IPv6 Network Assessor
Susan Shareshian
Solutions Manager, Cisco Systems, Inc.
© 2005 Cisco Systems, Inc. All rights reserved.
Session Agenda
• Impetus Behind the Development Efforts
• Overview of the Network Assessor Tool
• Plans for the Future
Why are we moving to IPv6?
Business and Technical Reasons
• The Office of Management and Budget (OMB) is requiring all Federal agencies to transition their network backbones to IPv6 by June 2008
• IPv6 Enables New Services and Applications
• Many other countries are already well on their way to implementing IPv6
How Do We Get There from Here?
• IT Departments must include IPv6 as a core element of their IT strategy
• Applications must become IP version agnostic
• Education and careful planning are crucial
• Baseline and test any anticipated changes/installations
• IPv4 & IPv6 will coexist for the foreseeable future
• No D-Day / Flag Day
• Approximately 1/3 of the deployed desktop systems are ‘IPv6 capable’
• Service providers are deploying IPv6 now!
What’s the cost?
• Hardware Costs
– Short term: replace devices that don’t understand IPv6, or perhaps just a software upgrade
– Long term: normal lifecycle replacement as IPv6 becomes prevalent
– * Offering Dual-Stack uses more memory and processing power
• Software Costs
– Most “modern” hardware (routers, servers, clients) can be upgraded to support IPv6
– COTS applications are moving that way now
– Custom applications that make socket calls need to be made protocol agnostic
• Human Capital Costs associated with Training
– Cost to train an organization’s personnel to install, operate, maintain, and service IPv6 hardware and software
• Operational Costs of multiple IP environments
IPv6 Network Assessor
Cisco IPv6 Network Assessor Description
IPv6 Network Assessor is a standalone, portable tool that can inventory classified and nonclassified networks
• Identifies and polls selected devices and collects the data that indicates each device’s capability to support IPv6
• Provides observations and recommendations that may be used by the customer as guidelines for future design issues
• Assessment examines Cisco IOS® based routers and Catalyst® Operating System (CatOS) and IOS® based switches, and provides a general overview of the devices
• If more in-depth device evaluation is required, additional audits that provide device-specific information, such as the GSR audit, as well as audits that provide a baseline over time, are available as part of Cisco® Advanced Services
Cisco IPv6 Network Assessor Capability Reports
Results may be organized as follows:
• The device is currently capable of supporting IPv6 features; hardware and software upgrades are not required
• The device needs:
– IOS upgrade
– Flash memory upgrade
– Processor memory upgrade
– Both flash and processor memory upgrades
– Memory and IOS upgrades
• The device is not capable of supporting IPv6 services
• The analysis was unable to determine the device’s capability to support IPv6; further analysis is required
Cisco IPv6 capability assessments are designed to build a meaningful report on the network device capability to support IPv6
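Added example (not part of the original presentation and not the Cisco tool's code): one way an inventory record parsed from "show version" output could be mapped onto the report categories above. The thresholds in REQUIRED, the UNSUPPORTED platform name, and the sample output are constructed assumptions; the presentation gives no actual requirements.

```python
import re

# Hypothetical minimums for an IPv6-capable image; real values depend on
# platform and feature set and are not given in the presentation.
REQUIRED = {"ios": (12, 4), "dram_kb": 262144, "flash_kb": 32768}
# Placeholder for platforms assumed to have no IPv6-capable image at all.
UNSUPPORTED = {"EXAMPLE-LEGACY"}

# Constructed "show version" excerpt, not captured from a real device.
SAMPLE = """\
Cisco IOS Software, 2800 Software (C2800NM-IPBASE-M), Version 12.3(8)T, RELEASE SOFTWARE
Cisco 2811 (revision 53.51) with 118784K/12288K bytes of memory.
62720K bytes of ATA CompactFlash (Read/Write)
"""

def parse_show_version(text):
    """Extract platform, IOS major.minor, DRAM and flash (KB); None where absent."""
    ver = re.search(r"Version (\d+)\.(\d+)", text)
    mem = re.search(r"^[Cc]isco (\S+) .*with (\d+)K/(\d+)K bytes of memory", text, re.M)
    flash = re.search(r"^(\d+)K bytes of .*[Ff]lash", text, re.M)
    return {
        "platform": mem.group(1) if mem else None,
        "ios": (int(ver.group(1)), int(ver.group(2))) if ver else None,
        "dram_kb": int(mem.group(2)) + int(mem.group(3)) if mem else None,  # processor + I/O
        "flash_kb": int(flash.group(1)) if flash else None,
    }

def classify(inv, req=REQUIRED):
    """Map an inventory record onto the report categories listed above."""
    if None in inv.values():  # incomplete data must not be reported as capable
        return "Unable to determine; further analysis required"
    if inv["platform"] in UNSUPPORTED:
        return "Not capable of supporting IPv6 services"
    ios = inv["ios"] < req["ios"]
    flash = inv["flash_kb"] < req["flash_kb"]
    dram = inv["dram_kb"] < req["dram_kb"]
    if ios and (flash or dram):
        return "Memory and IOS upgrades"
    if ios:
        return "IOS upgrade"
    if flash and dram:
        return "Both flash and processor memory upgrades"
    if flash:
        return "Flash memory upgrade"
    if dram:
        return "Processor memory upgrade"
    return "Currently capable; no upgrades required"
```

A record with any field that could not be parsed falls into the "unable to determine" category rather than defaulting to capable, which matches the last report category on the slide.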
Cisco IPv6 Network Assessor
Components
• Native Windows Application
– Runs under:
– Windows XP Professional
– Windows 2000 Server
– Windows Server 2003
• Microsoft SQL Server Data Repository
– MSDE or SQL Server 2000 SP3a
– Local or Remote Installation
Key Features
• Discovery
– SNMP or Fingerprint
• Credentialed Inventory
– Telnet/SSH
• Exception Tracking and Reporting
• Extensive Operator Controllable Multi-Threading for Concurrent Processing
• IPv6 Capability Reports Query and Data Export Facility
Discovery
Fingerprinting
• Discovery
– One or more IP address ranges specified by the operator
– ICMP echo to determine if device exists
• Inventory
– IP port scans (a.k.a. port probes)
– Library of known device responses
– One or more “guesses”
– Reverse DNS lookup
• Security Requirements
– None
• Notes
– Will be detected and isolated by any customer intrusion detection software
SNMP Discovery
• Discovery
– One or more IP address ranges specified by the operator
• Inventory
– snmpget retrieves MIB-I data
• Security Requirements
– Read-only (public) SNMP community string
• Notes
– Devices will respond if and only if (IFF):
– Device exists
– SNMP Agent running
– Valid read-only community string
– Not IP address restricted
– Device will not respond unless ALL conditions above are satisfied
Credentialed Inventory
• Configure Settings
– Seed File Requirements
– Host List, Username & Password, Group Names….
– Importing Seed File into Settings with Import Wizard
• Building the Database
– Running multiple scans to collect every available target
– Using Exception Reporting to keep track of multiple scans
– Exporting Scan Status Reports
– How many scans are required to build a database
• Inventory
– Queries each Switch and/or Router by invoking a series of “show” commands
– Communication with target hosts via Telnet or SSH
• Security Requirements
– Username and Password with sufficient privileges to execute the “show” commands on the target
Plans for the Future
IPv6 Audit
• Local Audit capabilities – Multi Vendor
– 5 day or 7 day
– Trending, utilization, capacity
– IPv6 capability and recommendations
• Capture and Report IPv6 Capability of every device on the network
– Servers
– IP Phones
– Applications
IPv6 Services Practice
• IPv6 Migration and Assessment Services
– Certified Engineers
– Best Practices
– Tools
– Secure Facilities
– Documentation Repository
– Dedicated Engineering and Testing Facilities
• Next Phase of tool…….
– Security Assessments