IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6
|
|
|
- Isabella Rose
- 6 years ago
- Views:
Transcription
1 IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv Infoblox Inc. All Rights Reserved. 1
2 So many new security issues with IPv6! 2013 Infoblox Inc. All Rights Reserved. 2
3 Or are there 2013 Infoblox Inc. All Rights Reserved. 3
4 IPv6 Security issues Same problem, different name A few myths & misconceptions Actual new issues FUD (Fear Uncertainty & Doubt) 2013 Infoblox Inc. All Rights Reserved. 4
5 Round up the usual suspects! 2013 Infoblox Inc. All Rights Reserved. 5
6 Remember these? ARP cache poisoning P2p ping pong attacks Rogue DHCP 2013 Infoblox Inc. All Rights Reserved. 6
7 ARP cache poisoning Bad guy broadcasts fake ARP Hosts on subnet put bad entry in ARP Cache Result: MiM or DOS 2013 Infoblox Inc. All Rights Reserved. 7
8 Ping pong attack P2P link with subnet > /31 Bad buy sends packet for addr in subnet but not one of two routers Result: Link clogs with routers sending packet back and forth 2013 Infoblox Inc. All Rights Reserved. 8
9 Rogue DHCP Client broadcasts DHCP request Bad guy sends DHCP offer w/his bad router as default GW Client now sends all traffic to bad GW Result: MiM or DOS 2013 Infoblox Inc. All Rights Reserved. 9
10 Look similar? Neighbor cache corruption P2p ping pong attacks Rogue DHCP + rogue RA 2013 Infoblox Inc. All Rights Reserved. 10
11 Solutions? Lock down local wire /127s for p2p links (RFC 6164) RA Guard (RFC 6105) 2013 Infoblox Inc. All Rights Reserved. 11
12 And now for something completely different! 2013 Infoblox Inc. All Rights Reserved. 12
13 So what is new? Extension header chains Packet/Header fragmentation Predictable fragment headers Atomic fragments Tunnels 2013 Infoblox Inc. All Rights Reserved. 13
14 The IPv4 Packet 2013 Infoblox Inc. All Rights Reserved. 14
15 The IPv6 Packet 2013 Infoblox Inc. All Rights Reserved. 15
16 Fragmentation Minimum 1280 bytes Only source host can fragment Destination must get all fragments What happens if someone plays with fragments? 2013 Infoblox Inc. All Rights Reserved. 16
17 IPv6 Extension Header Chains No limit on length Deep packet inspection bogs down Confuses stateless firewalls Fragments a problem See RFC Infoblox Inc. All Rights Reserved. 17
18 Predictable Fragments Fragment Header ID field No requirement other than unique Some implementations predictable draft-gont-6man-predictable-fragment-id 2013 Infoblox Inc. All Rights Reserved. 18
19 Results of predicting ID Determine the packet rate Perform stealth port scans Uncover the rules of a number of firewalls Count the # of systems behind a middle-box Perform a Denial of Service (DoS) attack 2013 Infoblox Inc. All Rights Reserved. 19
20 Atomic Fragments Packet w/fragment Header but not fragmented Usually forced by forged Packet too big msg Fragments can overlap Results: various fragmentation attacks possible See RFC Infoblox Inc. All Rights Reserved. 20
21 Tunnels ACLs catch port/ip/protocol Some IPv6 tunnels don t use standard port/ip/protocol Signatures 2013 Infoblox Inc. All Rights Reserved. 21
22 Reality Most of these attacks are complicated Most attackers are lazy and will find easier vectors of attack But, there are toolsets out there: Beat on your vendors! 2013 Infoblox Inc. All Rights Reserved. 22
23 You re already running IPv Infoblox Inc. All Rights Reserved. 23
24 I m not using IPv6 Are you running: Windows 8, Server 2012, Vista or newer Windows clustering Mac OSX Any modern LINUX or FreeBSD 2013 Infoblox Inc. All Rights Reserved. 24
