Network Security
IPv4 + IPv6
by
Benjamin T.P. Tan
Managing Director
SuperInternet
Overview
• Confidentiality? Integrity? Availability!
• IPv6 Issues (Compared with IPv4)
• Physical Security of the Network
Assumptions:
• Generally familiar with
– Network Security
– Telecommunications Infrastructure
• Technical Management
Neglected Areas
• Not the usual Topics: IPSec, VPNs, SSL VPNs, PKI, Firewalls, IDS/IPS
– Confidentiality on the Network
• Many available solutions
• Data Integrity on the Network
– Several issues solved by end-to-end crypto (Application) IF implemented. Else Network HELPS!
– Somewhat known solutions: DHCP Snooping, ARP inspection, L3 Micro segmentation
– Routing Subversion
– Routing Subversion
• Network Availability
– DoS at all levels
– Physical Infrastructure Weaknesses
IPv6 – Dual Stack
• 2 protocols on the same wire
• VLANs still segregate
• BUT IPv4 Subnets DO NOT
New-Old Problems:
• IPv6 Global Unicast Addresses
– PUBLIC IP on the machine!
– IF configured route-able then node is fully
IPv4 DHCP Issues
• Flashback before IPv6
• IP Address Conflicts?!
• Rogue DHCP Servers
– APs on your LAN?!
• Users Setting Static IPs
– Desktop Lockdown?
• DHCP Snooping and IP Source Guard
(config) ip source binding mac-address vlan vlan-id ip-address interface interface-name
(config-if) ip verify source vlan dhcp-snooping port-security
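Added example (not from the slides, and not vendor code): a small Python model of what the two commands above make a switch do. DHCP snooping drops server messages (OFFER/ACK) that arrive on untrusted access ports, which is what stops a rogue DHCP server or a consumer AP from handing out leases; the bindings learned from the trusted uplink, plus any static `ip source binding` entries, are then used by IP Source Guard with port-security to forward only frames whose source IP and MAC match the binding for that port and VLAN. Interface names, MACs and addresses are constructed.

```python
# Model of DHCP snooping + IP Source Guard (port-security mode).
# All interface names, MACs and IPs below are constructed sample values.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    mac: str
    vlan: int
    ip: str
    interface: str


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        # Ports facing the real DHCP server (uplinks) are trusted;
        # every access port is untrusted by default.
        self.trusted = set(trusted_ports)
        self.bindings = set()

    def add_static_binding(self, mac, vlan, ip, interface):
        """Equivalent of 'ip source binding <mac> vlan <id> <ip> interface <if>'."""
        self.bindings.add(Binding(mac.lower(), vlan, ip, interface))

    def dhcp_server_message(self, ingress, client_mac, vlan, offered_ip, client_port):
        """A DHCPOFFER/DHCPACK arriving on 'ingress'. Snooping drops server
        messages seen on untrusted ports (rogue server / AP) and learns a
        binding only from trusted ones. Returns True if accepted."""
        if ingress not in self.trusted:
            return False
        self.bindings.add(Binding(client_mac.lower(), vlan, offered_ip, client_port))
        return True

    def permit(self, interface, vlan, src_mac, src_ip):
        """IP Source Guard with port-security: a frame on an access port is
        forwarded only if (MAC, VLAN, IP, port) matches a binding."""
        return Binding(src_mac.lower(), vlan, src_ip, interface) in self.bindings


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/48"})
    # Legitimate lease: ACK from the real server arrives on the trusted uplink.
    sw.dhcp_server_message("Gi1/0/48", "00:11:22:33:44:55", 10, "10.0.10.20", "Gi1/0/5")
    # Printer with a fixed address, entered by hand as a static binding.
    sw.add_static_binding("00:aa:bb:cc:dd:ee", 10, "10.0.10.50", "Gi1/0/6")
    return {
        # Rogue AP on an access port tries to hand out its own leases: dropped.
        "rogue_offer": sw.dhcp_server_message("Gi1/0/7", "00:11:22:33:44:66", 10, "192.168.0.5", "Gi1/0/8"),
        "leased_client": sw.permit("Gi1/0/5", 10, "00:11:22:33:44:55", "10.0.10.20"),
        "static_printer": sw.permit("Gi1/0/6", 10, "00:aa:bb:cc:dd:ee", "10.0.10.50"),
        # User sets a static IP on a port that has no binding: dropped.
        "user_static_ip": sw.permit("Gi1/0/9", 10, "00:11:22:33:44:77", "10.0.10.99"),
        # Same IP as the leased client but a different MAC: dropped.
        "spoofed_mac": sw.permit("Gi1/0/5", 10, "00:de:ad:be:ef:00", "10.0.10.20"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} {'forward' if ok else 'drop'}")
```

The point of the model: both the rogue server and the user-set static IP fail for the same reason, no binding exists for that port, so the "desktop lockdown" question on the slide becomes a switch policy rather than a host policy.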
IPv6 – Dual Stack (Cont’d)
• Autoconfiguration
– As If a DHCP server were running (but Stateless)
– Only Router needs to be configured
• Public Address on Router? (ref. prev. slide!) Do you have a shadow network running?
• Flashback: IPv4 - Router Unresponsive due to Attack
• Data Plane can handle load, but Control Plane cannot
• Sluggish response
• Policy-Map on Control-Plane
Dual Stack Resource Contention
• Performance:
– IPv6 in H/W or S/W?
– Tunnels in H/W or S/W?
– What about v4?
• Flooding v6 results in v4 outage as well
• Control Plane Resource Issues
Flat Networks
• Network may already be segregated by VLANs, Subnets and Firewall rules between segments. Good for IPv4 – BUT… (see next slide)
• Non Dual Stack on same interface/wire.
– BUT implemented as 1 Large VLAN ?!
• IPv6 address space allows for large flat networks
• Risks of large flat networks
– Same as IPv4: Layer 2 Attacks!
(Ref earlier notes about shadow networks even if separate VLAN)
ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Summary:
– lookup IPv4 DNS for isatap.domain.name
– Establish Tunnel to ISATAP server
– Get IPv6 address
• All Peers on Same Tunnel are Peers!
• What if Enterprise security model is based on VLAN-Subnet segregation?!
• New-Old Problem: Tunnels inside and outside the organization.
IPv6 Firewalls / IDS,IPS
• Does your Firewall support IPv6?
• For ALL features that you need?
• IDS/IPS? Or will you do without?
• Is IPv6 implemented as a tunnel over IPv4 which goes Through the Firewalls?!
Note from previous slides: IPv6 address is usually a Globally Routable IP! (“Public Address”)
Routing Protocol Security
• Dynamic Routing Issues
• BGP MD5
• OSPF Area Authentication
• Default Interface passive
• Bad Routes by real neighbours
• Does your Infrastructure support OSPFv3? MP-BGP? Else Static Routes? Redistributed?
Is the Dynamic Routing Protocol used in your network secured?
Miscellaneous IPv6 Issues
• EUI-64:
– GUID leakage
– Vendor leakage
– Organization Size?
• ICMPv6
– Firewall “defaults” changed
• L2: Neighbour Discovery / SEcure ND
– Router/Neighbour Solicitation (“ARP”)
– SEND only in Win2008 and Win7 (not in Vista)
– Overheads!
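Added example (not from the slides): a Python helper that reads an IPv6 address the way an auditor would when reviewing host inventories or logs. It serves three of the points above: whether the address is Global Unicast (2000::/3), i.e. a public address on the machine as the Dual Stack slide warns; whether the interface ID is an ISATAP one (0000:5efe or 0200:5efe followed by the node's IPv4 address), which reveals a tunnel; and whether the interface ID is modified EUI-64, in which case the MAC and its OUI (the "GUID" and vendor leakage) can be recovered by undoing the ff:fe insertion and the U/L bit flip. Sample addresses are constructed from documentation ranges.

```python
# Classify an IPv6 address: routability, ISATAP tunnel use, EUI-64 MAC leakage.
# Added example; sample addresses below are constructed (2001:db8::/32, 192.0.2.0/24).
import ipaddress
from typing import Optional

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def is_global_unicast(addr: str) -> bool:
    """Global Unicast (2000::/3): publicly routable wherever a route exists."""
    return ipaddress.IPv6Address(addr) in GLOBAL_UNICAST


def isatap_ipv4(addr: str) -> Optional[str]:
    """ISATAP interface IDs are 0000:5efe or 0200:5efe followed by the node's
    IPv4 address. Return that embedded IPv4 address, or None."""
    b = ipaddress.IPv6Address(addr).packed
    if b[8] in (0x00, 0x02) and b[9] == 0x00 and b[10:12] == b"\x5e\xfe":
        return str(ipaddress.IPv4Address(b[12:16]))
    return None


def eui64_mac(addr: str) -> Optional[str]:
    """Modified EUI-64 interface IDs insert ff:fe in the middle of the MAC and
    flip the U/L bit (bit 1 of the first byte). Undo both and return the MAC,
    or None if the interface ID is not EUI-64 shaped (privacy/random IDs)."""
    b = ipaddress.IPv6Address(addr).packed
    if b[11:13] != b"\xff\xfe":
        return None
    mac = bytes([b[8] ^ 0x02]) + b[9:11] + b[13:16]
    return ":".join(f"{x:02x}" for x in mac)


def analyse(addr: str) -> dict:
    """Summarise what a single address leaks about the host behind it."""
    mac = eui64_mac(addr)
    return {
        "address": ipaddress.IPv6Address(addr).compressed,
        "global_unicast": is_global_unicast(addr),
        "isatap_ipv4": isatap_ipv4(addr),
        "mac": mac,
        # First three octets are the OUI; look it up in the IEEE registry
        # (not bundled here) to get the NIC vendor.
        "oui": mac[:8] if mac else None,
    }


if __name__ == "__main__":
    samples = [
        "2001:db8:1::221:5cff:fe1a:2b3c",   # SLAAC with EUI-64 from a MAC
        "fe80::5efe:192.0.2.10",            # link-local ISATAP address
        "2001:db8:2::200:5efe:192.0.2.10",  # global ISATAP address
        "2001:db8::a1b2:c3d4:e5f6:708",     # privacy-style interface ID
    ]
    for s in samples:
        print(analyse(s))
```

Reading the output: the first address tells an observer the host is publicly addressed and which NIC vendor it carries; the second and third show an ISATAP tunnel endpoint and its IPv4 address, which is the "shadow network" case; the fourth leaks nothing beyond the prefix.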
IPv6 IPSec
• IPSec is ALWAYS in the IPv6 Stack
• Should you turn it on?
• What are we trading for what?
– No more MITM, Replay, sniffing, etc
– Firewall? IDS / IPS?
– QoS?
Section Summary
• Watch out for weaknesses opened by transitional mechanisms.
– E.g. Dual Stacks, ISATAP, Tunnels.
• Ensure that your existing policy can be mapped to IPv6 and that feature parity is available.
– E.g. Firewall, IPS/IDS
• Several Issues are not new. Already in IPv4. IPv6 does not solve these issues.
– E.g. Dynamic Routing Protocol security
Data Centers
• E.g. Singapore: 1Net, Equinix, GlobalSwitch
• Co-Lo
• [Easy] Access
• TATP?!
• “Everyone” is there
• Peering
Cable Landing Stations
MDF Rooms and Risers
• Cables within Buildings
• Who has Access to the MDF Room?
• Access to Risers?
Lead-In pipes
• Telecommunications Links
• Buildings to Telecom Exchanges
• Plans generally available!
Low Tech Attacks
• Electrical Overload to Ethernet switch
– Capacitive discharge from Ethernet ports
– (MDF/Riser to Router)
• Is fiber more resilient?
– Fiber fuse
• Critical Infrastructure in Car Parks...
– [salt] Water?
– Carbon Particles?
– SMOKE!