© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v2.0 7-1
Security Issues in IPv6: Discussing Security Issues in an IPv6 Transition Environment

Transcript:


Dual-Stack Issues
- A node may be poorly protected on IPv6 even when it is well protected on IPv4.
- A node's IPv6 address may be discovered via an IPv4 scan.
- The IPv4 and IPv6 links may have different security levels.
[Figure: dual-stack Host A (.25 / ::25) and Host B on a :DB8:8904:A23B::/64 segment; the IPv4 path runs with IPsec, the IPv6 path with no IPsec, and the attacker reaches Host A over IPv6.]

Transition Mechanism Challenges: Inability to Inspect Tunneled Packets
- Firewalls typically have no visibility into the payload of a tunneled packet.
[Figure: packet layout IPv4 Header | IPv6 Header | IPv6 Payload (includes Layer 4 headers and data). To an IPv4 firewall the IPv4 payload, that is the entire IPv6 packet, is opaque and not available for inspection; the same payload is available for inspection by an IPv6 firewall after decapsulation.]

Transition Mechanism Challenges (Cont.): 6to4 Firewall Solution
[Figure: 6to4 site, IPv6-in-IPv4 tunnel, IPv4 firewall (no deep packet inspection) passing the IPv4 tunnel packets through, IPv6 firewall inspecting the decapsulated IPv6 traffic on the IPv6 side.]

Transition Mechanism Challenges (Cont.): ISATAP Firewall Solution
- In both the 6to4 and ISATAP firewall solutions, no packets arrive at the IPv6 transition device without inspection: the IPv4 firewall filters the outer tunnel packets, and the IPv6 firewall inspects the decapsulated IPv6 traffic.
[Figure: ISATAP host on IPv4, IPv4 firewall, IPv6-in-IPv4 tunnel, IPv6 firewall on the IPv6 side.]

Transition Mechanism Challenges (Cont.): Use of IPsec
- Prevalent use of IPsec by internal hosts (peer-to-peer) means that edge devices and firewalls cannot inspect ESP-encrypted payloads.
[Figure: IPv6 Header (Next Header = 50 = ESP) | ESP Header | Encrypted Headers and Payload | ESP Trailer; everything after the ESP header is opaque to the IPv6 firewall.]

Transition Mechanism Challenges (Cont.): IPv6 Manual Tunnels from Edge Devices
[Figure: an IPv4-only edge router (s0/0, tun0) passes only IP protocol 41 through a manually configured IPv6-in-IPv4 tunnel to the dual-stack site router (s0/0, tun0); 6to4 packets arriving from the 6to4 relay are discarded.]

Tunnel Security Issues: 6to4
- A 6to4 relay receives a valid 6to4 IPv4 packet from a real 2002:v4addr::/48 site and an invalid, generated 6to4 IPv4 packet from a hacker with a packet generator. Unless the relay checks that the IPv4 address embedded in the inner 2002: source matches the outer IPv4 source, it forwards both into the IPv6 Internet.
[Figure: IPv6 Internet, 6to4 relays, a 2002:v4addr::/48 site sending a valid 6to4 IPv4 packet, and a hacker with a packet generator sending an invalid, generated 6to4 IPv4 packet.]
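The three tunnel slides above (an IPv4 firewall cannot see inside protocol 41, ESP inside the tunnel is opaque even to an IPv6 firewall, and a 6to4 relay must not trust generated packets) share one mechanism, so here is one added example, not code from the Cisco course, that does at an IPv4 border what the slides say a plain IPv4 firewall cannot: decapsulate the 6in4 packet, read the inner IPv6 header, and validate a 2002: source against the outer IPv4 source and a bogon list. All packets and addresses are constructed for illustration (documentation ranges; 192.88.99.1 is the 6to4 relay anycast address).

```python
"""Inspect IPv6-in-IPv4 (IP protocol 41) tunnel traffic at an IPv4 border.

Added example, not from the Cisco course. Sample packets below are constructed.
"""
import ipaddress
import struct

PROTO_6IN4 = 41          # 6to4, ISATAP and manual tunnels all use IP protocol 41
NH_TCP, NH_UDP, NH_ESP, NH_ICMPV6 = 6, 17, 50, 58
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
# IPv4 sources a 6to4 relay must never accept (constructed RFC 3964-style list)
BOGONS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left at zero because nothing here verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header followed by the payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]),
            pkt[9], pkt[ihl:])


def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload) from an IPv6 packet; raise if it is not one."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("payload is not a complete IPv6 header")
    return (ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40]),
            pkt[6], pkt[40:])


def embedded_v4(addr6):
    """6to4 addresses are 2002:V4ADDR::/48; the IPv4 address sits in bytes 2..5."""
    return ipaddress.IPv4Address(addr6.packed[2:6])


def inspect(pkt):
    """Classify one IPv4 packet seen at the border: (verdict, reason)."""
    src4, dst4, proto, payload = parse_ipv4(pkt)
    if proto != PROTO_6IN4:
        return "pass-ipv4", f"protocol {proto}: ordinary IPv4 policy applies"
    try:
        src6, dst6, nh, _ = parse_ipv6(payload)
    except ValueError as err:
        return "drop", f"protocol 41 but {err}"
    if src6 in SIX_TO_FOUR:
        # Bind the inner 6to4 source to the outer IPv4 source; otherwise anyone with a
        # packet generator can inject traffic on behalf of any 6to4 site.
        if embedded_v4(src6) != src4:
            return "drop", f"6to4 source {src6} does not embed outer source {src4}"
        if any(src4 in net for net in BOGONS):
            return "drop", f"6to4 packet from unroutable IPv4 source {src4}"
    if nh == NH_ESP:
        return "pass-opaque", f"{src6} -> {dst6} carries ESP: Layer 4 cannot be inspected"
    if nh in (NH_TCP, NH_UDP, NH_ICMPV6):
        return "pass-inspect", f"{src6} -> {dst6} next header {nh}: apply IPv6 policy"
    return "drop", f"inner next header {nh} not permitted"


# Constructed sample packets (198.51.100.7 is c6.33.64.07, hence 2002:c633:6407::/48)
SAMPLES = {
    "plain_tcp": build_ipv4("198.51.100.7", "192.0.2.10", NH_TCP, b"\x00" * 20),
    "valid_6to4": build_ipv4("198.51.100.7", "192.88.99.1", PROTO_6IN4,
                             build_ipv6("2002:c633:6407::1", "2001:db8::1", NH_TCP, b"\x00" * 20)),
    "spoofed_6to4": build_ipv4("198.51.100.7", "192.88.99.1", PROTO_6IN4,
                               build_ipv6("2002:a00:1::1", "2001:db8::1", NH_TCP, b"\x00" * 20)),
    "bogon_6to4": build_ipv4("10.0.0.1", "192.88.99.1", PROTO_6IN4,
                             build_ipv6("2002:a00:1::1", "2001:db8::1", NH_TCP, b"\x00" * 20)),
    "esp_in_tunnel": build_ipv4("198.51.100.7", "192.88.99.1", PROTO_6IN4,
                                build_ipv6("2002:c633:6407::1", "2001:db8::1", NH_ESP, b"\x00" * 16)),
    "truncated": build_ipv4("198.51.100.7", "192.88.99.1", PROTO_6IN4, b"\x60\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} {inspect(pkt)}")
```

The "pass-opaque" verdict is the practical point of the ESP slide: once the inner next header is 50, the best an inspecting device can do is policy on addresses and on which peers are allowed to speak ESP at all; it cannot reach Layer 4.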

Tunnel Security Issues (Cont.): Teredo
- Teredo requires outbound UDP.
- In the enterprise, all outbound UDP traffic should be denied by default, with specific UDP services allowed to specific Internet sites. Teredo servers listen on UDP port 3544, but a client can be pointed at any port, so the default deny matters more than a port match.
- Other security issues exist; all of them can be partially mitigated and most of them are not new.
[Figure: Teredo client behind an IPv4 NAT reaching a Teredo server across the Internet.]
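An added example, not code from the Cisco course, for the Teredo slide: it decodes the Teredo address format (server, NAT type flag, and the XOR-obfuscated mapped port and client IPv4), unwraps the optional Teredo indication headers so the inner IPv6 packet can be classified, and applies the slide's outbound UDP rule. The server 192.0.2.45, client 198.51.100.7, allow list and flows are constructed.

```python
"""Decode Teredo addresses and apply a default-deny outbound UDP policy.

Added example, not from the Cisco course. Addresses, allow list and flows are constructed.
"""
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380 Teredo service prefix
TEREDO_UDP_PORT = 3544                               # port Teredo servers listen on


def decode_teredo(addr):
    """Return (server_ipv4, cone_flag, mapped_port, mapped_client_ipv4), or None if not Teredo.

    Layout: 2001:0000 | server IPv4 | flags | port XOR 0xFFFF | client IPv4 XOR 0xFFFFFFFF.
    The XOR keeps NATs from rewriting the embedded values; it is not secrecy, so anyone who
    sees the address learns the client's public mapping.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    b = a.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return server, bool(flags & 0x8000), port, client


def encode_teredo(server, cone, port, client):
    """Inverse of decode_teredo; used here to build test addresses."""
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + (0x8000 if cone else 0).to_bytes(2, "big")
              + (port ^ 0xFFFF).to_bytes(2, "big")
              + bytes(x ^ 0xFF for x in ipaddress.IPv4Address(client).packed))
    return ipaddress.IPv6Address(packed)


def teredo_inner_ipv6(udp_payload):
    """Strip the optional authentication and origin indications; return the IPv6 packet or None."""
    p = udp_payload
    if len(p) >= 4 and p[:2] == b"\x00\x01":      # authentication indication
        id_len, au_len = p[2], p[3]
        p = p[4 + id_len + au_len + 8 + 1:]       # client id, auth value, 8-byte nonce, confirmation byte
    if p[:2] == b"\x00\x00":                      # origin indication: obfuscated port and IPv4 of the peer
        p = p[8:]
    return p if len(p) >= 40 and p[0] >> 4 == 6 else None


def udp_egress_verdict(dst_ip, dst_port, allow_list):
    """The slide's enterprise rule: deny outbound UDP unless (site, port) is explicitly allowed."""
    if (dst_ip, dst_port) in allow_list:
        return "permit"
    if dst_port == TEREDO_UDP_PORT:
        return "deny-teredo"
    return "deny-default"


# Constructed policy and flows
ALLOW_LIST = {("192.0.2.53", 53), ("192.0.2.123", 123)}
FLOWS = [("192.0.2.53", 53), ("192.0.2.45", 3544), ("198.51.100.9", 443)]

if __name__ == "__main__":
    addr = encode_teredo("192.0.2.45", True, 40000, "198.51.100.7")
    print(addr, decode_teredo(addr))
    for ip, port in FLOWS:
        print(ip, port, udp_egress_verdict(ip, port, ALLOW_LIST))
```

The point of decoding rather than just blocking port 3544 is detection: a Teredo address seen in logs, DNS answers or an inner IPv6 header tells you which Teredo server the host talks to and what its NAT mapping is, which is how the tunnel is traced back to the client.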

NAT-PT Security Issues
- IPsec cannot run through NAT-PT.
- Applications that embed IPv4 addresses in their payload, such as FTP, where the PORT command announces the address and port at which the client will listen for the data connection, depend on NAT-PT rewriting that payload; with ESP encryption the translator can neither see nor rewrite it.
[Figure: IPv6-only network | NAT-PT | IPv4-only network. Upper flow: IPsec peers, with IPsec/ESP-encrypted IPv4 packets (source port 40000, destination port 23; the IPv4 addresses are not legible in the figure) translated into IPv6 packets s=[2001:db8::30]:1000, d=[2001:db8::40]:23. Lower flow: FTP client on the IPv4 side and FTP server on the IPv6 side, TCP FTP with embedded v4 addresses, PORT command "client will listen for data at" the advertised address and port.]
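As an added example, not code from the Cisco course, the following shows both halves of the NAT-PT slide: the FTP application-level gateway rewriting a client's IPv4 PORT command into an EPRT command the IPv6 server can act on, and the IPsec integrity check that fails as soon as a translator changes a protected byte. The NAT-PT /96 mapping prefix 2001:db8:ffff::/96, the client 192.0.2.10 and the peer key are constructed; the keyed MAC stands in for the ESP/AH integrity check value.

```python
"""FTP through NAT-PT: the ALG rewrite, and why IPsec-protected payload defeats it.

Added example, not from the Cisco course. Prefix, addresses and key are constructed.
"""
import hashlib
import hmac
import ipaddress
import re

NATPT_PREFIX = ipaddress.IPv6Network("2001:db8:ffff::/96")   # /96 prefix mapping IPv4 hosts into IPv6
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def map_v4_to_v6(v4):
    """NAT-PT view of an IPv4 host: the IPv4 address in the low 32 bits of the mapping prefix."""
    return ipaddress.IPv6Address(int(NATPT_PREFIX.network_address) + int(ipaddress.IPv4Address(v4)))


def translate_port_command(payload):
    """FTP ALG on the translator: PORT h1,h2,h3,h4,p1,p2 -> EPRT |2|<mapped v6>|<port>| (RFC 2428).

    Without this rewrite the IPv6 server would try to open the data connection to an IPv4
    address it cannot reach. Payload that is not a PORT command is returned unchanged.
    """
    m = PORT_RE.match(payload)
    if not m:
        return payload
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    port = p1 * 256 + p2
    return f"EPRT |2|{map_v4_to_v6(f'{h1}.{h2}.{h3}.{h4}')}|{port}|\r\n".encode()


def icv(key, protected_bytes):
    """Stand-in for the ESP/AH integrity check value: a keyed MAC over the protected bytes."""
    return hmac.new(key, protected_bytes, hashlib.sha256).digest()


def receiver_accepts(key, payload, tag):
    """The IPsec peer recomputes the ICV; any byte the translator changed makes this fail."""
    return hmac.compare_digest(icv(key, payload), tag)


def natpt_forward(payload, tag, key):
    """Translator in the path: rewrite, then report whether the IPsec peer would accept the result."""
    rewritten = translate_port_command(payload)
    return rewritten, receiver_accepts(key, rewritten, tag)


if __name__ == "__main__":
    key = b"constructed-peer-key"
    cmd = b"PORT 192,0,2,10,156,64\r\n"          # client will listen for data at 192.0.2.10:40000
    out, ok = natpt_forward(cmd, icv(key, cmd), key)
    print(out, "accepted by IPsec peer:", ok)
```

With ESP the situation is worse than the check shows: the payload is encrypted, so the regex never matches and the PORT command is forwarded untouched, leaving the IPv6 server with an unreachable IPv4 address. Either way the data connection fails, which is the slide's point that IPsec and NAT-PT do not coexist.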

ICMP Traffic Requirements
[Figure: inside, DMZ and outside zones with closely managed ICMP. Inside: IPv6 client/peer and resident home agents. DMZ: proxy and DMZ servers. Outside: visiting mobile nodes, mobile nodes (away) and the Internet server/peer.]

Summary
- Dual stack may lead to an uneven security posture at Layer 3: one for IPv4 and one for IPv6.
- Firewalls cannot inspect the payload of packets carried by IPv6 transition tunnels.
- When IPsec is used, edge devices cannot inspect ESP-encrypted payloads.
- Tunneling can compromise perimeter security.
- IPsec will not run through NAT-PT.
- When configuring edge packet filtering, deny all by default and permit only the needed functions.
