IPv6 防護管理及控管機制 (IPv6 Protection, Management and Control Mechanisms)

Johnson Lai
Technical Consultant, Fortinet
E: [email protected]

© Copyright Fortinet Inc. All rights reserved.

IPv6 Now!

Internet and TCP/IP

1969 – ARPANET begins

1981 – IPv4 defined (RFC 791)

1983 – ARPANET adopts TCP/IP

1990 – First studies of IPv4 address exhaustion

1993 – The commercial Internet begins

2011 – No free IPv4 /8 blocks remain for the Asia-Pacific region (APNIC reaches its final /8)


Security Report Analysis Trends

95% of malware exists for less than a month; four out of five variants disappear in under a week.

70–90% of malware samples are unique, designed and developed for a specific enterprise or organization.

In 60% of security incidents the attacker can launch the attack and cripple the enterprise or organization within minutes.

Nearly 50% of phishing e-mails have their links clicked within the first hour of receipt.

23% of recipients click the phishing link, and a further 11% also open the attachment.

Let's Talk Security

Security issues related to IPv6

IPv4-only security devices cannot inspect IPv6 traffic

Some legacy security devices will never support IPv6 and will need to be replaced

Many security vendors have limited IPv6 support today, leading to potential gaps in protection

Address translation introduces potential vulnerabilities

Where IPv6 is supported, inspection often runs at much lower performance than IPv4

IPv6 Security Concerns

ICMPv6 handling

» ICMPv6 has more relevance than ICMPv4: Neighbor Discovery, Path MTU Discovery and multicast group management (MLD) all run over it

» Give you control over ICMPv6 – despite what the RFCs suggest

Firewalls to protect routers and the network

IPv6-specific features

» Neighbor Discovery

» Router Advertisement

» Multicast handling
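The ICMPv6 concerns above (control over ICMPv6, Neighbor Discovery, Router Advertisements) are exactly what a firewall policy has to spell out, because a blanket "drop ICMP" rule that is harmless on IPv4 breaks IPv6. The Python below is an added example, not code from this presentation or from FortiOS: a stateless ICMPv6 admission function in the spirit of RFC 4890 and RFC 4861, run over a few packets constructed inline. It keeps the messages IPv6 cannot work without (error messages for PMTUD, on-link ND, MLD) and drops what a firewall should never accept from an untrusted side (rogue Router Advertisements, Redirects from non-link-local sources, Router Renumbering, Node Information queries). The Icmp6Packet structure, the from_trusted flag and the sample addresses are assumptions made for the example.

```python
"""Stateless ICMPv6 admission policy (added example, not FortiOS code).

Encodes the RFC 4890 filtering advice plus the RFC 4861 hop-limit rule:
Neighbor Discovery is link-local and must arrive with Hop Limit 255, so a
value below 255 proves the packet crossed a router (or was forged off-link).
"""
import ipaddress
from dataclasses import dataclass

# ICMPv6 type numbers (RFC 4443, RFC 4861, RFC 2710/3810, RFC 2894, RFC 4620)
DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM = 1, 2, 3, 4
ECHO_REQUEST, ECHO_REPLY = 128, 129
MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT = 130, 131, 132, 143
ROUTER_SOL, ROUTER_ADV, NEIGHBOR_SOL, NEIGHBOR_ADV, REDIRECT = 133, 134, 135, 136, 137
ROUTER_RENUMBERING, NODE_INFO_QUERY, NODE_INFO_REPLY = 138, 139, 140

ERROR_TYPES = {DEST_UNREACH, PKT_TOO_BIG, TIME_EXCEEDED, PARAM_PROBLEM}
ND_TYPES = {ROUTER_SOL, ROUTER_ADV, NEIGHBOR_SOL, NEIGHBOR_ADV, REDIRECT}
MLD_TYPES = {MLD_QUERY, MLD_REPORT, MLD_DONE, MLDV2_REPORT}
ALWAYS_DROP = {ROUTER_RENUMBERING, NODE_INFO_QUERY, NODE_INFO_REPLY}


@dataclass
class Icmp6Packet:            # assumed structure: what a packet parser hands to the policy
    src: str
    dst: str
    hop_limit: int
    icmp_type: int
    icmp_code: int = 0
    from_trusted: bool = False  # True when received on the inside (router-side) interface


def decide(pkt: Icmp6Packet) -> tuple:
    """Return ("allow" | "drop", reason) for one ICMPv6 message."""
    src = ipaddress.IPv6Address(pkt.src)
    t = pkt.icmp_type
    if t in ALWAYS_DROP:
        return "drop", f"type {t} has no legitimate use across a firewall"
    if t in ERROR_TYPES:
        # Blocking these breaks Path MTU Discovery: IPv6 routers never fragment.
        return "allow", "ICMPv6 error message required for correct operation"
    if t in (ECHO_REQUEST, ECHO_REPLY):
        return "allow", "echo permitted (rate-limit in production)"
    if t in ND_TYPES:
        if pkt.hop_limit != 255:
            return "drop", "ND message with hop limit != 255 (forwarded or spoofed)"
        if t == ROUTER_ADV and not pkt.from_trusted:
            return "drop", "Router Advertisement from untrusted side (rogue RA)"
        if t in (ROUTER_ADV, REDIRECT) and not src.is_link_local:
            return "drop", "RA/Redirect must come from a link-local source (RFC 4861)"
        return "allow", "on-link Neighbor Discovery message"
    if t in MLD_TYPES:
        if pkt.hop_limit != 1 or not src.is_link_local:
            return "drop", "MLD must be link-local with hop limit 1"
        return "allow", "MLD group management on the local link"
    return "drop", f"unlisted ICMPv6 type {t} (default deny)"


# Constructed sample traffic; addresses are documentation (2001:db8::/32) or link-local values.
SAMPLE_PACKETS = [
    Icmp6Packet("2001:db8::1", "2001:db8:1::10", 64, PKT_TOO_BIG),
    Icmp6Packet("fe80::1", "ff02::1", 255, ROUTER_ADV, from_trusted=True),
    Icmp6Packet("fe80::bad", "ff02::1", 255, ROUTER_ADV, from_trusted=False),
    Icmp6Packet("2001:db8::5", "ff02::1:ff00:10", 200, NEIGHBOR_SOL),
    Icmp6Packet("2001:db8::9", "ff02::1", 255, ROUTER_RENUMBERING),
    Icmp6Packet("fe80::2", "ff02::16", 1, MLDV2_REPORT),
]


def apply_policy(packets=SAMPLE_PACKETS) -> list:
    """Run the policy over a packet list and return the verdicts in order."""
    return [decide(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, why = decide(p)
        print(f"type {p.icmp_type:3d} from {p.src:<12} hl={p.hop_limit:<3} -> {verdict}: {why}")
```

The hop-limit test is the cheap part of the check and the one most often forgotten: it costs one comparison and stops every Neighbor Discovery message that was not generated on the local link. On a real device the same logic is split across an interface-level RA guard (inside interface only) and the firewall's ICMPv6 service objects.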

IPv6 Extension Header Security

(Diagram: the IPv6 base header is a fixed 40 bytes; everything optional is carried in extension headers that follow it.)

IPv6 Extension Header Security

IPv6 Extension Headers and Options

» Give you full control over IPv6 extension headers

» Validation of conformance to the specification

» Length checks

» RFC 6564 (A Uniform Format for IPv6 Extension Headers)

Application Security

» DNS – Domain Name Service

» All other applications…

Old application-layer attacks remain the same
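The "full control", "validation" and "length checks" bullets above amount to walking the extension-header chain and refusing anything malformed before the upper-layer protocol is inspected. The following Python is an added example, not FortiOS code: it parses constructed raw packets (the 40-byte fixed header, then each extension header in the RFC 6564 uniform format) and enforces bounds, ordering (Hop-by-Hop first), duplicate limits, the deprecated Routing Header Type 0 (RFC 5095), and the option TLVs inside Hop-by-Hop and Destination Options. The MAX_EXT_HEADERS limit and the sample packets are assumptions made for the example.

```python
"""IPv6 extension-header chain validation (added example, not FortiOS code).

Walks a raw packet: 40-byte fixed header first, then each extension header
(Next Header, Hdr Ext Len, data), checking bounds, ordering, duplicates,
the deprecated RH0 and the option TLVs in Hop-by-Hop / Destination Options.
"""
import struct

HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS = 0, 43, 44, 51, 60
UDP = 17
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
MAX_EXT_HEADERS = 8   # policy knob (assumption); real traffic rarely carries more than 2-3


class Invalid(ValueError):
    """Raised for any chain a firewall should refuse to inspect further."""


def _ext_len(proto: int, buf: bytes, off: int) -> int:
    """Byte length of the extension header at buf[off] (RFC 8200 / RFC 4302 rules)."""
    if off + 8 > len(buf):
        raise Invalid(f"header {proto} at offset {off} is truncated")
    hdr_ext_len = buf[off + 1]
    if proto == FRAGMENT:
        return 8                       # fixed size; byte 1 is reserved
    if proto == AH:
        return (hdr_ext_len + 2) * 4   # AH counts 32-bit words minus 2
    return (hdr_ext_len + 1) * 8       # generic: 8-octet units not counting the first 8


def _check_options(buf: bytes, start: int, end: int) -> None:
    """TLV walk of an options area: Pad1 is one byte, all others are type, len, data."""
    i = start
    while i < end:
        if buf[i] == 0:                # Pad1
            i += 1
            continue
        if i + 2 > end:
            raise Invalid("option header runs past its extension header")
        opt_type, opt_len = buf[i], buf[i + 1]
        if i + 2 + opt_len > end:
            raise Invalid(f"option {opt_type} length {opt_len} overflows the header")
        i += 2 + opt_len


def parse_chain(pkt: bytes) -> list:
    """Return the header chain ending in the upper-layer protocol, e.g. [0, 44, 17]."""
    if len(pkt) < 40:
        raise Invalid("shorter than the fixed 40-byte IPv6 header")
    if pkt[0] >> 4 != 6:
        raise Invalid(f"version {pkt[0] >> 4} is not 6")
    payload_len, nxt = struct.unpack_from("!HB", pkt, 4)
    if 40 + payload_len != len(pkt):
        raise Invalid(f"payload length {payload_len} but {len(pkt) - 40} bytes follow the header")
    chain, off = [], 40
    while nxt in EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise Invalid("extension header chain too long")
        if nxt == HOPOPT and chain:
            raise Invalid("Hop-by-Hop must immediately follow the fixed header (RFC 8200 4.1)")
        if chain.count(nxt) >= (2 if nxt == DSTOPTS else 1):
            raise Invalid(f"duplicate extension header {nxt}")
        length = _ext_len(nxt, pkt, off)
        if off + length > len(pkt):
            raise Invalid(f"header {nxt} claims {length} bytes, packet ends first")
        if nxt == ROUTING and pkt[off + 2] == 0:
            raise Invalid("Routing Header Type 0 is deprecated (RFC 5095)")
        if nxt in (HOPOPT, DSTOPTS):
            _check_options(pkt, off + 2, off + length)
        chain.append(nxt)
        nxt, off = pkt[off], off + length
    return chain + [nxt]


def validate(pkt: bytes) -> str:
    """Firewall-style verdict string for one packet."""
    try:
        chain = parse_chain(pkt)
    except Invalid as err:
        return f"drop: {err}"
    return "accept: chain " + " -> ".join(map(str, chain))


def _fixed(next_header: int, payload: bytes) -> bytes:
    """Fixed header (version 6, hop limit 64, 2001:db8::1 -> 2001:db8::2) plus payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload


def sample_packets() -> dict:
    """Constructed packets (not captures): one clean chain and three that must be dropped."""
    udp = bytes.fromhex("3039003500080000")                           # 8-byte UDP header stub
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                       # HBH -> Fragment, PadN(4)
    frag = bytes([UDP, 0, 0, 0, 0xDE, 0xAD, 0xBE, 0xEF])               # Fragment -> UDP, offset 0
    rh0 = bytes([UDP, 2, 0, 1]) + b"\x00" * 4 + bytes.fromhex("20010db8000000000000000000000003")
    bad_hbh = bytes([UDP, 0, 1, 9, 0, 0, 0, 0])                        # PadN says 9 bytes, 4 exist
    late_hbh = bytes([HOPOPT, 0, 1, 4, 0, 0, 0, 0]) + bytes([UDP, 0, 1, 4, 0, 0, 0, 0])
    return {
        "clean": _fixed(HOPOPT, hbh + frag + udp),
        "rh0": _fixed(ROUTING, rh0 + udp),
        "bad_option": _fixed(HOPOPT, bad_hbh + udp),
        "late_hbh": _fixed(DSTOPTS, late_hbh + udp),                   # Dst-Opts then Hop-by-Hop
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:<11} {validate(pkt)}")
```

The point of raising on the first defect rather than skipping the header is that an IPS which guesses where the transport header starts can be steered past its signatures; a chain the parser cannot account for byte by byte is dropped instead.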

IPv6 All Features

• Static / dynamic routing (RIPng, OSPFv3 and BGP4+)

• DNS

• Network interface addressing

• Routing access lists and prefix lists

• IPv6 tunnel over IPv4, IPv4 tunnel over IPv6

• Security policies

• Authentication

• IPv6 over SCTP

• Packet and network sniffing

• IPsec VPN

• SSL VPN

• UTM protection

• NAT/Route and Transparent mode

• Logging and reporting

• SNMP

• Virtual IPs and groups

• ping6

• IPv6 NAT: NAT66, NAT64, DNS64

• IPv6 explicit proxy

• IPv6 MIBs

• IPv6 per-IP shaper

• IPv6 policy routing

• IPv6 session pickup in HA mode

• NAT64 acceleration (XLR/XLP)

• IPv6 SSL proxy IPS inspection

• DHCP client / DHCP relay

• NAT64 High Availability (HA)

Transition to IPv6

Ebony and Ivory

Transition and Co-Existence

Tunnelling / Encapsulation

» DS-Lite

» 6in4 (tunnel brokers such as SixXS and Hurricane Electric)

Translation

» NAT64

» NAT46

» NAT444 / NAT446

Dual-Stack (Co-existence)

Tunneling/Encapsulation

(Diagram: IPv4 traffic is encapsulated as IPv6[IPv4] across the IPv6 access and transport network, then de-capsulated and passed through CGN (carrier-grade NAT) to reach the IPv4 side – the DS-Lite model.)

Tunneling/Encapsulation

(Diagram: dual-stack sites at both ends exchange IPv4 traffic encapsulated as IPv6[IPv4] over an IPv6-only network.)

Dual-Stack/Co-existence

(Diagram: IPv4 and IPv6 are both carried natively, end to end, over the same access and transport network; no translation or encapsulation is involved.)

Dual-Stack/Co-existence

(Diagram: dual-stack hosts, network and servers, each speaking IPv4 and IPv6 natively.)

Translation

(Diagram: NAT46 – IPv4 clients on an IPv4 access and transport network reach an IPv6 server through a NAT46 translator. NAT64 – IPv6 clients on an IPv6 access and transport network reach an IPv4 server through a NAT64 translator.)

Translation

(Diagram: IPv4 and IPv6 segments on either side of a translator; each flow is rewritten between the two address families at the boundary.)

Options, Options, Options

NAT64, NAT46, DNS64, NAT446

SixXS (tunnel broker), 4in6, 6in4, NAT46 + 6in6

CGN

Logging

Let's Talk Wired & Wireless

Access Everywhere – Unified Access Layer

Wireless Access

Wired Access

Remote Access

DIGITAL ASSET

• Content Inspection • Attack Mitigation

• User Identification • Access Control

Threat Landscape & Evolving IT Infrastructure

(Diagram: External – WAN, Internet, Cloud, Home Office. Internal – Internal Segmentation Firewalls (ISFW) placed in front of the branch office, private cloud, edge gateway and data center, on an internal network running at 100 Gbps+.)

ISFW Requirement No. 1 – PERFORMANCE

Border Firewall (NGFW), facing the Internet
  Port speeds:   1G, 10G
  No. of ports:  2 to 12
  Throughput:    Mbps to 1 Gbps

Internal Segmentation Firewall (ISFW)
  Interfaces:    10G, 40G & 100G
  No. of ports:  8 to 48 GE/10GE
  Throughput:    10 Gbps to 1 Tbps

High Performance Scalable Enterprise Firewall with Optimum Path Processing (OPP) Engine

(Diagram: one firewall OS scaling from Mbps to Tbps across the deployment types below)

UTM (Distributed Enterprise)

UTM (SMB)

Virtual Firewall

SDN Firewall

Cloud Firewall

Internal Segmentation Firewall (ISFW)

Next Generation Firewall (NGFW)

Data Center Firewall (DCFW)

ISFW Requirement No. 2 – PROTECTION

Software-enabled security modules:

Firewall

VPN

Application Control

IPS

Web Filtering

Anti-malware

WAN Acceleration

Data Leakage Protection

WiFi Controller

Advanced Threat Protection

SaaS Gateway

Management

A Global Threat Security Service that Updates the Platform in Real Time – FortiGuard

Intrusion Prevention Service

Antivirus Service

Anti-spam Service

Web Filtering Service

IP Reputation Service

Web Security Service

Database Security Service

Application Control Service

Vulnerability Management Service

Mobile Security

Global Fortinet Device Footprint

The Core of the Platform: FortiOS

Granular Segmentation

Automated Orchestration

Scalable Central Management

Visibility with Context & One-Click to Action

Platforms: Appliance, Virtual Machine, Cloud

Firewall / NGFW

Time to Resolution

Protection & Intelligence

End to End Platform

ATP / UTM

Policy & Control

Operations

Security Platform

Internal Segmentation Firewall – How is it different?

Deployment mode: ISFW vs. NGFW vs. DCFW vs. UTM

Purpose
  ISFW: Visibility & protection for internal segments
  NGFW: Visibility & protection against external threats and Internet activities
  DCFW: High performance, low latency network protection
  UTM:  Visibility & protection against external threats and user activities

Location
  ISFW: Access layer
  NGFW: Internet gateway
  DCFW: Core layer / data center gateway
  UTM:  Internet gateway

Network operation mode
  ISFW: Transparent mode
  NGFW: NAT/Route mode
  DCFW: NAT/Route mode
  UTM:  NAT/Route mode

Hardware requirements
  ISFW: Higher port density to protect multiple assets
  NGFW: GbE and 10GbE ports
  DCFW: High speed (GbE/10GbE/40GbE/100GbE) & high port density, hardware acceleration
  UTM:  High GbE port density, integrated wireless connectivity and PoE

Security components
  ISFW: Firewall, IPS, ATP, Application Control
  NGFW: (User-based) Firewall, VPN, IPS, Application Control
  DCFW: Firewall, DDoS protection
  UTM:  Comprehensive and extensible, client and device integration

Other characteristics
  ISFW: Rapid deployment – near zero configuration
  NGFW: Integration with Advanced Threat Protection (sandbox)
  DCFW: High availability
  UTM:  Different WAN connectivity options such as 3G/4G

Some Thoughts Though

Translation (NAT)

» Increasing network complexity

» Increasing costs

» Law enforcement / logging requirements

» Service crippling

» "Service points" where NAT happens on central devices

» Fragmentation issues

"Thou shalt not trust your network to translate your applications"

Tunneling

» Fragmentation

» Unbalanced network core traffic / centralised tunnel endpoints (TEP)

» Multicast handling

Let's Talk Solution

IPv6 – Fortinet Solution

Stateful Inspection

Transition Techniques

Performance

Virtualisation

Unified Threat Management

4G/LTE: GTP, Diameter, SIGTRAN

Core Backbone

Management

RFC Catch-Up

Page 33: IPv6 防護管理及控管機 制 · Internal Segmentation Firewall (ISFW) Internal Network (100 Gbps+) Branch Office Private Cloud Edge Gateway Data Center ISFW ISFW ISFW ISFW ISFW

34

FortiGate does it all!

FortiGate does it fast!

FortiGate does it secure!

Page 34: IPv6 防護管理及控管機 制 · Internal Segmentation Firewall (ISFW) Internal Network (100 Gbps+) Branch Office Private Cloud Edge Gateway Data Center ISFW ISFW ISFW ISFW ISFW