IPv6 Security. Scott Hogg, CCIE No. 5133 Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA




Contents

Introduction

Chapter 1: Introduction to IPv6 Security
Reintroduction to IPv6; IPv6 Update; IPv6 Vulnerabilities; Hacker Experience; IPv6 Security Mitigation Techniques; Summary; Recommended Readings and Resources

Chapter 2: IPv6 Protocol Security Vulnerabilities
The IPv6 Protocol Header; ICMPv6; ICMPv6 Functions and Message Types; ICMPv6 Attacks and Mitigation Techniques; Multicast Security; Extension Header Threats; Extension Header Overview; Extension Header Vulnerabilities; Hop-by-Hop Options Header and Destination Options Header; IPv6 Extension Header Fuzzing; Router Alert Attack; Routing Headers; RH0 Attack; Preventing RH0 Attacks; Additional Router Header Attack Mitigation Techniques; Fragmentation Header; Overview of Packet Fragmentation Issues; Fragmentation Attacks; Preventing Fragmentation Attacks; Virtual Fragment Reassembly; Unknown Option Headers; Upper-Layer Headers; Reconnaissance on IPv6 Networks; Scanning and Assessing the Target; Registry Checking; Automated Reconnaissance; Speeding Up the Scanning Process; Leveraging Multicast for Reconnaissance; Automated Reconnaissance Tools; Sniffing to Find Nodes; Neighbor Cache; Node Information Queries; Protecting Against Reconnaissance Attacks; Layer 3 and Layer 4 Spoofing; Summary; References

Chapter 3: IPv6 Internet Security
Large-Scale Internet Threats; Packet Flooding; Internet Worms; Worm Propagation; Speeding Worm Propagation in IPv6; Current IPv6 Worms; Preventing IPv6 Worms; Distributed Denial of Service and Botnets; DDoS on IPv6 Networks; Attack Filtering; Attacker Traceback; Black Holes and Dark Nets; Ingress/Egress Filtering; Filtering IPv6 Traffic; Filtering on Allocated Addresses; Bogon Filtering; Bogon Filtering Challenges and Automation; Securing BGP Sessions; Explicitly Configured BGP Peers; Using BGP Session Shared Secrets; Leveraging an IPsec Tunnel; Using Loopback Addresses on BGP Peers; Controlling the Time-to-Live (TTL) on BGP Packets; Filtering on the Peering Interface; Using Link-Local Peering; Link-Local Addresses and the BGP Next-Hop Address; Drawbacks of Using Link-Local Addresses; Preventing Long AS Paths; Limiting the Number of Prefixes Received; Preventing BGP Updates Containing Private AS Numbers; Maximizing BGP Peer Availability; Disabling Route-Flap Dampening; Disabling Fast External Fallover; Enabling Graceful Restart and Route Refresh or Soft Reconfiguration; BGP Connection Resets; Logging BGP Neighbor Activity; Securing IGP; Extreme Measures for Securing Communications Between BGP Peers; IPv6 over MPLS Security; Using Static IPv6 over IPv4 Tunnels Between PE Routers; Using 6PE; Using 6VPE to Create IPv6-Aware VRFs; Customer Premises Equipment; Prefix Delegation Threats; SLAAC; DHCPv6; Multihoming Issues; Summary; References

Chapter 4: IPv6 Perimeter Security
IPv6 Firewalls; Filtering IPv6 Unallocated Addresses; Additional Filtering Considerations; Firewalls and IPv6 Headers; Inspecting Tunneled Traffic; Layer 2 Firewalls; Firewalls Generate ICMP Unreachables; Logging and Performance; Firewalls and NAT; Cisco IOS Router ACLs; Implicit IPv6 ACL Rules; Internet ACL Example; IPv6 Reflexive ACLs; Cisco IOS Firewall; Configuring IOS Firewall; IOS Firewall Example; IOS Firewall Port-to-Application Mapping for IPv6; Cisco PIX/ASA/FWSM Firewalls; Configuring Firewall Interfaces; Management Access; Configuring Routes; Security Policy Configuration; Object Group Policy Configuration; Fragmentation Protection; Checking Traffic Statistics; Neighbor Discovery Protocol Protections; Summary; References

Chapter 5: Local Network Security
Why Layer 2 Is Important; ICMPv6 Layer 2 Vulnerabilities for IPv6; Stateless Address Autoconfiguration Issues; Neighbor Discovery Issues; Duplicate Address Detection Issues; Redirect Issues; ICMPv6 Protocol Protection; Secure Neighbor Discovery; Implementing CGA Addresses in Cisco IOS; Understanding the Challenges with SEND; Network Detection of ICMPv6 Attacks; Detecting Rogue RA Messages; Detecting NDP Attacks; Network Mitigation Against ICMPv6 Attacks; Rafixd; Reducing the Target Scope; IETF Work; Extending IPv4 Switch Security to IPv6; Privacy Extension Addresses for the Better and the Worse; DHCPv6 Threats and Mitigation; Threats Against DHCPv6; Mitigating DHCPv6 Attacks; Mitigating the Starvation Attack; Mitigating the DoS Attack; Mitigating the Scanning; Mitigating the Rogue DHCPv6 Server; Point-to-Point Link; Endpoint Security; Summary; References

