Network Security: IPv4 + IPv6
Presented by the Managing Director, SuperInternet
Overview
- Confidentiality? Integrity? Availability!
- IPv6 issues (compared with IPv4)
- Physical security of the network
- Assumptions: generally familiar with network security, telecommunications infrastructure, technical management
- We only have 45 mins
Neglected Areas
- Not the usual topics: IPsec, VPNs, SSL VPNs, PKI, firewalls, IDS/IPS
- Confidentiality on the network: many available solutions
- Data integrity on the network: several issues are solved by end-to-end crypto (at the application layer) IF it is implemented. Otherwise the network has to HELP. Somewhat known solutions: DHCP snooping, ARP inspection, L3 micro-segmentation
- Routing subversion
- Network availability: DoS at all levels
- Physical infrastructure weaknesses
- New-old issues: IPv6 vs IPv4, and back again
IPv6 Dual Stack
- Two protocols on the same wire
- VLANs still segregate, BUT IPv4 subnets DO NOT: an IPv6-enabled host reaches every other host on the same VLAN through link-local (fe80::/10) addresses, whatever IPv4 subnet each one was placed in
- New-old problem: IPv6 global unicast addresses put a PUBLIC IP on the machine!
- IF the prefix is routed, the node is fully exposed to the Internet unless a stateful IPv6 firewall sits in front of it
IPv4 DHCP Issues (flashback, before IPv6)
- IP address conflicts?!
- Rogue DHCP servers: APs on your LAN?!
- Users setting static IPs: desktop lockdown?
- Fix: DHCP snooping and IP Source Guard (Cisco IOS)
  global config:    ip source binding mac-address vlan vlan-id ip-address interface interface-name
  interface config: ip verify source vlan dhcp-snooping port-security
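The two commands on the slide only work once snooping itself is on and the uplink is marked trusted. The following Catalyst IOS configuration is an added example (not from the slides) that puts the pieces together; VLAN 10, the interface names, the rate limit and the static binding are assumed values:

```cisco
! --- Global: enable DHCP snooping on the user VLAN ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Only the uplink toward the real DHCP server is trusted. DHCPOFFER/DHCPACK
! arriving on any other port (rogue server, consumer AP) is dropped.
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP server
 ip dhcp snooping trust
!
! --- Access port: untrusted by default ---
interface GigabitEthernet1/0/10
 description User access port (assumed)
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP client messages per second (starvation floods)
 ip dhcp snooping limit rate 10
 ! One MAC per port; extra MACs are dropped and counted
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ! IP Source Guard: forward only packets whose source IP (and, with the
 ! port-security keyword, MAC) match the snooping binding table. A user who
 ! sets a static IP that is not in the table is silently dropped.
 ! (On Catalyst 4500 the form is: ip verify source vlan dhcp-snooping port-security)
 ip verify source port-security
!
! Static binding for a host that legitimately uses a fixed address; without it
! the host never appears in the snooping table and IPSG blocks it.
ip source binding 0011.2233.4455 vlan 10 10.0.10.50 interface GigabitEthernet1/0/10
!
! Checks (exec mode):
!   show ip dhcp snooping
!   show ip dhcp snooping binding
!   show ip verify source
```

Order matters: enable `ip dhcp snooping` and trust the uplink before turning on `ip verify source`, or every port will drop traffic until a binding appears. The same snooping table also feeds Dynamic ARP Inspection, so the ARP-spoofing problem on the previous slide is solved from the same data.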
IPv6 Dual Stack (cont'd)
- Autoconfiguration (SLAAC): as if a DHCP server were running, but stateless
- Only the router needs to be configured; every host on the link takes an address from the advertised prefix
- Public address on the router? (ref. prev. slide!) Then every host on that link gets one too
- Do you have a shadow network running? Hosts may already be dual-stack, with nothing of yours watching the IPv6 side
Control Plane Policing
- Flashback: IPv4 router unresponsive due to attack
- Data plane can handle the load (forwarding in hardware), but the control plane (CPU) cannot: sluggish response, then routing adjacencies start to time out
- Fix: a policy-map applied to the control-plane (CoPP), rate-limiting what may reach the CPU
Dual Stack Resource Contention
- Performance: is IPv6 forwarded in hardware or software? Tunnels in hardware or software? And what about v4 on the same box?
- Flooding v6 results in a v4 outage as well: both share the CPU and the control plane
- Control plane resource issues: does your CoPP policy classify IPv6 at all, or does it fall into class-default?
- QoS: will IPv6 bypass QoS rules written for IPv4?
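A control-plane policy that addresses both of the last two slides, as an added example (not from the slides): IPv4 and IPv6 are classified side by side so that a v6 flood lands in a policed class instead of starving the CPU that v4 routing also depends on. Rates, ACL names and the management prefixes (10.0.0.0/24, 2001:db8:100::/64) are assumed and must be tuned to the platform:

```cisco
! --- Routing protocols and ND: must keep working under attack ---
ip access-list extended COPP-ROUTING-V4
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any
ipv6 access-list COPP-ROUTING-V6
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit 89 any any
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-solicitation
 permit icmp any any router-advertisement
!
! --- Management: SSH and SNMP only from the management networks (assumed) ---
ip access-list extended COPP-MGMT-V4
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit udp 10.0.0.0 0.0.0.255 any eq snmp
ipv6 access-list COPP-MGMT-V6
 permit tcp 2001:db8:100::/64 any eq 22
 permit udp 2001:db8:100::/64 any eq snmp
!
! --- Remaining ICMP (ping, traceroute, PMTUD) ---
ip access-list extended COPP-ICMP-V4
 permit icmp any any
ipv6 access-list COPP-ICMP-V6
 permit icmp any any
!
! match-any lets one class carry both address families
class-map match-any COPP-ROUTING
 match access-group name COPP-ROUTING-V4
 match access-group name COPP-ROUTING-V6
class-map match-any COPP-MGMT
 match access-group name COPP-MGMT-V4
 match access-group name COPP-MGMT-V6
class-map match-any COPP-ICMP
 match access-group name COPP-ICMP-V4
 match access-group name COPP-ICMP-V6
!
policy-map COPP
 class COPP-ROUTING
  police 512000 16000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 256000 8000 conform-action transmit exceed-action drop
 class COPP-ICMP
  police 64000 4000 conform-action transmit exceed-action drop
 class class-default
  police 32000 4000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input COPP
!
! Check that v6 hits land where you expect:
!   show policy-map control-plane
```

Classes are evaluated in order, so Neighbour Discovery is deliberately placed in the routing class rather than the generic ICMP class: an ICMPv6 flood would otherwise cause ND to be dropped along with it and take the link down. The `exceed-action transmit` on the routing class means it is only accounted, not dropped; watch its counters and tighten once you know the baseline.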
Flat Networks
- The network may already be segregated by VLANs, subnets and firewall rules between segments. Good for IPv4, BUT (see next slide)
- IPv6 not run dual-stack on the same interfaces/wire, BUT implemented as one large VLAN?! The IPv6 address space tempts people into large flat networks
- Risks of large flat networks: same as IPv4, Layer 2 attacks! (Ref. earlier notes about shadow networks, even on a separate VLAN)
- Aside: MPLS L2 VPNs extend the same flat broadcast domain across sites
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
- Summary: the host looks up isatap.domain.name in (IPv4) DNS, establishes an IPv6-in-IPv4 tunnel (IP protocol 41) to the ISATAP router, and gets an IPv6 address whose interface ID embeds its own IPv4 address (::0:5efe:a.b.c.d)
- All hosts on the same ISATAP tunnel are on-link peers, across every IPv4 subnet!
- What if the enterprise security model is based on VLAN/subnet segregation?!
- New-old problem: tunnels inside and outside the organisation
- Tunnelled packets bypass FW/IPS rules unless the device decapsulates protocol 41 and inspects the inner IPv6 packet
IPv6 Firewalls / IDS, IPS
- Does your firewall support IPv6? For ALL the features you need?
- IDS/IPS? Or will you do without?
- Is IPv6 implemented as a tunnel over IPv4 that goes straight through the firewalls?!
- Note from previous slides: an IPv6 address is usually a globally routable (public) address
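The practical check for the ISATAP and firewall slides is whether protocol 41 is allowed anywhere except toward the router you actually operate. An IPv4 ACL for an internal-facing router interface, added here as an illustration (not from the slides); the ISATAP router address 10.0.0.1, the internal range 10.0.0.0/8 and the interface name are assumed:

```cisco
! Allow IPv6-in-IPv4 (protocol 41) only between internal hosts and the
! sanctioned ISATAP router; every other encapsulated IPv6 packet is dropped
! and logged so that ad-hoc tunnels show up in the logs.
ip access-list extended INTERNAL-IN
 remark sanctioned ISATAP router (assumed 10.0.0.1)
 permit 41 10.0.0.0 0.255.255.255 host 10.0.0.1
 permit 41 host 10.0.0.1 10.0.0.0 0.255.255.255
 remark any other tunnel endpoint, internal or external
 deny 41 any any log
 remark normal IPv4 policy continues below (placeholder)
 permit ip any any
!
interface GigabitEthernet0/1
 description Internal-facing interface (assumed)
 ip access-group INTERNAL-IN in
!
! Checks: a non-zero hit count on the deny line is a shadow tunnel
!   show access-lists INTERNAL-IN
!   show logging | include INTERNAL-IN
```

Caveat: ISATAP hosts on the same prefix treat each other as on-link and tunnel host-to-host directly, so this ACL deliberately breaks that path between IPv4 subnets. That is the intended outcome when the security model relies on subnet segregation, but it must be planned rather than discovered. The IPv6 that does reach the ISATAP router still needs its own IPv6 ACL or an IPv6-capable firewall behind the tunnel interface; the IPv4 ACL only limits who may build tunnels.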
Routing Protocol Security
- Dynamic routing issues: BGP TCP MD5 (RFC 2385), OSPF area authentication, passive-interface default
- Bad routes from real (authenticated) neighbours: authentication does not help here; inbound prefix filters and maximum-prefix limits do
- Does your infrastructure support OSPFv3? MP-BGP? Else static routes? Redistributed?
- Is the dynamic routing protocol used in your network secured?
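How the three controls on this slide look on a Cisco IOS router for both address families, as an added example (not from the slides). AS numbers, neighbour addresses, prefixes, interface names and all keys (shown as placeholders in angle brackets) are assumed:

```cisco
! --- OSPFv2 (IPv4): MD5 on the area, speak OSPF only where a neighbour exists ---
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 description Link to core neighbour (assumed)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <ospfv2-key>
!
! --- OSPFv3 (IPv6): no in-protocol auth; it uses IPsec AH on the link ---
ipv6 router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
!
interface GigabitEthernet0/0
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 256 md5 <32-hex-digit-key>
!
! --- BGP: TCP MD5 for both families, plus protection against a genuine
!     neighbour announcing bad routes (prefix filter + maximum-prefix) ---
ip prefix-list FROM-PEER-V4 seq 5 permit 198.51.100.0/24
ipv6 prefix-list FROM-PEER-V6 seq 5 permit 2001:db8:5000::/48
!
router bgp 65000
 neighbor 203.0.113.2 remote-as 65001
 neighbor 203.0.113.2 password <bgp-secret-v4>
 neighbor 203.0.113.2 ttl-security hops 1
 neighbor 2001:db8:ffff::2 remote-as 65001
 neighbor 2001:db8:ffff::2 password <bgp-secret-v6>
 neighbor 2001:db8:ffff::2 ttl-security hops 1
 address-family ipv4
  neighbor 203.0.113.2 activate
  neighbor 203.0.113.2 prefix-list FROM-PEER-V4 in
  neighbor 203.0.113.2 maximum-prefix 100
 address-family ipv6
  neighbor 2001:db8:ffff::2 activate
  neighbor 2001:db8:ffff::2 prefix-list FROM-PEER-V6 in
  neighbor 2001:db8:ffff::2 maximum-prefix 100
!
! Checks:
!   show ip ospf interface GigabitEthernet0/0   (authentication line)
!   show ipv6 ospf interface GigabitEthernet0/0
!   show bgp ipv6 unicast summary
```

Note the asymmetry the slide hints at: OSPFv2 authentication is a per-area or per-interface setting, while OSPFv3 depends on the IPsec implementation in the router, which is exactly the feature-parity question from the firewall slide applied to routing. MD5 on BGP and OSPF is a shared secret, so it stops unsolicited peers and injected packets, not a compromised or misconfigured neighbour; that is what the prefix-list and maximum-prefix lines are for.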
Miscellaneous IPv6 Issues
- EUI-64 interface IDs: MAC address leakage. The embedded OUI reveals the vendor; counting addresses reveals the organisation's size. Mitigation: privacy extensions (RFC 4941)
- ICMPv6: firewall defaults change. ICMPv6 cannot simply be blocked the way ICMP often is, because Neighbour Discovery and path MTU discovery depend on it
- L2: Neighbour Discovery / SEcure ND (SEND). Router/Neighbour Solicitation play the role of ARP, with the same spoofing problems
- Host support for SEND is scarce: check your OS before planning on it. Overheads!
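Where SEND is not available on the hosts, the switch can still refuse Router Advertisements from host ports, which also closes the shadow-network case from the dual-stack slides. The following is an added example (not from the slides) for Cisco IOS; policy names, interface names and the segment chosen to stay IPv4-only are assumed:

```cisco
! --- Switch: RA Guard. Hosts may never send RAs; only the uplink may. ---
ipv6 nd raguard policy HOSTS
 device-role host
ipv6 nd raguard policy UPLINK
 device-role router
!
interface GigabitEthernet1/0/10
 description User access port (assumed)
 ipv6 nd raguard attach-policy HOSTS
!
interface GigabitEthernet1/0/48
 description Uplink (assumed)
 ipv6 nd raguard attach-policy UPLINK
!
! Older platforms only offer the plain interface form on host ports:
!   ipv6 nd raguard
!
! --- Router: on a segment where IPv6 is NOT planned, do not advertise.
!     With ipv6 enable the interface still sends RAs (with no prefix) and
!     hosts would install it as a default router; suppress them entirely. ---
interface GigabitEthernet0/1
 description IPv4-only segment (assumed)
 ipv6 enable
 ipv6 nd ra suppress all
!
! Checks:
!   show ipv6 nd raguard policy
!   show ipv6 neighbors
```

Caveat for the "L2 attacks" bullet: RA Guard inspects the ICMPv6 header, and early implementations could be bypassed by hiding the RA behind extension headers or in a fragment (RFC 7113 documents the evasions and the required handling). Verify on your platform that fragmented RAs and RAs with extension headers are dropped, not passed.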
IPv6 IPsec
- IPsec is always in the IPv6 stack: mandatory to implement in the original node requirements (RFC 4294), relaxed to a SHOULD by RFC 6434
- Should you turn it on? What are we trading for what?
- No more MITM, replay, sniffing, etc. on the traffic it covers, once keys and policy are managed for every pair of nodes
- But firewall? IDS/IPS? QoS? All blind to ESP-encrypted traffic
- Vendor play?!?
Section Summary
- Watch out for weaknesses opened by transitional mechanisms, e.g. dual stacks, ISATAP, tunnels
- Ensure that your existing policy can be mapped to IPv6 and that feature parity is available, e.g. firewall, IPS/IDS
- Several issues are not new; they already exist in IPv4, and IPv6 does not solve them, e.g. dynamic routing protocol security, and so on
Data Centers
- E.g. Singapore: 1Net, Equinix, GlobalSwitch
- Co-lo: [easy] access. TATP?!
- Everyone is there: peering
Cable Landing Stations
- E.g. Singapore: Tuas, Changi, Bedok
MDF Rooms and Risers
- Cables within buildings
- Who has access to the MDF room? Access to risers?
- ALL communications go through the MDF room
Lead-In Pipes
- Telecommunications links from buildings to telecom exchanges
- Plans generally available!
Low Tech Attacks
- Electrical overload to Ethernet switch: capacitive discharge into Ethernet ports (MDF/riser to router)
- Is fiber more resilient? Fiber fuse
- Critical infrastructure in car parks... [salt] water? Carbon particles? SMOKE!
- Ref. back -> data centers, MDF
Benjamin Tan, Clayton T.P. Jones