20050503-IPv6-Renard


Securing IPv6
Ken Renard
WareOnEarth Communications, Inc
<[email protected]>
<[email protected]>
Commercial Security Tools
• “IPv6 support” has a wide spectrum of meaning
– “We support IPv6 and all its components per RFCs”
– “If you throw an IPv6 packet at us, we won’t crash”
• IPv6 is low priority with most vendors
• Firewall support has been slow
– Major vendors are now stepping up to the plate
– Limited tunneling support
• VPN products (IPsec-based)
– Have yet to see one that supports or even acknowledges IPv6
Commercial Security Tools
• Operating Systems
– More Unixes are starting to support IPsec for IPv6
• Need to perform careful evaluation
– Few vendors have practical IPv6 experience or environment
• Products will mature as IPv6 adoption increases
– Obtain practical experience and discover full set of requirements
– Prepare yourself for growing pains
IPv6 Security -- Site Deployment
• Most sites set up test bed networks first
– Cannot get authorization to run on production networks
• Sites have valid security concerns
– Political
• “My agency requires brand-X firewall -- will it do v6?”
• Can I get system accredited?
– Technical
• Want to have full suite of IPv4 security tools for IPv6
• Need to monitor and police IPv6 traffic (Firewalls & IDS)
IPv6 Security
Things to Look Out For...
• Increased use of tunneling
– Transition mechanisms
• 6to4, Teredo, ISATAP, etc...
– IPsec (IPv4, IPv6, VPN products)
– Potential back-door to internal network
• May bypass perimeter defenses (firewall, IDS, etc)
– Replicate perimeter defenses at tunnel endpoint
• Covert Channels
– IPv6 options have a wealth of covert channel opportunities
• Neighbor Discovery vulnerabilities
– An ARP by any other name...
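
The tunneling bullets above name 6to4, Teredo and ISATAP as paths around the perimeter. The following Python is an added example, not taken from the slides or from the DREN tunnel-detection tool, showing how a monitor can label IPv4 packets that carry those tunnels. The function names, labels and sample packets are constructed for illustration; the identifying values (IPv4 protocol 41, UDP port 3544, 2002::/16, the 5efe interface identifier) are the ones the transition mechanisms define.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # 6in4, 6to4 and ISATAP all ride in IPv4 protocol 41
PROTO_UDP = 17
TEREDO_PORT = 3544       # Teredo server port; peer/relay traffic on other ports is not caught
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # first half of the interface ID

def classify_tunnel(pkt: bytes):
    """Label an IPv4 packet that carries tunneled IPv6; return None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or struct.unpack("!H", pkt[6:8])[0] & 0x1FFF:
        return None  # bad header length, or a non-first fragment with no inner header
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return "teredo" if TEREDO_PORT in (sport, dport) else None
    if proto != PROTO_IPV6_IN_IPV4:
        return None
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return "proto41-malformed"  # still worth an alert: protocol 41 without valid IPv6
    inner = [ipaddress.IPv6Address(payload[o:o + 16]) for o in (8, 24)]
    if any(a in SIX_TO_FOUR for a in inner):
        return "6to4"
    if any(a.packed[8:12] in ISATAP_IIDS for a in inner):
        return "isatap"
    return "6in4"  # configured tunnel or another protocol-41 mechanism

def ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.7"):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0) + addrs + payload

def ipv6(src, dst):
    """Build a bare 40-byte IPv6 header (next header 59 = none)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "6to4": ipv4(41, ipv6("2002:c000:201::1", "2001:db8::1")),
    "isatap": ipv4(41, ipv6("fe80::5efe:c000:201", "fe80::5efe:c633:6407")),
    "6in4": ipv4(41, ipv6("2001:db8:1::1", "2001:db8:2::1")),
    "teredo": ipv4(17, struct.pack("!HHHH", 51000, 3544, 8, 0)),
}
```

Running `classify_tunnel` over traffic seen inside the perimeter gives the inventory of tunnel endpoints where the slide's "replicate perimeter defenses" advice applies.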
Application Security
IPv6-enabling Applications
• Another Y2K exercise?
• Larger addresses all the way through
– From socket to log file -- make sure there’s enough space!
• Access Control Lists
– Harder to maintain IP-based ACLs (don’t use IP ACLs)
• Increased reliance on DNS
– IPv6 in DNS -- more prone to error? (don’t use DNS ACLs)
• Applications may not know about IPsec
– User-level security still required
IPv6 Security
On the Increased Availability of IPsec
• “IPv6 is secure” -- most IPv6 literature
– Mostly based on requirement for IPsec
– “End-to-End security” at the Network Layer
• Departure from popular “perimeter defense” strategy
– IPsec is not a silver bullet. IPsec is not a silver bullet. IPsec...
• IPsec is more widely available for IPv4 today
– Are we using it?
– Are we using it wisely?
• End-to-End security requires...
– Authentication infrastructure (PKI?)
– Shift from perimeter defense model or re-define perimeter
IPv6 Security
On the Increased Availability of IPsec
• IPsec is complex
– Policy generation can be tough
– IPsec tools are less than intuitive
• Vary greatly across OS
– Selecting appropriate mechanisms is daunting
• Encryption types, authentication types, modes, etc
– “Interoperable” implementations are just barely interoperable
• IPsec is a node-to-node security mechanism
– Do not try to solve user-level security with IPsec
– Applications may be unaware of IPsec protection
IPv6 Security
On the Increased Availability of IPsec
• IPsec can be very useful...
– For securing routing protocol communication
– Host-level applications such as NFS
– Creating enclaves of securely-connected networks
– Generic remote access solution
– A “must” for IPv6 mobility
• Recommendations
– Authentication is VERY important -- do not ignore
– Authorization -- IPsec can bypass perimeter defenses
– IKEv2 promises reduced complexity
IPv6 Tools in the DREN
• Intrusion Detection Systems
– DoD Intrusion Detection made IPv6-aware
– snort-2.1.1 with IPv6 capabilities
• Authentication infrastructure
– Kerberos from MIT
– Secure Shell & PuTTY
• Other tools
– ssldump, kx509, libnids, tunnel detection
IPv6 Security
To-Do List
• As a community, we need to improve IPv6 security tools and practices
– Product evaluation
• Share results and lots of details (http://www.moonv6.com/)
– IPv6-enabling security tools
• IDS, firewalls, authentication mechanisms
• Security scanners (Nessus, SAINT, etc)
– Make IPsec easier to use
– Educate ourselves and our people
– Refine policies to include IPv6 and possible shift in security paradigm
IPv6 Security
To-Do List
• As a community, we need to improve IPv6 security tools and practices (continued)
– SeND -- Secure Neighbor Discovery
– Applications Security
– Mobile IPv6
• Authentication Infrastructure
– Multicast security
Discussion...