Chapter 6: Hardening IPv6 Network Devices
Threats Against Network Devices; Cisco IOS Versions; Disabling Unnecessary Network Services; Interface Hardening; Limiting Router Access; Physical Access Security; Securing Console Access; Securing Passwords; VTY Port Access Controls; AAA for Routers; HTTP Access; IPv6 Device Management; Loopback and Null Interfaces; Management Interfaces; Securing SNMP Communications; Threats Against Interior Routing Protocol; RIPng Security; EIGRPv6 Security; IS-IS Security; OSPF Version 3 Security; First-Hop Redundancy Protocol Security; Neighbor Unreachability Detection; HSRPv6; GLBPv6; Controlling Resources; Infrastructure ACLs; Receive ACLs; Control Plane Policing; QoS Threats; Summary; References

Chapter 7: Server and Host Security
IPv6 Host Security; Host Processing of ICMPv6; Services Listening on Ports; Microsoft Windows; Linux; BSD; Sun Solaris; Checking the Neighbor Cache; Microsoft Windows; Linux; BSD; Sun Solaris; Detecting Unwanted Tunnels; Microsoft Windows; Linux; BSD; Sun Solaris; IPv6 Forwarding; Microsoft Windows; Linux; BSD; Sun Solaris; Address Selection Issues; Microsoft Windows; Linux; BSD; Sun Solaris; Host Firewalls; Microsoft Windows Firewall; Linux Firewalls; BSD Firewalls; OpenBSD Packet Filter; ipfirewall; IPFilter; Sun Solaris; Securing Hosts with Cisco Security Agent 6.0; Summary; References

Chapter 8: IPsec and SSL Virtual Private Networks
IP Security with IPv6; IPsec Extension Headers; IPsec Modes of Operation; Internet Key Exchange (IKE); IKE Version 2; IPsec with Network Address Translation; IPv6 and IPsec; Host-to-Host IPsec; Site-to-Site IPsec Configuration; IPv6 IPsec over IPv4 Example; Configuring IPv6 IPsec over IPv4; Verifying the IPsec State; Adding Some Extra Security; Dynamic Crypto Maps for Multiple Sites; IPv6 IPsec Example; Configuring IPsec over IPv6; Checking the IPsec Status; Dynamic Multipoint VPN; Configuring DMVPN for IPv6; Verifying the DMVPN at the Hub; Verifying the DMVPN at the Spoke; Remote Access with IPsec; SSL VPNs; Summary; References

Chapter 9: Security for IPv6 Mobility
Mobile IPv6 Operation; MIPv6 Messages; Indirect Mode; Home Agent Address Determination; Direct Mode; Threats Linked to MIPv6; Protecting the Mobile Device Software; Rogue Home Agent; Mobile Media Security; Man-in-the-Middle Threats; Connection Interception; Spoofing MN-to-CN Bindings; DoS Attacks; Using IPsec with MIPv6; Filtering for MIPv6; Filters at the CN; Filters at the MN/Foreign Link; Filters at the HA; Other IPv6 Mobility Protocols; Additional IETF Mobile IPv6 Protocols; Network Mobility (NEMO); IEEE 802.16e; Mobile Ad-hoc Networks; Summary; References

Chapter 10: Securing the Transition Mechanisms
Understanding IPv4-to-IPv6 Transition Techniques; Dual-Stack; Tunnels; Configured Tunnels; 6to4 Tunnels; ISATAP Tunnels; Teredo Tunnels; 6VPE; Protocol Translation; Implementing Dual-Stack Security; Exploiting Dual-Stack Environment; Protecting Dual-Stack Hosts; Hacking the Tunnels; Securing Static Tunnels; Securing Dynamic Tunnels; 6to4; ISATAP; Teredo; Securing 6VPE; Attacking NAT-PT; IPv6 Latent Threats Against IPv4 Networks; Summary; References

Chapter 11: Security Monitoring
Managing and Monitoring IPv6 Networks; Router Interface Performance; Device Performance Monitoring; SNMP MIBs for Managing IPv6 Networks; IPv6-Capable SNMP Management Tools; NetFlow Analysis; Router Syslog Messages; Benefits of Accurate Time; Managing IPv6 Tunnels; Using Forensics; Using Intrusion Detection and Prevention Systems; Cisco IPS Version 6.1; Testing the IPS Signatures; Managing Security Information with CS-MARS; Managing the Security Configuration; Summary; References

Chapter 12: IPv6 Security Conclusions
Comparing IPv4 and IPv6 Security; Similarities Between IPv4 and IPv6; Differences Between IPv4 and IPv6; Changing Security Perimeter; Creating an IPv6 Security Policy; Network Perimeter; Extension Headers; LAN Threats; Host and Device Hardening; Transition Mechanisms; IPsec; Security Management; On the Horizon; Consolidated List of Recommendations; Summary; References

Index