Securing the Transition Mechanisms

Similar documents
IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

IPv4/IPv6 Transition Mechanisms. Luka Koršič, Matjaž Straus Istenič

Real World IPv6 Migration Solutions. Asoka De Saram Sr. Director of Systems Engineering, A10 Networks

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

ITL BULLETIN FOR JANUARY 2011

CMPT 471 Networking II

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Linux Network Security

Building a Systems Infrastructure to Support e- Business

Vulnerabili3es and A7acks

Firewall Firewall August, 2003

Security implications of the Internet transition to IPv6

Packet Sniffing on Layer 2 Switched Local Area Networks

VMware vcloud Air Networking Guide

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Firewalls und IPv6 worauf Sie achten müssen!

Proxy Server, Network Address Translator, Firewall. Proxy Server

464XLAT in mobile networks

Strategies for Getting Started with IPv6

IPv6 deployment status & Migration Strategy

Basic IPv6 WAN and LAN Configuration

EXPEDITING ACCESS TO V6 SERVICES: GETTING WEB CONTENT AVAILABLE OVER IPV6 QUICKLY AND AT LOW COST

IPv6 for AT&T Broadband

Chapter 8 Security Pt 2

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

IPv6 Hardening Guide for Windows Servers

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

vcloud Air - Virtual Private Cloud OnDemand Networking Guide

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Chapter 4 Customizing Your Network Settings

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

ΕΠΛ 674: Εργαστήριο 5 Firewalls

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

GregSowell.com. Mikrotik Basics

IPv6 Fundamentals: A Straightforward Approach

Chapter 4 Firewall Protection and Content Filtering

TR-296 IPv6 Transition Mechanisms Test Plan

Lab Configuring Access Policies and DMZ Settings

Security Technology: Firewalls and VPNs

Firewalls and Intrusion Detection

WAN Traffic Management with PowerLink Pro100

The Truth about IPv6 Security

IPv6 The Big Picture. Rob Evans, Janet

464XLAT: Breaking Free of IPv4. APRICOT 2014

ICSA Labs Network Protection Devices Test Specification Version 1.3

Security of IPv6 and DNSSEC for penetration testers

Overview. Firewall Security. Perimeter Security Devices. Routers

Protecting and controlling Virtual LANs by Linux router-firewall

Multi-Homing Dual WAN Firewall Router

464XLAT: Breaking Free of IPv4. T-Mobile.com NANOG 61 June 2014

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

I've applied for a goipv6 account and received my password via but I cannot log into my account. What should I do?

Chapter 15. Firewalls, IDS and IPS

Implementing Cisco IOS Network Security

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Guideline on Firewall

Residential IPv6 IPv6 a t at S wisscom Swisscom a, n an overview overview Martin Gysi

Actuality of SMBRelay in Modern Windows Networks

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

SIIT-DC: Stateless IP/ICMP Translation for IPv6 Data Centre Environments & SIIT-DC: Dual Translation Mode

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

IPv6 Tunneling Over IPV4

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

IMPLEMENTATION OF INTELLIGENT FIREWALL TO CHECK INTERNET HACKERS THREAT

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

WHITE PAPER. Best Practices for Deploying IPv6 over Broadband Access

IINS Implementing Cisco Network Security 3.0 (IINS)

Chapter 12 Supporting Network Address Translation (NAT)

Use Domain Name System and IP Version 6

Network Agent Quick Start

Implementing Secure Converged Wide Area Networks (ISCW)

About Firewall Protection

Firewalls, IDS and IPS

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

CS5008: Internet Computing

Personal Firewall Default Rules and Components

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Transcription:

Securing the Transition Mechanisms CRC/ITU/APNIC IPv6 Security Workshop 29 th June 1 st July 2015 Ulaanbaatar Last updated 13 July 2014 1

Where did we leave off? p We ve just covered the current strategies for making the transition to IPv6. p Now we look at some of the security risks associated with these strategies as well as some we haven t covered. 2

Strategies available for Service Providers p p p Do nothing n n Wait and see what competitors do Business not growing, so don t care what happens Extend life of IPv4 n n Force customers to NAT Buy IPv4 address space on the marketplace Deploy IPv6 n n n n n Dual-stack infrastructure IPv6 and NATed IPv4 for customers 6rd (Rapid Deploy) with native or NATed IPv4 for customers DS-Lite or 464XLAT with native IPv6 and NATed IPv4 for customers Or other combinations of IPv6, IPv4 and NAT 3

