
Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s point of view


DESCRIPTION

This workshop will start with a presentation of the results of a study that was conducted for the European Commission on IPv6 and security. This will be followed by presentations from a technology provider, who will focus on the security issues related to IPv6. The last presentation will be done by an organisation that has implemented IPv6 and will share its experiences, with a focus on security. At the end of the session, there is a Q&A.

http://ipv6-ghent.fi-week.eu/ipv6-security/


Page 1: Future Internet Week - IPv6 the way forward: IPv6 and security from a user’s point of view

14/12/2010

AWT www.awt.be

IPv6 and security from a user’s point of view

ir. Zaccone Carmelo

Expert within the ‘Pôle Veille Technologique et Juridique’

Agence Wallonne des Télécommunications

AWT.be

Page 2

Agenda

1. Quick overview of network security considerations

2. The AWT.be safe/secure IPv6 deployment scenario

3. Conclusions: the errors, mistakes and lessons learned

Page 3

Putting the rumor aside

• It’s very often said that IPv6 is more secure than IPv4.

This is a false rumour!

• IPsec is indeed mandatory, but it only means a more secure data transport:
  • iff endorsed by all hosts
  • iff implemented by all applications
  • iff a key exchange system is adopted worldwide

Page 4

Putting the rumor aside

• Assuming all of this were in place, it would however enable a more secure Internet: operators may track the sources of attacks because of
  • direct host-to-host communications
  • v6 infrastructure support for peer-to-peer applications

Page 5

Both protocols face most of the same threats

• Mostly the same:
  • Layer 3/Layer 4 spoofing/sniffing, network flooding,
  • DHCP vulnerabilities, Man-in-the-Middle attacks,
  • viruses, spam, SPIT, ...

• Nevertheless, IPv6 specificities bring new perspectives on some types of attacks

• The IPv6 protocol security enhancements
  • close doors for some threats
  • open new doors for some other threats

• NDP & auto-configuration offer new attacks (e.g. fake RA, fake DAD reply). NB: SEND is a potential answer

• Dual stacks may introduce backdoors

Page 6

Trivial benefit, scanning IPv6 is harder

• An IPv6 subnet is 4 billion times harder to scan than all of IPv4

• Address allocation scheme
  • Traditional v4 sequential IP allocation -> rich set of neighbouring targets

• Sparse IP allocations make brute-force scanning impractical, which
  • removes hacking tools (e.g. backdoor scanners, trojans)
  • removes worm propagation vectors
  • removes DDoS tools (e.g. Smurf uses broadcast)
  • makes life harder for spammers
  • makes life harder in hacker wars

• Use of trivial IP address allocations can degrade this!
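The last bullet is the one a defender can act on: a /64 is only hard to scan if the interface identifiers are not guessable. The following Python script is an added example (not from the slides or from AWT) that audits a host list for the trivial allocation patterns that collapse the search space: sequential numbers, IPv4 addresses or ports written into the identifier, EUI-64 identifiers derived from the MAC, and hex "words". The /64 and the hosts are constructed samples inside the AWT.be /48 quoted on slide 9.

```python
import ipaddress

# Constructed sample: a /64 inside the AWT.be range quoted on slide 9 and a
# made-up set of hosts numbered in the various "trivial" ways seen in practice.
SUBNET = "2001:6a8:3880:1::/64"
SAMPLE_HOSTS = [
    "2001:6a8:3880:1::1",                   # sequential numbering
    "2001:6a8:3880:1::2",
    "2001:6a8:3880:1::80",                  # service port reused as host number
    "2001:6a8:3880:1::c0a8:a05",            # 192.168.10.5 written into the IID
    "2001:6a8:3880:1:211:22ff:fe33:4455",   # EUI-64: derived from the MAC address
    "2001:6a8:3880:1:dead:beef:cafe:0",     # hex "word" pattern
    "2001:6a8:3880:1:3f2a:91c7:be4:77d1",   # random-looking IID (RFC 4941/7217 style)
]
HEX_WORDS = {"dead", "beef", "cafe", "babe", "face", "feed", "f00d", "c0de"}

def iid_pattern(address):
    """Return why the 64-bit interface identifier is guessable, or None if it looks random."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    if iid < 0x10000:
        return "low counter: sequential numbering"
    if iid < (1 << 32):
        return "embedded IPv4 address"
    if (iid >> 24) & 0xFFFF == 0xFFFE:            # bytes 3-4 of the IID are ff:fe
        return "EUI-64: derived from the MAC address"
    hextets = [f"{(iid >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0)]
    if sum(h in HEX_WORDS for h in hextets) >= 2:
        return "hex word pattern"
    return None

def audit(subnet, hosts):
    """Map every host inside `subnet` to its guessability reason (None = fine)."""
    net = ipaddress.IPv6Network(subnet)
    return {h: iid_pattern(h) for h in hosts if ipaddress.IPv6Address(h) in net}

if __name__ == "__main__":
    for host, reason in audit(SUBNET, SAMPLE_HOSTS).items():
        print(f"{host:40} {reason or 'ok'}")
```

Only the last sample host keeps the full 2^64 search space; every other entry can be found by a scanner trying a few thousand or a few billion candidates.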

Page 7

Agenda

1. Quick overview of network security considerations

2. The AWT.be safe/secure IPv6 deployment scenario

3. Conclusions: the errors, mistakes and lessons learned

Page 8

The AWT infrastructure

• Inside IT services are enterprise-like:
  • Mail/Agenda (MS Exchange),
  • DB (MySQL, Oracle, MSSQL),
  • Storage (CIFS, SAN),
  • etc.

• Outside IT services are the traditional ones:
  • DMZ (HTTP, FTP, Mail, etc.)
  • VPN

• Large information technology infrastructure (PCs & servers):
  • mixed environment across many vendors (Microsoft, Linux, Apple, VMware) & over various generations (e.g. Server 2000/2003, XP, Seven, OS X)

• Network with many different IP segments (VLANs) where all traffic is firewall-controlled

Page 9

IPv6 Genesis @ AWT.be

• Involvement of the network administrator for a long time (since ’99)
  • IPv6 Forum, Alcatel v6Team lead, IETF, EU
  • AWT Task Force « Technology Watch WG »

• Interest of the system administrator!

• Theoretical know-how BUT little practice!
  • workshop (mid 2006) of the NREN BELNET: « v6 user », but not « v6 administration »
  • arrival of the IPv6 customer connectivity service
  • assignment of the AWT.be RIPE range [2001:06a8:3880::/48]

• Administrators’ brainstorming led to a ‘Safe & Secure’ IPv6 introduction approach

Page 10

Practically

• A true ‘brain teaser’: segmenting the IPv6 address range in an efficient and secure manner

• The access network had to be firmware-upgraded and IPv6 features (some were still in beta) turned on

• Policy: do not introduce IPv6 into the main firewall (PIX 535), but rather
  • play with a dedicated firewall (PIX 515) natively using v6 only (except a single IPv4 address in the v4 management network)
  • dedicated v6 LANs hermetic to v4 LANs (no dual stacks at the start)
  • the firewall rules all LANs (RA + ACL)

• Learning v6 ACL syntax and trying not to make typing errors in addresses
• Usual deny ALL policy for incoming traffic
• Usual intelligent interface security levels (e.g. OutsideNW < GuestNW < EmployeeNW)
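Two of the pitfalls above come back as lessons on slide 14: typing errors in IPv6 addresses, and the larger set of ICMPv6 messages a v6 ACL has to let through. The Python check below is an added example, not AWT's tooling; the ACL lines are written in a constructed simplified "action proto src dst [port|icmp-type]" form rather than real PIX syntax. It parses every IPv6 literal in the rule set, reports the malformed ones and those outside the assigned 2001:06a8:3880::/48, and lists which of the RFC 4890 baseline ICMPv6 messages no permit rule covers.

```python
import ipaddress

# Assigned range quoted on slide 9. The ACL below is constructed for the
# example, in a simplified "action proto src dst [port|icmp-type]" form.
ASSIGNED = ipaddress.IPv6Network("2001:6a8:3880::/48")
ACL = [
    "permit tcp any host 2001:6a8:3880:10::25 port 25",
    "permit tcp any host 2001:6a8:3380:10::80 port 80",   # typo: 3380 for 3880
    "permit udp any host 2001:6a8:3880:10:::53 port 53",  # typo: triple colon
    "permit icmp6 any 2001:6a8:3880::/48 packet-too-big",
    "permit icmp6 any 2001:6a8:3880::/48 time-exceeded",
    "deny ip any any",
]
# ICMPv6 messages RFC 4890 says a firewall must not drop: without Packet Too
# Big, path-MTU discovery fails silently; without the ND messages, hosts on the
# firewall's own links cannot find their router or resolve neighbours.
REQUIRED_ICMP6 = {
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "parameter-problem", "router-solicitation", "router-advertisement",
    "neighbor-solicitation", "neighbor-advertisement",
}

def check_addresses(acl, assigned):
    """Flag IPv6 literals that do not parse or that lie outside the assigned range."""
    problems = []
    for line in acl:
        for token in line.split():
            if ":" not in token:
                continue                        # keywords, ports, 'any'
            try:
                net = ipaddress.IPv6Network(token, strict=False)
            except ValueError:
                problems.append((line, token, "malformed address"))
                continue
            if not net.subnet_of(assigned):
                problems.append((line, token, "outside assigned range"))
    return problems

def missing_icmp6(acl, required):
    """Return the required ICMPv6 messages that no 'permit icmp6' rule covers."""
    permitted = {line.split()[-1] for line in acl if line.startswith("permit icmp6")}
    return sorted(required - permitted)

if __name__ == "__main__":
    for line, token, why in check_addresses(ACL, ASSIGNED):
        print(f"{why:24} {token:28} in: {line}")
    print("ICMPv6 not permitted:", ", ".join(missing_icmp6(ACL, REQUIRED_ICMP6)))
```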

Page 11

Practically cont’d

1. Learning & playing native, from the end-host stations’ point of view
   • Setting up the v6-only inside server farm zone (e.g. DNS)
   • Setting up the beta-employee & beta-guest v6-only networks

2. Introduction of AWT services facing the IPv6 Internet
   • Setting up the v6-only DMZ server farm zone
   • Safe approach: no IPv6 in the production services
     o reverse-proxy for http, ftp
     o relay for smtp, network share
     o slave for dns
   • Mainly because
     o MS Windows Server < Server 2008, same for SQL, etc.
     o not enough confidence/experience with v6 in Linux
     o logging analysis tools not yet ready

Page 12

Practically cont’d

3. Leaving (3 months ago) the trial state by inserting dual stacks
   • from the v6-capable end stations’ point of view
   • from the v6-capable host servers’ point of view

A. Setting up the beta-employee & beta-guest dual-stack networks
   • dedicated IPv6 network segments, different from the v6-only LANs
   • combining users’ v4 & v6 subnets on the same VLAN
   • combining guest v4 & v6 subnets on the same VLAN

B. Setting up the dual-stack DMZ server farm zone
   • dedicated IPv6 network segment, different from the v6-only DMZ
   • combining DMZ v4 & v6 subnets on the same VLAN
   • removing the reverse-proxy (http, ftp) and the slave dns
   • enabling (stack + apps) IPv6 support on Linux production servers (MS Windows will come next year with the migration to Server 2008)

Page 13

Agenda

1. Quick overview of network security considerations

2. The AWT.be safe/secure IPv6 deployment scenario

3. Conclusions: the errors, mistakes and lessons learned

Page 14

Errors, mistakes & lessons

• The FW is not capable of all the RA settings a router is (e.g. flags)
• The FW v6 ACL must take care of more ICMP messages than in v4
• Huge attention needed when typing IPv6 addresses
• Not an easy task to analyse IPv6 logs

• We see as many attack attempts as on IPv4

• Remote access: moving to OpenVPN, as the Cisco VPN concentrator is not v6 capable

• Special attention to the reverse-proxy (http, ftp):
  • AWT v4 servers use virtual hosting for many websites
  • the AWT reverse-proxy was not hosting all the websites
  • AWT uses DNS CNAMEs for the websites’ virtual hosts
  -> some public websites (not in the rproxy) became ‘down’ for IPv6 Internet users (we discovered it by analysing our v6 FW logs)
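The CNAME failure mode just described (and the internal-website variant on the next slide) can be caught before users report it. This Python check is an added example, not AWT's code: the zone and the reverse-proxy vhost list are constructed, using the 2001:db8::/32 documentation prefix, and the check runs offline against that data. It follows CNAME chains to find which site names inherit an AAAA record, then flags those the v6 reverse-proxy is not configured to serve.

```python
# Constructed zone data (not AWT's real records). The vhosts all CNAME to the
# old v4 web server; giving that name an AAAA pointing at the v6-only
# reverse-proxy makes every CNAME'd site "IPv6-enabled" in DNS at once.
DNS = {
    "www.example.be":      {"CNAME": "web1.example.be"},
    "intranet.example.be": {"CNAME": "web1.example.be"},
    "projects.example.be": {"CNAME": "web1.example.be"},
    "ftp.example.be":      {"A": "192.0.2.11"},
    "web1.example.be":     {"A": "192.0.2.10", "AAAA": "2001:db8:1::80"},  # AAAA = rproxy
}
SITES = ["www.example.be", "intranet.example.be", "projects.example.be", "ftp.example.be"]
RPROXY_VHOSTS = {"www.example.be"}           # what the v6 reverse-proxy is configured for

def resolve(name, rrtype, dns, max_hops=8):
    """Follow CNAMEs (bounded, so a CNAME loop cannot hang us) and return the record."""
    for _ in range(max_hops + 1):
        rrset = dns.get(name)
        if rrset is None:
            return None
        if rrtype in rrset:
            return rrset[rrtype]
        if "CNAME" not in rrset:
            return None
        name = rrset["CNAME"]
    return None                                   # chain too long or looped

def ipv6_broken_sites(sites, dns, vhosts):
    """Sites that resolve to an AAAA (directly or via CNAME) but that the v6 proxy does not serve.

    An IPv6-capable client prefers the AAAA, reaches the proxy, and gets the
    proxy's default vhost or an error: the site looks 'down' although the v4
    server behind it is fine.
    """
    return [s for s in sites if resolve(s, "AAAA", dns) is not None and s not in vhosts]

if __name__ == "__main__":
    for site in ipv6_broken_sites(SITES, DNS, RPROXY_VHOSTS):
        print(f"{site}: has AAAA via CNAME but is not a vhost on the v6 reverse-proxy")
```

Running it against a live zone means swapping the DNS dict for real lookups and the vhost set for the proxy's configuration; the logic is the same.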

Page 15

Errors, mistakes & lessons

• Special attention to dual-stack employees: some internal websites (not in the rproxy) became ‘down’ for AWT users when dual stack was turned on.

• Personal software firewall/anti-virus (e.g. Symantec, McAfee) not ready for IPv6
  • dual-stack hosts become more vulnerable
  • need to disable the v6 stack when outside the secured AWT office

• Need to raise users’ awareness/consciousness:
  • no NAT for security through obscurity
  • direct public IP reachability, so take care when hosting local services (e.g. file share)

• Same legal requirements for network log retention apply to IPv6 as to IPv4! v6 simplifies the game: no NAT translations to record

Page 16

[email protected]
Expert in Telecommunications and Information Technology

linkedin.com/in/zaccone

Agence Wallonne des Télécommunications
twitter.com/carmelo

Public-interest body (OIP) of the Walloon government (Belgium)

Avenue prince de Liège 133, B-5100 Jambes
www.awt.be

Tel.: +32 81 77.80.76 Mob.: +32 475 58.67.82 VoIP: sip:[email protected] Fax: +32 81 77.80.99