9/26/2011 1 © 2011 Global Technology Resources, Inc. All Rights Reserved.
IPv6 Security
Interface 2011 – Denver, Colorado
October 20, 2011
Scott Hogg
GTRI - Director of Technology Solutions
CCIE #5133, CISSP #4610
IPv6 Adoption
• IPv6 is the next generation computer network protocol for use on the Internet and within private networks.
• IPv6 is a standard defined by the Internet Engineering Task Force (IETF) and was first specified in the mid-90s.
• IPv6 is designed to replace IPv4; it is a different protocol from IPv4, but the two can coexist.
• IPv6 has taken many years to mature and get ready for mass deployment and now IPv6 is deployed on the global Internet.
• IPv4 address exhaustion has occurred and has limited expansion of the Internet.
IPv6 Address Allocations
Number of IPv6 Prefixes and ASNs
IPv6 – Coming to a Network Near You
• An IPv6-enabled Internet already exists.
• An IPv6 transition is already underway in the U.S. Federal Government and other parts of the world.
• IPv6 infrastructure and Host OSs are ready now!
• Much of the infrastructure you have already purchased is IPv6 capable (software upgrade); it’s just a matter of enabling it.
• Service providers have initial IPv6 services and are continuing to work on their deployments.
• Organizations that connect to the Internet now need to learn about IPv6 and prepare their systems to communicate using this protocol.
• You will be transitioning to IPv6 over the coming years and you want to consider the security implications of IPv6 before you deploy it throughout your network.
IPv6 Security – Latent Threat
• Even if you haven’t started using IPv6 yet, you probably have some IPv6 running on your networks already and didn’t know it
• Do you use Linux, Mac OS X, BSD, or Microsoft Vista/Windows 7 systems in your environment?
– They all come with IPv6 capability, some even have IPv6 enabled by default (IPv6 preferred)
– They may try to use IPv6 first and then fall back to IPv4
– Or they may create IPv6-in-IPv4 tunnels to Internet resources to reach IPv6 content
– Some of these techniques take place regardless of user input or configuration
• If you are not protecting your IPv6 nodes then you have just allowed a huge back-door to exist
IPv6 Security Threats
• There isn’t a large hacker community focusing on IPv6 today but it is starting to gain the attacker’s attention
• THC IPv6 Attack Toolkit, IPv6 port scan tools, IPv6 packet forgery tools and IPv6 DoS tools all exist and continue to evolve
• Many major vendors and open-source software projects have already published IPv6 bugs/vulnerabilities
• Attacks at the layers below and above the network layer are unaffected by the security of IPv6
– Buffer overflows, SQL Injection, cross-site scripting will all remain valid attacks on IPv6 servers
– E-mail/SPAM is still a problem in IPv6 nets
Reconnaissance
• Ping sweeps, port scans, application vulnerability scans are problematic with IPv6’s large address space - brute-force scanning a /64 is not practical
• There are methods of speeding up reconnaissance
– ping6 -I eth0 ff02::1
– [root@hat ~]# ./alive6 eth0 ff02::1
– Node Information Queries (RFC 4620) in BSD
– Scanning for specific EUI-64 addresses using specific OUIs
– Scanning IPv4 and getting IPv6 info
• Metasploit Framework “ipv6_neighbor” auxiliary module can leverage IPv4 to find IPv6 hosts
– Scanning 6to4, ISATAP, Teredo addresses
– Attackers may find one node and leverage the neighbor cache to find other nodes
– DHCPv6 logs, DNS servers, server logs, NMSs, Google
IPv6 Privacy Addressing
• Privacy of addresses is an issue with IPv6
– EUI-64 addresses are derived from the host’s MAC
– That could be used to track a user’s activity and thus identity
• Temporary and Privacy IPv6 addresses are intended to protect the identity of the end-user
– MD5 hash of the EUI-64 concatenated with a random number that can change over time
– Different implementations rotate the address at different frequencies – can be disabled
• Forensics and troubleshooting are difficult with privacy addresses – Who had what address when?
• Dynamic DNS and firewall state updates
• Difficulty creating granular firewall policy when IP addresses change often
• Better to use DHCPv6 with randomized IIDs
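To make concrete what an EUI-64 interface identifier gives away, here is an added example (not from the slides) that derives the SLAAC address a host forms from its MAC and, in the other direction, recovers the MAC from any observed address carrying the ff:fe marker; addresses without it are privacy or randomized IIDs. The prefix 2001:db8:1::/64 and the MAC 00:1b:21:3c:4d:5e are constructed sample values.

```python
import ipaddress

def eui64_iid_from_mac(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC:
    insert 0xfffe between the OUI and the NIC part, then flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit is inverted in modified EUI-64
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Stateless auto-configured address a host would build for a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid_from_mac(mac)))

def mac_from_address(addr: str):
    """MAC embedded in an EUI-64 address, or None when the IID has no ff:fe
    marker (privacy/temporary address or a DHCPv6-assigned random IID)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])

def classify(addrs):
    """Label each observed address as trackable (EUI-64) or not, for an audit."""
    result = {}
    for a in addrs:
        mac = mac_from_address(a)
        result[a] = f"eui-64, MAC {mac}" if mac else "non-EUI-64 IID (privacy or random)"
    return result

# Constructed sample: one SLAAC host plus one privacy address on the same /64
SAMPLE = [
    slaac_address("2001:db8:1::/64", "00:1b:21:3c:4d:5e"),
    "2001:db8:1::3f2a:9c1e:77b0:0d41",
]
```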
IPv6 Attack Tools
• THC IPv6 Attack Toolkit
– parasite6, alive6, fake_router6, redir6, toobig6, detect-new-ip6, dos-new-ip6, fake_mld6, fake_mipv6, fake_advertiser6, smurf6, rsmurf6
• Scanners
– Nmap, halfscan6, Scan6, CHScanner
• Packet forgery
– Scapy6, SendIP, Packit, Spak6
• DoS Tools
– 6tunneldos, 4to6ddos, Imps6-tools
LAN Threats
• IPv6 uses ICMPv6 for many LAN operations
– Stateless auto-configuration
– Neighbor Discovery Protocol (NDP)
– IPv6 equivalent of IPv4 ARP – same attack types
• Spoofed RAs can renumber hosts or launch a MITM attack
• Forged NA/NS messages to confuse NDP
• Redirects – same as ICMPv4 redirects
• Forcing nodes to believe all addresses are on-link
• These attacks presume the attacker is on-net or has compromised a local computer
Methods of Preventing Rogue RAs
• Prevent unauthorized LAN access
• Disable unused switch ports
• Network Access Control (NAC), Network Admission Control (NAC)
• IEEE 802.1AE (MACsec), Cisco TrustSec
• IEEE 802.1X
• RA Guard (RFC 6105)
• NDPMon
• Ramond
• Kame rafixd
• Port Security
• Cisco Port-based ACL (PACL)
[Figure: RA Guard port roles – Allow Incoming RA Message, Block Incoming RA Message, Allow Sending RAs]
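A minimal version of the check that monitors such as NDPMon or Ramond perform, added here as an illustration (not those tools' code): every observed Router Advertisement is compared against an allowlist of authorized routers and the prefixes each may announce. The allowlist, the 00:00:5e:00:53:xx MACs and the observed RAs are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist (not from the slides): router link-layer address ->
# (its link-local address, the set of prefixes it is allowed to advertise)
AUTHORIZED_ROUTERS = {
    "00:00:5e:00:53:01": ("fe80::200:5eff:fe00:5301", {"2001:db8:10::/64"}),
}

@dataclass
class RouterAdvertisement:
    """One observed ICMPv6 type 134 message, as a monitor would summarise it."""
    src_mac: str
    src_ip: str
    prefixes: tuple

def check_ra(ra: RouterAdvertisement) -> list:
    """Return the reasons an RA looks rogue; an empty list means it matches policy."""
    findings = []
    src = ipaddress.IPv6Address(ra.src_ip)
    if not src.is_link_local:
        findings.append("RA source is not link-local (fe80::/10)")  # RFC 4861 requires link-local
    if ra.src_mac not in AUTHORIZED_ROUTERS:
        findings.append(f"unknown router MAC {ra.src_mac}")
        return findings
    expected_ll, allowed_prefixes = AUTHORIZED_ROUTERS[ra.src_mac]
    if src != ipaddress.IPv6Address(expected_ll):
        findings.append("known MAC advertising from an unexpected link-local address")
    for prefix in ra.prefixes:
        if prefix not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix}: hosts would be renumbered")
    return findings

# Constructed observations: one legitimate RA, one from an unknown device,
# one that reuses the real router's addresses but announces a foreign prefix
OBSERVED = [
    RouterAdvertisement("00:00:5e:00:53:01", "fe80::200:5eff:fe00:5301", ("2001:db8:10::/64",)),
    RouterAdvertisement("00:00:5e:00:53:aa", "fe80::1", ("2001:db8:10::/64",)),
    RouterAdvertisement("00:00:5e:00:53:01", "fe80::200:5eff:fe00:5301", ("2001:db8:bad::/64",)),
]

def audit(observed=OBSERVED) -> dict:
    """Index -> findings for every RA that violates policy (clean RAs are omitted)."""
    return {i: f for i, ra in enumerate(observed) if (f := check_ra(ra))}
```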
Extension Headers
• There are rules for the frequency and order of various extension headers
– Hop-by-Hop and Destination Options
• Header Manipulation – Crafted Packets
– Large chains of extension headers
– Separate payload into second fragment
– Consume resources - DoS
– Invalid Extension Headers – DoS
• Routing Header Type 0 – source routing
– Routers can be configured to block RH0
– This is now the default on newer routers
– Firewalls, Windows, Linux and MacOS all block RH0 by default
Fragmentation
• In IPv6 routers do not fragment
– Fragments destined for a network device should be dropped
• IPv6 links must have MTU >= 1280 bytes
– Fragments with less than 1280 bytes should be dropped with the exception of the last fragment
• It is left to the end-systems to perform Path MTU Discovery (PMTUD)
– ICMPv6 – Type 2 - Packet Too Big
• Fragmentation can hide attacks or be an attack in itself on the upper layers
– Overlapping fragments, out of order fragments, tiny fragments
• Handling of Overlapping IPv6 Fragments - RFC 5722
Layer-3/4 Spoofing
• Spoofing of IPv6 packets is possible
• IPv6 BOGON (Martians) Filtering is required
– Filter traffic from unallocated space and filter router advertisements of bogus prefixes
– Permit Legitimate Global Unicast Addresses
– Don’t block FF00::/8 and FE80::/10 – these will block NDP
• Hierarchical addressing and ingress/egress filtering can catch packets with forged source addresses
• Tracebacks may prove to be easier with IPv6
• You can use inbound Infrastructure ACLs (iACLs) that deny packets sent to infrastructure IPv6 addresses
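The filtering rules from the Extension Headers, Fragmentation and Layer-3/4 Spoofing slides, combined into one inbound policy function as an added example (not GTRI's code or any vendor's ACL syntax). The infrastructure block 2001:db8:ffff::/48 and the packet summaries are constructed; a real filter would parse the wire headers rather than take a Packet dataclass.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed value: the block holding router loopbacks/links that the iACL protects
INFRASTRUCTURE = ipaddress.IPv6Network("2001:db8:ffff::/48")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # all IANA global unicast allocations fall here
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # must not be blocked: NDP uses it
MULTICAST = ipaddress.IPv6Network("ff00::/8")        # valid as a destination, never as a source
MIN_LINK_MTU = 1280

@dataclass
class Packet:
    """Header summary a perimeter filter needs (constructed; a real filter parses the wire format)."""
    src: str
    dst: str
    length: int = 1500
    is_fragment: bool = False
    more_fragments: bool = False
    routing_header_type: Optional[int] = None

def inbound_verdict(pkt: Packet) -> str:
    """Decide an Internet-facing inbound packet using the slide-deck rules, in order."""
    src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    if pkt.routing_header_type == 0:
        return "drop: Routing Header Type 0 (source routing)"
    if pkt.is_fragment and pkt.more_fragments and pkt.length < MIN_LINK_MTU:
        return "drop: non-final fragment smaller than the 1280-byte minimum MTU"
    if src in MULTICAST:
        return "drop: multicast source address is never legitimate"
    if src in LINK_LOCAL:
        return "permit: link-local source (NDP with the adjacent router)"
    if src not in GLOBAL_UNICAST:
        return "drop: bogon source outside 2000::/3"
    if dst in INFRASTRUCTURE:
        if pkt.is_fragment:
            return "drop: fragment destined for a network device"
        return "drop: iACL denies packets sent to infrastructure addresses"
    return "permit"

# Constructed traffic sample exercising each rule once
SAMPLE_PACKETS = [
    Packet("2001:db8:abcd::1", "2001:db8:1::80"),
    Packet("2001:db8:abcd::1", "2001:db8:1::80", routing_header_type=0),
    Packet("fc00::1", "2001:db8:1::80"),
    Packet("fe80::1", "ff02::1"),
    Packet("2001:db8:abcd::1", "2001:db8:ffff::1", is_fragment=True),
]

def audit(packets=SAMPLE_PACKETS) -> list:
    return [inbound_verdict(p) for p in packets]
```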
Transition Mechanism Threats
• Dual Stack is the preferred transition method
• You are only as strong as the weakest of the two stacks
• Running dual stack will give you at least twice the number of vulnerabilities and require twice the work to secure
Threats Against Translation
• Manual Tunnels
– Preferred over dynamic tunnels
– Filter tunnel source/destination and use IPsec
– If spoofing, return traffic is not sent to attacker
• Dynamic Tunnels
– 6to4 Relay routers are “open relays”
– Attackers can guess 6to4 addresses easily
– ISATAP can have potential MITM attacks
– Attackers can spoof source/dest IPv4/v6 addresses
• Translation techniques are susceptible to DoS attacks
– NAT prevents IPsec, DNSSEC, Geolocation and other applications from working
– Consuming connection state (CPU resource consumption attack on ALG)
– Consuming public IPv4 pool and port numbers (pool depletion attack)
Application Threats
• Applications for IPv4 and IPv6 are the same
• Buffer overflows, SQL Injection, cross-site scripting will all remain valid attacks on IPv6 servers
• Use of IPsec can prevent many of these attacks that exploit trust between servers
• Completely hierarchical addressing will make trace-back easier but privacy addressing and forged MAC addresses won’t
• E-mail/SPAM is still a problem in IPv6 nets
• DNS servers will still be attacked
IPv6 Firewalls
• Don’t just use your IPv4 policy for your IPv6 policy
• Don’t blindly allow IPsec or IPv4 Protocol 41 (6in4 tunneled traffic) through the firewall unless you know the tunnel endpoints
• Firewalls have improved their IPv6 capabilities: IPv6 addresses in the GUI, some logging, the ability to filter on Extension Headers, Fragmentation, PMTUD, and granular filtering of ICMPv6 and multicast
• IPv6 firewalls may not have all the same full features as IPv4 firewalls
– UTM/DPI/IPS/WAF/content filtering features may only work for IPv4
IPv6 Intrusion Prevention
• Few signatures exist for IPv6 packets or you have to build your own using cryptic regular expressions or byte-offset values
• IPSs should send out notifications when non-conforming IPv6 packets are observed: faulty parameters, bad extension headers, or a multicast source address
• Many IPSs don’t inspect packets that are encapsulated (6in4, 6to4, 6in6, ISATAP, Teredo, 6rd, DS-Lite)
• IPv6 support varies greatly in modern IPS systems
• Talk with your vendor about what you need
Host-Based Firewalls and AV
• There are many IPv6-capable host-based firewalls available depending on the OS you prefer
– Linux: ip6tables (NetFilter), ipf
– Windows Firewall with Advanced Security
– BSD: pf, ipfw, ipf
– Mac: ipfw, ipf
– Solaris, HP-UX : ipf
• Few Host-based IPS systems support IPv6
• Desktop AntiVirus software has gotten better at allowing ICMPv6 (RA/RS/NA/NS) packets through
• However, there are still a handful of popular AV suites that don’t support IPv6
Capturing and Monitoring IPv6
Packet Monitoring Matrix Switches
• SPAN ports add CPU overhead to switches and may not capture all the traffic you want
• Taps are by far a better method than hubs
• Packet Monitoring Matrix Switches can monitor ports and send traffic to tool ports
• They have a flexible admin interface and advanced filtering capabilities to help you reduce the monitored traffic and look more precisely at what you are interested in
• Flexible matching of packets based on rules
• Traffic can be collected from multiple sources and sent to a single tool port
• Traffic can be “forked” and sent to multiple tool ports
Anue Net Tool Optimizer
IPv6 addresses can be specified in the filter criteria
IP Security (IPsec)
• IPsec was first designed for IPv6 and then was added to IPv4 where it became widely deployed
• IPsec is defined by the IETF as several complementary protocols
– Encapsulating Security Payload (ESP)
– Authentication Header (AH)
– Internet Key Exchange (IKE)
• IPsec can provide the following protections
– Data origin authentication
– Connectionless integrity
– Replay protection
– Confidentiality (encryption)
– Traffic flow confidentiality
– Access control
IPv6 Security Policies
• Many security standards don’t discuss IPv6. However, any guideline related to IP may apply to both versions – many policies are higher level
• NIST SP 800-119: Guidelines for the Secure Deployment of IPv6, December 2010
– http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
• NIST Special Publication (SP) 500-267: A Profile for IPv6 in the U.S. Government – V1, USGv6-V2 comments due June 10, 2011, results Sept. 2011
– USGv6 Profile tests for granular filtering of IPv6 and ICMPv6 messages
• http://www.antd.nist.gov/usgv6/cfp.html
Summary of BCPs
• Perform IPv6 filtering at the perimeter
• Use RFC2827 filtering and Unicast RPF checks throughout the network
• Use manual tunnels (with IPsec whenever possible) instead of dynamic tunnels and deny packets for transition techniques not used
• Use common access-network security measures (NAC/802.1X, disable unused switch ports, Ethernet port security, MACSec/TrustSec) because SEND won’t be available any time soon
• Strive to achieve equal protections for IPv6 as with IPv4
• Continue to let vendors know what you expect in terms of IPv6 security features
Yet another IPv6 Book
• IPv6 Security, by Scott Hogg and Eric Vyncke, Cisco Press, 2009.
ISBN-10: 1-58705-594-5
ISBN-13: 978-1-58705-594-2