Strategy One Do Nothing 4

IPv4 only p The common thinking about securing IPv4 only is just to apple Best Current Operational Practice for IPv4 network security. p BUT p Even if you decide to do nothing, that doesn t mean that the world won t change around you. p IPv6 Transition technologies can be deployed without your knowledge or control. 5

The ones we didn t talk about p There were a number of transition technologies which we didn t cover in the previous section. p Primarily because they are deprecated, or industry doesn t consider them a viable long term option. p The problem is they are still around and can have a significant security impact. 6

ISATAP p Like most non-encrypted, nonauthenticated tunneling mechanism ISATAP is vulnerable to traffic injection and unauthorised use. p Some protection using Unicast RPF 7

ISATAP p Some dual stack machines are preconfigured to use isatap.<domainname> to contact an isatap tunnel server. p If you belong to the example.com domain this means the machines will attempt to contact isatap.example.com as an isatap tunnel server. 8

ISATAP p p p p p The attacker poisons the DNS cache of the victim Attacker changes the DNS name isatap.example.com to the attacker s IPv4 address. All communication from the victim to any IPv6-only or dualstack hosts will be directed through the ISATAP tunnel terminated at the attackers host This host could be be located outside the organisation s perimeter firewall if the firewall permits protocol 41 packets. This is a classic man-in-the-middle insertion, and the malicious user can then sniff all the data or drop packets. 9

ISATAP Risk mitigation strategies p Associate the DNS isatap.example.com name with the IPv4 loopback address 127.0.0.1. p Use an IPv4 VLAN ACL to block IP protocol 41. p Deploy a native IPv6 network n Because this allows network managers to monitor and secure the IPv6 traffic with a firewall and an intrusion prevention system (IPS). 10

Teredo p Designed to build dynamic tunnels from within a private network, through a NAT or firewall device. p What could go wrong? p Who ever though that was a good idea? 11

12

Teredo p Named after Teredo navalis p Burrows holes in the hulls of ships 13

Teredo p Some Windows versions have Teredo enabled by default. p Ships partly configured. p Installing some third party applications can inadvertently complete the configuration. p Installing one of these applications on a device can provide a non-firewalled IPv6 tunnel to the Internet. p To you firewall this will look like IPv4 UDP packets. 14

Teredo p Once this tunnel is configured an attacker can use the same mechanism to connect back to the device, bypassing IPv4 firewalls and NIDSs 15

Teredo Improvements over time p Teredo is now disabled on Windows systems unless a personal firewall is enabled p Teredo is restricted to connect to IPv6 only end nodes. n If a remote server has an IPv4 and IPv6 address, Teredo is never used. p Teredo is disabled on machines which are part of an Active Directory domain n Means that a lot of enterprise environments are not vulnerable. 16

Teredo Risk mitigation strategies p Deploy a native IPv6 network n Teredo is only used when there is no native IPv6 network available. p Block all UDP packets at the network perimeter n With the exception of well-known ports such as DNS and NTP (maybe) p Explicitly block Teredo UDP packets n Hard because while port 3544 is the default, this can be set to any UDP port by the user. 17

IPv6 Latent Threats Against IPv4 Networks p If IPv6 is enabled by default on devices then IPv6 defences must be in place even on IPv4 only networks. 18

IPv6 Latent Threats Against IPv4 Networks p Even if a network is IPv4 only a device could: n Roam to an IPv6-enabled wireless hotspot n Receive a forged RA message n Use a routable IPv4 address and enable 6to4 tunneling n Detect a DNS name for isatap.example.org and use ISATAP n Toredo tunnel to connect to an IPv6-only node 19

Latent IPv6 Threat Risk Mitigation Strategies p Be aware of IPv6 Security p Configure existing host security products for IPv6 p Replace legacy host security products without IPv6 p Make a conscious network decision whether to deploy native IPv6 p Disable the IPv6 protocol stack in hosts (or at least on all interfaces) p Attempt to block IPv6 traffic 20

Lesson: p Just because you didn t decide to run a protocol, doesn t mean that your users (or operating system vendor) won t think it s a good idea. p Be prepared. 21

