Network Security IPv4 + IPv6

Network Security IPv4 + IPv6 by Managing Director SuperInternet

Overview
- Confidentiality? Integrity? Availability!
- IPv6 Issues (compared with IPv4)
- Physical Security of the Network
- Assumptions: generally familiar with Network Security, Telecommunications Infrastructure, Technical Management
- We only have 45 mins

Neglected Areas
- Not the usual topics: IPSec, VPNs, SSL VPNs, PKI, Firewalls, IDS/IPS
- Confidentiality on the Network: many available solutions
- Data Integrity on the Network: several issues are solved by end-to-end crypto (Application) IF implemented. Else the Network HELPS! Somewhat known solutions: DHCP Snooping, ARP inspection, L3 micro-segmentation
- Routing Subversion
- Network Availability: DoS at all levels
- Physical Infrastructure Weaknesses
- New-Old Issues: IPv6 vs IPv4 and back again

IPv6 Dual Stack
- 2 protocols on the same wire
- VLANs still segregate, BUT IPv4 subnets DO NOT
- New-Old Problems: IPv6 Global Unicast Addresses mean a PUBLIC IP on the machine!
- IF configured routable, then the node is fully exposed to the Internet

IPv4 DHCP Issues (Flashback before IPv6)
- IP Address Conflicts?!
- Rogue DHCP Servers: APs on your LAN?!
- Users Setting Static IPs: Desktop Lockdown?
- DHCP Snooping and IP Source Guard:
    (config)# ip source binding mac-address vlan vlan-id ip-address interface interface-name
    (config-if)# ip verify source vlan dhcp-snooping port-security
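A model of what the two IOS commands above enforce, added here as an illustration (not the presenter's code and not switch firmware): DHCP snooping accepts server replies only on trusted ports and records each lease as a (MAC, VLAN, IP, port) binding, and IP Source Guard then drops packets on untrusted ports whose source does not match a binding. The switch class, port names and MACs are hypothetical and the scenario is constructed.

```python
from collections import namedtuple

# A DHCP snooping binding, learned from a DHCP exchange or pinned by an operator with
# "ip source binding <mac> vlan <id> <ip> interface <if>" (hypothetical model, not IOS code).
Binding = namedtuple("Binding", "mac vlan ip port")

class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks / ports facing the real DHCP server
        self.bindings = set()
        self.pending = {}  # (client_mac, vlan) -> port the client's REQUEST arrived on

    def add_static_binding(self, mac, vlan, ip, port):
        self.bindings.add(Binding(mac, vlan, ip, port))

    def dhcp(self, msg_type, port, vlan, client_mac, ip=None):
        """DHCP snooping: server messages are accepted only from trusted ports, and a
        client's lease becomes a binding tied to the port it requested from."""
        if msg_type in ("OFFER", "ACK") and port not in self.trusted:
            return "drop: DHCP server message on untrusted port (rogue server)"
        if msg_type in ("DISCOVER", "REQUEST"):
            self.pending[(client_mac, vlan)] = port
        elif msg_type == "ACK":
            client_port = self.pending.pop((client_mac, vlan), None)
            if client_port is not None:
                self.bindings.add(Binding(client_mac, vlan, ip, client_port))
        return "forward"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP Source Guard ("ip verify source vlan dhcp-snooping port-security"): on an
        untrusted port the source IP and MAC must match a binding for that VLAN and port."""
        if port in self.trusted or Binding(src_mac, vlan, src_ip, port) in self.bindings:
            return "forward"
        return "drop: no DHCP snooping binding for this IP/MAC on this port"

def demo():
    """Constructed scenario: a real lease, a user-set static IP, a conflict, a rogue server."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    mac1, mac2 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.dhcp("REQUEST", "Gi1/0/1", 10, mac1)
    sw.dhcp("ACK", "Gi1/0/24", 10, mac1, ip="192.0.2.50")  # lease from the trusted server
    results = {
        "leased host": sw.ip_packet("Gi1/0/1", 10, mac1, "192.0.2.50"),
        "user static ip": sw.ip_packet("Gi1/0/1", 10, mac1, "192.0.2.99"),
        "ip conflict from other port": sw.ip_packet("Gi1/0/2", 10, mac2, "192.0.2.50"),
        "rogue offer": sw.dhcp("OFFER", "Gi1/0/2", 10, mac1, ip="192.0.2.77"),
    }
    sw.add_static_binding("bb:bb:bb:bb:bb:01", 10, "192.0.2.200", "Gi1/0/3")  # fixed-IP printer
    results["static binding"] = sw.ip_packet("Gi1/0/3", 10, "bb:bb:bb:bb:bb:01", "192.0.2.200")
    return results
```

The "static binding" case is the answer to the slide's "Users Setting Static IPs" question: a device that genuinely needs a fixed address gets an explicit `ip source binding`, everything else is held to the DHCP lease it was given.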

IPv6 Dual Stack (Cont'd)
- Autoconfiguration: as if a DHCP server were running (but Stateless)
- Only the Router needs to be configured
- Public Address on Router? (ref. prev. slide!)
- Do you have a shadow network running?

Control Plane Policing
- Flashback: IPv4 - Router unresponsive due to attack
- Data Plane can handle the load, but the Control Plane cannot: sluggish response
- Policy-Map on Control-Plane

Dual Stack Resource Contention
- Performance: IPv6 in H/W or S/W? Tunnels in H/W or S/W? What about v4?
- Flooding v6 results in a v4 outage as well
- Control Plane resource issues
- QoS? Will IPv6 bypass QoS rules?

Flat Networks
- Network may already be segregated by VLANs, subnets and firewall rules between segments. Good for IPv4, BUT (see next slide)
- Non Dual Stack on the same interface/wire, BUT implemented as 1 large VLAN?!
- IPv6 address space allows for large flat networks
- Risks of large flat networks: same as IPv4: Layer 2 attacks! (Ref earlier notes about shadow networks, even if on a separate VLAN)
- Aside: MPLS L2 VPNs

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
- Summary: look up IPv4 DNS for isatap.domain.name; establish a tunnel to the ISATAP server; get an IPv6 address
- All peers on the same tunnel are peers!
- What if the Enterprise security model is based on VLAN-Subnet segregation?!
- New-Old Problem: tunnels inside and outside the organization. Tunnelled packets bypass all FW/IPS rules.

IPv6 Firewalls / IDS, IPS
- Does your Firewall support IPv6? For ALL features that you need? IDS/IPS? Or will you do without?
- Is IPv6 implemented as a tunnel over IPv4 which goes through the Firewalls?!
- Note from previous slides: an IPv6 address is usually a globally routable IP! ("Public Address")

Routing Protocol Security
- Dynamic Routing Issues: BGP MD5; OSPF Area Authentication; default interface passive; bad routes from real neighbours
- Does your infrastructure support OSPFv3? MP-BGP? Else Static Routes? Redistributed?
- Is the Dynamic Routing Protocol used in your network secured?

Miscellaneous IPv6 Issues
- EUI-64: GUID leakage, vendor leakage, organization size?
- ICMPv6: Firewall defaults changed
- L2: Neighbour Discovery / SEcure ND; Router/Neighbour Solicitation ("ARP")
- SEND only in Win2008 and Win7 (not in Vista); overheads!
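An audit script for the three address-level points raised on these slides (a global unicast address exposes the node, ISATAP and other tunnels carry traffic past the IPv4 firewall rules, and an EUI-64 interface ID leaks the NIC's MAC and vendor OUI), added here as an example rather than anything from the presentation. It extends the ISATAP point to 6to4 and Teredo addresses as well; only the Python standard library is used, and the sample addresses are constructed from documentation prefixes.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # IANA global unicast range
ULA = ipaddress.IPv6Network("fc00::/7")             # unique local addresses (RFC 4193)
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")      # 6to4 tunnel prefix (RFC 3056)
ISATAP_TAG = 0x5efe                                 # ISATAP interface-ID marker (RFC 5214)

def eui64_to_mac(iid):
    """Recover the MAC from a modified EUI-64 interface ID: drop ff:fe, flip the u/l bit."""
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{x:02x}" for x in mac)

def classify(addr_str):
    """Return (tag, detail) findings for one IPv6 address."""
    a = ipaddress.IPv6Address(addr_str)
    iid = int(a) & ((1 << 64) - 1)  # low 64 bits: the interface identifier
    findings = []
    if a.is_link_local:
        findings.append(("scope", "link-local"))
    elif a in ULA:
        findings.append(("scope", "unique-local"))
    elif a in GLOBAL_UNICAST:
        findings.append(("scope", "global: reachable from the Internet if routed"))
    if (iid >> 24) & 0xffff == 0xfffe:  # EUI-64 has ff:fe as its middle two bytes
        findings.append(("eui64", eui64_to_mac(iid)))  # leaks the NIC MAC and vendor OUI
    if (iid >> 32) & 0xfdffffff == ISATAP_TAG:  # 0000:5efe:<v4> or 0200:5efe:<v4>
        findings.append(("isatap", str(ipaddress.IPv4Address(iid & 0xffffffff))))
    if a in SIXTOFOUR:  # 6to4 embeds the site's IPv4 address in bits 16..47
        findings.append(("6to4", str(ipaddress.IPv4Address((int(a) >> 80) & 0xffffffff))))
    if a.teredo is not None:  # Teredo (2001::/32): (server, client) IPv4 pair
        findings.append(("teredo", str(a.teredo[0])))
    return findings

def audit(addrs):
    """Map each address to its findings; isatap/6to4/teredo means traffic tunnelled over IPv4."""
    return {addr: classify(addr) for addr in addrs}

# Constructed sample of what a dual-stack host inventory might list (documentation prefixes).
SAMPLE = [
    "fe80::21b:21ff:fe3c:4d5e",       # link-local, EUI-64 derived
    "2001:db8::21b:21ff:fe3c:4d5e",   # global, same MAC visible from the Internet
    "2001:db8:1::5efe:192.0.2.10",    # ISATAP client behind 192.0.2.10
    "2002:c000:204::1",               # 6to4 via 192.0.2.4
    "fd00:1::1",                      # ULA, not derived from a MAC
]

if __name__ == "__main__":
    for addr, found in audit(SAMPLE).items():
        print(addr, found)
```

Run against the address list from a host inventory or from `show ipv6 neighbors` output, any "eui64" finding shows which hosts still derive their interface ID from the MAC, and any "isatap"/"6to4"/"teredo" finding is a tunnel endpoint that the IPv4 firewall rules never inspect.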

IPv6 IPSec
- IPSec is ALWAYS in the IPv6 Stack. Should you turn it on?
- What are we trading for what? No more MITM, replay, sniffing, etc. Firewall? IDS/IPS? QoS? Vendor play?!?

Section Summary
- Watch out for weaknesses opened by transitional mechanisms, e.g. Dual Stacks, ISATAP, Tunnels.
- Ensure that your existing policy can be mapped to IPv6 and that feature parity is available, e.g. Firewall, IPS/IDS.
- Several issues are not new; they are already in IPv4, and IPv6 does not solve them, e.g. Dynamic Routing Protocol security.
- On to more things not solved by IPv6.

Data Centers
- E.g. Singapore: 1Net, Equinix, GlobalSwitch
- Co-Lo: [Easy] Access
- TATP?!
- Everyone is there: Peering

Cable Landing Stations
- E.g. Singapore: Tuas, Changi, Bedok

MDF Rooms and Risers
- Cables within Buildings
- Who has access to the MDF Room? Access to Risers?
- ALL communications go through the MDF Room

Lead-In Pipes
- Telecommunications links from buildings to Telecom Exchanges
- Plans generally available!

Low Tech Attacks
- Electrical overload to Ethernet switch: capacitive discharge from Ethernet ports (MDF/Riser to Router)
- Is fiber more resilient? Fiber fuse
- Critical Infrastructure in Car Parks... [salt] Water? Carbon particles? SMOKE!
- Ref back -> Data Centers, MDF

Benjamin CLAYTONT.P. JONES Tan