Skeeve Stevens
IPv6 Security
CEO Director
Tuesday, 24 May 2011
INET Colombo, May 2011

What is this talk about?
• This talk is to help people understand the security implications of migrating to IPv6
• Highlights some key areas for you to consider
• Explains the differences between IPv6 and IPv4
• Technical Difficulty - 2 out of 10 (some slides higher)
• If you know what IPv6 is, then you will understand (mostly) this presentation
• IPv6 - I LIKE! It’s NICE

IPv6 Security? Oh oh
• If you are new to IPv6 - do not implement it in a production environment until you understand the security implications
• If you do IPv6 without considering security then you WILL get hacked - and quickly. Would you leave your house unlocked?
• CPEs (modems/routers) barely understand IPv6 - initial security is weak - choose the right product! IPv6 firewalls are coming!
• Use someone who ACTUALLY knows what they are talking about - not just someone who says they know!
• Security through obscurity = security through stupidity - they WILL find your v6 address!

Key Issues to Consider
• Enabling IPv6 leaves you wide open - immediately

Key Issues to Consider
• Every aspect of security that you have in IPv4 needs to be replicated to IPv6
• SSH, Telnet, Access Lists, SNMP, CoPP – all are immediately open and accessible when you turn on IPv6 - all IPv4 security is immediately bypassed!
• It isn’t hard to do the security – you just HAVE to do it – or else
• Nothing has changed with the basic tenets of security – just all new commands for some platforms – and often in strange places
• The only new important consideration is that IPv6 requires ICMP for PMTU (Path MTU Discovery) – disabling it WILL break things (in ways that you can’t easily troubleshoot)
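
The parity gap this slide describes can be checked mechanically. The following added example (not part of the original slides) audits a constructed Cisco IOS-style configuration for stanzas that carry an IPv4 filter but no IPv6 counterpart; the function names, the sample configuration and the choice of IOS syntax are assumptions made for illustration.

```python
# Added example: find IPv4 filters that have no IPv6 counterpart.
# SAMPLE_CONFIG is constructed for illustration (documentation prefixes only).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 101 in
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ip access-group 102 in
 ipv6 address 2001:db8:0:2::1/64
 ipv6 traffic-filter V6-EDGE in
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip access-group 103 in
!
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Stanza type -> (IPv4 filter command, its IPv6 counterpart).
PAIRS = {
    "interface": ("ip access-group ", "ipv6 traffic-filter "),
    "line vty": ("access-class ", "ipv6 access-class "),
}


def parse_stanzas(config):
    """Split the config into (header, [indented child lines]) pairs."""
    stanzas = []
    for line in config.splitlines():
        if line.startswith(" ") and stanzas:
            stanzas[-1][1].append(line.strip())
        elif line.strip() and line.strip() != "!":
            stanzas.append((line.strip(), []))
    return stanzas


def directions(children, command):
    """Directions ('in'/'out') in which `command` is applied in a stanza."""
    return {c.split()[-1] for c in children if c.startswith(command)}


def parity_gaps(config):
    """List every IPv4 filter whose stanza is reachable over IPv6 unfiltered."""
    stanzas = parse_stanzas(config)
    v6_ifaces = {
        header for header, kids in stanzas
        if header.startswith("interface ")
        and any(k.startswith(("ipv6 address", "ipv6 enable")) for k in kids)
    }
    gaps = []
    for header, kids in stanzas:
        for kind, (v4_cmd, v6_cmd) in PAIRS.items():
            if not header.startswith(kind):
                continue
            # An interface matters only if it speaks IPv6; the vty lines are
            # reachable over IPv6 as soon as any interface does.
            exposed = header in v6_ifaces if kind == "interface" else bool(v6_ifaces)
            if not exposed:
                continue
            missing = directions(kids, v4_cmd) - directions(kids, v6_cmd)
            for d in sorted(missing):
                gaps.append(f"{header}: '{v4_cmd.strip()} ... {d}' "
                            f"has no '{v6_cmd.strip()}'")
    return gaps


if __name__ == "__main__":
    for gap in parity_gaps(SAMPLE_CONFIG):
        print(gap)
```

GigabitEthernet0/2 is not reported because it has no IPv6 address, which is the only reason its missing IPv6 filter is harmless.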

Key Issues to Consider
• IPv4 vs. IPv6
  • They are totally separate protocols and essentially do not interact at any point - even on the same router and/or switch
  • IPv6 is a completely new version - there is no backward compatibility at all - just some translation methods
• It is a perfect time for you to re-evaluate all your security policies and procedures
  • Zone flow
  • Device lock down policies and Host build procedures
  • User restriction
  • Source/destination control
  • Inter-departmental security - often ignored

Equipment Considerations
• Does your equipment treat v6 the same as v4?
  • Routers, Layer 3 switches, Firewalls, IPS & IDS, VPN Services
• Equipment
  • Plan for equipment upgrades if needed
  • Does it process v6 in hardware or software?
    • SW may not be fast enough for your application
    • May cause DoS situations
• Recommendations
  • Talk to your vendors about stable versions
  • Use test gear or lab kit where possible
  • Monitor sites posting vulnerabilities and respond quickly

Tactics
• IPv6 address space is huge. Scanning a network range is unwieldy for attackers. Example - NMAP doesn’t let you scan IPv6 ranges
• Attackers will look for other ways to find their targets
• Take precautions to protect systems that are caches for addresses
  • DHCP servers (reservations)
  • DNS (DNS harvesting), Web Log harvesting
  • Neighbour caches (like ARP cache)
• Don’t simply replicate your IPv4 last octet in IPv6 chazwazza* Make attackers work if they really want a host’s address!
• Inject randomisation in your addressing to make it less obvious - but don’t make life too hard for yourself
* http://www.urbandictionary.com/define.php?term=chazwazza
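
To make the addressing advice concrete, the following added example (not part of the original slides) audits a dual-stack address plan for IPv6 interface identifiers that can be guessed from the host's IPv4 address, and draws a random identifier for a /64. The address plan, host names and function names are constructed for illustration, and the four patterns checked are an assumed, non-exhaustive set.

```python
# Added example: flag IPv6 interface IDs (IIDs) derivable from the IPv4 address.
import ipaddress
import secrets

IID_MASK = (1 << 64) - 1

# Constructed address plan (documentation prefixes only).
ADDRESS_PLAN = [
    ("www",  "192.0.2.10", "2001:db8:0:1::10"),
    ("mail", "192.0.2.25", "2001:db8:0:1::c000:219"),
    ("ns1",  "192.0.2.53", "2001:db8:0:1:192:0:2:53"),
    ("db",   "192.0.2.80", "2001:db8:0:1::7"),
    ("app",  "192.0.2.90", "2001:db8:0:1:8d3f:52c1:9e07:b4a6"),
]


def iid_findings(addr4, addr6):
    """Return the reasons the interface ID of addr6 is guessable from addr4."""
    v4 = ipaddress.IPv4Address(addr4)
    iid = int(ipaddress.IPv6Address(addr6)) & IID_MASK
    last = v4.packed[3]

    # 192.0.2.53 written as the hextets 192:0:2:53
    octets_as_hextets = 0
    for octet in str(v4).split("."):
        octets_as_hextets = (octets_as_hextets << 16) | int(octet, 16)

    findings = []
    # ::a (numeric value) and ::10 (decimal digits reused as hex) both leak ".10"
    if iid in (last, int(str(last), 16)):
        findings.append("IID repeats the IPv4 last octet")
    if iid == int(v4):
        findings.append("IID embeds the IPv4 address in its low 32 bits")
    if iid == octets_as_hextets:
        findings.append("IID spells the IPv4 address as four hextets")
    if not findings and iid < 0x10000:
        findings.append("low-byte IID (fits in one hextet)")
    return findings


def audit(plan):
    """Map host name -> findings for every host with a guessable IID."""
    report = {}
    for host, addr4, addr6 in plan:
        findings = iid_findings(addr4, addr6)
        if findings:
            report[host] = findings
    return report


def random_address(prefix):
    """Pick a random interface ID inside a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    # 'or 1' avoids the all-zero IID, which is the subnet-router anycast address
    return net[secrets.randbits(64) or 1]


if __name__ == "__main__":
    for host, findings in audit(ADDRESS_PLAN).items():
        print(host, "->", "; ".join(findings))
    print("suggested replacement:", random_address("2001:db8:0:1::/64"))
```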

Filtering (More Advanced)
• Filter unneeded or potentially dangerous communications
Examples:
  • Routing Header 0 vulnerabilities (sort of like IPv4 source routing). Deprecated by RFC 5095 but still dangerous since it can let an attacker control hop flow.
  • If certain internal IPv6 addresses never need to hit the Internet, filter them
  • ICMP is critical to IPv6. Let certain (but not all) types through hops
  • Anycast & Multicast unless they are specifically used
• Don’t leave yourself open to potential future attacks - Everything you know now will change in the next 5 years. They WILL get smarter, they WILL get faster than ever before.

Extension Headers (Even More Advanced)
One key difference:
The key area where v6 is different from v4 is that v6 packets use a concept known as extension headers, which were developed to improve performance by making the packet header structure simpler.
Essentially v6 extension headers are optional headers that let you specify certain ways that you can influence the packet to behave, such as routing the packet through a certain path on the network, or you might have a fragmentation header that breaks up the packet and then reassembles it.
In v4 we had to have all those headers included in one single header but they're optional in v6.
Because they're optional, security protocols need to understand a variable set of headers, which makes security devices more complex.
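
The following added example (not part of the original slides) shows what "understanding a variable set of headers" means for a filter, and ties it to the filtering slide: it walks the extension header chain, drops Routing Header type 0, and lets Packet Too Big through so Path MTU Discovery keeps working. The packets are constructed in the code; the ICMPv6 allow-list, the cap on chain length and all function names are assumptions for illustration.

```python
# Added example: walk the IPv6 extension header chain before filtering.
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 51, 58, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
MAX_EXT_HEADERS = 8   # assumed cap so a crafted chain cannot stall the filter
# Assumed transit allow-list: destination unreachable, Packet Too Big (PMTUD),
# time exceeded, parameter problem, echo request and echo reply.
ALLOWED_ICMPV6 = {1, 2, 3, 4, 128, 129}


def walk_chain(pkt):
    """Return (upper_proto, offset, routing_types, later_fragment)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, routing_types = pkt[6], 40, []
    for _ in range(MAX_EXT_HEADERS + 1):
        if nxt not in EXTENSION_HEADERS:
            return nxt, off, routing_types, False
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:
            length = 8                           # fixed size
        elif nxt == AH:
            length = (pkt[off + 1] + 2) * 4      # AH counts 4-octet units
        else:
            length = (pkt[off + 1] + 1) * 8      # the rest count 8-octet units
        if off + length > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == ROUTING:
            routing_types.append(pkt[off + 2])
        # A non-zero fragment offset means the upper-layer header is elsewhere.
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return pkt[off], off + 8, routing_types, True
        nxt, off = pkt[off], off + length
    raise ValueError("too many extension headers")


def verdict(pkt):
    """Return (action, reason) for one packet at an assumed perimeter filter."""
    try:
        proto, off, routing_types, later_fragment = walk_chain(pkt)
    except ValueError as exc:
        return "drop", str(exc)
    if 0 in routing_types:
        return "drop", "Routing Header type 0 (deprecated by RFC 5095)"
    if later_fragment:
        return "defer", "non-first fragment: no upper-layer header to inspect"
    if proto == ICMPV6:
        if off >= len(pkt):
            return "drop", "truncated ICMPv6 message"
        if pkt[off] not in ALLOWED_ICMPV6:
            return "drop", f"ICMPv6 type {pkt[off]} not in allow-list"
        return "accept", f"ICMPv6 type {pkt[off]}"
    return "accept", f"upper-layer protocol {proto}"


# --- constructed sample packets (documentation addresses, checksums left zero)
def ipv6(next_header, payload):
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    src, dst = IPv6Address("2001:db8::1"), IPv6Address("2001:db8::2")
    return head + src.packed + dst.packed + payload


def routing(next_header, rtype, hop):
    return bytes([next_header, 2, rtype, 1, 0, 0, 0, 0]) + IPv6Address(hop).packed


def dest_opts(next_header):
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])   # a single PadN option


def icmpv6(msg_type):
    return bytes([msg_type, 0, 0, 0]) + struct.pack("!I", 1280)


SAMPLES = {
    "packet-too-big behind dest-opts": ipv6(DEST_OPTS, dest_opts(ICMPV6) + icmpv6(2)),
    "tcp behind RH0": ipv6(ROUTING, routing(6, 0, "2001:db8::99") + bytes(20)),
    "router advertisement": ipv6(ICMPV6, icmpv6(134)),
    "cut-off routing header": ipv6(ROUTING, routing(6, 0, "2001:db8::99")[:12]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {verdict(pkt)}")
```

A filter that only looks at the Next Header field of the fixed header would classify the first sample as "destination options" and never see that it carries the Packet Too Big message it must let through.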

Please Remember
• IPv6 is not automatically more secure than IPv4
• IPv6 is just layer 3... above or below layer 3 will act just the same as they do with v4 - assuming your apps are layer 3 agnostic
• IPv6 can be attacked just as easily as IPv4 - what does this mean?
  • MAC can still be spoofed
  • Flawed web apps will remain flawed - SQL injections, etc
• IPv6 attacks will grow smarter and more creative as deployments grow
• Back in 2002 a Honeypot system caught a hack using IPv6 tunnels to break into sites
• Think of the hacks and bugs discovered each month - it is only a matter of time. IPv6 is new - it will have problems

So....
Does this mean that I should avoid v6?
It sounds complicated.
Who will help me?
PRACTICE SAFE IPV6!
Thanks....
Questions?
Thanks to Kurt Bales, Jeff Doyle and Grant Moerschel for content and inspiration
CONNECT WITH ME
Email~ skeeve@eintellego.asia
Web~ www.eintellego.asia
Facebook~ facebook.com/eintellego - eintellego@facebook.com
LinkedIn~ http://au.linkedin.com/in/skeeve
Twitter~ @eintellego @networkceoau @skeevestevens
CEO Blog~ www.network-ceo.net
Tuesday, 24 May 2011

Más contenido relacionado

La actualidad más candente

y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
DEVNET-1151 DevNet Sandbox 101
DEVNET-1151	DevNet Sandbox 101DEVNET-1151	DevNet Sandbox 101
DEVNET-1151 DevNet Sandbox 101Cisco DevNet
 
OSMC 2021 | Contributing to open source with the example of icinga (1)
OSMC 2021 | Contributing to open source with the example of icinga (1)OSMC 2021 | Contributing to open source with the example of icinga (1)
OSMC 2021 | Contributing to open source with the example of icinga (1)NETWAYS
 
Voxeo Summit Day 1 - A view into the Voxeo cloud
Voxeo Summit Day 1 - A view into the Voxeo cloudVoxeo Summit Day 1 - A view into the Voxeo cloud
Voxeo Summit Day 1 - A view into the Voxeo cloudVoxeo Corp
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011François Proulx
 
DEVNET-1102 Introduction to the DevNet Sandbox and IVT
DEVNET-1102	Introduction to the DevNet Sandbox and IVTDEVNET-1102	Introduction to the DevNet Sandbox and IVT
DEVNET-1102 Introduction to the DevNet Sandbox and IVTCisco DevNet
 
Techzim Surge: Important Considerations for Hosting Web or Mobile Apps
Techzim Surge: Important Considerations for Hosting Web or Mobile AppsTechzim Surge: Important Considerations for Hosting Web or Mobile Apps
Techzim Surge: Important Considerations for Hosting Web or Mobile AppsAnthony Somerset
 
Zabbix over the Internet
Zabbix over the InternetZabbix over the Internet
Zabbix over the InternetRicardo Santos
 
Janus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverJanus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverDevDay
 
Lec01 intro and hello world program
Lec01   intro and hello world programLec01   intro and hello world program
Lec01 intro and hello world programAsif Shahzad
 
Docker Security
Docker SecurityDocker Security
Docker Securityantitree
 
OSCON 2019 | Time to Think Different
OSCON 2019 | Time to Think DifferentOSCON 2019 | Time to Think Different
OSCON 2019 | Time to Think DifferentNATS
 
SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017Lorenzo Miniero
 

La actualidad más candente (19)

y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
DEVNET-1151 DevNet Sandbox 101
DEVNET-1151	DevNet Sandbox 101DEVNET-1151	DevNet Sandbox 101
DEVNET-1151 DevNet Sandbox 101
 
OSMC 2021 | Contributing to open source with the example of icinga (1)
OSMC 2021 | Contributing to open source with the example of icinga (1)OSMC 2021 | Contributing to open source with the example of icinga (1)
OSMC 2021 | Contributing to open source with the example of icinga (1)
 
Voxeo Summit Day 1 - A view into the Voxeo cloud
Voxeo Summit Day 1 - A view into the Voxeo cloudVoxeo Summit Day 1 - A view into the Voxeo cloud
Voxeo Summit Day 1 - A view into the Voxeo cloud
 
Kali linux
Kali linuxKali linux
Kali linux
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 
Kali linux summarised
Kali linux summarisedKali linux summarised
Kali linux summarised
 
Kali Linux
Kali LinuxKali Linux
Kali Linux
 
Kalilinux
KalilinuxKalilinux
Kalilinux
 
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011
Wi-Fi: Secure or Open / Secure Open Wireless Access / SOWA @ HackFest 2011
 
DEVNET-1102 Introduction to the DevNet Sandbox and IVT
DEVNET-1102	Introduction to the DevNet Sandbox and IVTDEVNET-1102	Introduction to the DevNet Sandbox and IVT
DEVNET-1102 Introduction to the DevNet Sandbox and IVT
 
Techzim Surge: Important Considerations for Hosting Web or Mobile Apps
Techzim Surge: Important Considerations for Hosting Web or Mobile AppsTechzim Surge: Important Considerations for Hosting Web or Mobile Apps
Techzim Surge: Important Considerations for Hosting Web or Mobile Apps
 
Zabbix over the Internet
Zabbix over the InternetZabbix over the Internet
Zabbix over the Internet
 
Janus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) serverJanus: an open source and general purpose WebRTC (gateway) server
Janus: an open source and general purpose WebRTC (gateway) server
 
ZAP @FOSSASIA2015
ZAP @FOSSASIA2015ZAP @FOSSASIA2015
ZAP @FOSSASIA2015
 
Lec01 intro and hello world program
Lec01   intro and hello world programLec01   intro and hello world program
Lec01 intro and hello world program
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
OSCON 2019 | Time to Think Different
OSCON 2019 | Time to Think DifferentOSCON 2019 | Time to Think Different
OSCON 2019 | Time to Think Different
 
SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017SIP/WebRTC load testing @ KamailioWorld 2017
SIP/WebRTC load testing @ KamailioWorld 2017
 

Similar a IPv6 Security

Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksSkeeve Stevens
 
Tech 2 Tech IPv6 presentation
Tech 2 Tech IPv6 presentationTech 2 Tech IPv6 presentation
Tech 2 Tech IPv6 presentationJisc
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of SouthamptonIPv6 Summit 2010
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveIKT-Norge
 
ARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdfFernandoGont
 
Network Security IPv4 plus IPv6.pdf
Network Security IPv4 plus IPv6.pdfNetwork Security IPv4 plus IPv6.pdf
Network Security IPv4 plus IPv6.pdfKelvin Goh
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseThierry Zoller
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6Zivaro Inc
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoDigicomp Academy AG
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn FortinetDigicomp Academy AG
 
Track f interoperable ip-delivery_ch_e ofer shragay
Track f   interoperable ip-delivery_ch_e ofer shragayTrack f   interoperable ip-delivery_ch_e ofer shragay
Track f interoperable ip-delivery_ch_e ofer shragaychiportal
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6Zivaro Inc
 
Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011IPv6no
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnelhacktivity
 
IETF Activities Update
IETF Activities UpdateIETF Activities Update
IETF Activities UpdateARIN
 

Similar a IPv6 Security (20)

Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
Tech 2 Tech IPv6 presentation
Tech 2 Tech IPv6 presentationTech 2 Tech IPv6 presentation
Tech 2 Tech IPv6 presentation
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
ARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities ReportARIN 36 IETF IPv6 Activities Report
ARIN 36 IETF IPv6 Activities Report
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
Network Security IPv4 plus IPv6.pdf
Network Security IPv4 plus IPv6.pdfNetwork Security IPv4 plus IPv6.pdf
Network Security IPv4 plus IPv6.pdf
 
IPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash CourseIPV6 - Threats and Countermeasures / Crash Course
IPV6 - Threats and Countermeasures / Crash Course
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
 
Presd1 09
Presd1 09Presd1 09
Presd1 09
 
IPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live DemoIPv6 Security - Workshop mit Live Demo
IPv6 Security - Workshop mit Live Demo
 
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
4. IPv6 Security - Workshop mit Live Demo - Marco Senn Fortinet
 
Track f interoperable ip-delivery_ch_e ofer shragay
Track f   interoperable ip-delivery_ch_e ofer shragayTrack f   interoperable ip-delivery_ch_e ofer shragay
Track f interoperable ip-delivery_ch_e ofer shragay
 
Successfully Deploying IPv6
Successfully Deploying IPv6Successfully Deploying IPv6
Successfully Deploying IPv6
 
Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011Ron Broersma dren-stavanger-22 nov2011
Ron Broersma dren-stavanger-22 nov2011
 
ION Durban - IPv6 Case Study (Liquid Telecom)
ION Durban - IPv6 Case Study (Liquid Telecom)ION Durban - IPv6 Case Study (Liquid Telecom)
ION Durban - IPv6 Case Study (Liquid Telecom)
 
VPN
VPNVPN
VPN
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
Balázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a TunnelBalázs Bucsay - XFLTReaT: Building a Tunnel
Balázs Bucsay - XFLTReaT: Building a Tunnel
 
IETF Activities Update
IETF Activities UpdateIETF Activities Update
IETF Activities Update
 

Más de Skeeve Stevens

Building an Elastic Fabric
Building an Elastic FabricBuilding an Elastic Fabric
Building an Elastic FabricSkeeve Stevens
 
Elastic Fabrics & Cloud ISPs
Elastic Fabrics & Cloud ISPsElastic Fabrics & Cloud ISPs
Elastic Fabrics & Cloud ISPsSkeeve Stevens
 
Wholesale services over VxC Fabrics
Wholesale services over VxC FabricsWholesale services over VxC Fabrics
Wholesale services over VxC FabricsSkeeve Stevens
 
Future of Wearable Technology
Future of Wearable TechnologyFuture of Wearable Technology
Future of Wearable TechnologySkeeve Stevens
 
Service Provider Models using the NBN
Service Provider Models using the NBNService Provider Models using the NBN
Service Provider Models using the NBNSkeeve Stevens
 
World Youth Day 2008 - Lightening Talk
World Youth Day 2008 - Lightening TalkWorld Youth Day 2008 - Lightening Talk
World Youth Day 2008 - Lightening TalkSkeeve Stevens
 
The Impact of Social Media with Mobile Devices
The Impact of Social Media with Mobile DevicesThe Impact of Social Media with Mobile Devices
The Impact of Social Media with Mobile DevicesSkeeve Stevens
 
IPv6 Readiness - Preparing for the Inevitable
IPv6 Readiness - Preparing for the InevitableIPv6 Readiness - Preparing for the Inevitable
IPv6 Readiness - Preparing for the InevitableSkeeve Stevens
 
Social Media Trends and the Network
Social Media Trends and the NetworkSocial Media Trends and the Network
Social Media Trends and the NetworkSkeeve Stevens
 
Computerworld Conference (2002)
Computerworld Conference (2002)Computerworld Conference (2002)
Computerworld Conference (2002)Skeeve Stevens
 
Wholesale Options for Small ISPs
Wholesale Options for Small ISPsWholesale Options for Small ISPs
Wholesale Options for Small ISPsSkeeve Stevens
 
Why Being a Small ISP is still Viable
Why Being a Small ISP is still ViableWhy Being a Small ISP is still Viable
Why Being a Small ISP is still ViableSkeeve Stevens
 

Más de Skeeve Stevens (13)

Building an Elastic Fabric
Building an Elastic FabricBuilding an Elastic Fabric
Building an Elastic Fabric
 
The Cloud ISP
The Cloud ISPThe Cloud ISP
The Cloud ISP
 
Elastic Fabrics & Cloud ISPs
Elastic Fabrics & Cloud ISPsElastic Fabrics & Cloud ISPs
Elastic Fabrics & Cloud ISPs
 
Wholesale services over VxC Fabrics
Wholesale services over VxC FabricsWholesale services over VxC Fabrics
Wholesale services over VxC Fabrics
 
Future of Wearable Technology
Future of Wearable TechnologyFuture of Wearable Technology
Future of Wearable Technology
 
Service Provider Models using the NBN
Service Provider Models using the NBNService Provider Models using the NBN
Service Provider Models using the NBN
 
World Youth Day 2008 - Lightening Talk
World Youth Day 2008 - Lightening TalkWorld Youth Day 2008 - Lightening Talk
World Youth Day 2008 - Lightening Talk
 
The Impact of Social Media with Mobile Devices
The Impact of Social Media with Mobile DevicesThe Impact of Social Media with Mobile Devices
The Impact of Social Media with Mobile Devices
 
IPv6 Readiness - Preparing for the Inevitable
IPv6 Readiness - Preparing for the InevitableIPv6 Readiness - Preparing for the Inevitable
IPv6 Readiness - Preparing for the Inevitable
 
Social Media Trends and the Network
Social Media Trends and the NetworkSocial Media Trends and the Network
Social Media Trends and the Network
 
Computerworld Conference (2002)
Computerworld Conference (2002)Computerworld Conference (2002)
Computerworld Conference (2002)
 
Wholesale Options for Small ISPs
Wholesale Options for Small ISPsWholesale Options for Small ISPs
Wholesale Options for Small ISPs
 
Why Being a Small ISP is still Viable
Why Being a Small ISP is still ViableWhy Being a Small ISP is still Viable
Why Being a Small ISP is still Viable
 

Último

EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarThousandEyes
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsDianaGray10
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingFrancesco Corti
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInThousandEyes
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1DianaGray10
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTxtailishbaloch
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0DanBrown980551
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updateadam112203
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxNeo4j
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfInfopole1
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.IPLOOK Networks
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FESTBillieHyde
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 

Último (20)

EMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? WebinarEMEA What is ThousandEyes? Webinar
EMEA What is ThousandEyes? Webinar
 
Automation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projectsAutomation Ops Series: Session 2 - Governance for UiPath projects
Automation Ops Series: Session 2 - Governance for UiPath projects
 
Where developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is goingWhere developers are challenged, what developers want and where DevEx is going
Where developers are challenged, what developers want and where DevEx is going
 
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedInOutage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
Outage Analysis: March 5th/6th 2024 Meta, Comcast, and LinkedIn
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
UiPath Studio Web workshop series - Day 1
UiPath Studio Web workshop series  - Day 1UiPath Studio Web workshop series  - Day 1
UiPath Studio Web workshop series - Day 1
 
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENTSIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
SIM INFORMATION SYSTEM: REVOLUTIONIZING DATA MANAGEMENT
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
Patch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 updatePatch notes explaining DISARM Version 1.4 update
Patch notes explaining DISARM Version 1.4 update
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptxEmil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
Emil Eifrem at GraphSummit Copenhagen 2024 - The Art of the Possible.pptx
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Extra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdfExtra-120324-Visite-Entreprise-icare.pdf
Extra-120324-Visite-Entreprise-icare.pdf
 
Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.Introduction - IPLOOK NETWORKS CO., LTD.
Introduction - IPLOOK NETWORKS CO., LTD.
 
Technical SEO for Improved Accessibility WTS FEST
Technical SEO for Improved Accessibility  WTS FESTTechnical SEO for Improved Accessibility  WTS FEST
Technical SEO for Improved Accessibility WTS FEST
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 

IPv6 Security

  • 1. Skeeve Stevens IPv6 Security CEO Director Tuesday, 24 May 2011
  • 2. INET Colombo, May 2011 IPv6 Security • This talk to to help people understand the security implications of migrating to IPv6 • Highlights some key areas for you to consider • Explain the differences between IPv6 and IPv4 • Technical Difficulty - 2 out of 10 (some slides higher) • If you know what IPv6 is, then you will understand (mostly) this presentation • IPv6 - I LIKE! It’s NICE What is this talk about? Tuesday, 24 May 2011
  • 3. INET Colombo, May 2011 IPv6 Security • If you are new to IPv6 - do not implement it in a production environment until you understand the security implications • If you do IPv6 without considering security then you WILL get hacked - and quickly. Would you leave your house unlocked? • CPE’s (modem/router) barely understand IPv6 - initial security is weak - choose the right product! IPv6 Firewalls are coming! • Use someone who ACTUALLY knows what they are talking about - not just someone who just says they know! • Security through obscurity = security through stupidity - they WILL find your v6 address! IPv6 Security? Oh oh Tuesday, 24 May 2011
  • 4. INET Colombo, May 2011 IPv6 Security • Enabling IPv6 leaves you wide open - immediately Key Issues to Consider Tuesday, 24 May 2011
  • 5. Key Issues to Consider
      • Every aspect of security that you have in IPv4 needs to be replicated to IPv6
      • SSH, Telnet, Access Lists, SNMP, CoPP – All are immediately open and accessible when you turn on IPv6 - all IPv4 security is immediately bypassed!
      • It isn’t hard to do the security – you just HAVE to do it – or else
      • Nothing has changed with the basic tenets of security – just all new commands for some platforms – and often in strange places
      • The only new important consideration is that IPv6 requires ICMP for PMTU (Path MTU Discovery) – disabling it WILL break things (in ways that you can’t easily troubleshoot)
  • 6. Key Issues to Consider
      • IPv4 vs. IPv6
          • They are totally separate protocols and essentially do not interact at any point - even on the same router and/or switch
          • IPv6 is a completely new version - there is no backward compatibility at all - just some translation methods
      • It is a perfect time for you to re-evaluate all your security policies and procedures
          • Zone flow
          • Device lock down policies and Host build procedures
          • User restriction
          • Source/destination control
          • Inter-departmental security - often ignored
  • 7. Equipment Considerations
      • Does your equipment treat v6 the same as v4?
          • Routers, Layer 3 switches, Firewalls, IPS & IDS, VPN Services
      • Equipment
          • Plan for equipment upgrades if needed
          • Does it process v6 in hardware or software?
              • SW may not be fast enough for your application
              • May cause DoS situations
      • Recommendations
          • Talk to your vendors about stable versions
          • Use test gear or lab kit where possible
          • Monitor sites posting vulnerabilities and respond quickly
  • 8. Tactics
      • IPv6 address space is huge. For attackers, scanning a network range is unwieldy. Example - NMAP doesn’t let you scan IPv6 ranges
      • Attackers will look for other ways to find their targets
      • Take precautions to protect systems that are caches for addresses
          • DHCP servers (reservations)
          • DNS (DNS harvesting), Web Log harvesting
          • Neighbour caches (like ARP cache)
      • Don’t simply replicate your IPv4 last octet in IPv6 chazwazza* Make attackers work if they really want a host’s address!
      • Inject randomisation in your addressing to make it less obvious - but don’t make life too hard for yourself
      * http://www.urbandictionary.com/define.php?term=chazwazza
  • 9. Filtering (More Advanced)
      • Filter unneeded or potentially dangerous communications. Examples:
          • Routing Header 0 vulnerabilities (sort of like IPv4 source routing). Deprecated by RFC 5095 but still dangerous since it can let an attacker control hop flow.
          • If certain internal IPv6 addresses never need to hit the Internet, filter them
          • ICMP is critical to IPv6. Let certain (but not all) types through hops
          • Anycast & Multicast unless they are specifically used
      • Don’t leave yourself open to potential future attacks - Everything you know now will change in the next 5 years. They WILL get smarter, they WILL get faster than ever before.
  • 10. Extension Headers (Even More Advanced)
      One key difference: the key area where v6 is different from v4 is that v6 packets use a concept known as extension headers, which were developed to improve performance by making the packet header structure simpler. Essentially, v6 extension headers are optional headers that let you specify certain ways to influence how the packet behaves, such as routing the packet through a certain path on the network, or you might have a fragmentation header that breaks up the packet and then reassembles it. In v4 we had to have all those headers included in one single header, but they're optional in v6. Because they're optional, security protocols need to understand a variable set of headers, which makes security devices more complex.
  • 11. Please Remember
      • IPv6 is not automatically more secure than IPv4
      • IPv6 is just layer 3... the layers above or below layer 3 will act just the same as they do with v4 - assuming your apps are layer 3 agnostic
      • IPv6 can be attacked just as easily as IPv4 - what does this mean?
          • MAC can still be spoofed
          • Flawed web apps will remain flawed - SQL injections, etc
      • IPv6 attacks will grow smarter and more creative as deployments grow
      • Back in 2002 a Honeypot system caught a hack using IPv6 tunnels to break into sites
      • Think of the hacks and bugs discovered each month - it is only a matter of time. IPv6 is new - it will have problems
  • 12. So....
      • Does this mean that I should avoid v6?
      • It sounds complicated. Who will help me?
      • PRACTICE SAFE IPV6!
  • 13. Thanks.... Questions?
      Thanks to Kurt Bales, Jeff Doyle and Grant Moerschel for content and inspiration
      CONNECT WITH ME
      • Email~ skeeve@eintellego.asia
      • Web~ www.eintellego.asia
      • Facebook~ facebook.com/eintellego - eintellego@facebook.com
      • LinkedIn~ http://au.linkedin.com/in/skeeve
      • Twitter~ @eintellego @networkceoau @skeevestevens
      • CEO Blog~ www.network-ceo.net
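
Slides 9 and 10 say a filter has to follow a variable chain of extension headers before it can decide anything, and that Routing Header type 0 should be dropped. The sketch below is an added example, not code from the talk: it walks the chain of a raw IPv6 packet and returns a filtering decision. The function names, the `MAX_EXT_HEADERS` policy limit and the sample packets (documentation prefix 2001:db8::/32) are assumptions constructed for illustration.

```python
import struct

# Extension headers handled here; AH, ESP and others are treated as upper-layer.
EXT_NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 60: "dest-opts"}
MAX_EXT_HEADERS = 8  # policy assumption for this example, not a protocol limit

def verdict(action, reason, chain, upper=None):
    return {"action": action, "reason": reason, "chain": chain, "upper": upper}

def inspect_ipv6(packet: bytes) -> dict:
    """Walk the extension header chain and return a filtering decision."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return verdict("drop", "not a complete IPv6 header", [])
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_NAMES:
        if len(chain) >= MAX_EXT_HEADERS:
            return verdict("drop", "extension header chain too long", chain)
        if next_hdr == 0 and chain:
            return verdict("drop", "hop-by-hop header is not first", chain)
        if offset + 8 > len(packet):
            return verdict("drop", "truncated extension header", chain)
        # The fragment header is fixed at 8 bytes; the others carry a length
        # field counting 8-byte units beyond the first 8 bytes.
        hdr_len = 8 if next_hdr == 44 else (packet[offset + 1] + 1) * 8
        if offset + hdr_len > len(packet):
            return verdict("drop", "truncated extension header", chain)
        chain.append(EXT_NAMES[next_hdr])
        if next_hdr == 43 and packet[offset + 2] == 0:
            return verdict("drop", "routing header type 0 (RFC 5095)", chain)
        if next_hdr == 44 and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            # Later fragments carry no upper-layer header to match rules on.
            return verdict("reassemble", "non-first fragment", chain)
        next_hdr, offset = packet[offset], offset + hdr_len
    return verdict("pass", "chain ends at upper-layer protocol", chain, next_hdr)

def sample(next_hdr: int, payload: bytes) -> bytes:
    """Constructed test packet between two documentation-prefix addresses."""
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + src + dst + payload

PADN = bytes([1, 4, 0, 0, 0, 0])  # PadN option that fills six bytes
CLEAN = sample(0, bytes([60, 0]) + PADN + bytes([58, 0]) + PADN + bytes(8))
RH0 = sample(43, bytes([6, 2, 0, 1]) + bytes(20) + bytes(20))
LATE_FRAG = sample(44, struct.pack("!BBHI", 17, 0, 185 << 3, 0xABCD) + bytes(16))

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("rh0", RH0), ("late-frag", LATE_FRAG)):
        print(name, inspect_ipv6(pkt))
```

A device that cannot make the "reassemble" decision has to either drop non-first fragments or pass them unchecked, which is the extra complexity slide 10 refers to.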
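
Slide 8 advises against copying the IPv4 last octet into IPv6 addresses and suggests adding randomisation. The audit below is an added example, not part of the talk: it labels addresses in your own plan whose interface identifier (the low 64 bits) follows a guessable pattern. The pattern labels, function names and the sample plan (documentation prefixes 2001:db8::/32 and 192.0.2.0/24) are assumptions constructed for illustration.

```python
import ipaddress

def classify_iid(addr, ipv4_hosts=()):
    """Label the pattern, if any, in the low 64 bits (interface ID) of addr."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    v4 = {str(ipaddress.IPv4Address(h)) for h in ipv4_hosts}
    last_octets = {h.rsplit(".", 1)[1] for h in v4}
    groups = ["%x" % ((iid >> s) & 0xFFFF) for s in (48, 32, 16, 0)]
    if iid < 0x10000:
        # e.g. 192.0.2.25 reused as ::25 (same digits) or ::19 (same value)
        if groups[3] in last_octets or str(iid) in last_octets:
            return "ipv4-last-octet"
        return "low-byte"
    if ".".join(groups) in v4:
        return "ipv4-as-groups"      # 192.0.2.25 written as ::192:0:2:25
    if iid >> 32 == 0 and str(ipaddress.IPv4Address(iid)) in v4:
        return "ipv4-embedded"       # 192.0.2.25 written as ::c000:219
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui-64"              # built from the interface MAC address
    return "no-obvious-pattern"

def audit(plan, ipv4_hosts):
    """Return {address: label} for every address whose IID shows a pattern."""
    labels = {a: classify_iid(a, ipv4_hosts) for a in plan}
    return {a: label for a, label in labels.items() if label != "no-obvious-pattern"}

# Constructed sample data: the IPv4 hosts being migrated and a draft IPv6 plan.
IPV4_HOSTS = ["192.0.2.25", "192.0.2.10"]
PLAN = [
    "2001:db8::25",                      # last octet copied as digits
    "2001:db8::53",                      # service-port style low address
    "2001:db8::192:0:2:10",              # IPv4 address spelled out in groups
    "2001:db8::c000:219",                # IPv4 address embedded as 32 bits
    "2001:db8::211:22ff:fe33:4455",      # MAC-derived
    "2001:db8::8d3f:6a1c:47e2:b905",     # randomised
]

if __name__ == "__main__":
    for address, label in audit(PLAN, IPV4_HOSTS).items():
        print(f"{address:34} {label}")
```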