Strategy Two Extend IPv4 22

Strategy Two Extend IPv4 p SP NAT in IPv4 only Network p IPv4 Subnet Trading 23

SP NAT in IPv4 only Network p As we ve seen in the previous section, the majority of the transition technologies use some form of NAT p NAT44 p NAT64 p NAT46 p Etc p They all suffer from much the same issues 24

Security Issues with SP NAT p Tracking association of port/address and subscriber, not to mention Lawful Intercept issues, are still under study p State is dangerous DDoS p IP Fragments you drop them you lose, you keep them you lose. p GeoIP Breaks p Myth that you have security behind NAT n NAT Pinning Browser exploits 25

SP-NAT Logging Tracking the 5-tuple p Source IP Address p Destination IP Address p Source port p Destination port p Protocol p All of these need to be associated with the NAT address in use at the time. 26

The burden/obligation of LSN logging p http://www.ietf.org/proceedings/87/ slides/slides-87-behave-6.pdf 27

28

Another illustration In lab testing by CableLabs, it was found that a typical CGN log message was approximately 150 bytes long. A typical household in the US was found to have an average of 33,000 sessions per day. For an ISP with one million subscribers, this will generate approximately 150 terabytes of log data per month or 1.8 petabytes per year (1,800,000,000,000,000 bytes). The logging would require approximately 23 Mbps of bandwidth between the CGN devices and the logging servers. In our conversations with one provider, the ISP indicated that it was impractical to trace back sessions to subscribers. They indicated that they had no intention of trying. 29

The weight of NAT p Are you going to be able to keep that much information around? p What is the cost of that much storage, and the network to carry it around? p Providers are now viewing IPv6 as a way to save them from having to further invest in SP-NAT. p For every ounce of IPv6 you can deploy, you save yourself having to deploy a ton of SP-NAT 30

State is dangerous p Keeping state takes resources. p Whenever a device in your network needs to keep state about connections. p You can cause that device to fail by giving it too many connections p Thus causing it to keep too much state. 31

State is dangerous DDoS p Presentation - http://www.ausnog.net/sites/ default/files/ausnog-05/presentations/ausnog-05- d02p05-roland-dobbins-arbor.pdf p Video - http://www.r2.co.nz/20140130/rolandd.htm 32

IP Fragments you drop them you lose, you keep them you lose. p If you keep fragments around (state) waiting for the rest to turn up then you will be open to being DDoSed p If you drop fragments, large parts of the Internet will stop working. p Feel like this is a no win situation? p You re right 33

GeoIP Breaks p Where are you today? p Some organisations believe that your IP address has something to do with where you re sitting? p What if ALL one million of your customers appeared to come from one location. 34

Myth that you have security behind NAT p Because you have private addresses (RFC-1918 or otherwise) inside the NAT box you are safe p Attackers are not able to initiate connections back into your network p Right? 35

NAT Pinning Browser exploits 1. Attacker lures victim to a website 2. Victim clicks on the URL and opens the page. 3. The page has a hidden form connecting to http:// attacker.com:6667 (IRC port). 4. The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server. 5. The form also has a hidden value that sends: OPEN DCC CHAT PORT 6. Your router, doing you a favour, sees an "IRC connection" opens a port back through the NAT. 7. The attacker now has a way back into your network. This could also have used the FTP NAT helper instead of IRC 36

SP-NAT Risk Mitigation Strategies p Use less SP-NAT n Ensure that you are doing everything you can to minimise the amount of NAT that you use over time. n Using migration strategies which have a roadmap to native dual-stack helps here n The more IPv6 sessions you have, typically the less IPv4 sessions you need to NAT p Try and ensure that your network is laid out in such a way that your NAT box is not the first box which will come under a 37 DDoS attack.

IPv4 Subnet Trading 38

IPv4 Subnet Trading p It s not cheap p Who had the space before you? p Why are they selling it? 39

What have people been using this space for? Cheap Investment Property!!!!!!! 6 weeks ago the bedroom was being used to manufacture methamphetamine 40

IP address block reputation checking p http://www.borderware.com/lookup.php 41

Why are they selling it? 42

Traffic to 1.0.0.0/24 43

Traffic log for 1.0.0.0/24 44

IPv4 Subnet Trading Risk Mitigation Strategies p Need Less IPv4 n Aggressive movement to native Dual-Stack will ensure that p Before you purchase IPv4 address space, make sure you know the history and current reputation of the address block. n Good IP Address Brokers can help here. 45