25 Guess again Congratulations, you re running IPv Infoblox Inc. All Rights Reserved. 25
26 Get used to it Test now Train your staff Beat on your vendors Monitor it, don t try to disable it 2013 Infoblox Inc. All Rights Reserved. 26
27 But everybody says 2013 Infoblox Inc. All Rights Reserved. 27
28 IPSEC: the myth IPSEC in IPv6 is better than IPv4 because it was designed in and mandated Infoblox Inc. All Rights Reserved. 28
29 IPSEC: the reality RFCs said MUST support IPSEC (but softening to SHOULD ) Didn t define support, let vendors do it Vendors shipped, didn t enable No PKI 2013 Infoblox Inc. All Rights Reserved. 29
30 IPv6 is HUGE! So big you can t scan it Unless you don t really use it 2013 Infoblox Inc. All Rights Reserved. 30
31 Use the space we have Give the whole /64 to DHCP pools Randomize address assignments across the whole /64 Avoid EUI-64 (draft-gont-6man-deprecateeui64-based-addresses) 2013 Infoblox Inc. All Rights Reserved. 31
32 It s the end of the world as we know it! 2013 Infoblox Inc. All Rights Reserved. 32
33 IPv6 will destroy the Internet! Apps will break Firewalls won t work ICMP is scary We don t understand it so it must be insecure 2013 Infoblox Inc. All Rights Reserved. 33
34 Apps Yes, you will need to test and possibly rewrite all your code You need to reach everyone, including mobile devices Most bad ideas also in IPv4 code 2013 Infoblox Inc. All Rights Reserved. 34
35 If it was wrong in IPv4 Hard coding IP addresses Not checking inputs/sizes Using relative DNS labels No longer have source Not tested since Y2K 2013 Infoblox Inc. All Rights Reserved. 35
36 Where to read more RIPE presentation: Making_an_application_fully_IPv6_compliant_(2).pdf 2013 Infoblox Inc. All Rights Reserved. 36
37 Firewalls won t work What do you do if your gear doesn t meet your needs? Beat on your vendors until it does But you need to know what to ask for 2013 Infoblox Inc. All Rights Reserved. 37
38 ICMP is scary, turn it off! ICMPv4 wasn t that scary ICMPv6 is much more tightly defined Read RFC Infoblox Inc. All Rights Reserved. 38
39 We don t understand it, so If someone is telling you that IPv6 is evil incarnate, it s because: They are a vendor that doesn t support IPv6 but their competitors do They are trying to sell you a security product 2013 Infoblox Inc. All Rights Reserved. 39
40 Test!!! 2013 Infoblox Inc. All Rights Reserved. 40
41 Know what you need And ask for it! Hold vendors to IPv6 support Use the USGv6 standard: Infoblox Inc. All Rights Reserved. 41
42 Q & A 2013 Infoblox Inc. All Rights Reserved. 42
43 Thank you! 2013 Infoblox Inc. All Rights Reserved. 43
IPv6: Problems above Layer 3 Paul Ebersman, IPv6 PLNOG10, Warsaw, 28 Feb 2013
IPv6: Problems above Layer 3 Paul Ebersman, IPv6 Evangelist pebersman@infoblox.com, @paul_ipv6 PLNOG10, Warsaw, 28 Feb 2013 2013 Infoblox Inc. All Rights Reserved. 1 Lots of Changes 2013 Infoblox Inc.
There are more layers than just layer 3 Paul Ebersman, IPv6 NANOG57, Orlando, FL (04-06 Feb 2013)
There are more layers than just layer 3 Paul Ebersman, IPv6 Evangelist pebersman@infoblox.com, @paul_ipv6 NANOG57, Orlando, FL (04-06 Feb 2013) 1 Lots of Changes 2 Cause the IETF likes change SLAAC vs
IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6
IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6 Evangelist @Paul_IPv6, pebersman@infoblox.com 2013 Infoblox Inc. All Rights Reserved. 1 So where are we? 2013 Infoblox Inc. All Rights Reserved.
