6                              | Yes         | Yes
                | IBM AS/400                         | Yes         | Yes
2006            | Linksys routers (Mindspring)       | Yes         | No
                | Cell phone: many                   | Yes         | Yes
                | Solaris 2.10                       | Yes         | Yes
                | Linux 2.6 kernel                   | Yes         | Yes
2007            | Apple AirPort Extreme              | Yes         | Yes
                | Cell phone: BlackBerry             | Yes         | No
                | Microsoft Vista                    | Yes         | Yes
                | HP-UX 11iv2                        | Yes         | Yes
                | OpenVMS                            | Yes         | Yes
                | Macintosh OS X Leopard             | Yes         | Yes
2009            | Cloud computing & embedded systems | Yes         | Yes
IPv6 Security Events

2001  Review of logs, after the Honeynet Project announcement
2002  Honeynet Project: Lance Spitzner: Solaris
      Snort: Martin Roesch: added, then removed, IPv6
2003  Worm: W32.HLLW.Raleka: downloads files from a predefined location and connects to an IRC server
2005  Trojan: Troj/LegMir-AT: connects to an IRC server
      CERT: covert channels using IPv6 Teredo
      Mike Lynn: Black Hat: IOS' handling of IPv6 packets
2006  CanSecWest: THC IPv6 hacking tools
      RP Murphy: DefCon: IPv6 covert channels
2007  Rootkit: W32/Agent.EZM!tr.dldr: TCP, HTTP, SMTP
      James Hoagland: Black Hat: Teredo/IPv6-related flaw in Vista
2008  HOPE: IPv6 mobile phone vulnerability
      November: "Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side." (Arbor Networks)
Malware

Date        Infection  Name
2001
10/1/2001   DOS bot    ipv4.ipv6.tcp.connection
2003
9/26/2003   Worm       W32/Raleka!worm
2004
7/6/2004    Worm       W32/Sdbot-JW
2005
2/18/2005   Worm       W32/Sdbot-VJ
8/24/2005   Trojan     Troj/LegMir-AT
9/5/2005    Trojan     Troj/LegMir-AX
2006
4/28/2006   Trojan     W32/Agent.ABU!tr.dldr
2007
1/2/2007    Trojan     Cimuz.CS
4/10/2007   Trojan     Cimuz.EL
5/4/2007    Trojan     Cimuz.FH
11/5/2007   Worm       W32/Nofupat
11/15/2007  Trojan     Trojan.Astry
12/1/2007   Rootkit    W32/Agent.EZM!tr.dldr
12/16/2007  Trojan     W32/Agent.GBU!tr.dldr
12/29/2007  Worm       W32/VB-DYF
2008
4/22/2008   Trojan     Troj/PWS-ARA
5/29/2008   Trojan     Generic.dx!1DAEE3B9
IPv6 Vulnerability Trends

[Chart: "Published IPv6 Vulnerabilities over Time"; x-axis: year, 2000 through 2008; y-axis: vulnerabilities, 0 to 70; series: Count and Sum]
IPv6 Vulnerabilities: Impacts of Vulnerabilities

Published IPv6 vulnerabilities by classification:
- DoS: 62%
- Other: 22%
- Code execution: 5%
- Overflow: 5%
- Information disclosure: 5%
- Privilege escalation: 2%
Core Problems

Published IPv6 vulnerabilities by technology:
- Network/Firewall: 75%
- Application: 11%
- Teredo: 6%
- Firewall/Teredo: 4%
- IPsec/IKE: 4%
IPv6 Vulnerabilities: Product Breakdown

Core problem behind published IPv6 vulnerabilities:
- Implementation vulnerabilities: 56%
- IPv6-specific software vulnerabilities: 27%
- Design bugs/vulnerabilities: 13%
- Configuration vulnerabilities: 2%
- Other vulnerabilities: 2%
Attack Surfaces
- IPv4 native
- IPv6 native
- Dual-stack
- Dual-stack + tunnels
- IPv4 + tunnels
- IPv6 + tunnels
- Tunnels: encapsulation and/or encryption
7 Layer Target
- User interface
- Chopping of addresses
- Bad libraries
- Error handling
- Coding issues
- Improper logging
- Embedded addresses
- Improper implementation
- Operations: L2/L3 mismatch, MTU, etc.
Security Tool Stages of IPv6 Compatibility

Caveat emptor: buyer beware.

Product marketing terms: IPv6 Capable, IPv6 Compliant, IPv6 Compatible, IPv6 Ready, IPv6-Ready, IPv6 Available, IPv6 Enabled, IPv6 Tested, IPv6 DoD/DISA Ready, DoD/DISA Tested, JITC IPv6 Certified.

Layers of testing: conformance, interoperability, performance, security (performed by third parties, the US Government, the DoD, or all others).

Certification programs:
- Certified IPv6 Ready Logo Program, Phase 1: host, router, special device, for the minimum IPv6 core protocols. http://www.ipv6ready.org/logo_db/approved_list.php
- Certified IPv6 Ready Logo Program, Phase 2: host, router, special device, for the minimum IPv6 core protocols plus IPsec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, MLD, transition, management (SNMP MIBs). http://www.ipv6ready.org/logo_db/approved_list_p2.php
- NIST Certified 1.0: host, router, network protection devices, for routing, quality of service, transition, link technology, addressing, IPsec, application environment, network management, multicasting, mobility. http://www.antd.nist.gov/
- DoD IPv6 Capable Certified 3.0: host, network appliances, router, layer 3 switch, security device, advanced server, application. http://jitc.fhu.disa.mil/apl/ipv6.html
- Third party: Common Criteria. http://www.commoncriteriaportal.org/
Compliance

What                        | Who                                    | Problems
FISMA                       | US Federal Government, Executive Branch | Few IPv6 NIST guidance documents/references
Sarbanes-Oxley Act          | Publicly traded companies              | Identify risk; evaluate controls
Gramm-Leach-Bliley Act      | Banking, brokerages and financial      | Risk management; monitor and test
HIPAA                       | Health care                            | PHI protected from intrusion; risk analysis and risk management
Payment Card Industry (PCI) | Credit card                            | Requires NAT/PAT and IP masquerading; base configuration on NIST, SANS and CSI; disable all unnecessary and insecure services and protocols; internal and external network vulnerability scans
Is IPv6 More Secure? Yes & No

IPv6 is a bigger toolkit for defense and attack.

Powerful tools for defense:
- IPsec (authentication and encryption)
- Secure Neighbor Discovery (SEND)
- Cryptographically Generated Addresses (CGA)
- Unique Local Addresses (ULAs)
- Privacy addresses

New attack vectors:
- Automated tunneling
- Neighbor Discovery and autoconfiguration
- End-to-end (E2E) model
- Newness and complexity
- LACK OF IA GUIDANCE, POLICY, TRAINING, TOOLS
Call To Action
- Early security team involvement: risk management, IH/forensics, defenders
- Leverage procurement: obtain IPv6-certified security products
- Education at all levels
- Security tools, processes and infrastructure: upgrade!
- Development: IPv6 secure coding practices
- Testing & validation: use auditors/pen testers that know IPv6
Don't be this guy!
Common Architecture Vulnerability

IPv4:
    C:\Users\dbg1.000>ping 68.247.18.13
    Pinging 68.247.18.13 with 32 bytes of data:
    Ping statistics for 68.247.18.13:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

IPv6:
    C:\Users\dbg1.000>tracert 2002:44f7:120d::44f7:120d
    Tracing route to 2002:44f7:120d::44f7:120d over a maximum of 30 hops
      1     4 ms     2 ms     2 ms  2610:f8:c38::1
      6   622 ms   389 ms   444 ms  2002:44f7:120d::44f7:120d

Nmap scan showed the following ports were open: 80, 113, 135, 137, 5980 (ephemeral), WAP Push, blackjack, SQL

The same host, with its IPv4 address embedded in the IPv6 address:
    IPv4:  68 . 247 . 18 . 13
    IPv6:  44   F7    12   0d  (hex, in the 2002:44f7:120d prefix)

DEFAULT 6to4 tunnel!
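As an added example (not from the deck), a small Python helper that reverses the mapping shown on this slide: it derives the default 6to4 prefix from a public IPv4 address, recovers the IPv4 address embedded in a 6to4 or Teredo address (Teredo decoding goes beyond the slide), and cross-checks IPv6 addresses seen in logs against the hosts an IPv4-only firewall is meant to protect. The sample inputs are constructed: the two addresses from the slide plus the Teredo address used as the worked example in RFC 4380.

```python
import ipaddress

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 prefix
TEREDO_NET = ipaddress.IPv6Network("2001::/32")   # RFC 4380 Teredo prefix


def ipv4_to_6to4_prefix(v4):
    """Return the 6to4 /48 a host with public IPv4 address v4 gets by default:
    2002:<hi16>:<lo16>::/48, i.e. the IPv4 address occupies bits 16-47."""
    n = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (n << 80), 48))


def embedded_ipv4(v6):
    """Return (tunnel_kind, IPv4Address) for a 6to4 or Teredo address, else None.
    6to4:   bits 16-47 carry the host's public IPv4 address unchanged.
    Teredo: bits 96-127 carry the client's public IPv4 XORed with 0xFFFFFFFF."""
    a = ipaddress.IPv6Address(v6)
    n = int(a)
    if a in SIXTO4_NET:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if a in TEREDO_NET:
        return "teredo", ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return None


def tunnel_exposures(filtered_v4, observed_v6):
    """Which observed IPv6 addresses map back to an IPv4 host the IPv4 firewall
    is supposed to shield? Each hit is a host reachable over a tunnel that the
    IPv4-only policy never inspects (the slide's ping-fails / tracert-works case)."""
    filtered = {ipaddress.IPv4Address(x) for x in filtered_v4}
    hits = []
    for v6 in observed_v6:
        found = embedded_ipv4(v6)
        if found and found[1] in filtered:
            hits.append((v6, found[0], str(found[1])))
    return hits


# Constructed sample inputs: the slide's IPv4 host and its 6to4 address, the
# RFC 4380 example Teredo address, and the slide's first traceroute hop.
FILTERED_IPV4 = ["68.247.18.13"]
OBSERVED_IPV6 = [
    "2002:44f7:120d::44f7:120d",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
    "2610:f8:c38::1",
]

if __name__ == "__main__":
    print(ipv4_to_6to4_prefix("68.247.18.13"))      # 2002:44f7:120d::/48
    for hit in tunnel_exposures(FILTERED_IPV4, OBSERVED_IPV6):
        print("reachable via tunnel:", hit)
```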