Learn about the challenges and best practices for securing IPv6 networks. Understand the importance of IPsec, tunneling, and application security in IPv6 deployment. Explore the evolving landscape of IPv6 security tools and prepare for the future.
Securing IPv6
Ken Renard
WareOnEarth Communications, Inc
<kdrenard@wareonearth.com> <kdrenard@hpcmo.hpc.mil>

Commercial Security Tools
• “IPv6 support” has a wide spectrum of meaning
• “We support IPv6 and all its components per RFCs”
• “If you throw an IPv6 packet at us, we won’t crash”
• IPv6 is low priority with most vendors
• Firewall support has been slow
• Major vendors are now stepping up to the plate
• Limited tunneling support
• VPN products (IPsec-based)
• Yet to see one that supports or even acknowledges IPv6

Commercial Security Tools
• Operating Systems
• More Unixes are starting to support IPsec for IPv6
• Need to perform careful evaluation
• Few vendors have practical IPv6 experience or environment
• Products will mature as IPv6 adoption increases
• Obtain practical experience and discover full set of requirements
• Prepare yourself for growing pains

IPv6 Security -- Site Deployment
• Most sites set up test bed networks first
• Cannot get authorization to run on production networks
• Sites have valid security concerns
• Political
• “My agency requires brand-X firewall -- will it do v6?”
• Can I get system accredited?
• Technical
• Want to have full suite of IPv4 security tools for IPv6
• Need to monitor and police IPv6 traffic (Firewalls & IDS)

IPv6 Security -- Things to Look Out For...
• Increased use of tunneling
• Transition mechanisms
• 6to4, Teredo, ISATAP, etc...
• IPsec (IPv4, IPv6, VPN products)
• Potential back-door to internal network
• May bypass perimeter defenses (firewall, IDS, etc)
• Replicate perimeter defenses at tunnel endpoint
• Covert Channels
• IPv6 options have a wealth of covert channel opportunities
• Neighbor Discovery vulnerabilities
• An ARP by any other name...

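To police the transition mechanisms listed on this slide, a perimeter sensor first has to recognize IPv6 carried inside IPv4. The following classifier is an added example, not part of the original slides or any DREN tool; it assumes the standard markers (IP protocol 41, the 6to4 prefix 2002::/16, ISATAP interface IDs, Teredo UDP port 3544 and prefix 2001::/32), and the function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

SIX_TO_FOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
TEREDO_NET = ipaddress.ip_network("2001::/32")   # Teredo prefix (RFC 4380)
TEREDO_PORT = 3544                               # Teredo server UDP port
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # RFC 5214 interface IDs

def inner_addrs(data):
    """Return (src, dst) if data starts with an IPv6 header, else None."""
    if len(data) < 40 or data[0] >> 4 != 6:
        return None
    return ipaddress.IPv6Address(data[8:24]), ipaddress.IPv6Address(data[24:40])

def classify_tunnel(pkt):
    """Label an IPv4 packet that carries IPv6; None means no tunnel seen."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or ihl > len(pkt) or pkt[0] >> 4 != 4:
        return None
    proto, payload = pkt[9], pkt[ihl:]
    if struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:  # later fragment, no inner header
        return "proto41-fragment" if proto == 41 else None
    if proto == 41:  # IPv6 encapsulated directly in IPv4
        addrs = inner_addrs(payload)
        if addrs is None:
            return "proto41-malformed"
        if any(a in SIX_TO_FOUR for a in addrs):
            return "6to4"
        if any(a.packed[8:12] in ISATAP_IDS for a in addrs):
            return "isatap"
        return "6in4"
    if proto == 17 and len(payload) >= 8:  # UDP: Teredo by port or inner prefix
        sport, dport = struct.unpack("!HH", payload[:4])
        inner = inner_addrs(payload[8:]) or ()
        if TEREDO_PORT in (sport, dport) or any(a in TEREDO_NET for a in inner):
            return "teredo"
    return None

def sample_ipv4(proto, payload, frag=0):
    """Constructed test packet: minimal IPv4 header (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def sample_ipv6(src, dst):
    """Constructed 40-byte IPv6 header with no payload."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
```

A hit only says that a tunnel exists; the inner IPv6 packet still needs the same firewall and IDS policy as native traffic, which is the slide's point about replicating defenses at the tunnel endpoint.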
Application Security -- IPv6-enabling Applications
• Another Y2K exercise?
• Larger addresses all the way through
• From socket to log file -- make sure there’s enough space!
• Access Control Lists
• Harder to maintain IP-based ACLs (don’t use IP ACLs)
• Increased reliance on DNS
• IPv6 in DNS -- more prone to error? (don’t use DNS ACLs)
• Applications may not know about IPsec
• User-level security still required

IPv6 Security -- On the Increased Availability of IPsec
• “IPv6 is secure” -- most IPv6 literature
• Mostly based on requirement for IPsec
• “End-to-End security” at the Network Layer
• Departure from popular “perimeter defense” strategy
• IPsec is not a silver bullet. IPsec is not a silver bullet. IPsec...
• IPsec is more widely available for IPv4 today
• Are we using it?
• Are we using it wisely?
• End-to-End security requires...
• Authentication infrastructure (PKI?)
• Shift from perimeter defense model or re-define perimeter

IPv6 Security -- On the Increased Availability of IPsec
• IPsec is complex
• Policy generation can be tough
• IPsec tools are less than intuitive
• Vary greatly across OS
• Selecting appropriate mechanisms is daunting
• Encryption types, authentication types, modes, etc
• “Interoperable” implementations are just barely interoperable
• IPsec is a node-to-node security mechanism
• Do not try to solve user-level security with IPsec
• Applications may be unaware of IPsec protection

IPv6 Security -- On the Increased Availability of IPsec
• IPsec can be very useful...
• For securing routing protocol communication
• Host-level applications such as NFS
• Creating enclaves of securely-connected networks
• Generic remote access solution
• A “must” for IPv6 mobility
• Recommendations
• Authentication is VERY important -- do not ignore
• Authorization -- IPsec can bypass perimeter defenses
• IKEv2 promises reduced complexity

IPv6 Tools in the DREN
• Intrusion Detection Systems
• DoD Intrusion Detection made IPv6-aware
• snort-2.1.1 with IPv6 capabilities
• Authentication infrastructure
• Kerberos from MIT
• Secure Shell & PuTTY
• Other tools
• ssldump, kx509, libnids, tunnel detection

IPv6 Security -- To-Do List
• As a community, we need to improve IPv6 security tools and practices
• Product evaluation
• Share results and lots of details (http://www.moonv6.com/)
• IPv6-enabling security tools
• IDS, firewalls, authentication mechanisms
• Security scanners (Nessus, SAINT, etc)
• Make IPsec easier to use
• Educate ourselves and our people
• Refine policies to include IPv6 and possible shift in security paradigm

IPv6 Security -- To-Do List
• As a community, we need to improve IPv6 security tools and practices (continued)
• SeND -- Secure Neighbor Discovery
• Applications Security
• Mobile IPv6
• Authentication Infrastructure
• Multicast security