IPv6 deployment for Enterprise/Sysadmins Paul NAv6 Summit 2013, Denver, Apr 2013
IPv6 deployment for Enterprise/Sysadmins Paul Ebersman pebersman@infoblox.com, @paul_ipv6 NAv6 Summit 2013, Denver, 17-19 Apr 2013 2013 Infoblox Inc. All Rights Reserved. 1 The only constant is change
IPv6 and IPv4: Twins or Distant Relatives
IPv6 and IPv4: Twins or Distant Relatives Paul Ebersman, IPv6 Evangelist NANOG54, San Diego (5-8 Feb 2012) 1 What you ll see immediately More addresses 340 undecillion Bigger, beefier addresses 2001:db8:dead:beef::1
Results of a Security Assessment of the Internet Protocol version 6 (IPv6)
Results of a Security Assessment of the Internet Protocol version 6 (IPv6) Fernando Gont DEEPSEC 2011 Conference Vienna, Austria, November 15-18, 2011 About... I have worked in security assessment of communication
SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann
SECURITY IN AN IPv6 WORLD MYTH & REALITY RIPE 68 Warsaw May 2014 Chris Grundemann WHO AM I? DO Director @ Internet Society CO ISOC Founding Chair RMv6TF Board NANOG PC NANOG-BCOP Chair IPv6 Author (Juniper
Network Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)
Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012) 1 Lots of Changes 2 Change is good Well, change is inevitable Many constraints
But we ve always done it this
But we ve always done it this way Paul Ebersman, IPv6 Evangelist UKNOF 23 London (09 Oct 2012) 1 Lots of Changes 2 Change is good Well, change is inevitable Many constraints from IPv4 now gone Bigger than
Security in an IPv6 World Myth & Reality
Security in an IPv6 World Myth & Reality DGI Washington D.C. August 2014 Chris Grundemann MYTH: IPv6 Has Security Designed In MYTH: IPv6 Has Security Designed In IPSEC IS NOT NEW IPsec exists for IPv4
IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016
IPv6 Security David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016 Outline MORE MATERIAL HERE THAN TIME TO PRESENT & DISCUSS (BUT SLIDES AVAILABLE FOR LATER REFERENCE) IPv6 security & threats
Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse
Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL 2011 2011 Marc Heuse Hello, my name is Basics Philosophy Vulnerabilities Vendor Responses & Failures Recommendations
IPv6 Security Fundamentals
IPv6 Security Fundamentals UK IPv6 Council January 2018 Dr David Holder CEng FIET MIEEE david.holder@erion.co.uk IPv6 Security Fundamentals Common Misconceptions about IPv6 Security IPv6 Threats and Vulnerabilities
Recent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant for SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
IPv6 Security Course Preview RIPE 76
IPv6 Security Course Preview RIPE 76 Alvaro Vives - Marseille - 14 May 2018 Overview IPv6 Security Myths Basic IPv6 Protocol Security (Extension Headers, Addressing) IPv6 Associated Protocols Security
IPv6 Security Safe, Secure, and Supported.
IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently
Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks
Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks Navaneethan C. Arjuman nava@nav6.usm.my National Advanced IPv6 Centre January 2014 1 Introduction IPv6 was introduced
IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery
IPv6- IPv4 Threat Comparison v1.0 Darrin Miller dmiller@cisco.com Sean Convery sean@cisco.com Motivations Discussions around IPv6 security have centered on IPsec Though IPsec is mandatory in IPv6, the
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo
IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines Merike Kaeo merike@doubleshotsecurity.com Current IPv6 Deployments Don t break existing IPv4 network Securing IPv6 Can t secure something
AN INTRODUCTION TO ARP SPOOFING
AN INTRODUCTION TO ARP SPOOFING April, 2001 Sean Whalen Sophie Engle Dominic Romeo GENERAL INFORMATION Introduction to ARP Spoofing (April 2001) Current Revision: 1.8 Available: http://chocobospore.org
IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC
IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC Lin Tao lintao850711@sina.com Liu Wu liuwu@cernet.edu.cn Duan Haixin dhx@cernet.edu.cn Sun Donghong sdh@cernet.edu.cn Abstract IPv6 is widely
Recent IPv6 Security Standardization Efforts. Fernando Gont
Recent IPv6 Security Standardization Efforts Fernando Gont Part I: Protocol Issues 2 IPv6 Addressing 3 Security & Privacy Analysis RFC 7721: Security and Privacy Considerations for IPv6 Address Generation
IPv6 Next generation IP
Seminar Presentation IPv6 Next generation IP N Ranjith Kumar 11/5/2004 IPv6 : Next generation IP 1 Network Problems Communication Problem Identification Problem Identification of Networks Logical Addressing
Insights on IPv6 Security
Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CISA, CCSP Senior Information & Network Security Consultant NXme FZ-LLC Information Security Researcher, PhD Candidate Stockholm University bilal@nxme.net
Recent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant for SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
