Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

Transcription

1 Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM

2 Introduction With the exponential growth of smart phones, tablets, and other network-enabled devices, global adoption of the Internet Protocol version 6 (IPv6) protocol is no longer a question of Is it going to impact my network?, rather, What is our organization s strategy for IPv6?. The transition to this new IP address format has introduced difficult challenges for organizations dependent upon the security of their critical IT networks. The rapid expansion of unplanned and unmonitored IPv6-enabled systems in IPv4- only networks is greatly increasing the attack surface presented by those infrastructures Unfortunately, most network security products, including firewalls and intrusion detection systems, still lack the comprehensive security capabilities necessary to fully inspect and filter native and tunneled IPv6 traffic. Salient CRGT delivers powerful next-generation IPv6 cyber security protection through its Assure6i product line designed to detect and prevent malicious attacks on any network. Assure6i provides features to safely secure or eliminate native IPv6 traffic. In addition, Assure6i identifies and prevents covert IPv6 traffic tunneling through existing (IPv4) networks, enabling a safe and seamless transition to IPv6. Background Celebrated with a World IPv6 Launch day on June 6, 2011, IPv6 is rapidly replacing its legacy predecessor, IPv4. Adoption has been swift: in June 2008, a mandate issued by the President s Office of Management and Budget (OMB) requires next-generation IP connectivity over the backbone networks of all federal agencies. Recently, Google s IPv6 statistics show 11% global IPv6 deployment. Despite the growing use of IPv6, numerous vendors of security appliances do not support IPv6 or are not feature-comparable with IPv4. IPv6 introduces many vulnerable attack surfaces due to the plethora of new transition technologies. IPv4 attacks are complex, but many cyber security devices understand and protect against most of the legacy attacks. New IPv6 attack surfaces include dual-stack (using both IPv6 alongside IPv4 on the same host), IPv6 transition technologies such as encapsulated IP packets or tunnels, IPv6 extension headers, and the base IPv6 header. Many of these attack vectors have already far exceeded the levels of sophistication of most security tools currently available on the market. Page 1

3 Undetected IPv6 Traffic It is an often unknown and/or overlooked configuration vulnerability that many, if not all, modern operating systems enable IPv6 by default. The operating systems may even have transition technologies installed and available for the host. Transition technologies enable the host to use IPv6 over IPv4 by utilizing an IPv6-to-IPv4 translation or IPv6 over IPv4 configurations. Most modern operating systems prefer native IPv6 over IPv4 to help promote IPv6 adoption. The preference of IPv6 ensures that the host sends data over an IPv6 network before using the IPv4 network. Many enterprises believe their network is IPv4-only. Since they only configure IPv4 routing and assign only IPv4 addresses, the belief leads them to disregard providing security for IPv6. In an enterprise where IPv4-only networks are assumed, many IPv6 threat vectors could be successfully carried out without any detection. In a book on IPv6 security in 2008, Eric Vyncke and Scott Hogg state the following: The main issue with dual-stack hosts is that IPv6 is enabled by default on several recent operating systems (notably Microsoft Vista and some Mac OS X and Linux versions), and an IPv6 security policy is not always enforced because naive or unaware security officers neglect this IPv6 migration. In such a case, the security officer establishes a strict and well-understood security policy for the IPv4 network that is well configured and enforced. The security officer is unaware of IPv6 and/or ignores the IPv6 network, failing to configure or enforce a security policy. The latter point is quite dangerous because even if a network does not run IPv6, dual-stack hosts are open to local IPv6 attacks. Vyncke, Eric; Hogg, Scott ( ). IPv6 Security (Kindle Locations ). Cisco Press. Kindle Edition. Today s network security devices must achieve parity for both IPv6 and IPv4 networks. Until all vendors upgrade their devices to achieve complete parity, network administrators must become aware of the unseen and invisible networks running within their enterprise. Using Deep Packet Inspection (DPI) technology, Assure6i can recognize and discover either native or tunneled IPv4 and IPv6 traffic, de-encapsulate and inspect it for known attacks, and enforce policy rules across each packet layer. By default, the de-encapsulation process supports up to four levels of tunneled traffic, applying the same set of rules to each encapsulated packet. Assure6i responds to network events by generating alert data and optionally dropping traffic as specified by policy. Assure6i will provide a complete view of IPv6 traffic on the network and close the IPv6 security gap currently existing on many enterprise networks. Covert Communication In an IPv4 environment, malicious payloads are typically contained within the application layer. Possibilities exist for hiding data in the IPv4 options fields, but there is limited bit space to be entirely useful. The introduction of IPv6 has created several effective ways to hide data within the packet. Covert channels can be exploited using IPv6 packet header fields (flow label), flexible extension headers, or tunnels. Flow Label The flow label is a new packet header field introduced with IPv6. Currently, several web services, such as google search, use this field to load-balance their servers. A standard algorithm for flow label generation doesn t currently exist, and each service has their own implementation. The flow label is essentially an unverifiable field with excellent potential as a command and control covert channel. Additionally, it can be used to covertly exfiltrate data. Using common Linux command line tools such as split and cat, a hacker could chunk and send data to a remote server which would then reconstruct the data into the original format. In this scenario, Assure6i is used to verify the flow label field is enforced with zero values where appropriate. Covert communication utilizing the IPv6 flow label field is effectively detected and eliminated. Page 2

