
Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6)

IPv6 Security: Firewall Considerations. Prof. Dr. Sureswaran Ramadass, Director, National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia. Why IPv6? Exhaustion of the IANA IPv4 free pool. Awareness activities such as the IPv6 Forum and “World IPv6 Day”.





Presentation Transcript


  1. IPv6 Security: Firewall Considerations Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia

  2. Why IPv6? • Exhaustion of the IANA IPv4 free pool. • Awareness activities such as the IPv6 Forum and “World IPv6 Day”. • Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs. • All OSes have IPv6 support, so part of your network is already running IPv6! • IPv6 is the only way moving forward! How about NAT???

  3. NAT Causes Problems • Breaks globally unique address model • Breaks address stability • Breaks always-on model • Breaks peer-to-peer model • Breaks some applications • Breaks some security protocols • Breaks some QoS functions • Introduces a false sense of security • Introduces hidden costs

  4. Drivers for IPv6 • An explosion of Internet applications, games, information sources, and financial transactions. • The movement of traditional services such as voice and video from legacy circuit-based infrastructures to IP networks. • Millions of new IP-enabled mobile devices, with millions more projected in the near future. • Expanding economies in populous countries such as China and India, and developing economies throughout the world. • Burgeoning consumer electronics industries finding new ways to exploit IP capabilities. • Emerging IP-enabled sensor networks for industrial,medical, and military applications.

  5. Migration Deployment IPv6

  6. IPv6 Deployment has begun • RIRs have been allocating IPv6 address space since 1999. • Thousands of organizations have received an IPv6 allocation to date. • ARIN has IPv6 distribution policies for service providers, community networks, and end-user organizations.

  7. IPv4 & IPv6 Coexistence • Today, the Internet is predominantly based on IPv4. • For the foreseeable future, the Internet must run both IP versions (IPv4 & IPv6) at the same time. (When done on a single device, this is called the “dual-stack” approach.) • Deployment is already underway: Today, there are organizations attempting to reach your mail, web, and application servers via IPv6...

  8. Is IPv6 more (or less) secure than IPv4?

  9. The Big IPv6 Security Question Does IPv6 help or hinder network security? The Answer is not that simple!

  10. Types of IPv6 Security Issues • Issues due to the IPv6 protocol itself • Issues due to transition mechanisms • Issues due to IPv6 deployment.

  11. Co-existence Security Concerns • Dual-stacking increases the complexity of the network, and thus the number of potential vulnerabilities. • Co-existence traffic usually results in complex traffic (with multiple encapsulations). • This increases the difficulty of performing Deep Packet Inspection (DPI). • Increase in complexity of firewall filtering policies or detection.

  12. IPv6 Deployment Security Concerns • There is much less experience with IPv6 than with IPv4 • IPv6 implementations are less mature than their IPv4 counterparts • Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4 • The complexity of the resulting network will increase during the transition/co-existence period: • Two internetworking protocols (IPv4 and IPv6) • Increased use of NATs • Increased use of tunnels • Use of other transition/co-existence technologies • Lack of well-trained IPv6 Engineers.

  13. Areas of Concern of IPv6 Deployment • System Security • Application Security • Security Training & Experience • Hackers • Network Security

  14. IPv6 Security Hacking Arsenal/Tools • Attackers already have many IPv6-capable tools: THC-IPv6 Attack Suite. Unfortunately, IPv6 security controls and products seem to be a bit behind.

  15. IPv6 and Firewall

  16. Host Based Firewalls • On Windows, many third-party host-based firewalls have only limited support for IPv6. • Some have none at all. • Others may even block some mechanisms such as DHCPv6 or SLAAC. • In Windows 7 and above, the built-in firewall has excellent support for IPv6. • On *BSD, the pf kernel-based packet filter can easily be deployed as an excellent host-based dual-stack firewall. You can even build a full gateway firewall using it. • The pfSense open source project has built a good GUI around pf, but it has very limited support for IPv6. • On Linux, netfilter/iptables is roughly equivalent to *BSD’s pf, but is not as complete; it also has support for IPv6.

  17. Gateway Firewalls • In addition to all the typical gateway firewall mechanisms and controls for IPv4 (including port forwarding and NAT), true dual-stack gateway firewalls should include the following new features: • Support for native dual-stack service, plus tunnel endpoint support for one or more mechanisms including 6in4, TSP, 6rd, and even 4in6. • Configurable Router Advertisement Daemon • Support for multiple internal subnets, with a different /64 prefix into each internal subnet. • Packet filtering controls for IPv6 traffic independent of controls for IPv4. • Independent control over all ICMPv6 messages • Dual-stack application layer proxies for the most common protocols (HTTP, SMTP, SIP, etc.)

  18. Typical IPv6 Devices Have Multiple Addresses • You will probably need MULTIPLE firewall or ACL policies for these extra networks within your organization.

  19. Firewalls (and Admins) Must Learn New Tricks

  20. ICMPv6
  • More powerful than ICMPv4
  • ICMPv6 uses IPv6 extension header # 58 (RFC 2463)
  • Type – Description
  • 1 – Destination Unreachable
  • 2 – Packet too Big
  • 3 – Time exceeded
  • 4 – Parameter problem
  • 128 – Echo Request
  • 129 – Echo Reply
  • 130 – Multicast Listener Query – sent to ff02::1 (all nodes)
  • 131 – Multicast Listener Report
  • 132 – Multicast Listener Done – sent to ff02::2 (all routers)
  • 133 – Router Solicitation (RS) – sent to ff01::2 (all routers)
  • 134 – Router Advertisement (RA) – sent to ff01::1 (all nodes)
  • 135 – Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104
  • 136 – Neighbor Advertisement (NA)
  • 137 – Redirect
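The "independent control over all ICMPv6 messages" called for on slide 17, applied to the message types listed on slide 20, as an added Python example that is not part of the presentation. It decodes the fixed IPv6 header and the ICMPv6 type/code of a raw packet, then applies a stateless policy of the kind a dual-stack gateway needs: error messages pass (Packet Too Big must never be dropped, because IPv6 routers do not fragment and path MTU discovery depends on it), Neighbor Discovery is accepted only with hop limit 255 as RFC 4861 requires, MLD only from a link-local source with hop limit 1, Router Advertisements only from an assumed set of trusted router link-local addresses, and Redirects are dropped. The TRUSTED_ROUTERS set, the sample packets and the 2001:db8::/32 addresses are constructed for this example; ICMPv6 checksums and extension-header chains are deliberately not handled.

```python
"""Added example (not from the slides): minimal ICMPv6 parser plus a
stateless filtering policy for the message types on slide 20."""
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NEXT_HEADER_ICMPV6 = 58  # ICMPv6 is carried with Next Header value 58

# Message types as listed on slide 20.
ICMPV6_TYPES = {
    1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
    4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
    130: "Multicast Listener Query", 131: "Multicast Listener Report",
    132: "Multicast Listener Done", 133: "Router Solicitation",
    134: "Router Advertisement", 135: "Neighbor Solicitation",
    136: "Neighbor Advertisement", 137: "Redirect",
}
ERROR_TYPES = {1, 2, 3, 4}
ECHO_TYPES = {128, 129}
MLD_TYPES = {130, 131, 132}
ND_TYPES = {133, 134, 135, 136, 137}


def parse_icmpv6(packet: bytes) -> dict:
    """Decode the fixed IPv6 header and the first bytes of the ICMPv6 header.

    Packets with extension headers before ICMPv6 are rejected rather than
    guessed at; a production filter would walk the whole header chain.
    """
    if len(packet) < IPV6_HEADER_LEN + 4:
        raise ValueError("truncated packet")
    first_word, _payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if next_header != NEXT_HEADER_ICMPV6:
        raise ValueError(f"next header {next_header} is not ICMPv6")
    return {
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "hop_limit": hop_limit,
        "type": packet[40],
        "code": packet[41],
    }


def icmpv6_verdict(packet: bytes, trusted_routers=frozenset()) -> tuple:
    """Return ("allow"|"drop", reason) for a raw IPv6 packet carrying ICMPv6.

    trusted_routers: link-local addresses of the legitimate routers on the link
    (an assumed, RA-guard style policy input for this example).
    """
    try:
        p = parse_icmpv6(packet)
    except ValueError as exc:
        return "drop", str(exc)
    t, src, hops = p["type"], p["src"], p["hop_limit"]
    name = ICMPV6_TYPES.get(t, "unknown")

    if t in ERROR_TYPES:
        # Blocking type 2 silently breaks path MTU discovery; IPv6 routers never fragment.
        return "allow", f"{name}: error message needed for PMTUD and diagnostics"
    if t in ECHO_TYPES:
        return "allow", f"{name}: permitted (rate limiting left to the firewall)"
    if t in MLD_TYPES:
        # MLD is link-local only: link-local source and hop limit 1 (RFC 2710/3810).
        if src.is_link_local and hops == 1:
            return "allow", f"{name}: valid link-local MLD"
        return "drop", f"{name}: MLD requires link-local source and hop limit 1"
    if t in ND_TYPES:
        # RFC 4861: Neighbor Discovery must arrive with hop limit 255, which
        # proves the packet was not forwarded by any router.
        if hops != 255:
            return "drop", f"{name}: hop limit {hops} != 255, not on-link"
        if t == 137:
            return "drop", f"{name}: Redirects are not accepted at the gateway"
        if t == 134 and (not src.is_link_local or src not in trusted_routers):
            return "drop", f"{name}: RA from untrusted source {src}"
        if t == 133 and not (src.is_link_local or src.is_unspecified):
            return "drop", f"{name}: RS source must be link-local or unspecified"
        # NS/NA may use any address of the sending interface; NS for duplicate
        # address detection legitimately uses the unspecified source (::).
        return "allow", f"{name}: valid on-link Neighbor Discovery"
    return "drop", f"type {t} ({name}): not in the permitted set"


def build_icmpv6_packet(src: str, dst: str, hop_limit: int, icmp_type: int, code: int = 0) -> bytes:
    """Construct a raw IPv6 packet with an ICMPv6 header (checksum left zero)."""
    body = bytes([icmp_type, code]) + b"\x00\x00" + b"\x00" * 4  # type, code, checksum, reserved
    header = struct.pack("!IHBB", 6 << 28, len(body), NEXT_HEADER_ICMPV6, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + body


# Constructed policy input and sample traffic (all addresses are illustrative).
TRUSTED_ROUTERS = frozenset({ipaddress.IPv6Address("fe80::1")})
SAMPLE_TRAFFIC = {
    "ns_dad": build_icmpv6_packet("::", "ff02::1:ff00:1", 255, 135),
    "ns_forwarded": build_icmpv6_packet("fe80::2", "ff02::1:ff00:1", 64, 135),
    "ra_trusted": build_icmpv6_packet("fe80::1", "ff02::1", 255, 134),
    "ra_untrusted": build_icmpv6_packet("fe80::2", "ff02::1", 255, 134),
    "packet_too_big": build_icmpv6_packet("2001:db8::1", "2001:db8:1::10", 60, 2),
    "redirect": build_icmpv6_packet("fe80::1", "fe80::9", 255, 137),
    "mld_report": build_icmpv6_packet("fe80::5", "ff02::16", 1, 131),
    "mld_bad_hop": build_icmpv6_packet("fe80::5", "ff02::16", 255, 131),
    "unknown_type": build_icmpv6_packet("2001:db8::1", "2001:db8:1::10", 64, 200),
}


def evaluate_all(traffic=SAMPLE_TRAFFIC, routers=TRUSTED_ROUTERS) -> dict:
    """Map each sample packet name to its verdict ("allow" or "drop")."""
    return {name: icmpv6_verdict(pkt, routers)[0] for name, pkt in traffic.items()}


if __name__ == "__main__":
    for pkt_name, pkt in SAMPLE_TRAFFIC.items():
        print(f"{pkt_name:15s} -> {icmpv6_verdict(pkt, TRUSTED_ROUTERS)}")
```

The point of the per-type branches is that an IPv4-style "block all ICMP" rule cannot be carried over: dropping types 133 to 136 leaves hosts unable to find their router or resolve neighbors, while the hop-limit and source checks are what let Neighbor Discovery be permitted without also accepting off-link forgeries.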

  21. THANK YOU Prof. Dr. Sureswaran Ramadass sures@nav6.usm.my www.nav6.usm.my