Internetwork Expert s CCNA Security Bootcamp. Common Security Threats
Internetwork Expert s CCNA Security Bootcamp Common Security Threats http:// Today s s Network Security Challenge The goal of the network is to provide high availability and easy access to data to meet
IPv6 Security Considerations: Future Challenges
IPv6 Security Considerations: Future Challenges Prof. Sukumar Nandi Company LOGO Dept of Computer Sc. & Engg. Indian Institute of Technology Guwahati Agenda Outline Motivation for IPv6 Brief comparision
IPv6 Implementation Best Practices For Service Providers
IPv6 Implementation Best Practices For Service Providers Brandon Ross Chief Network Architect and CEO 2013 Utilities Telecom Council Network Utility Force www.netuf.net @NetUF RFC 6540 - IPv6 Support Required
Insights on IPv6 Security
Insights on IPv6 Security Bilal Al Sabbagh, MSc, CISSP, CCSP Senior Information & Network Security Consultant - NXme Information Security Researcher Stockholm University 10/9/10 NXme FZ-LLC 1 NIXU Middle
CSC 574 Computer and Network Security. TCP/IP Security
CSC 574 Computer and Network Security TCP/IP Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) Network Stack, yet again Application Transport Network
Recent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant at SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
ICS 451: Today's plan
ICS 451: Today's plan ICMP ping traceroute ARP DHCP summary of IP processing ICMP Internet Control Message Protocol, 2 functions: error reporting (never sent in response to ICMP error packets) network
DDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering
IPv6 Security Vendor Point of View Eric Vyncke, evyncke@cisco.com Distinguished Engineer Cisco, CTO/Consulting Engineering 1 ARP Spoofing is now NDP Spoofing: Threats ARP is replaced by Neighbor Discovery
Recent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security researcher and consultant at SI6 Networks Have worked on security assessment on communications protocols for: UK NISCC (National Infrastructure
IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011
IPv6 Associated Protocols Athanassios Liakopoulos (aliako@grnet.gr) 6DEPLOY IPv6 Training, Skopje, June 2011 Copy... Rights This slide set is the ownership of the 6DEPLOY project via its partners The Powerpoint
Security Considerations for IPv6 Networks. Yannis Nikolopoulos
Security Considerations for IPv6 Networks Yannis Nikolopoulos yanodd@otenet.gr Ημερίδα Ενημέρωσης Χρηστών για την Τεχνολογία IPv6 - Αθήνα, 25 Μαίου 2011 Agenda Introduction Major Features in IPv6 IPv6
Securing the Transition Mechanisms
Securing the Transition Mechanisms ITU/APNIC/MICT IPv6 Security Workshop 23 rd 27 th May 2016 Bangkok Last updated 30 th January 2016 1 Where did we leave off? p We ve just covered the current strategies
Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line
Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential
CS 457 Lecture 11 More IP Networking. Fall 2011
CS 457 Lecture 11 More IP Networking Fall 2011 IP datagram format IP protocol version number header length (bytes) type of data max number remaining hops (decremented at each router) upper layer protocol
Control Plane Protection
Control Plane Protection Preventing accidentally on purpose We really talking about making sure routers do what we expect. Making sure the route decision stays under our control. Layer 2 Attacks ARP injections
IPv6 Security awareness
IPv6 Security awareness By Musa Stephen HONLUE Trainer@AFRINIC Stephen.honlue@afrinic.net 04/12/2015' 1 Presentation Objectives! Create awareness of IPv6 Security implications.! Highlight technical concepts
Chapter 8 roadmap. Network Security
Chapter 8 roadmap 8.1 What is network security? 8.2 Principles of cryptography 8.3 Message integrity 8.4 Securing e-mail 8.5 Securing TCP connections: SSL 8.6 Network layer security: IPsec 8.7 Securing
20-CS Cyber Defense Overview Fall, Network Basics
20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter
Realities of IPv6 as the Future Network Layer TelecomNEXT March 21, 2006
Realities of IPv6 as the Future Network Layer TelecomNEXT March 21, 2006 Todd Underwood Chief Operations and Security Officer Introduction and Context Renesys provides Internet Intelligence services to
Recent Advances in IPv6 Security. Fernando Gont
Recent Advances in IPv6 Security Fernando Gont About... Security Researcher and Consultant at SI6 Networks Published: 20 IETF RFCs (9 on IPv6) 10+ active IETF Internet-Drafts Author of the SI6 Networks'
Actual4Test. Actual4test - actual test exam dumps-pass for IT exams
Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : GCFW Title : GIAC Certified Firewall Analyst Vendors : GIAC Version : DEMO Get Latest & Valid GCFW Exam's
EE 122 Fall 2010 Discussion Section III 5 October 2010
EE 122 Fall 2010 Discussion Section III 5 October 2010 http://www.cs.berkeley.edu/~alspaugh/ee122/fa10/ Question 1: IP Header This is the IPv4 header structure we will need for the problems Kisco Inc.
Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,
Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure
ECE 435 Network Engineering Lecture 23
ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 30 November 2017 HW#11 will be posted Announcements Don t forget projects next week Presentation
Security Concerns With Tunneling draft-ietf-v6ops-tunnel-security-concerns-00
Security Concerns With Tunneling draft-ietf-v6ops-tunnel-security-concerns-00 Dave Thaler Suresh Krishnan Jim Hoagland IETF 72 1 Status Formerly draft-ietf-v6ops-teredo-securityconcerns-02.txt Most points
Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview
Internetwork Expert s CCNA Security Bootcamp Mitigating Layer 2 Attacks http:// Layer 2 Mitigation Overview The network is only as secure as its weakest link If layer 2 is compromised, all layers above
Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.
Internet Layers Application Application Transport Transport Network Network Network Network Link Link Link Link Ethernet Fiber Optics Physical Layer Wi-Fi ARP requests and responses IP: 192.168.1.1 MAC:
Filtering Trends Sorting Through FUD to get Sanity
Filtering Trends Sorting Through FUD to get Sanity NANOG48 Austin, Texas Merike Kaeo merike@doubleshotsecurity.com NANOG 48, February 2010 - Austin, Texas 1 Recent NANOG List Threads ISP Port Blocking
IPv6 Specifications to Internet Standard
IPv6 Specifications to Internet Standard Bob Hinden, Ole Trøan 6MAN chairs 1 Requirements for Internet Standard (RFC6410) There are at least two independent interoperating implementations with widespread
M0n0wall and IPSEC March 20, 2004 Version 1.1 Francisco Artes
M0n0wall and IPSEC March 20, 2004 Version 1.1 Francisco Artes falcor@netassassin.com Preface:... 2 Audience:... 2 Assumptions:... 2 Subnetting and VLAN routing:... 3 VPN tunnels between two IPSEC VPN concentrators:...
ARP Inspection and the MAC Address Table
This chapter describes how to customize the MAC address table and configure ARP Inspection for bridge groups. About, page 1 Default Settings, page 2 Guidelines for, page 2 Configure ARP Inspection and
IPv6 Neighbor Discovery (ND) Problems with Layer-2 Multicast State
DRAFT IPv6 Neighbor Discovery (ND) Problems with Layer-2 Multicast State Jeff Wheeler jsw@inconcepts.biz The Problem MLD-snooping is much like IGMP-snooping but for IPv6 It keeps unnecessary multicast
When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009
Packet Sniffers INFO 404 - Lecture 8 24/03/2009 nfoukia@infoscience.otago.ac.nz Definition Sniffer Capabilities How does it work? When does it work? Preventing Sniffing Detection of Sniffing References
ECE 435 Network Engineering Lecture 14
ECE 435 Network Engineering Lecture 14 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 October 2018 Announcements HW#6 was due HW#7 will be posted 1 IPv4 Catastrophe 2 Out of
Chapter 5. Security Components and Considerations.