4 Extension Headers Extension headers are optional headers designed to add additional features to IPv6 when needed. However, the flexibility and loose enforcement of valid options described by RFC 2460 opens routers and hosts to attack. Extension headers can be used for covert channels, data exfiltration and denial of service attacks. IPv6 extension headers are not strictly constrained by the guidance in RFC The RFC instructs IP stacks to ignore options it does not recognize or headers that are out of order to reduce conflicts between various implementations. Extension headers are variable in size and therefore can contain a near limitless amount of data which can be exploited very efficiently for data exfiltration. Many security tools do not properly calculate and enforce correct padding or provide firewall functions to block unknown or unwanted extension header types. Abusing the recommended extension header order provides the ability to bypass signature based security tools which cannot protect against the number of possible extension header order permutations. Enterprise networks should be aware of which applications require specific extension headers to deploy security tools which properly inspect their formatting and limit their use. The Assure6i sensor inspects the entire packet for extension headers that are chained improperly, incorrectly formatted or which are blocked from being received on the network. It checks for suspicious corner cases such as data contained after No Next Header identifiers. Assure6i provides detection routines to ensure that the extension headers do not allow a rogue covert channel or extension header abuse to exist. Tunnels The effort to transition from IPv4 to IPv6 has introduced many types of tunneling mechanisms to foster the adoption of IPv6 and enhance network interoperability. A tunnel can be configured in routers to move native IPv6 traffic from one network to another over a IPv4-only backbone. This would allow an enterprise to use IPv6 internally between physically different locations for example. A tunnel can also be initiated by the client (i.e. desktop) through relay services widely available on the internet. Both transition strategies increase the attack surface of the IP stack and create complexity for IT administrators. Many enterprise networks do not have the tools required to correctly configure and secure a network from tunneling mechanisms. Many IT administrators do not believe IPv6 is traversing their network because their either never configured IPv6 or do not have tools which can accurately detect IPv6 traffic either natively or within tunnels. They essentially ignore the possibility that IPv6 is already configured out of the box. The belief and assumption of security based on the lack of configuration is unsafe. As shown below, the IETF released RFC 6169 which discusses automatic tunneling mechanisms and the importance of the network administrator s oversight. Of the plethora of tunneling mechanisms that have so far been standardized and widely implemented, the so-called automatic tunneling mechanisms (such as Teredo, ISATAP, and 6to4) are of particular interest from a security standpoint, since they might be employed without prior consent or action of the user or network administrator. UDP based tunnels are particularly dangerous because they can be the hardest to lockdown. They are typically used to punch holes through a firewall to connect to a IPv6 relay service. Two commons protocols such as Teredo and TSP do not need to conform to the documented configurations in the RFC and could utilize any UDP port to initiate the connection to the relay service. UDP based tunnels could be configured to use popular and usually open ports such as 53 (DNS) or 80 (HTTP) or seemingly random ports such as Many security devices do not have the processing resources or intelligence necessary to identify tunneling protocols on obscure ports. Deep packet inspection of all traffic crossing a security boundary is required. The Assure6i sensor Page 3

