Test of IPv6 in firewalls (v1.0)
DNSSEC and IPv6 deployment workshop 2008
hakan.lindberg@b3it.se, tomas_gilsa@yahoo.se

Agenda
- Tomas Gilså, freelance journalist: What, how and why?
- Hakan Lindberg, B3IT: Test and results
- Hakan Nohre, Cisco; Ola Holmberg, 3COM; Juniper
- Q & A
What did we test? This was a gentle test. We asked the companies that sell firewalls in Sweden if they wanted to participate in a small test of firewalls with support for IPv6. Out of around 25 vendors we ended up with six machines from five different vendors.
Why did we test it? To see the status of IPv6 readiness among the vendors and to document what works today. The Swedish foundation for Internet Infrastructure (IIS), which runs the top-level domain .se, wanted this as a part of the conference Internetdagarna in Stockholm, October 20-22, 2008.
Who paid for this? The vendors and some ISPs volunteered machines and time. IIS paid for project management, setup and documentation.
Why IPv6? We are running out of IPv4 addresses. The current use of DHCP, NAT and the like is good for privacy but sometimes bad for security. With IPv6 each machine on the net can have a unique address. This makes it easier to block individual computers and to open up services for individual computers.
Why now? Several ISPs sell IPv6 connectivity. Windows Vista, Windows Server 2008, Mac OS X and all Linux distributions have good support for IPv6. Windows XP can basically do it all except DNS queries over IPv6. So IIS wanted to see how the hardware was doing IPv6-wise.
What did we learn?
- In IPv6 the addresses should be handled by machines.
- A great deal of project management to gather suppliers.
- Hard to get the IPv6 hardware.
- Suppliers initially said they were on and then jumped off the tests.
- The devil is in the details. When things are set up correctly, things work as intended.
Who won? We didn't test that way. We even deliberately mixed apples and oranges. One reason was that there just aren't that many IPv6 firewalls available. Another reason was to get more of a survey and show that you can run IPv6 in both big and small machines today.
Tested:
- 3Com MSR 50
- Cisco ASA 5505 (replaces the PIX)
- Cisco 2800 with IOS 12.4
- Halon SX101
- Juniper ISG 2000
- Monowall 1.3b14 (on Soekris hardware)
- (SnapGear SG650)
- (D-link DIR-615, 524)

Positive from the beginning, but then dropped out: Checkpoint / FW-1, Extreme Networks, Fortinet
Initially declined: Clavister, Netgear, Sonicwall, Watchguard and a few others
What is a firewall?
Do we need firewalls with IPv6? Will it differ between large enterprises, small offices and the home market? We have a possibility to build firewalls nice and clean without NAT. But still: it's a firewall there.
+ Centralized security function, VPN concentrator
+ Policy or standard like PCI
+ In Sweden home networks are popular. One address would be a step backwards.
- False sense of security. We can still download evil code!
- NAT/masquerading is security by obscurity. NAT was not standardized (same with masquerading?)
When are we IPv6 ready? About 350 products have the IPv6-ready logo. E.g. D-link DI-524 and DIR-615 have the logo, so we bought them (WLAN equipment with NAT, not explicitly a firewall). No IPv6 support in the tested equipment: D-link is not shipping the IPv6 release in the EU.
SSAC Typically looks like:
SSAC
- One of three firewalls has IPv6 support
- Limited support for advanced IPv6 firewall functions in the SOHO and SMB segment
- Suppliers say that the demand for IPv6 is limited
- "The SSAC survey results do suggest that an organization that adopts IPv6 today may not be able to duplicate IPv4 security feature and policy support"
Our result from the tests: it is definitely good enough to start testing and for (limited) operation.
A Profile for IPv6 in the U.S. Government from NIST. Item 6.12 is interesting and handles Network Protection Devices (firewalls, IDS, IPS). They put application firewalls in a chapter of their own.
Inspiration we got from the report:
- Persistence (power drop-out)
- Management. Several levels?
- Logging
- Good quotes like: "Firewalls MUST perform properly up to their design load; in circumstances which exceed this load or otherwise result in operational degradation or failure, they MUST fail in such a manner as not to allow unauthorized access."
IPv6 test network (diagram): Tele2 Cisco 7600 towards the IPv6 Internet; Ubuntu Linux router (eth0, eth1); segments 2a00:801:f2:1/64, 2a00:801:f2:2/64 and 2a00:801:f2:3/64, IPv6 native (no dual stack); prefixes 2a00:801:f2:1000/56 (A) and 2a00:801:f2:2000/56 (B); firewalls under test S1 and S2; IPv4 used for configuration only; clients C1 (Windows Vista) and C2 (Mac OS).
Test results (preliminary), 1 of 2

Equipment            | C1 can reach IPv6 resources (DNS, HTTP, SMTP) | C1 could ping (ICMP) | Filtering of addresses      | Filtering of networks | Filtering ICMP                         | Up/down [Mbps] | Filtering and logging (reject, local log)
Cisco ASA 5505       | OK                                            | OK                   | OK                          | OK                    | OK                                     | 65/80          | OK
Cisco 2800, IOS 12.4 | OK                                            | OK                   | OK                          | OK                    | OK                                     | 65/80          | OK
Juniper ISG 2000     | OK                                            | OK                   | OK                          | OK                    | OK                                     | 75/90          | OK
Monowall             | OK                                            | OK                   | OK                          | OK                    | OK                                     | 70/85          | OK

Test results (preliminary), 2 of 2

Equipment            | C1 can reach IPv6 resources (DNS, HTTP, SMTP) | C1 could ping (ICMP) | Filtering of addresses      | Filtering of networks | Filtering ICMP                         | Up/down [Mbps] | Filtering and logging (reject, local log)
Halon                | OK                                            | OK                   | Problems with filtering DNS | Same as addresses     | Hard. Must know ICMP type and code     | 60/75          | OK
3COM *               | OK                                            | OK                   | OK                          | OK                    | OK                                     | 75/85          | OK
Snapgear             | Basic 6to4                                    | -                    | -                           | -                     | -                                      | -              | -

*) basically no SPI, only ACL
Test results
- Start testing now. Ready for 1st phase operation.
- Get used to addresses, prefixes, rules.
- Bad performance of IPv6 packets is a myth (or an old truth).
- Logging and administration worked better than expected. E.g. HTTP over IPv6 and SSH over IPv6 did work. We did not send logs to remote hosts.
- ICMP is tricky since it is used differently in IPv6 (e.g. Neighbor Discovery). If we accept only ICMP echo reply we might implicitly reject other ICMP packets. ICMPv4 rules cannot be applied.
- DNS: since DNS packets are bigger with IPv6 (> 512 bytes) you may need to adjust rules.
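An added example, not from the slides, modelling the two points above as an ordered ACL with an implicit deny: a "ping-only" ICMPv6 rule set silently drops Neighbor Discovery and Packet Too Big, while the corrected set (following the RFC 4890 filtering recommendations) keeps them and allows EDNS-sized DNS answers. The packet and rule shapes are simplified assumptions for illustration.

```python
from dataclasses import dataclass

# ICMPv6 types an IPv6 host needs even on a locked-down link:
# Neighbor Discovery (RFC 4861) and the error messages RFC 4890 says to pass.
ND_TYPES = {133, 134, 135, 136, 137}   # RS, RA, NS, NA, Redirect
ERROR_TYPES = {1, 2, 3, 4}             # unreachable, packet too big, time exceeded, param problem
ECHO_TYPES = {128, 129}                # echo request / reply

@dataclass(frozen=True)
class Packet:
    proto: str            # "icmpv6", "udp" or "tcp"
    icmp_type: int = -1   # ICMPv6 type, -1 when not ICMPv6
    dport: int = 0        # UDP/TCP destination port
    length: int = 0       # payload bytes (used for the DNS size check)

def icmp6(types):
    return lambda p: p.proto == "icmpv6" and p.icmp_type in types

def dns_up_to(max_len):
    return lambda p: p.proto == "udp" and p.dport == 53 and p.length <= max_len

# Ordered ACLs as (name, match, action); anything unmatched hits the implicit deny.
NAIVE = [("allow-echo", icmp6(ECHO_TYPES), "allow"),
         ("allow-dns", dns_up_to(512), "allow")]
CORRECTED = [("allow-nd", icmp6(ND_TYPES), "allow"),
             ("allow-icmp-errors", icmp6(ERROR_TYPES), "allow"),
             ("allow-echo", icmp6(ECHO_TYPES), "allow"),
             ("allow-dns-edns", dns_up_to(4096), "allow")]

def first_match(rules, p):
    """Return (rule name, action) of the first matching rule, else the implicit deny."""
    for name, match, action in rules:
        if match(p):
            return name, action
    return "implicit-deny", "deny"

def blocked(rules, packets):
    """Names of the sample packets the ACL denies, in input order."""
    return [n for n, p in packets.items() if first_match(rules, p)[1] == "deny"]

SAMPLE = {  # constructed traffic, not captured from the workshop test network
    "neighbor_solicitation": Packet("icmpv6", icmp_type=135),
    "router_advertisement": Packet("icmpv6", icmp_type=134),
    "packet_too_big": Packet("icmpv6", icmp_type=2),   # needed for PMTUD; IPv6 routers do not fragment
    "echo_reply": Packet("icmpv6", icmp_type=129),
    "dns_aaaa_answer_600b": Packet("udp", dport=53, length=600),
}

if __name__ == "__main__":
    print("naive blocks:", blocked(NAIVE, SAMPLE))         # everything except echo_reply
    print("corrected blocks:", blocked(CORRECTED, SAMPLE))  # []
```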
Further testing that could be done:
- Header extensions
- Fragmentation, intentionally used to fool firewalls
- IPsec. We will test LAN-to-LAN IPsec on the 21st and 22nd.
- Masquerading
- Applications above IPv6
- Tunneling
- Prefix delegation

Further reading
We will present the test in a report by the 22nd of November. Check the IIS website.
- SAC report 021, ICANN Security and Stability Advisory Committee: Survey of IPv6 Support in Commercial Firewalls, October 2007
- NIST, National Institute of Standards and Technology: A Profile for IPv6 in the U.S. Government, draft from February 2007 and later