Transcript Slide 1
McAfee Security and IPv6
David LePage
Enterprise Solutions Architect – Network Security Business Unit, McAfee
May 17, 2009
Agenda
• Very brief overview of McAfee + Secure Computing
• IPv6 Overview
• McAfee Firewall Enterprise (Sidewinder)
• McAfee Web (SmartFilter)
• McAfee TrustedSource/URL Database
• McAfee Web Merge Tool
• Questions / Comments
McAfee Firewall Enterprise Sales Presentation
July 16, 2015
Confidential McAfee Internal Use Only
Did You Know?
McAfee Network Security Stats:
• Over $500M revenue, growing at 20%+
• Over 600 dedicated development staff
• 250 threat researchers in 23 countries
• Over 22,000 customers
• Over 400,000 appliances in service
• Over 2,500 network security partners
Recognized Product Line Leadership
Core to McAfee’s Total Security Strategy
Complete Protection, Fastest Time to Confidence
IPv6 Overview
A primary reason for the existence of IPv6 is address depletion in IPv4:
IPv4 = 32-bit addresses
111.1.1.200 = 01101111 00000001 00000001 11001000
4,294,967,296 (4.29 x 10^9) possible addresses
IPv6 = 128-bit addresses
fd4c:4547:4f53:111::200 (written out: fd4c:4547:4f53:0111:0000:0000:0000:0200) =
1111110101001100 0100010101000111 0100111101010011 0000000100010001
0000000000000000 0000000000000000 0000000000000000 0000001000000000
340,282,366,920,938,463,463,374,607,431,768,211,456 (3.4 x 10^38) possible addresses
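As an added example (not part of the McAfee deck), the following Python converts the two addresses on this slide into their full bit strings. It expands the "::" zero-compression by hand so that the 128-bit width is visible, rejects malformed input (more than one "::", over-wide groups, wrong group counts), and cross-checks the hand parser against the standard library. The addresses are the slide's; the function names are mine.

```python
# Added example, not from the McAfee deck: dotted-decimal IPv4 and colon-hex
# IPv6 text forms -> full bit strings, with "::" expansion done by hand.
import ipaddress
import re
from typing import List


def ipv4_to_bits(addr: str) -> str:
    """Dotted-decimal IPv4 -> 32-character bit string (4 x 8 bits)."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    bits = ""
    for o in octets:
        if not o.isdigit() or int(o) > 255:
            raise ValueError(f"bad octet {o!r} in {addr!r}")
        bits += format(int(o), "08b")
    return bits


def expand_ipv6(addr: str) -> List[int]:
    """Colon-hex IPv6 -> eight 16-bit group values.

    Implements the '::' rule of RFC 4291 section 2.2: at most one '::',
    standing for the run of zero groups needed to reach eight groups.
    Over-wide groups and wrong group counts are rejected; the embedded-IPv4
    form (::ffff:a.b.c.d) is not handled.
    """
    if addr.count("::") > 1:
        raise ValueError(f"more than one '::' in {addr!r}")

    def parse(part: str) -> List[int]:
        groups = []
        for g in (part.split(":") if part else []):
            if not re.fullmatch(r"[0-9a-fA-F]{1,4}", g):
                raise ValueError(f"bad group {g!r} in {addr!r}")
            groups.append(int(g, 16))
        return groups

    if "::" in addr:
        head, tail = addr.split("::")
        h, t = parse(head), parse(tail)
        missing = 8 - len(h) - len(t)
        if missing < 1:
            raise ValueError(f"'::' expands to nothing in {addr!r}")
        groups = h + [0] * missing + t
    else:
        groups = parse(addr)
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)} in {addr!r}")
    return groups


def ipv6_to_bits(addr: str) -> str:
    """Colon-hex IPv6 -> 128-character bit string (8 x 16 bits)."""
    return "".join(format(g, "016b") for g in expand_ipv6(addr))


def ipv6_canonical(addr: str) -> str:
    """Fully written-out form: eight zero-padded lowercase groups."""
    return ":".join(format(g, "04x") for g in expand_ipv6(addr))


def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand parser against the standard library."""
    return int(ipaddress.IPv6Address(addr)) == int(ipv6_to_bits(addr), 2)


if __name__ == "__main__":
    v4 = "111.1.1.200"                  # address from the slide
    print(v4, "=", ipv4_to_bits(v4), f"({len(ipv4_to_bits(v4))} bits)")
    v6 = "fd4c:4547:4f53:111::200"      # address from the slide
    print(v6, "=", ipv6_canonical(v6))
    print(ipv6_to_bits(v6), f"({len(ipv6_to_bits(v6))} bits)",
          "stdlib agrees:", matches_stdlib(v6))
```

The strict group validation matters on a security device: an address parser that silently accepts a second "::" or a five-digit group will produce a different address than the one the administrator wrote into a rule.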
IPv6 Conventions – The Interfaces
• IPv6 address types:
  – Loopback (::1)
  – Global unicast (2000::/3)
  – Unique local unicast (FC00::/7)
  – Link-local unicast (FE80::/10)
  – Multicast (FF00::/8)
  – Anycast (a unicast address assigned to more than one interface; not distinguishable by prefix)
• IPv6 host interface requirements (addresses every interface must recognise):
  – Loopback address
  – Link-local address
  – Unicast address(es)
  – All-nodes multicast address (FF02::1)
  – Solicited-node multicast address for each unicast address (FF02::1:FFxx:xxxx)
• Router requirements:
  – All IPv6 host interface requirements
  – Subnet-router anycast address (the subnet prefix with an all-zero interface ID)
  – All-routers multicast address (FF02::2)
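As an added example (not part of the McAfee deck), this Python classifies an address by the RFC 4291 prefixes on the slide and builds the set of addresses an interface must listen on, for a host and for a router, including the solicited-node group derived from each unicast address. The sample addresses are constructed (documentation prefix 2001:db8::/32); the function names are mine.

```python
# Added example, not from the McAfee deck: classify an IPv6 address by the
# RFC 4291 prefixes on this slide and list the addresses an interface must
# recognise (RFC 4291 section 2.8), for a host and for a router.
import ipaddress
from typing import Iterable, Set

_LOOPBACK = ipaddress.IPv6Address("::1")
_UNSPECIFIED = ipaddress.IPv6Address("::")
_TYPES = (
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),
    ("unique local unicast", ipaddress.IPv6Network("fc00::/7")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
)
UNICAST_TYPES = ("link-local unicast", "unique local unicast", "global unicast")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # ff02::1:ff00:0/104
ALL_NODES, ALL_ROUTERS = "ff02::1", "ff02::2"


def address_type(addr: str) -> str:
    """Type by prefix. Anycast cannot be told apart syntactically: it is a
    unicast address assigned to more than one interface (RFC 4291 section 2.6)."""
    a = ipaddress.IPv6Address(addr)
    if a == _LOOPBACK:
        return "loopback"
    if a == _UNSPECIFIED:
        return "unspecified"
    for name, net in _TYPES:
        if a in net:
            return name
    return "reserved/unassigned"


def solicited_node(addr: str) -> str:
    """RFC 4291 section 2.7.1: ff02::1:ffXX:XXXX where XX:XXXX are the low
    24 bits of the unicast address. Neighbor Discovery and Duplicate Address
    Detection send their Neighbor Solicitations to this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def required_addresses(unicast: Iterable[str], is_router: bool = False,
                       prefixes: Iterable[str] = ()) -> Set[str]:
    """Addresses a node must listen on: the host list on the slide plus the
    router additions. 'unicast' should include the interface's link-local address."""
    required = {str(_LOOPBACK), ALL_NODES}
    for u in unicast:
        if address_type(u) not in UNICAST_TYPES:
            raise ValueError(f"{u} is not a unicast address")
        required.add(str(ipaddress.IPv6Address(u)))
        required.add(solicited_node(u))
    if is_router:
        required.add(ALL_ROUTERS)
        for p in prefixes:
            # subnet-router anycast = the subnet prefix with an all-zero interface ID
            required.add(str(ipaddress.IPv6Network(p, strict=False).network_address))
    return required


if __name__ == "__main__":
    for a in ("::1", "fe80::1", "fd4c:4547:4f53:111::200", "2001:db8::1", "ff02::1"):
        print(f"{a:28} {address_type(a)}")
    print(sorted(required_addresses(["fe80::1", "2001:db8::1"],
                                    is_router=True, prefixes=["2001:db8::/64"])))
```

The practical point for a firewall: a rule set that permits only the configured unicast addresses will silently break Neighbor Discovery, because the multicast groups in this set (all-nodes, all-routers, solicited-node) also have to be allowed inbound on the interface.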
IPv6 Conventions – The Initial Allocations
• From http://www.iana.org/assignments/ipv6-address-space:
  – 2000::/3 (Global Unicast)
  – FC00::/7 (Unique Local Unicast)
  – FE80::/10 (Link Local Unicast)
  – FF00::/8 (Multicast)
• Allocation of Global Unicast address blocks at the time of the presentation (2009):
2001:0000::/23 IANA
2001:0200::/23 APNIC
2001:0400::/23 ARIN
2001:0600::/23 RIPE
2001:0800::/23 RIPE
2001:0A00::/23 RIPE
2001:0C00::/23 APNIC
2001:0E00::/23 APNIC
2001:1200::/23 LACNIC
2001:1400::/23 RIPE
2001:1600::/23 RIPE
2001:1800::/23 ARIN
2001:1A00::/23 RIPE
2001:1C00::/22 RIPE
2001:2000::/20 RIPE
2001:3000::/21 RIPE
2001:3800::/22 RIPE
2001:3C00::/22 RESERVED
2001:4000::/23 RIPE
2001:4200::/23 AfriNIC
2001:4400::/23 APNIC
2001:4600::/23 RIPE
2001:4800::/23 ARIN
2001:4A00::/23 RIPE
2001:4C00::/23 RIPE
2001:5000::/20 RIPE
2001:8000::/19 APNIC
2001:A000::/20 APNIC
2001:B000::/20 APNIC
2002:0000::/16 6to4
2003:0000::/18 RIPE
2400:0000::/12 APNIC
2600:0000::/12 ARIN
2610:0000::/23 ARIN
2620:0000::/23 ARIN
2800:0000::/12 LACNIC
2A00:0000::/12 RIPE
2C00:0000::/12 AfriNIC
Changes from IPv4 to IPv6
• NAT is no longer needed for address conservation; every host can be globally addressable again, so the firewall's stateful policy, not address hiding, is what protects internal hosts
• Network address configuration becomes automatic (-ish): stateless autoconfiguration from Router Advertisements, or DHCPv6
• Broadcast traffic goes away; link-scoped multicast (for example FF02::1, all-nodes) takes its place
• ARP goes away; Neighbor Discovery (RFC 2461, carried in ICMPv6) replaces it
• The IP header format changes to lower per-packet overhead on routers: a fixed 40-byte header, no header checksum, and options moved into a chain of extension headers
• Fragmentation by routers goes away; only the sending host fragments, using the Fragment extension header after Path MTU Discovery (RFC 1981), and every link must carry at least 1280 bytes
• Better (hierarchical) address allocation lowers BGP table overhead on the Internet's core routers
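As an added example (not part of the McAfee deck), the following Python parses the IPv6 fixed header and walks its extension-header chain, which is exactly the work a firewall has to do before it can see the transport ports. It makes three of the changes above concrete: the fixed 40-byte header with no checksum field, the Next Header chain in place of IPv4 options, and fragmentation carried in a Fragment extension header. The packets are constructed for the example (UDP checksums are left at zero rather than computed); the names are mine.

```python
# Added example, not from the McAfee deck: a minimal IPv6 fixed-header and
# extension-header chain parser, plus constructed packets to run it on.
import struct
from typing import Any, Dict

HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60   # extension headers walked here
TCP, UDP, ICMPV6, NO_NEXT = 6, 17, 58, 59
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}   # AH (51) uses 4-octet length units and is not handled
MAX_EXT_HEADERS = 8                                  # refuse absurd chains instead of looping


def parse_ipv6(pkt: bytes) -> Dict[str, Any]:
    """Walk the header chain and report what a stateless rule could match on."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    vtf, payload_len, nxt, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length exceeds packet")
    end = 40 + payload_len
    info: Dict[str, Any] = {"hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40],
                            "chain": [], "fragment": None}
    off = 40
    while nxt in EXT_HEADERS:
        if len(info["chain"]) >= MAX_EXT_HEADERS:
            raise ValueError("too many extension headers")
        if off + 8 > end:
            raise ValueError("truncated extension header")
        info["chain"].append(nxt)
        if nxt == FRAGMENT:
            # RFC 2460 section 4.5: fixed 8 bytes; offset in 8-octet units, M flag in bit 0
            nxt, _res, off_flags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            info["fragment"] = {"offset": (off_flags >> 3) * 8, "more": bool(off_flags & 1), "id": ident}
            off += 8
        else:
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            nxt, ext_len = pkt[off], pkt[off + 1]
            off += 8 + ext_len * 8
    if off > end:
        raise ValueError("header chain runs past the payload")
    info["upper_layer"] = nxt
    info["upper_offset"] = off
    # Only the first fragment carries the transport header; a later fragment
    # has no ports, so a stateless rule cannot classify it (reassemble or drop).
    first_or_whole = info["fragment"] is None or info["fragment"]["offset"] == 0
    info["ports_visible"] = nxt in (TCP, UDP) and first_or_whole and off + 4 <= end
    return info


def build_ipv6(src: bytes, dst: bytes, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """40-byte fixed header (version 6, zero traffic class/flow label) + payload. There is no checksum field."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload


def fragment_header(next_header: int, offset: int, more: bool, ident: int) -> bytes:
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    return struct.pack("!BBHI", next_header, 0, ((offset // 8) << 3) | int(more), ident)


# constructed sample traffic (documentation prefix 2001:db8::/32)
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)   # src port, dst port 53, length, checksum (not computed here)
# first fragment of a UDP datagram: the transport header is present
FIRST = build_ipv6(SRC, DST, FRAGMENT, fragment_header(UDP, 0, True, 0x1234) + UDP_HDR)
# last fragment at offset 1232 (1280 minimum MTU - 40 - 8): no transport header at all
LAST = build_ipv6(SRC, DST, FRAGMENT, fragment_header(UDP, 1232, False, 0x1234) + b"\x00" * 16)
# unfragmented packet with a Hop-by-Hop header (one PadN option) before UDP
HBH = struct.pack("!BB", UDP, 0) + b"\x01\x04" + b"\x00" * 4
PLAIN = build_ipv6(SRC, DST, HOPOPT, HBH + UDP_HDR)

if __name__ == "__main__":
    for name, p in (("FIRST", FIRST), ("LAST", LAST), ("PLAIN", PLAIN)):
        r = parse_ipv6(p)
        print(name, "chain", r["chain"], "upper", r["upper_layer"],
              "fragment", r["fragment"], "ports visible", r["ports_visible"])
```

The `ports_visible` result is the security-relevant output: a non-initial fragment can never be matched on ports, so a firewall must either reassemble before applying policy or treat such fragments explicitly, and a chain-length cap like `MAX_EXT_HEADERS` is what keeps a crafted packet from stalling the parser.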
Commonly understood IPv6 requirements
• Which requirements apply to McAfee Firewall Enterprise:
  – Section 2 ("Baseline Requirements")
  – Section 3.6 ("Security Device Requirements")
• Our read on the requirements:
  – Security devices do not have to meet the requirements placed on end nodes, routers or host systems
  – There are no transition requirements in the Security Device section
• Status:
  – First IPv6 support was completed and deployed at a customer site in March 2008 using a dual-stack approach
  – JITC certification was achieved for the McAfee Firewall Enterprise v7.0.1 platform in January 2009: http://jitc.fhu.disa.mil/apl/ipv6.html
  – See the following slides for details
General IPv6 functionality
• Sidewinder currently supports IPv6.
• IPv6 is currently supported for stateful inspection rules, DNS, ICMP (ICMPv6) and DHCP (DHCPv6).
• Sidewinder rules can be written using source or destination addresses based on IPv4, IPv6 or both, allowing flexible dual-stack deployment.
• Three different modes for interface configuration: static, stateless autoconfiguration and stateful autoconfiguration.
Information Assurance Device Requirements
Requirement                                                                    Response
RFC 1981: Path MTU Discovery for IPv6                                          Compliant
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification                    Compliant
RFC 2461: Neighbor Discovery for IPv6                                          Compliant
RFC 2462: IPv6 Stateless Address Autoconfiguration, or                         Compliant
RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
RFC 2462: IPv6 Stateless Address Autoconfiguration (Section 5.5)               Compliant
RFC 4007: IPv6 Scoped Address Architecture                                     Compliant
RFC 4193: Unique Local IPv6 Unicast Addresses                                  Compliant
Information Assurance Device Requirements (cont)
Requirement                                                                    Response
RFC 4291: IP Version 6 Addressing Architecture                                 Compliant
RFC 4443: Internet Control Message Protocol (ICMPv6)                           Compliant
RFC 2710: Multicast Listener Discovery (MLD) for IPv6                          Compliant
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks                  Compliant
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers (Dual Stack)  Compliant
IPv6 Security Requirements for VPN
Requirement                                                                    Response
All nodes MUST support IPsec Encapsulating Security Payload (ESP) with         Compliant (2H 2009)
3DES-CBC / AES-128-CBC / HMAC-SHA-1 transforms as defined in the following RFCs:
  § RFC 4301: Security Architecture for the Internet Protocol
  § RFC 4303: IP Encapsulating Security Payload (ESP)
  § RFC 4305: Cryptographic Algorithm Implementation Requirements for
    Encapsulating Security Payload (ESP) and Authentication Header (AH)
RFC 4308: Cryptographic Suites for IPsec                                       Compliant (2H 2009)
RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec         Compliant (2H 2009)
Encapsulating Security Payload (ESP)
IPv6 Security Requirements for VPN (cont)
Requirement                                                                    Response
All nodes MUST support manual keying                                           Compliant (2H 2009)
All nodes SHOULD support Authentication Header (AH). All AH implementations    Compliant (2H 2009)
MUST support SHA-1 as defined in:
  § RFC 4302: IP Authentication Header (AH)
  § RFC 4305: Cryptographic Algorithm Implementation Requirements for
    Encapsulating Security Payload (ESP) and Authentication Header (AH)
If a security device must distribute IP security policy information to         Compliant (2H 2009)
other devices, it SHOULD also implement:
  § RFC 3585: IPsec Configuration Policy Information Model
  § RFC 3586: IP Security Policy (IPSP) Requirements
IPv6 Security Requirements for VPN (cont)
Requirement                                                                    Response
All nodes SHOULD support automatic key management and exchange as defined in:  Compliant (2H 2009)
  § RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of
    Interpretation (DOI) for Internet Security Association and Key Management
    Protocol (ISAKMP)
  § RFC 4306: Internet Key Exchange (IKEv2) Protocol
  § RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange
    Version 2 (IKEv2)
Nodes that need to interoperate with current/legacy Internet Key Exchange      Compliant
(IKE) deployments SHOULD support the original IKE version, with the
algorithms in:
  § RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
  § RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
  § RFC 2409: The Internet Key Exchange (IKE)
  § RFC 4109: Algorithms for Internet Key Exchange Version 1 (IKEv1)
Note that the compliance statements refer to the RFC versions named in the profile at the time; several have since been superseded (RFC 2460 by RFC 8200, RFC 2461 by RFC 4861, RFC 2462 by RFC 4862, RFC 1981 by RFC 8201, RFC 4306 by RFC 7296, RFC 4305 by RFC 8221, RFC 4307 by RFC 8247), and the mandated 3DES-CBC and SHA-1 transforms are legacy algorithms in current IPsec profiles.
Configuring IPv6 on Sidewinder
• IPv6 has three different methods of configuring an interface:
1) Static address configuration
   • Set an IP address and prefix length by hand on the interface.
2) Stateless address autoconfiguration (SLAAC, RFC 2462)
   • Routers advertise the prefix and prefix length on the subnet in Router Advertisements.
   • The actual IPv6 address is formed from the advertised /64 prefix and a modified EUI-64 interface identifier derived from the MAC address (this embeds the hardware address in the IPv6 address; RFC 4941 privacy extensions substitute random identifiers on client systems).
   • Hosts are responsible for running Duplicate Address Detection (DAD) on the tentative address before using it.
   • SLAAC itself carries no service information: DNS server addresses come from the RA RDNSS option (RFC 5006) or from stateless DHCPv6 (RFC 3736); NTP has an assigned multicast group (FF0x::101) but is also commonly configured statically or via DHCPv6.
3) Stateful address autoconfiguration (DHCPv6, RFC 3315)
   • Routers still advertise the prefix and prefix length on the subnet, with the RA Managed (M) flag set so that hosts go to DHCPv6.
   • DHCPv6 servers (or relays) are contacted via the link-scoped multicast address FF02::1:2.
   • IP addresses (and options such as DNS servers) are assigned by the DHCPv6 server.
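As an added example (not part of the McAfee deck, and not Sidewinder configuration syntax), this Python shows how a host selects between the three modes above from the Router Advertisement flags (RFC 4861 section 4.2) and how SLAAC builds the address from the advertised /64 prefix and the MAC-derived modified EUI-64 interface identifier (RFC 4291 appendix A). The RA flag values and the MAC address are constructed inputs; the function names are mine.

```python
# Added example, not from the McAfee deck: RA-flag driven mode selection and
# SLAAC address formation from a /64 prefix and a MAC address.
import ipaddress

DHCPV6_SERVERS_AND_RELAYS = "ff02::1:2"   # RFC 3315 section 5.1: the group a client sends Solicit to


def config_mode(managed: bool, other: bool, has_prefix_info: bool) -> str:
    """Map the RA's M (managed) and O (other configuration) flags, and whether
    the RA carried a Prefix Information option with the A (autonomous) flag,
    to one of the three configuration modes."""
    if managed:
        return "stateful: addresses assigned by DHCPv6 (M=1)"                       # mode 3 on the slide
    if has_prefix_info and other:
        return "stateless: SLAAC address, DNS/NTP options from stateless DHCPv6 (RFC 3736)"
    if has_prefix_info:
        return "stateless: SLAAC address, DNS from the RA RDNSS option (RFC 5006) or static"
    if other:
        return "static: address by hand, options from stateless DHCPv6 (RFC 3736)"
    return "static: no RA prefix and no DHCPv6, configure the address by hand"       # mode 1 on the slide


def modified_eui64(mac: str) -> int:
    """48-bit MAC -> 64-bit interface identifier: invert the universal/local bit
    of the first octet and insert ff:fe in the middle. The resulting address
    embeds the hardware address (trackable across networks), which is why
    RFC 4941 privacy extensions replace it with a random identifier on clients."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """RFC 2462 section 5.5: a prefix is usable for SLAAC only if prefix length
    + interface ID length == 128, i.e. a /64 with a 64-bit EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC with an EUI-64 identifier needs a /64, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac)))


def link_local_address(mac: str) -> str:
    """Every interface forms fe80::/64 + interface ID before any RA is seen,
    and runs DAD on it, so link-local is present in all three modes."""
    return slaac_address("fe80::/64", mac)


if __name__ == "__main__":
    mac = "00:1b:21:3c:4d:5e"     # constructed MAC
    print("RA M=0 O=0 with prefix ->", config_mode(False, False, True))
    print("RA M=0 O=1 with prefix ->", config_mode(False, True, True))
    print("RA M=1                 ->", config_mode(True, False, True))
    print("link-local:", link_local_address(mac))
    print("SLAAC 2001:db8:1::/64:", slaac_address("2001:db8:1::/64", mac))
    print("DHCPv6 Solicit goes to", DHCPV6_SERVERS_AND_RELAYS)
```

Because the address is a deterministic function of the prefix and the MAC, anyone who knows a device's MAC can predict its SLAAC address on every network it joins; on a firewall or server that is usually acceptable (and useful for rules), on a client it is the reason to enable privacy extensions.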
McAfee SmartFilter brief overview
• SmartFilter is a URL content filter currently supported on multiple platforms, including the Sidewinder Firewall platform.
• SmartFilter on the Sidewinder platform is a native implementation, meaning that all functionality present in the standalone software versions is also available on the Sidewinder platform.
• SmartFilter leverages a world-class URL database which categorizes URL content against a predefined set of categories.
TrustedSource / URL Database
• It's more than just a URL filtering database.
• McAfee TrustedSource is a global threat correlation engine and intelligence base of global messaging and communication behavior, including reputation, volume and trends across email, web traffic and malware.
• TrustedSource has integrated the URL filtering categorizations and uses other information gathered from different threat vectors to categorize sites more accurately.
• The additional knowledge provided by TrustedSource data enables appliances and services to filter communications more accurately and to protect electronic communications and transactions between people, companies and countries.
• McAfee TrustedSource researchers work to ensure the safety and security of Internet communications from the firewall to the PDA, sharpening both the intelligence gathering and its applications.
Questions / Comments