5 inspects all packets it receives for numerous types of tunneled IPv6 protocols and can be configured to drop those that are not specified in the policy. Embedded IPv6 headers, similarly to the native IPv6 headers, are inspected according to policy rules. The transition to IPv6 is not simple for large networks. IPv6 capable security tools, network administrator training and security practices usually take time to be established and mature. Assure6i can help identify IPv6 traffic currently in use and effectively block any IPv6 traffic attempting to transverse the enterprise network. This feature allows organizations the ability to enforce organizational goals for the transition to IPv6. Given the versatile nature of IPv6 tunnels, Assure6i is the only way to secure IPv6 traffic across the enterprise. ICMPv6 IPv6 introduces ICMPv6 to facilitate the use of IPv6 across the internet and on the local network. ICMPv6 replaces ARP for neighbor discovery, routing configuration and identification of MTU issues on a network link. For security purposes, many enterprises broadly block ICMP in IPv4. It is highly recommended that ICMPv6 is not blocked in enterprise environments, but ICMPv6 requires careful configuration and continual inspection to use safely. Stateless address auto-configuration (SLAAC) is new with IPv6. The SLAAC process automates the configuration of a link local network address and then attempts to find a router to get a global network address. IPv6 does not require a DHCP server, and SLAAC provides a way for hosts to obtain a local and network address. It is important to note, networks without a configured router advertising the global address range can still communicate over the local network. SLAAC utilizes ICMPv6 to set up addressing. If ICMPv6 is not monitored, a rogue router could be established by an intruder. Since native IPv6 traffic is preferred over IPv4, all traffic will flow through the rogue router effectively allowing both eavesdropping and man-in-the-middle attack vectors. ICMPv6 can introduce various methods for conducting DoS attacks. For example, in 2014 Windows Server 2012 was patched to fix an IPv6 Router Advertisement DoS attack which would cause the server to crash. Though patched, the resolution is not perfect. Windows Server 2012 will still freeze while the attack is in progress. Ironically, many of the same security issues IPv4 ARP has endured will also test ICMPv6. Verification of proper formatting and reasonable packet size constraints for ICMPv6 is required to ensure the validity of the packet. Assure6i supports proper ICMPv6 formatting by providing flexible rule definitions to routing messages on the network. Assure6i can enforce ICMPv6 type and code level filtering for proper and safe utilization of IPv6 features. Conclusion Cyber security continues to be a top business and government concern. With the exponential growth of smart phones, tablets, and other network-enabled devices, we have an Internet of Everything. The global adoption of the IPv6 protocol is no longer a question of Is it going to impact my network? The concern now is, What is our organization s strategy for IPv6? How will you manage the growth and the possible exposure that the IPv6 infrastructure brings? IPv6 is in world-wide-use and growing. Securing the IPv6 enterprise is becoming increasingly more complex. Salient CRGT addresses IPv6 vulnerabilities through its Assure6i product line. Using DPI technology, Assure6i can easily recognize tunneled IPv4 and IPv6 traffic, de-encapsulate the traffic, inspect it for known threats, and enforce policy rules across each tunnel layer. The Assure6i platform is the only deep packet inspection intrusion detection system that provides comprehensive protection against IPv6 security threats that target your business functionality or agency mission. Page 4