Chapter 5. Security Components and Considerations. Technology Brief Virtualization and Cloud Security Virtualization concept is taking major portion in current Data Center environments in order to reduce
CSE Computer Security
CSE 543 - Computer Security Lecture 19 - Network Security November 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Big picture Abstract Introduction Results Summary Background Problem Description/Finalized
IPv6 Security Issues and Challenges
IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012 IPv6 TO MIGRATE OR NOT TO MIGRATE? It s not an option. Either
Tomáš Podermański, Matěj Grégr,
Tomáš Podermański, tpoder@cis.vutbr.cz Matěj Grégr, igregr@fit.vutbr.cz Agenda Current status of IPv6 deployment at BUT IPv6 problems to solve Addressing First hop security User tracking and accounting
CSC 4900 Computer Networks: Network Layer
CSC 4900 Computer Networks: Network Layer Professor Henry Carter Fall 2017 Chapter 4: Network Layer 4. 1 Introduction 4.2 What s inside a router 4.3 IP: Internet Protocol Datagram format 4.4 Generalized
ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1
ARP, IP, TCP, UDP CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1 IP and MAC Addresses Devices on a local area network have IP addresses (network layer) MAC addresses (data
IPv6 Security: Threats and Mitigation
IPv6 Security: Threats and Mitigation Eric Vyncke, Distinguished Engineer @evyncke Agenda Debunking IPv6 Myths Shared Issues by IPv4 and IPv6 Specific Issues for IPv6 Extension headers, IPsec everywhere,
ECE 435 Network Engineering Lecture 23
ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 4 December 2018 Announcements HW#9 graded Don t forget projects next week Presentation schedule
CYBER ATTACKS EXPLAINED: PACKET SPOOFING
CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service
The Layer-2 Insecurities of IPv6 and the Mitigation Techniques
The Layer-2 Insecurities of IPv6 and the Mitigation Techniques Eric Vyncke Cisco, Consulting Engineering Distinguished Engineer evyncke@cisco.com Eric.Vyncke@ipv6council.be 2012 Cisco and/or its affiliates.
Packet Header Formats
A P P E N D I X C Packet Header Formats S nort rules use the protocol type field to distinguish among different protocols. Different header parts in packets are used to determine the type of protocol used
*Performance and capacities are measured under ideal testing conditions using PAN-OS.0. Additionally, for VM
PA-820 PA-500 Feature Performance *Performance and capacities are measured under ideal testing conditions using PAN-OS.0. Additionally, for VM models please refer to hypervisor, cloud specific data sheet
It's the economy, stupid: the transition from IPv4 to IPv6
It's the economy, stupid: the transition from IPv4 to IPv6 Amsterdam, 20 february 2013 Iljitsch van Beijnum Today's topics IPv4 is running out Why IPv6 is cool Address configuration Issues with choices
A Framework for Optimizing IP over Ethernet Naming System
www.ijcsi.org 72 A Framework for Optimizing IP over Ethernet Naming System Waleed Kh. Alzubaidi 1, Dr. Longzheng Cai 2 and Shaymaa A. Alyawer 3 1 Information Technology Department University of Tun Abdul
Securing IPv6 Networks: ft6 & friends. Oliver Eggert, Simon Kiertscher
Securing IPv6 Networks: ft6 & friends Oliver Eggert, Simon Kiertscher Our Group 2 Outline IPv6 Intrusion Detection System Project IPv6 Basics Firewall Tests FT6 (Firewall test tool for IPv6) 3 IPv6 Intrusion
Homework 3 Discussion
Homework 3 Discussion Address Resolution Protocol (ARP) Data Link Layer Network Layer Data Link Layer Network Layer Protocol Data Unit(PDU) Frames Packets Typical Device Switch/Bridge Router Range Local
STEVEN R. BAGLEY PACKETS
STEVEN R. BAGLEY PACKETS INTRODUCTION Talked about how data is split into packets Allows it to be multiplexed onto the network with data from other machines But exactly how is it split into packets and
CSCI 680: Computer & Network Security
CSCI 680: Computer & Network Security Lecture 15 Prof. Adwait Nadkarni Fall 2017 Derived from slides by William Enck and Micah Sherr 1 Grading Class Participat ion and Quizzes 10% Grade Breakdown Homewo
ELEC5616 COMPUTER & NETWORK SECURITY
ELEC5616 COMPUTER & NETWORK SECURITY Lecture 17: Network Protocols I IP The Internet Protocol (IP) is a stateless protocol that is used to send packets from one machine to another using 32- bit addresses
The Layer-2 Security Issues and the Mitigation
The Layer-2 Security Issues and the Mitigation Techniques Eric Vyncke Cisco Distinguished Engineer evyncke@cisco.com Eric.Vyncke@ipv6council.be Eric.Vynce@ulg.ac.be 2012 Cisco and/or its affiliates. All
TD#RNG#2# B.Stévant#
TD#RNG#2# B.Stévant# En1tête#des#protocoles#IP# IPv4 Header IPv6 Extensions ICMPv6 s & 0...7...15...23...31 Ver. IHL Di Serv Packet Length Identifier flag O set TTL Checksum Source Address Destination
A Study of Two Different Attacks to IPv6 Network
IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 19, Issue 5, Ver. IV (Sep.- Oct. 2017), PP 66-70 www.iosrjournals.org A Study of Two Different Attacks to IPv6
A novel design for maximum use of public IP Space by ISPs one IP per customer
A novel design for maximum use of public IP Space by ISPs one IP per customer 6/20/2018 Jim McNally, James Lopeman Plusten Mark Steckel Citywisper Abstract This paper outlines a new design for ISP networks
*Performance and capacities are measured under ideal testing conditions using PAN-OS 8.0. Additionally, for VM
VM-300 VM-200 VM-100 Feature Performance *Performance and capacities are measured under ideal testing conditions using PAN-OS 8.0. Additionally, for VM models please refer to hypervisor, cloud specific
Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?