Strategy Three IPv4/v6 Coexistence/Transition techniques 46

Dual Stack p Double the network Double the fun. p This is the end goal we want, but it doesn t come without risk. p IPv6 Latent Threats p Attacks against Dual Stack hosts 47

Exploiting Dual-Stack Environment p IPv6 is enabled by default p Administrators might not know what the configuration is. p The IPv6 environment can be far less protected than the IPv4 environment n E.g. IPv4 only NIDS 48

Dual Stack Your IPv4 Security 49

Dual Stack Your IPv6 Security 50

Protecting Dual-Stack Hosts p Host-based IPv6 Firewall n Ensure that your hosts have working IPv6 protection and that it is configured with a similar policy to the one protecting IPv4 p Microsoft Group Policy Objects (GPO) n For domain joined machines IPv6 can be disabled on interfaces it is not being used on. p Block all IPv6 traffic on switches n Blocking Ethernet frames with 0x86dd will stop IPv6 at Layer2 p Deploy native IPv6 51

Tunnels p A lot of the transition technologies use Tunnels of one sort or another. p These are not always deployed with security in mind. 52

Hacking the Tunnels p Tunnel Injection n Attacker can inject traffic into the tunnel n Spoofing the external IPv4 and internal IPv6 address n Can also be used as a reflection attack 53

Tunnels p Keep control and visability p Ensure that you control the tunnel endpoints 54

Securing Static Tunnels p Check the IPv4 source address. n Reject any tunnel packets where the source address does not match. n Attacker now has to discover two endpoint addresses. n Not a very high bar p Use antispoofing techniques n Reject IPv6 packets coming from the wrong tunnel n Unicast RPF n Helps to prevent reflection attacks. p Use IPSec 55

Securing Dynamic Tunnels (6to4) p Ensure Neighbour Discovery is blocked p ICMP redirect is denied p Link-local and site-local addresses are not permitted p 6to4 addresses based on RFC1918 addresses are dropped p Destination IPv6 address is checked. 56

6to4 p RFC 3964, Security Considerations for 6to4 p Unicast RPF to prevent spoofing within a tunnel. p Apply a ACL on the traffic coming out of the tunnel. 57

Today s Preferred Transition Technologies p 6rd p 464xlat p Dual Stack Lite 58

6rd IPv4 IPv6 IPv6 host Customer Router Tunnel Dual-Stack SP Network 6rd BR IPv6 Internet IPv4+IPv6 host IPv4 Internet IPv4 host IPv4-only SP Network SP NAT Subscriber Network Internet p 6rd (Rapid Deploy) used where ISP infrastructure to customer is not IPv6 capable (eg IPv4-only BRAS) n Customer has IPv4 Internet access either natively or via NAT n Customer IPv6 address space based on ISP IPv4 block 59

464XLAT IPv4 IPv6 IPv6 host Customer Router IPv6 Internet IPv4+IPv6 host SIIT encaps SP NAT Sharing IPv4 address(es) IPv4 Internet IPv4 host Subscriber Network IPv6-only SP Network Internet p Service Provider deploys IPv6-only infrastructure: n n IPv6 being available all the way to the consumer IPv4 is transported through IPv6 core to Internet via SIIT on 60 customer router, and NAT64 on SP NAT device

Dual-Stack Lite IPv4 IPv6 IPv6 host Customer Router IPv6 Internet IPv4+IPv6 host Tunnel SP NAT Sharing IPv4 address(es) IPv4 Internet IPv4 host p Subscriber Network IPv6-only SP Network Internet Service Provider deploys IPv6-only infrastructure: n n IPv6 being available all the way to the consumer IPv4 is tunnelled through IPv6 core to Internet via SP NAT device 61

What they have in common? p IPv4 Normal SP-NAT issues p Customer CPE Normal Dual-Stack issues 62

Today s Transition Technologies Risk Mitigation Strategies p Minimise the need for SP-NAT n The more IPv6 sessions you can encourage, the less reliance you will have on SP-NAT and all the security issues associated with that. p Look for a transition plan which uses native IPv6 n 464XLAT and DS-Lite p Pay careful attention to the Dual Stack operation of the CPE. n You need to deploy IPv4 and IPv6 protections on the CPE, not just IPv4 63

Securing the Transition Mechanisms CRC/ITU/APNIC IPv6 Security Workshop 29 th June 1 st July 2015 Ulaanbaatar 64

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information