Lab1 Definition of Sniffing: A program or device that captures vital information from the network traffic specific to a particular network. Passive Sniffing: It is called passive because it is difficult
Wireless Network Security
Wireless Network Security Why wireless? Wifi, which is short for wireless fi something, allows your computer to connect to the Internet using magic. -Motel 6 commercial 2 but it comes at a price Wireless
Max sessions (IPv4 or IPv6) 500, , ,000
PA-3060 PA-3050 PA-3020 Feature Performance App-ID firewall throughput 4 Gbps 4 Gbps 2 Gbps Threat prevention throughput 2 Gbps 2 Gbps 1 Gbps IPSec VPN throughput 500 Mbps 500 Mbps 500 Mbps Connections
OSI Data Link & Network Layer
OSI Data Link & Network Layer Erkki Kukk 1 Layers with TCP/IP and OSI Model Compare OSI and TCP/IP model 2 Layers with TCP/IP and OSI Model Explain protocol data units (PDU) and encapsulation 3 Addressing
Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
ARP Inspection and the MAC Address Table for Transparent Firewall Mode
ARP Inspection and the MAC Address Table for Transparent Firewall Mode This chapter describes how to customize the MAC address table and configure ARP Inspection for bridge groups. About ARP Inspection
CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers
CSC 6575: Internet Security Fall 2017 Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers Mohammad Ashiqur Rahman Department of Computer Science College of Engineering Tennessee
A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art
2015 IEEE 2015 International Conference on Computer, Communication, and Control Technology (I4CT 2015), April 21-23 in Imperial Kuching Hotel, Kuching, Sarawak, Malaysia A Review on ICMPv6 Vulnerabilities
IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land
IPv6 1 IPv4 & IPv6 Header Comparison IPv4 Header IPv6 Header Ver IHL Type of Service Total Length Ver Traffic Class Flow Label Identification Flags Fragment Offset Payload Length Next Header Hop Limit
Address Resolution Protocol (ARP), RFC 826
Address Resolution Protocol (ARP), RFC 826 Prof. Lin Weiguo Copyleft 2009~2017, School of Computing, CUC Sept. 2017 ARP & RARP } Note: } The Internet is based on IP addresses } Data link protocols (Ethernet,
Welcome to PHOENIX CONTACT Routing
Welcome to PHOENIX CONTACT Routing Kevin Speed Phoenix Contact kspeed@phoenixcon.com Need for Cyber Security in the Industrial World Hacks, attacks, broadcast storms, etc. happen every day. Not just an
CSc 466/566. Computer Security. 18 : Network Security Introduction
1/81 CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:57:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian Collberg
Selected Network Security Technologies
Selected Network Security Technologies Petr Grygárek rek Agenda: Security in switched networks Control Plane Policing 1 Security in Switched Networks 2 Switch Port Security Static MAC addresses assigned
Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration
[ 59 ] Section 4: We have now covered the basic configuration and delved into AAA services on the ASA. In this section, we cover some of the more advanced features of the ASA that break it away from a
Rocky Mountain IPv6 Summit April 9, 2008
Rocky Mountain IPv6 Summit April 9, 2008 Introduction to the IPv6 Protocol Scott Hogg GTRI - Director of Advanced Technology Services CCIE #5133, CISSP 1 IPv6 Header IPv4 Header 20 bytes IPv6 Header, 40