Friday 13 th May :30-12:15

1 IPv6 Promised Role in Mitigating Cyber Attacks: Really it's Time! Friday 13th May, :30-12:15. Alaa AL-Din Al-Radhi, IPv6 & Cyber Security: Consultant Engineer, Practitioner, Networker & Trainer; IPv6 Forum Jordan Chapter President. alradhi2000@yahoo.ca, alaalradhi@hotmail.com. Friday, May 13, 2011 Alaa Al-Din Al-Radhi 1

2 Outline:
- IPv6 Security Basic Issues
- Common IPv4 & IPv6 Security Concerns
- IPv6 Transition Threats
- IPv6 Security Techies
- IPv6 Security Road-Map & How-To Wrap-Up

3 IPv4 Addresses Finished: Sorry, We are closed!!

4 Why now:
- NAT layers for IP shortages
- Too many security attacks
- Current ISP (Internet Service Provider) challenges
- Mobility
- Convergence
- Congestion & delay

5 IPv6 Security Basic Issues

6 The ONLY real security a person can have in this world = a reserve of knowledge, intent, experience, ability & action. There is NO fixed answer; ONLY possible solutions!

7 Security Characteristics & Process: IPv6 will restore the CIA model.

8 Output Objective: Sieving Malicious Traffic (figure). Stages: Packet Filtering (filters: IPs, ports, flags, etc.); Anti-Spoofing; Learning & Statistical Analysis (layers 3-7); HTTP Analysis & Authentication; TCP; Others; High-level protocols: anomaly behavior, etc.

9 Security incidents are a normal part of an ISP's operations (security life cycle, figure):
- Security Policy
- Secure Resources: firewall, encryption, authentication, audit
- Monitor & Respond: intrusion detection, work the incident
- Test, Practice, Drill: vulnerability scanning
- Manage & Improve: post mortem, analyze the incident, modify the plan / procedures

10 Identify & Evaluate Risk Assessments (figure): security breaches, penetration, likelihood; across AAA, remote staff, the ISP's backbone, the NOC and office staff.

11 Complete Security Life Cycle (figure)

12 8 Security Dimensions for Network Vulnerabilities (What / Goal / How):
- Access Control. Goal: ensures access by authorized personnel & devices only; protects against unauthorized use. How: simple log-in / password, ACL, IDS.
- Authentication. Goal: confirms the identity of communicating entities (e.g., end-users, network elements, etc.); provides assurance of an entity. How: digital certificates, digital signatures, SSL.
- Non-Repudiation. Goal: prevents denial by an entity of actions that have taken place; ensures availability of evidence that an event has occurred. How: logs, access control, digital signatures.
- Data Confidentiality. Goal: protects against unauthorized data access. How: encryption (3DES, AES), access control lists, file permissions.
- Communication Security. Goal: ensures authorized information flow; ensures information is NOT intercepted. How: VPNs (IPSec, L2TP), MPLS tunnels.
- Data Integrity. Goal: ensures data content can NOT be manipulated by an unauthenticated entity; ensures information accuracy. How: IPSec, anti-virus software.
- Availability. Goal: network availability; disaster recovery solutions. How: FW, IDS / IPS, backup & business continuity.
- Privacy. Goal: information protection. How: encryption of IP headers (IPSec).

13 ISP Security Breakdowns Checklists. Zones: Endpoints; CPE; Access / Perimeter; Aggregation & Distribution; Backbone / Core.
- Endpoints: device integrity + device and user AAA + host firewall (e.g. Black Ice) + OS patches + AV + hardening + file system encryption + vulnerability scanning
- CPE / Access / Perimeter: L3 filtering, L3 DDoS mitigation, L2 security (firewall, AAA, device integrity) + URL filtering + IDS (host/network based)
- Aggregation & Distribution: device integrity + route authentication + stateful / stateless firewall + crypto + L3 filtering + L3 DDoS mitigation + L3 spoof mitigation
- Backbone / Core: device integrity + route authentication

14 What is Needed: IPv6 End-to-End Secure Communications (figure). IPv4 site-to-site secure communications: private address segments at Branch A and Branch B behind NAT, IPsec between routers (R) across the IPv4 Internet (secure transmission only between the routers); low security in the LAN segments; low interoperability between different vendors. IPv6 end-to-end secure communications: global address segments, secure transmission from node to node across the IPv6 Internet (Branch A, Branch B, partner company); easy to set up a new connection.

15 Motivations for IP Layer Security
1. The Internet community has developed some application-specific security mechanisms: Kerberos for client / server authentication; PGP, PEM or S/MIME for security; SSL for secure web access.
2. So, we need to provide security at the IP layer: IPSec, with the following benefits: implemented at the IP layer, all traffic can be secured, NO matter what application; IPSec in a firewall can NOT be bypassed if the firewall is the only connection between intranet & extranet; transparent to applications: NO changes to upper-layer software; provides routing security.

16 IPv6: Header Structure. Simple header with a fixed length of 40 bytes. 6 optional extension headers, used when needed: 1. Hop-by-Hop Options header; 2. Routing header; 3. Fragment header; 4. Destination Options header; 5. Authentication Header (AH); 6. Encapsulating Security Payload (ESP) header. Each extension header is identified by the Next Header field in the preceding header.

17 IPv6: Header Structure (figure): the 40-byte IPv6 header followed by the upper-layer PDU; with the Jumbo Payload option the upper-layer PDU can exceed the normal payload length.

18 IPv6: Header Structure, Next Header values: Hop-by-Hop = 0; UDP = 17; Encapsulated (IPv6) Header = 41; RSVP = 46; IPSec Encapsulating Security Payload = 50; Authentication Header = 51; ICMPv6 = 58; No Next Header = 59; Destination Options = 60; OSPFv3 = 98.

19 IPv6: Header Structure Benefits
- The checksum has been removed, because error checking is usually performed by link-layer and transport-layer protocols.
- Fragmentation has been relegated to an extension header, the minimum MTU has been increased to 1280 bytes, and fragmentation and reassembly are only performed by endpoints.
- Routers have to examine more than the 40-byte header only when the Next Header (NH) field is zero (Hop-by-Hop).
- The design also pays careful attention to alignment for 64-bit processors; e.g., the addresses are aligned on 64-bit boundaries.
- The constant size of IPv6 headers makes the header length field found in IPv4 unnecessary. Routers & intermediate nodes handling the packets are NOT required to accommodate variability in header length, which expedites packet handling.

20 IPv6: Some Quick Security Facts
- Hop limit & GTSM: still valid security mechanisms against DoS attacks on local links.
- Amplification attack (congestion & DoS): can be caused by a packet with a Routing Header containing multiple instances of the same address. It is crucial to perform ingress filtering that prohibits the forwarding of packets with a Type 0 Routing Header.
- NH functionality in IPv6 provides the foundation for enhanced services such as IPv6 security & mobility.
- Packets containing hop-by-hop extension headers must be analyzed at every node along the forwarding path.
- Extension headers bring additional complexity (and performance degradation) for the purpose of traffic filtering.
- Block mobility headers if IPv6 mobility is NOT being used by an organization.
- Extension headers can also be used as a covert channel to hide communications between two systems, e.g., in Destination Options.
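The extension-header rules from slides 16-20 (and the RH0 and small-fragment policy the deck states later) turned into a header-chain walker, added here as an example and not part of the original deck. It assumes the standard Next Header values for Routing (43), Fragment (44) and Mobility (135), which the slides discuss but do not number, and the packets it checks are constructed inline.

```python
import ipaddress
import struct

# Next Header values from the slide; Routing (43), Fragment (44) and
# Mobility (135) are the standard values (RFC 8200 / RFC 6275) not listed there.
NH_HOP_BY_HOP, NH_TCP, NH_UDP, NH_ROUTING, NH_FRAGMENT = 0, 6, 17, 43, 44
NH_ESP, NH_AH, NH_ICMPV6, NH_NONE, NH_DEST_OPTS, NH_MOBILITY = 50, 51, 58, 59, 60, 135
NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 41: "IPv6-encap", 43: "Routing",
         44: "Fragment", 46: "RSVP", 50: "ESP", 51: "AH", 58: "ICMPv6",
         59: "No-Next-Header", 60: "Destination-Options", 98: "OSPFv3",
         135: "Mobility"}
# Extension headers that carry a Next Header octet and can be chained.
CHAINED = {NH_HOP_BY_HOP, NH_ROUTING, NH_FRAGMENT, NH_AH, NH_DEST_OPTS, NH_MOBILITY}
MIN_MTU = 1280  # IPv6 minimum MTU (slide 19)


def walk_chain(pkt):
    """Return ([(nh_value, header_bytes), ...], upper_layer_nh).
    Stops at ESP, whose contents are opaque to a middlebox."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in CHAINED:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_FRAGMENT:
            hlen = 8                        # fixed-size header
        elif nh == NH_AH:
            hlen = (pkt[off + 1] + 2) * 4   # AH length: 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8   # Hdr Ext Len: 8-octet units, first 8 excluded
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append((nh, pkt[off:off + hlen]))
        nh, off = pkt[off], off + hlen
    return chain, nh


def inspect(pkt, mobility_in_use=False):
    """Apply the deck's filtering advice to one packet: drop RH0, drop Mobility
    headers where mobility is not deployed, drop non-final fragments shorter
    than 1280 octets, and report headers that cost every hop processing time."""
    chain, upper = walk_chain(pkt)
    findings = []
    for nh, hdr in chain:
        if nh == NH_HOP_BY_HOP:
            findings.append(("info", "hop-by-hop options: examined by every node on the path"))
        elif nh == NH_ROUTING:
            rtype, segments_left = hdr[2], hdr[3]
            if rtype == 0:
                findings.append(("drop", f"Routing Header type 0 (deprecated by RFC 5095), "
                                         f"segments left={segments_left}"))
            elif rtype == 2 and not mobility_in_use:
                findings.append(("drop", "Routing Header type 2 but IPv6 mobility not in use"))
        elif nh == NH_FRAGMENT:
            more_fragments = struct.unpack("!H", hdr[2:4])[0] & 1
            if more_fragments and len(pkt) < MIN_MTU:
                findings.append(("drop", f"non-final fragment of {len(pkt)} octets (< {MIN_MTU})"))
        elif nh == NH_MOBILITY and not mobility_in_use:
            findings.append(("drop", "Mobility Header present but IPv6 mobility not in use"))
        elif nh == NH_DEST_OPTS:
            findings.append(("info", f"destination options carry {len(hdr) - 2} option bytes "
                                     "(possible covert channel)"))
    verdict = "drop" if any(sev == "drop" for sev, _ in findings) else "accept"
    return {"chain": [NAMES.get(nh, str(nh)) for nh, _ in chain],
            "upper": NAMES.get(upper, str(upper)), "verdict": verdict,
            "findings": findings}


def build_ipv6(src, dst, ext_headers, upper, payload):
    """Constructed test-packet builder. ext_headers is a list of (header_type,
    body) where body is the whole header minus its leading Next Header octet."""
    chain = b""
    for i, (_, body) in enumerate(ext_headers):
        nxt = ext_headers[i + 1][0] if i + 1 < len(ext_headers) else upper
        chain += bytes([nxt]) + body
    first = ext_headers[0][0] if ext_headers else upper
    fixed = struct.pack("!IHBB", 0x60000000, len(chain) + len(payload), first, 64)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + chain + payload)


# Constructed sample extension-header bodies (Next Header octet excluded).
HBH_PADN = bytes([0]) + b"\x01\x04\x00\x00\x00\x00"         # 8-byte Hop-by-Hop, one PadN
RH0_ONE_HOP = bytes([2, 0, 1]) + b"\x00" * 4 + ipaddress.IPv6Address("2001:db8::9").packed
FIRST_FRAG = b"\x00" + struct.pack("!HI", 0x0001, 0x1234)    # offset 0, M=1, id 0x1234
MOBILITY_BU = bytes([0, 5, 0]) + b"\x00" * 4                 # MH type 5 (Binding Update)
DEST_OPTS = bytes([0]) + b"\x01\x04\xde\xad\xbe\xef"         # PadN carrying data bytes
SRC, DST = "2001:db8::1", "2001:db8::2"

if __name__ == "__main__":
    for label, ext, upper in [("plain", [], NH_ICMPV6),
                              ("rh0", [(NH_ROUTING, RH0_ONE_HOP)], NH_TCP),
                              ("small-frag", [(NH_FRAGMENT, FIRST_FRAG)], NH_UDP)]:
        print(label, inspect(build_ipv6(SRC, DST, ext, upper, b"\x00" * 20)))
```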

21 IPv6 Defenses: What's New? Authentication & encryption: IPSec (RFC 2401, RFC 2402, RFC 2406, RFC 2408); CGA: Cryptographically Generated Addresses; SEND: Secure Neighbor Discovery; ULA: Unique Local Addresses; firewall model change.

22 What is Needed: Secure Site-to-Site IPv6 Traffic over IPv4 & IPv6 Networks with IPSec

23 IPSec Components (RFC 2401, RFC 2402, RFC 2406, RFC 2408, RFC 2409). IPSec = 3 main protocols in a cohesive security framework:
- AH: Authentication Header (IP protocol 51): provides a framework for authenticating and securing data.
- ESP: Encapsulating Security Payload (IP protocol 50): provides a framework for encrypting, authenticating and securing data.
- IKE: Internet Key Exchange: provides a framework for the negotiation of security parameters & establishment of authenticated keys; negotiation of SA characteristics; automatic key generation; automatic key refresh; manageable manual configuration.

24 IPSec Modes = Tunnel + Transport. Tunnel mode (for everything else): a new IP header is created in place of the original; this allows for encryption of the entire original packet. Transport mode (for end-to-end sessions): the ESP or AH header is inserted behind the IP header; the IP header can be authenticated but NOT encrypted.

25 IPSec Services (table comparing AH, ESP with encryption ONLY, and ESP with encryption + authentication; the check marks did not survive transcription). Services: access control; connectionless integrity; data origin authentication; rejection of replayed packets; payload confidentiality; traffic flow confidentiality (limited, due to the limited amount of payload padding).

26 SA (Security Association): an agreement between 2 entities on a method to communicate securely. An IPSec SA is unidirectional; 2-way communication consists of 2 SAs. SA contents: Destination Address, Security Parameter Index (SPI), IPSec Transform, Key, additional SA attributes (e.g., lifetime); example entry from the slide: SPI A390BC1, transform AH with HMAC-MD5, key 7572CA49F, lifetime Day or 100MB. Each SA is identified by: Security Parameters Index (SPI): a 32-bit integer chosen by the sender; enables the receiving system to select the required SA. Destination Address: only unicast IP addresses allowed! Security Protocol Identifier: AH or ESP. This information appears in the IP packet, so the receiver knows how to behave.

27 IPSec Modes in SA:
- Transport Mode SA. AH: authenticates the IP payload & selected parts of the IP header & IPv6 extension headers. ESP (encryption ONLY): encrypts the IP payload + any IPv6 extension headers after the ESP header. ESP (encryption + authentication): encrypts the IP payload + any IPv6 extension headers after the ESP header; authenticates the IP payload.
- Tunnel Mode SA. AH: authenticates the entire inner IP packet & selected parts of the outer IP header & outer IPv6 extension headers. ESP (encryption ONLY): encrypts the inner IP packet. ESP (encryption + authentication): encrypts & authenticates the inner IP packet.

28 IPSec. AH: authentication & integrity. ESP: Encapsulating Security Payload: data confidentiality (encryption); limited traffic flow confidentiality; data integrity; optional data origin authentication; anti-replay protection; does NOT protect the IP header.

29 IPSec AH: Authentication, IPv4 vs. IPv6 (figure)

30 IPSec ESP: IPv4 vs. IPv6 (figure)

31 IPSec IKE (Internet Key Exchange) = Hybrid Protocol, RFC 2409. IKE is a 2-phase protocol. Phase 1: peers negotiate a secure, authenticated channel with which to communicate; Main Mode or Aggressive Mode accomplish a Phase 1 exchange. Phase 2: Security Associations are negotiated on behalf of IPSec services; Quick Mode accomplishes a Phase 2 exchange.

32 How Does IKE Work? (figure: Phase 1, authentication, architecture, Phase 2)

33 IPSec Components (figure): 1. IKE Phase 1 between the IPSec peers; 2. IKE Phase 2 over the secure communication channel; 3. IPSec tunnel; 4. secured traffic exchange. Terminology:
- Data Integrity: secure hashing (HMAC) is used to ensure NO data alteration in transit.
- Data Confidentiality: encryption is used to ensure data can NOT be intercepted by a 3rd party.
- Data Origin Authentication: authentication of the SA peer.
- Anti-replay: sequence numbers are used to detect & discard duplicate packets.
- Hash Message Authentication Code (HMAC): a hash of the data & a secret key used to provide message authenticity.
- Diffie-Hellman Exchange: a shared secret key is established over an insecure path using public and private keys.
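The receiver side of slides 26 and 33 in code (an added example, not from the deck): an inbound SA selected by (destination, SPI, protocol), an HMAC-SHA1-96 integrity check, and the sliding anti-replay window that makes sequence numbers useful. The ESP payload is treated as already-encrypted opaque bytes, and the SPI, key and addresses are constructed.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50   # IP protocol number of ESP (slide 23)
ICV_LEN = 12     # HMAC-SHA1-96 integrity check value


class InboundSA:
    """One unidirectional inbound SA, selected by (destination, SPI, protocol)
    as on slide 26: HMAC integrity check plus a sliding anti-replay window."""

    def __init__(self, dst, spi, auth_key, window=64):
        self.dst, self.spi, self.auth_key, self.window = dst, spi, auth_key, window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number (highest - i) was seen

    def _window_check(self, seq):
        if seq == 0:
            return "sequence number 0 is never valid"
        if seq > self.highest:
            return None                  # advances the window: always fresh
        diff = self.highest - seq
        if diff >= self.window:
            return f"seq {seq} older than the {self.window}-packet window"
        if self.bitmap >> diff & 1:
            return f"seq {seq} already received (replay)"
        return None

    def _window_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, packet):
        """Return (accepted, reason, payload). Order follows RFC 4303: replay
        window check, then ICV verification, then window update on success."""
        if len(packet) < 8 + ICV_LEN:
            return False, "runt ESP packet", None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return False, f"SPI {spi:#x} does not belong to this SA", None
        reason = self._window_check(seq)
        if reason:
            return False, reason, None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return False, "ICV mismatch: packet altered or wrong key", None
        self._window_update(seq)
        return True, "ok", body[8:]


class SADatabase:
    """Inbound SAD keyed the way the slide describes: (dst, SPI, protocol)."""

    def __init__(self):
        self.sas = {}

    def add(self, sa):
        self.sas[(sa.dst, sa.spi, ESP_PROTO)] = sa

    def deliver(self, dst, packet):
        spi = struct.unpack("!I", packet[:4])[0]
        sa = self.sas.get((dst, spi, ESP_PROTO))
        if sa is None:
            return False, f"no SA for ({dst}, SPI {spi:#x}, ESP)", None
        return sa.receive(packet)


def build_esp(spi, seq, payload, auth_key):
    """Constructed sender side: SPI || Seq || payload || HMAC-SHA1-96 ICV.
    The payload is treated as already-encrypted opaque bytes; encryption is
    left out so the integrity and anti-replay logic stays in view."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
```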

34 IPSec Transforms. An IPSec transform specifies either an AH or an ESP protocol and its corresponding algorithms and mode. IPSec Transform Set: a transform set is a combination of IPSec transforms that enact a security policy for traffic; up to 3 transforms can be in a set; sets are limited to up to 1 AH and up to 2 ESP transforms.

35 5 Steps of IPSec

36 5 Steps of IPSec. Step 1, Interesting Traffic: access lists determine the traffic to encrypt; permit: traffic must be encrypted; deny: traffic is sent unencrypted. Step 2, IKE Phase One: authenticates IPSec peers; negotiates to protect the IKE exchange; exchanges keys; establishes the IKE SA.

37 5 Steps of IPSec. Step 3, IKE Phase Two: negotiates the IPSec SA protected by an existing IKE SA; establishes the IPSec SA; periodically renegotiates IPSec SAs to ensure security. Step 4, IPSec Encrypted Tunnel: information is exchanged via the IPSec tunnel; packets are encrypted & decrypted using the encryption specified in the IPSec SA.

38 5 Steps of IPSec. Step 5, Tunnel Termination: the tunnel is terminated by session termination, SA lifetime timeout, or packet counter exceeded; removes the IPSec SA.

39 CGA: Cryptographically Generated Addresses (CGA). Each device has an RSA key pair (NO need for certification). Ultra-light check for validity. Prevents spoofing a valid CGA address.

40 SEND: Secure Neighbor Discovery: based on CGA. A standard to mitigate the ND attacks.
- Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes.
- Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated.
- RSA signature option: protects all messages relating to neighbor & router discovery.
- Timestamp and nonce options: prevent replay attacks. RFC
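What the "ultra light check for validity" on slides 39 and 40 actually computes, as an added example (not from the deck): RFC 3972 CGA generation and verification with the standard library. The public key is a constructed placeholder byte string; a real CGA hashes the DER-encoded RSA public key in that position.

```python
import hashlib
import ipaddress
import os


def _hash1(modifier, prefix8, collision_count, pubkey):
    """RFC 3972 Hash1 over modifier | subnet prefix | collision count | key."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()


def _hash2_ok(modifier, pubkey, sec):
    """RFC 3972 Hash2 (prefix and collision count zeroed): the leftmost 16*sec
    bits of its leftmost 112 bits must be zero. sec=0 imposes no work."""
    if sec == 0:
        return True
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(h2[:14], "big") >> (112 - 16 * sec) == 0


def _interface_id(hash1, sec):
    """Leftmost 64 bits of Hash1 with bits 0-2 set to sec and u/g bits cleared."""
    iid = bytearray(hash1[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=0, collision_count=0, rng=os.urandom):
    """Generate a CGA for `prefix` bound to `pubkey`. Returns (address, params);
    params are what a node advertises so others can run verify_cga."""
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = rng(16)
    while not _hash2_ok(modifier, pubkey, sec):           # brute force, ~2^(16*sec) tries
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    iid = _interface_id(_hash1(modifier, prefix8, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix8,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix8 + iid), params


def verify_cga(address, params):
    """The cheap receiver-side check: one or two SHA-1 computations decide
    whether `address` was really derived from the advertised key and modifier.
    A node that cannot present matching parameters cannot claim the address."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    expected = _interface_id(_hash1(params["modifier"], params["prefix"],
                                    params["collision_count"], params["pubkey"]), sec)
    if expected != packed[8:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)


# Constructed placeholder: a real CGA uses the DER-encoded RSA public key here.
DEMO_PUBKEY = b"constructed-placeholder-for-DER-encoded-RSA-public-key"

if __name__ == "__main__":
    addr, params = generate_cga("2001:db8:1::/64", DEMO_PUBKEY, sec=1)
    print(addr, verify_cga(addr, params))
```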

41 FW Model Change: distributed firewalls; a ONE point for routing & security policy.

42 Common IPv4 & IPv6 Security Concerns

43 DDoS Vulnerabilities, Threats and Targets (figure)

44 OSI was built to allow different layers to work without the knowledge of each other. Unfortunately this means that if one layer is hacked, communications are compromised without the other layers being aware of the problem. Security is only as strong as the weakest link; in networking, layer 2 can be a very weak link. Lower levels affect higher levels.

45 Attack Surfaces & Layers (figure)

46 Common IPv4 & IPv6 Security Issues:
- Denial of Service Attacks (DoS): an attempt to make a computer resource unavailable to its intended users. One common method involves flooding the target host with requests, thus preventing valid network traffic from reaching the host.
- Viruses & Worms Distribution: malicious code/programs can propagate themselves from one infected or compromised host to another. This distribution is aided by the small address space of IPv4.
- Man-in-the-middle Attacks (MITM): without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4.
- Sniffing: IPv6 is NO less likely to fall victim to a sniffing attack than IPv4.
- Fragmentation Attacks: this attack uses many small fragmented ICMP packets which, when reassembled at the destination, exceed the maximum allowable size for an IP datagram, which can cause the victim host to crash, hang or even reboot.
- Application Layer Attacks: the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do NOTHING to prevent.

47 Threats Overview Briefing, by layer:
- Layer 1: wiretapping, console access, rogue devices
- Layer 2: VLAN hopping; MAC, DHCP, ARP spoofing
- Layer 3: IP spoofing, DDoS, routing, Smurf, tunneling, transition
- Layers 4-7: viruses, worms, application, rogue software, MITM
- Multiple layers: reconnaissance, sniffing, unauthorized access
- Misc.: daily probes & attacks, top TCP & UDP attacks

48 IPv6 Transition Threats

49 IPv4 to IPv6 Transition Landscape Challenges: 16+ transition methods, possibly in combination.
- Dual Stack: consider security for both protocols; resiliency (shared resources); applications can be subject to attack on both IPv6 & IPv4; host security controls should block & inspect traffic from both.
- Tunnels: bypass the FW (protocol 41 or UDP); can cause asymmetric traffic (hence breaking stateful firewalls).

50 Example: L3-L4 Spoofing in IPv6 When Using IPv6 over IPv4 Tunnels. Most IPv4 / IPv6 transitions have NO authentication built in => an IPv4 attacker can inject traffic if spoofing on IPv4 & IPv6 addresses.

51 Example: ISATAP / 6to4 Tunnels Bypass ACL (figure)

52 Example: Transition Threats, e.g. ISATAP: unauthorized tunnels, firewall bypass (protocol 41). The IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise; this has implications for network segmentation & network discovery. NO authentication in ISATAP, so rogue routers are possible. IPv6 addresses can be guessed based on the IPv4 prefix.

53 Example: Teredo Tunnels 1: Without Teredo, controls are in place (figure)

54 Example: Teredo Tunnels 2: No more outbound control (figure)

55 Example: Teredo Tunnels 3: No more inbound control (figure)

56 L3 Spoofing in IPv6: uRPF (Unicast Reverse Path Forwarding) remains the primary tool for protecting against L3 spoofing (e.g. DoS).

57 Transition Mechanism Threats Summary
- Dual Stack: preferred, BUT running dual stack will give you at least twice the number of vulnerabilities.
- Tunnels (6to4, etc.) can bypass firewall / security; tunneling mechanisms are susceptible to packet forg
ery and DDoS attacks.
- Manual Tunnels: preferred: filter tunnel source / destination and use IPSec; if spoofing, return traffic is not sent to the attacker.
- Dynamic Tunnels: 6to4 relay routers are open relays; ISATAP: potential MITM attacks; attackers can spoof source / destination IPv4 / IPv6 addresses.
- Deny packets for transition techniques NOT in use: deny IPv4 protocol 41 forwarding unless that is exactly what is intended (i.e. you are using 6to4 tunneling); deny UDP 3544 forwarding unless you are using Teredo tunneling.
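The "deny transition techniques not in use" rule from the summary above as a packet classifier (an added example, not from the deck): it recognises 6to4, ISATAP, plain 6in4 (all IPv4 protocol 41) and Teredo (UDP 3544), denies whatever is not on the allow-list, and for 6to4 and ISATAP also rejects packets whose inner IPv6 source embeds an IPv4 address different from the outer IPv4 source, the spoofing case slides 50 and 58 describe. All packets and addresses are constructed.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41          # 6in4, 6to4 and ISATAP carrier (slides 49, 57)
TEREDO_PORT = 3544               # slide 57
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload), honouring the IHL for options."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:])


def isatap_embedded_v4(addr):
    """IPv4 address embedded in an ISATAP interface ID (::0:5efe:a.b.c.d or
    ::200:5efe:a.b.c.d), or None if the address is not ISATAP-formed."""
    packed = addr.packed
    if packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return ipaddress.IPv4Address(packed[12:16])
    return None


def classify(pkt):
    """Identify the transition mechanism carrying this IPv4 packet.
    Returns (mechanism, inner_src, embedded_v4) with mechanism one of
    "6to4", "isatap", "6in4", "teredo" or None for ordinary IPv4 traffic."""
    proto, _, _, payload = parse_ipv4(pkt)
    if proto == PROTO_IPV6_IN_IPV4 and len(payload) >= 40 and payload[0] >> 4 == 6:
        inner_src = ipaddress.IPv6Address(payload[8:24])
        if inner_src in SIX_TO_FOUR:        # 2002:WWXX:YYZZ::/48 embeds W.X.Y.Z
            return "6to4", inner_src, ipaddress.IPv4Address(inner_src.packed[2:6])
        embedded = isatap_embedded_v4(inner_src)
        if embedded is not None:
            return "isatap", inner_src, embedded
        return "6in4", inner_src, None
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo", None, None
    return None, None, None


def decide(pkt, allowed):
    """Border policy from slide 57: deny every transition mechanism not in
    `allowed`; for allowed 6to4/ISATAP traffic also deny when the IPv4 address
    embedded in the inner IPv6 source disagrees with the outer IPv4 source."""
    mechanism, inner_src, embedded = classify(pkt)
    if mechanism is None:
        return "permit", None, "not a transition-mechanism packet"
    if mechanism not in allowed:
        return "deny", mechanism, f"{mechanism} not in use on this network"
    outer_src = parse_ipv4(pkt)[1]
    if embedded is not None and embedded != outer_src:
        return "deny", mechanism, (f"inner {inner_src} embeds {embedded} but outer "
                                   f"source is {outer_src}: spoofed")
    return "permit", mechanism, "allowed and address-consistent"


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, zero checksum) for test input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_ipv6_stub(src, dst):
    """Constructed minimal inner IPv6 header (No Next Header = 59, empty payload)."""
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
```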

58 Transition Threats Comparison. Dual Stack: 1) dual-stack = vulnerabilities of IPv4 + IPv6; 2) if a FW is NOT configured to apply the same level of screening to IPv6 packets as to IPv4 packets, the FW may let IPv6 pass through to dual-stack hosts. Tunneling: L3-L4 spoofing in IPv6 with 6to4 tunneling; the 3 main potential problems are: 1. 6to4 routers not being able to identify whether relays are legitimate; 2. wrong or partially implemented 6to4 router or relay security checks; 3. the 6to4 architecture used to participate in DoS or reflected DoS, making attacks harder to trace.

59 IPv6 Security Techies

60 IPv6 Security Building Blocks: endpoint protection; admission control; infection containment; intelligent correlation & incident response; IPS & anomaly detection; application security & defense. Protection Techniques: perimeter protections from the Internet and external entities; secure remote-site connectivity with Virtual Private Network (VPN) technologies; infrastructure protection measures to ensure a secure network foundation; server security to protect the critical IT assets and data; client security measures to mitigate the insider threat.

61 [1] IPv6 Security Plan: equipment configuration; perimeter defense (FW, ACL, IDPS); content filtering; mail filtering; patch management; vulnerability management (scanning); certification & accreditation of the new systems; AAA (Authentication, Authorization, & Accounting); rogue detection; infrastructure protocol security; IPSec.

62 [2] Firewall Security World. Old model: core routers individually secured; every router accessible from outside. New model: core routers secured individually; routers generally NOT accessible from outside.

63 [2] Enforcing a Security Policy. Example: Cisco IOS IPv6 ACL (figure)

64 [2] Example: Basic IPv6 Packet Filtering (figure)

65 [2] Example: IPv6 Firewall Feature Set (figure)

66 [3] Router Security World. Old model: policy enforced at process level (, SNMP ACL, etc.); some early features such as ingress ACL used when possible. New model: central policy enforcement, prior to process level; granular protection schemes; on high-end platforms, hardware implementations.

67 [3] Preventing Routing Header Attacks. IPv6 Routing Header: an extension header, processed by the listed intermediate routers; 2 types: Type 0: similar to IPv4 source routing (multiple intermediate routers); Type 2: used for Mobile IPv6.
- Use IPSec to secure protocols such as OSPFv3 & RIPng.
- Apply the same policy for IPv6 as for IPv4: block Routing Header type 0.
- Prevent processing at the intermediate nodes: no ipv6 source-route.
- At the edge: an ACL blocking the routing header.
- RFC 5095: RH0 is deprecated. By default, Cisco routers changed in IOS code version 12.4(15)T to ignore and drop RH0.

68 [4] ICMPv6 & other related security implications. ICMPv6 is essential to IPv6 & dual-stack network functioning: it reports errors if packets can NOT be processed properly & sends informational messages about the status of the network. ICMPv4 vs. ICMPv6 => the ICMP policy on the FW needs to change.

69 [4] Generic ICMPv4 Border FW Policy and Equivalent ICMPv6 (figure)

70 [4] Potential Additional ICMPv6 (figure)

71 ICMPv6 Neighbor Discovery. If A needs the MAC of B, it sends an ICMP6 Neighbor Solicitation (NS) to the All-Nodes multicast address. B sees the request and responds to A with an ICMP6 Neighbor Advertisement (NA) with its MAC address => like ARP. But everybody can respond to the request.

72 ICMPv6 Duplicate Address Detection (DAD). If A sets a new IP address, it makes the Duplicate Address Detection (DAD) check, to see if anybody uses the address already. Anybody can respond to the DAD checks => dos-new-ipv6 prevents new systems on the LAN.

73 ICMPv6 Stateless Auto-Configuration. Routers send periodic (& solicited) Router Advertisements (RA) to the All-Nodes multicast address. Clients configure their routing tables and network prefix from advertisements => like a DHCP-light in IPv4. Anyone can send Router Advertisements!

74 [4] ICMPv6 & other related security implications. ICMPv6 threats: rogue devices on the network giving misleading information or consuming resources (DoS); rogue DHCPv6 clients and servers on the link-local multicast address (FF02::1:2): same threat as IPv4; rogue DHCPv6 servers on the site-local multicast address (FF05::1:3): new threat in IPv6; scanning possible if leased addresses are consecutive. ICMPv6 threats mitigation: rogue clients & servers can be mitigated by using the authentication option in DHCPv6; a port ACL can block DHCPv6 traffic from client ports: deny udp any eq 547 any eq 546; Cisco Network Registrar DHCPv6 Server: leased addresses are random => scanning difficult; can also lease temporary addresses (like the privacy extension).

75 [5] A MUST: Good IPSec Policy, H2H scenarios (Scenario A, Scenario B). IKE Phase 1 (ISAKMP): 3DES, SHA-1, DH Group 2 (MODP), lifetime. IKE Phase 2 (IPSec): 3DES, SHA-1, PFS with DH Group 2 (MODP), lifetime.

76 [5] A MUST: Good IPSec Policy, G2G scenarios (Scenario C, Scenario D). IKE Phase 1 (ISAKMP): 3DES, SHA-1, DH Group 2 (MODP), lifetime. IKE Phase 2 (IPSec): 3DES, SHA-1, PFS with DH Group 2 (MODP), lifetime.

77 [5] A MUST: Good IPSec Policy, H2G + G2H scenario (Scenario E). IKE Phase 1 (ISAKMP): 3DES, SHA-1, DH Group 2 (MODP), lifetime. IKE Phase 2 (IPSec): 3DES, SHA-1, PFS with DH Group 2 (MODP), lifetime.

78 [6] Some IPv6 Security Tools
- Sniffers / packet capture: Snort, Sun Solaris snoop, COLD, Wireshark, Analyzer, Windump, WinPcap, TCPdump
- Scanners: IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat
- Packet forgers: Scapy6, Packit, Spak6, SendIP
- DoS tools: 6tunneldos, 4to6ddos, Imps6-tools

79 [6] Some IPv6 Security Tools (Tool: Usage)
- Alive6: find all local IPv6 systems, check aliveness of remote systems
- PARSITE6: ICMP neighbor spoofer for man-in-the-middle attacks
- REDIR6: redirect traffic to your system on a LAN
- FAKE_ROUTER6: fake a router, implant routes, become the default router
- DETECT-NEW-IPv6: detect new IPv6 systems on the LAN, automatically launch a script
- DOS-NEW-IPv6: deny any new IPv6 system access on the LAN (DAD spoofing)
- SMURF6: local smurf tool (attack your own LAN)
- RSMURF6: remote smurf tool (attack a remote LAN)
- TOOBIG6: reduce the MTU of a target
- FAKE_MLD6: play around with Multicast Listener Discovery reports
- FAKE_MIPv6: reroute mobile IPv6 nodes where you want them if no IPSec is required
- SENDPEES6: neighbor solicitations with lots of CGAs
- Protocol Tester: various tests
- TCPdump: dumps traffic on IPv6 networks

80 [6] Some IPv6 Security Tools (Tool: Usage)
- IPTrap: listens on several TCP ports to simulate fake services (X11, Netbios, DNS, etc.). When a remote client connects to one of these ports, its IP gets immediately firewalled & an alert is logged. It runs with iptables and ipchains, but any external script can also be launched. IPv6 is supported.
- AESOP: a TCP proxy that supports many advanced and powerful features. Aesop makes use of strong cryptography for all its data transmission up to the end link. Another powerful feature is that Aesop proxies can be transparently stacked into a secure chain. Aesop supports IPv6 and can be used as a secure IPv4-to-IPv6 tunnel for TCP connections. Aesop is implemented using multiplexing and is therefore fast and lightweight.
- Netstat: displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IPv4 routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), the IPv6 routing table, & IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, & UDP over IPv6 protocols).
- SendIP: for sending arbitrary IP packets.
- COLD: a network monitoring & protocol analyzing tool which allows one to study, maintain & troubleshoot networks by extracting flowing data & printing out the contents & structure.

81 [6] Some IPv6 Security Tools (Tool: Usage)
- Nmap: the command syntax is the same as for IPv4 except that you also add the -6 option. Also, in order to perform an IPv6 scan, both the source (your host) & the target of the scan must be configured for IPv6: each must have an IPv6 address & routing information. And one must use IPv6 syntax if specifying an address rather than a hostname. An address might look like 3ffe:7501:4819:2000:210:f3ff:fe03:14d0, so hostnames are recommended. If your ISP (like most of them) does not allocate IPv6 addresses, free tunnel brokers are widely available and work fine with Nmap, e.g. the free IPv6 tunnel broker service at [link missing]; 6to4 tunnels are another popular, free approach. The scan output looks the same as with IPv4, with the IPv6 address on the interesting ports line being the only giveaway.
- CH Scanner: an ARP, IPv4 & IPv6 network scanner with 31 scan methods: it scans for open ports, protocols, NetBIOS information & Windows shares, SNMP information, & WMI (WBEM) information. It also has the ability to turn on (using Wake-On-LAN) & to shut down or reboot a remote Windows host. Features an automatic (scriptable) working mode, a hunt mode, a passive mode & a normal scanning mode.
- Hyenae: allows you to reproduce low-level Ethernet attack scenarios (such as MITM & DDoS) to reveal the potential security vulnerabilities in a network.

82 [6] Some IPv6 Security Tools: Alive6. Usage: find all local IPv6 systems & check aliveness of remote systems, for local / remote unicast targets & local multicast addresses. Sends three different types of packets: ICMP6 Echo Request; IP6 packet with unknown header; IP6 packet with unknown hop-by-hop option. Routing header attack (like IPv4 source routing): use alive6 to check whether routing headers are allowed to the target. 1. Check if your ISP does ingress filtering: send a packet from yourself to yourself via a remote system: alive6 eth0 YOUR-IP VICTIM-IP. 2. Find all servers in the world for an anycast address: send packets to an anycast address via several remote systems: alive6 eth0 AnyCastAddr VICTIM-IP1; alive6 eth0 AnyCastAddr VICTIM-IP2; etc.

83 [6] Some IPv6 Security Tools: REDIR6. Usage: redirect traffic to your system on a LAN; route implanting with ICMP6 Redirects. 1. (A)ttacker sends an Echo Request: source (T)arget, destination (V)ictim. 2. (V)ictim receives the Echo Request and sends a Reply to (T). 3. (A)ttacker crafts a Redirect: source (R)outer, destination (V)ictim, redirecting all traffic for (T) to (A).

84 [6] Some IPv6 Security Tools
- FAKE_MIPv6. Usage: reroute mobile IPv6 nodes where you want them if no IPSec is required. The protocol specification is secure because IPSec is mandatory, but all implementations have the option to disable the IPSec requirement. If this is done, fake_mipv6 can redirect traffic for any mobile IPv6 node to a destination of the attacker's choice.
- SMURF6. Usage: local smurf tool (attack your own LAN). Source is the target, destination is a local multicast address; generates lots of local traffic that is sent to the source.
- RSMURF6. Usage: remote smurf tool (attack a remote LAN). Source is the local All-Nodes multicast address, destination is the target; if the target has a mis-implemented IPv6 stack, it responds with an Echo Reply to the All-Nodes multicast address.

85 [7] Some IPSec Tools (Tool: Usage; the Publisher column did not survive transcription)
- IPSec Diagnostic Tool 1.0: assists network administrators with troubleshooting network-related failures; applicable on Windows XP, Windows Server 2003, Windows Vista & Windows Server.
- IP Securitas 3.3: a client for Mac OS X. It supports virtually every available IPSec-compliant firewall, allowing you to connect safely to your office or home network from any location.
- IPSec Scan 1.1: scans either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.
- IPSec VPN Client: compliant with most popular VPN gateways, allowing fast integration in existing networks. Full IPSec standards, full IKE NAT traversal, IP address emulation, strong encryption (X509, AES...), strong authentication mechanisms, high performance, no system overhead, DNS and WINS resolution supported, operates as a service allowing use on unattended servers, accepts incoming IPSec tunnels, optional 'IPSec only' traffic filtering.
- IPSec-Tools: a port of KAME's IPSec utilities to the Linux-2.6 IPSec implementation. It supports NetBSD and FreeBSD as well.

86 IPv6 Security Road-Map & How-To: Wrap-up

87 IPv6 is NO more secure than IPv4 if we do NOT:
- Close the IPv6 security-perspective knowledge gap: training!
- Have an understood and enforced IPv6 security plan.
- Configure the security parameters (i.e. do not stop at merely implementing security features).
- Allow for full IPsec, and use IPsec to secure OSPFv3 and RIPng.
- Apply ingress/egress IPv6 filtering at the perimeter.
- Use manual tunnels instead of dynamic tunnels.
- Configure routers/switches to disable IPv6 tunnels that are not needed.
- Filter internal-use IPv6 (e.g. ULA space) at the enterprise border routers.
- Filter ICMPv6: determine which ICMPv6 messages are required and block the rest.
- Use IPv6 network protection tools and enable IPv6-capable IDS/IPS.
- Drop non-final fragments shorter than 1280 octets (the IPv6 minimum MTU; only the last fragment of a chain can legitimately be smaller).
- Use cryptographic protections where critical.
- Use static neighbor entries for critical systems.
- Use IPv6 hop limits to protect network devices (e.g. require hop limit 255 on control-plane traffic, GTSM-style).
- Maintain separate routing registry entries for IPv4 and IPv6.

88 IPv6 Security Issues To Be Kept In Mind! OSI Layers & IPv6 Security Issues

89 IPv6 Security Issues To Be Kept In Mind! IPv6 Defenses
Defense / used for:
- SEND (Secure Neighbor Discovery) - a security extension of the Neighbor Discovery Protocol (NDP) in IPv6. NDP replaces IPv4 ARP and is responsible for discovering other nodes on the link, determining their link-layer addresses, finding available routers, and maintaining reachability information about the paths to active neighbor nodes.
- CGA (Cryptographically Generated Address) - a method for binding a public signature key to an IPv6 address, used by SEND: the interface identifier is derived from a hash of the public key, so the node can prove ownership of the address by signing NDP messages with the matching private key.
- ULAs (Unique Local Addresses) - IPv6 addresses in the block fc00::/7, as defined in the ULA RFC. They are intended for systems that are NOT connected to the Internet and should be filtered at the border.
- IPsec - with the Authentication Header (AH) and Encapsulating Security Payload (ESP), IPsec authenticates the origin of each packet, so packets carrying a spoofed source address are recognized and dropped. This protects IPv6 hosts against DoS and DDoS attacks that depend on source spoofing, but not against raw flooding: the host still spends cycles rejecting the bogus packets.
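How a CGA binds a key to an address, as an added example that is not code from the talk: generation and verification per RFC 3972, with the "Sec" hash extension that makes brute-forcing a colliding address 2^(16*Sec) times harder. The "public key" is a constructed byte blob standing in for the DER SubjectPublicKeyInfo a real node would hash, and the starting modifier is fixed so the run is deterministic; prefix and key are assumptions of the example.

```python
"""Cryptographically Generated Addresses (RFC 3972), the mechanism SEND uses
to bind a public key to an IPv6 address. Added example, not code from the
talk. Generation searches for a modifier that gives Hash2 16*Sec leading
zero bits, then derives the interface identifier from Hash1; verification
recomputes both hashes from the CGA parameters. PUBKEY below is a
constructed stand-in for a DER-encoded key, not a real key.
"""
import hashlib
import ipaddress

MAX_COLLISION_COUNT = 2          # RFC 3972: collision count must be 0, 1 or 2


def _hash1(modifier, prefix, collision_count, pubkey):
    """Leftmost 64 bits of SHA-1(modifier | subnet prefix | collision count | public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14]


def _hash2_ok(modifier, pubkey, sec):
    """Hash extension: the leftmost 16*Sec bits of Hash2 must be zero (trivially true for Sec = 0)."""
    return sec == 0 or int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


def _interface_id(hash1, sec):
    """Write Sec into the three leftmost bits and clear the u and g bits (bits 6 and 7)."""
    iid = bytearray(hash1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def cga_generate(prefix, pubkey, sec, modifier, collision_count=0):
    """Return (16-byte address, CGA parameters); prefix and modifier are raw 8- and 16-octet strings."""
    if len(prefix) != 8 or len(modifier) != 16 or not 0 <= sec <= 7:
        raise ValueError("bad prefix/modifier length or Sec value")
    mod = int.from_bytes(modifier, "big")
    # Steps 2-3: bump the modifier until Hash2 has 16*Sec leading zero bits.
    # Each Sec level costs the generator, and an attacker, 2^16 more hashes.
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) & ((1 << 128) - 1)
    modifier = mod.to_bytes(16, "big")
    # Steps 5-7: Hash1 -> interface identifier -> address. A DAD collision
    # would increment collision_count and redo this step (not simulated here).
    iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return prefix + iid, params


def cga_verify(address, params):
    """RFC 3972 section 5: True only if address was derived from params['pubkey']."""
    if len(address) != 16 or params["collision_count"] > MAX_COLLISION_COUNT:
        return False
    if address[:8] != params["prefix"]:
        return False
    sec = address[8] >> 5                      # Sec is carried in the address itself
    expected = _interface_id(_hash1(params["modifier"], params["prefix"],
                                    params["collision_count"], params["pubkey"]), sec)
    # Compare the identifier except for the Sec, u and g bits.
    if (address[8] & 0x1C) != (expected[0] & 0x1C) or address[9:] != expected[1:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)


# Constructed inputs for the example: documentation prefix and a stand-in key blob.
PREFIX = ipaddress.IPv6Address("2001:db8:1::").packed[:8]
PUBKEY = hashlib.sha256(b"example public key, not a real DER blob").digest() * 4
ZERO_MODIFIER = bytes(16)


if __name__ == "__main__":
    address, params = cga_generate(PREFIX, PUBKEY, sec=1, modifier=ZERO_MODIFIER)
    print(ipaddress.IPv6Address(address), "modifier", params["modifier"].hex())
    print("verifies with the right key:", cga_verify(address, params))
    forged = dict(params, pubkey=PUBKEY[::-1])   # attacker's key, same address
    print("verifies with another key:", cga_verify(address, forged))
```

The point for SEND: an attacker who wants to answer Neighbor Solicitations for someone else's CGA must present parameters that hash to that exact identifier under their own key, which is a second-preimage search on 59 bits plus the 16*Sec-bit hash extension; the verifier does nothing more than the two SHA-1 computations above.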

90 A MUST: IPv6 FW Policies
Avoid IPv6 tunneling:
- 6to4 does NOT support source address filtering (the IPv4 address embedded in a 2002::/16 address is whatever the sender put there).
- Teredo punches holes into the NAT device.
- Any tunneling mechanism may be prone to spoofing.
- With any tunneling mechanism you trust the relay servers.
Firewall policy:
- Do NOT just reuse your IPv4 FW rules for IPv6.
- Do NOT just allow IPsec or IPv4 protocol 41 (IPv6-in-IPv4) through the FW.
- On networks that are IPv4-only, block all IPv6 traffic, native and tunneled.
- Procure a FW with IPv6 policy support.
- Look for vendor support of extension headers.
- The FW should have granular filtering of ICMPv6 and multicast.
- Layer-2 FWs are trickier with IPv6 because of the ICMPv6 ND/NS/RA/RS messages they must let through.
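What "block tunnels at an IPv4-only perimeter" looks like in practice, as an added example that is not code from the talk: classify an IPv4 flow as 6in4, 6to4 or ISATAP (all IP protocol 41) or Teredo (UDP 3544), decode the IPv4 endpoints embedded in 6to4 and Teredo addresses, and let through only pre-configured manual tunnels. The flows, addresses and the `manual_tunnels` allow-list are constructed for the example.

```python
"""Recognising IPv6 transition traffic at an IPv4 perimeter. Added example,
not code from the talk. Flows, addresses and the manual-tunnel allow-list
are constructed for the example (documentation ranges only).
"""
import ipaddress

PROTO_IPV6_IN_IPV4 = 41        # 6in4 / 6to4 / ISATAP encapsulation
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544
SIXTO4 = ipaddress.IPv6Network("2002::/16")
TEREDO = ipaddress.IPv6Network("2001::/32")


def decode_6to4(addr):
    """2002:WWXX:YYZZ::/48 embeds the 6to4 router's IPv4 address WW.XX.YY.ZZ."""
    a = ipaddress.IPv6Address(addr)
    return ipaddress.IPv4Address(a.packed[2:6]) if a in SIXTO4 else None


def decode_teredo(addr):
    """RFC 4380 layout: 2001:0:<server IPv4>:<flags>:<port ^ 0xFFFF>:<client IPv4 ^ 0xFFFFFFFF>."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        return None
    b = a.packed
    server = ipaddress.IPv4Address(b[4:8])
    flags = int.from_bytes(b[8:10], "big")
    port = int.from_bytes(b[10:12], "big") ^ 0xFFFF
    client = ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
    return server, flags, port, client


def is_isatap(addr):
    """ISATAP interface identifiers are ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z."""
    return ipaddress.IPv6Address(addr).packed[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def classify_flow(proto, src_port, dst_port, inner_src=None, inner_dst=None):
    """Name the transition mechanism an IPv4 flow carries, or None for ordinary IPv4."""
    if proto == PROTO_IPV6_IN_IPV4:
        if inner_src is not None and inner_dst is not None:
            if decode_6to4(inner_src) or decode_6to4(inner_dst):
                return "6to4"
            if is_isatap(inner_src) or is_isatap(inner_dst):
                return "ISATAP"
        return "6in4"
    if proto == PROTO_UDP and TEREDO_UDP_PORT in (src_port, dst_port):
        return "Teredo"
    return None


def perimeter_decision(outer_src, outer_dst, proto, src_port, dst_port,
                       inner_src=None, inner_dst=None, manual_tunnels=frozenset()):
    """Allow plain IPv4 and configured manual 6in4 tunnels only.
    manual_tunnels is an assumed allow-list of (outer src, outer dst) pairs."""
    mech = classify_flow(proto, src_port, dst_port, inner_src, inner_dst)
    if mech is None:
        return "allow: plain IPv4"
    if mech == "6in4" and (outer_src, outer_dst) in manual_tunnels:
        return "allow: configured manual tunnel"
    if mech == "6to4":
        # The 'no source address filtering' problem: all a relay can check is
        # that the embedded IPv4 address matches the outer source (RFC 3964),
        # and the sender controls both fields.
        embedded = decode_6to4(inner_src)
        if embedded is not None and str(embedded) != outer_src:
            return "drop: 6to4 (embedded IPv4 %s != outer source %s)" % (embedded, outer_src)
    return "drop: %s (dynamic tunnel)" % mech


if __name__ == "__main__":
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(perimeter_decision("198.51.100.7", "203.0.113.9", PROTO_UDP, 40000, TEREDO_UDP_PORT))
    print(perimeter_decision("198.51.100.7", "192.88.99.1", PROTO_IPV6_IN_IPV4, 0, 0,
                             "2002:c000:204::1", "2001:db8::2"))
```

The Teredo decoder shows why the slide calls Teredo "holes into the NAT device": the address itself publishes the client's public IPv4 address and the UDP port the NAT opened for it. The standard library's `IPv6Address.sixtofour` and `IPv6Address.teredo` attributes perform the same decoding if you do not need the flags and port.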

91 Some IPv6 Security Recommendations 1
If NOT deploying IPv6 completely:
1. Block all IPv6 traffic, native and tunneled, at the organization's FW. Both incoming and outgoing traffic should be blocked.
2. Disable all IPv6-capable ports, protocols and services on all software and hardware.
3. Begin to acquire familiarity and expertise with IPv6 through laboratory experimentation and/or limited pilot deployments.
4. Make organization web servers located outside the organizational FW accessible via IPv6. This will enable IPv6-only users to reach the servers and help the organization acquire familiarity with some aspects of IPv6 deployment.

92 Some IPv6 Security Recommendations 2
If deploying IPv6:
- Apply an appropriate mix of different types of IPv6 addressing (privacy addresses, ULA, etc.) to limit access to, and knowledge of, IPv6-addressed environments.
- Leverage IPsec to secure IPv6 where suitable.
- Use automated address management tools to avoid manual entry of IPv6 addresses, which is error-prone because of their length.
- Develop an ICMPv6 filtering policy: ensure that the ICMPv6 messages essential to IPv6 operation (for example Packet Too Big, without which Path MTU Discovery fails) are allowed, and that the others are blocked.
- Use IPsec to authenticate, and provide confidentiality for, critical assets.
- Enable controls that might not have been used in IPv4 because of a lower threat level during initial deployment (default-deny access control policies, routing protocol security, etc.).
- Pay close attention to the security aspects of transition mechanisms (tunneling, etc.).
- Ensure that IPv6 routers, packet filters, firewalls and tunnel endpoints enforce multicast scope boundaries, and make sure that Multicast Listener Discovery (MLD) packets are not inappropriately routable.
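An ICMPv6 filtering policy of the kind the "filter ICMPv6" items on slides 87 and 92 ask for, as an added example that is not code from the talk. It follows the groupings of RFC 4890 for a filter that IPv6 traffic transits: the error and echo messages IPv6 cannot work without pass (echo rate-limited), messages that normally should pass are allowed, link-local-only messages (NDP, MLD, SEND, multicast router discovery) are never forwarded, and deprecated, experimental or unallocated types fall to default deny. The firewall log lines it is run over are constructed for the example.

```python
"""Border ICMPv6 filtering policy following the RFC 4890 groupings. Added
example, not code from the talk. SAMPLE_LOG is constructed for the example.
"""
import re
from collections import Counter

ANY = None  # placeholder meaning "all codes of this type"

# RFC 4890 4.3.1: must not be dropped (echo is allowed but should be rate-limited)
MUST_ALLOW = {1: ANY, 2: ANY, 3: {0}, 4: {1, 2}}
ECHO = {128: ANY, 129: ANY}
# RFC 4890 4.3.2: normally should not be dropped (Time Exceeded code 1,
# Parameter Problem code 0, Mobile IPv6 discovery messages)
NORMALLY_ALLOW = {3: {1}, 4: {0}, 144: ANY, 145: ANY, 146: ANY, 147: ANY}
# RFC 4890 4.3.3: link-local messages (hop limit 255 / link-local scope) that a
# router never forwards: MLD, NDP, Inverse ND, SEND, Multicast Router Discovery
LINK_LOCAL_ONLY = {130, 131, 132, 143, 133, 134, 135, 136, 137, 141, 142, 148, 149, 151, 152, 153}
# RFC 4890 4.3.5: drop unless there is a good case: Router Renumbering, Node
# Information Query/Response, experimental (100, 101, 200, 201) and extension
# (127, 255) type numbers
DROP_UNLESS_NEEDED = {138, 139, 140, 100, 101, 200, 201, 127, 255}


def _matches(table, itype, icode):
    codes = table.get(itype, False)
    return codes is not False and (codes is ANY or icode in codes)


def icmpv6_transit_policy(itype, icode):
    """Decision for an ICMPv6 message that would transit the border firewall."""
    if _matches(MUST_ALLOW, itype, icode):
        return "allow"
    if _matches(ECHO, itype, icode):
        return "allow-ratelimit"
    if _matches(NORMALLY_ALLOW, itype, icode):
        return "allow"
    if itype in LINK_LOCAL_ONLY:
        return "drop-log"          # should never reach a transit filter; worth a log line
    if itype in DROP_UNLESS_NEEDED:
        return "drop"
    return "drop"                  # unallocated or unknown type/code: default deny


LOG_RE = re.compile(r"icmpv6 type=(\d+) code=(\d+)")


def apply_policy_to_log(lines):
    """Run the policy over firewall log lines; returns ({(type, code): decision}, tally of decisions)."""
    decisions, tally = {}, Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        itype, icode = int(m.group(1)), int(m.group(2))
        d = icmpv6_transit_policy(itype, icode)
        decisions[(itype, icode)] = d
        tally[d] += 1
    return decisions, tally


# Constructed log lines for the example (addresses from the documentation prefix).
SAMPLE_LOG = [
    "May 13 10:31:02 fw in=eth0 src=2001:db8:1::5 dst=2001:db8:2::9 icmpv6 type=2 code=0",    # Packet Too Big
    "May 13 10:31:03 fw in=eth0 src=2001:db8:1::5 dst=2001:db8:2::9 icmpv6 type=128 code=0",  # Echo Request
    "May 13 10:31:04 fw in=eth0 src=2001:db8:1::5 dst=2001:db8:2::9 icmpv6 type=3 code=1",    # reassembly timeout
    "May 13 10:31:05 fw in=eth0 src=fe80::1 dst=ff02::1 icmpv6 type=134 code=0",              # RA at a transit filter
    "May 13 10:31:06 fw in=eth0 src=2001:db8:1::5 dst=2001:db8:2::9 icmpv6 type=139 code=0",  # Node Information Query
    "May 13 10:31:07 fw in=eth0 src=2001:db8:1::5 dst=2001:db8:2::9 icmpv6 type=200 code=0",  # experimental
]

if __name__ == "__main__":
    for key, decision in apply_policy_to_log(SAMPLE_LOG)[0].items():
        print(key, decision)
```

Blocking ICMPv6 wholesale, as many IPv4 firewall policies do, silently breaks Path MTU Discovery (type 2) and with it any connection whose packets exceed the path MTU; the policy above keeps those messages while still dropping the recon-friendly ones (Node Information Query) and anything unallocated.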

93 Some IPv6 Simple Best Security Practices
- Always null-route unused address space within your network: if you have prefixes you know are unused, route them towards Null0 on your routers.
- Enable port security and limit the number of MACs on customer ports.
- Always filter ingress traffic from customers with uRPF or ACLs.
- Authenticate all of your network protocols.
- ALWAYS ENCRYPT YOUR MANAGEMENT TRAFFIC!
- Filter BGP sessions ingress and egress.
- Set maximum-prefix / prefix-limit on BGP sessions (including customers, transits and peers).
- Give high priority to network control traffic.
- Ideally, have an out-of-band management path to all POPs.
- Restrict DHCP and Router Advertisements on customer ports.
- Separate customers into separate VLANs if you can.
- Monitor critical network element resources, e.g. memory, bandwidth, etc.
- Keep patching up to date.
- Have a security plan that includes incident management processes: identify who, what and how; practice and test the plan; make sure you know how to reach your peers and transit providers, and how their security plans work!
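The first and third items above work together, and this added example (not code from the talk) shows how: strict and loose unicast RPF checks against a FIB in which unused space is routed to Null0. The FIB, interface names and prefixes are constructed for the example from the documentation ranges.

```python
"""Unicast RPF on customer ports plus null routing of unused space. Added
example, not code from the talk; the FIB and interfaces are constructed.
Strict mode accepts a packet only when the best route for its source points
back out the ingress interface; loose mode only needs some non-discard route.
A route to Null0 fails both, which is why black-holing unused space also
stops spoofed packets that claim to come from it.
"""
import ipaddress

NULL0 = "Null0"

# Constructed FIB: prefix -> egress interface. 2001:db8::/32 is 'our' block.
FIB = {
    "::/0": "transit",
    "2001:db8::/32": NULL0,          # covering discard route for everything unassigned in our block
    "2001:db8:100::/48": "cust1",
    "2001:db8:200::/48": "cust2",
    "2001:db8:300::/48": NULL0,      # allocated to us but not (yet) in use
}


def lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None when no route covers addr."""
    ip = ipaddress.IPv6Address(addr)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src, ingress_iface, mode="strict", allow_default=False):
    """Return (accept, reason) for a packet with source src arriving on ingress_iface."""
    ip = ipaddress.IPv6Address(src)
    if ip.is_multicast:
        return False, "multicast source is never valid"
    if ip.is_link_local:
        return True, "link-local source: addressed to the router itself (ND, RS), never forwarded"
    route = lookup(fib, src)
    if route is None:
        return False, "no route for source"
    net, iface = route
    if iface == NULL0:
        return False, "source lies inside null-routed space %s" % net
    if net.prefixlen == 0 and not allow_default:
        # Matching only the default route proves nothing about where the source lives.
        return False, "source reachable only via the default route"
    if mode == "loose":
        return True, "loose: a route exists via %s" % iface
    if iface != ingress_iface:
        return False, "strict: best route via %s, packet arrived on %s" % (iface, ingress_iface)
    return True, "strict: route %s points back out %s" % (net, ingress_iface)


def filter_ingress(fib, packets, ingress_iface, mode="strict"):
    """packets: iterable of (src, dst). Returns the sources that uRPF would drop, in order."""
    return [src for src, _dst in packets if not urpf_check(fib, src, ingress_iface, mode)[0]]


if __name__ == "__main__":
    for src in ("2001:db8:100::1", "2001:db8:200::1", "2001:db8:300::1", "2001:db8:abc::1"):
        print(src, urpf_check(FIB, src, "cust1"))
```

Strict mode on customer ports catches a customer spoofing another customer's space; loose mode on transit ports catches only sources that are unrouted or black-holed, which is exactly the traffic the null routes create, and it cannot stop an outside party spoofing your own customer's prefix (the `transit` + loose case in the checks below accepts it).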

94 Check IPv6-Ready Compliance Requirements 1
IPv6 compliance, network security devices (firewalls, IDS, IPS, etc.). Mandatory support, standard (RFC):
- IPv6 Basic Specification (2460)
- IPv6 Addressing Architecture (4291)
- Default Address Selection (3484)
- ICMPv6
- SLAAC (4862)
- Router-Alert option (2711)
- Path MTU Discovery (1981)
- Neighbor Discovery (4861)
- BGP4 protocol (4760)
- OSPFv3
- RIPng (2080)
- IS-IS (5308)
- Support for QoS (3140)
- Basic Transition Mechanisms for IPv6 Hosts and Routers (4213)
- Using IPsec to Secure IPv6-in-IPv4 Tunnels (4891)

95 Check IPv6-Ready Compliance Requirements 2
IPv6 compliance, router / Layer 3 switch. Mandatory support, standard (RFC):
- IPv6 Basic Specification (2460)
- IPv6 Addressing Architecture (4291)
- Default Address Selection (3484)
- ICMPv6
- SLAAC (4862)
- MLDv2 snooping (4541)
- Router-Alert option (2711)
- Path MTU Discovery (1981)
- Neighbor Discovery (4861)
- Classless Inter-Domain Routing (4632)
- Dynamic Interior Gateway Protocol (IGP): RIPng (2080), OSPFv3, IS-IS (5308)
- BGP
- Support for QoS (3140)
- Basic Transition Mechanisms for IPv6 Hosts and Routers (4213)
- Using IPsec to Secure IPv6-in-IPv4 Tunnels (4891)
- Generic Packet Tunneling in IPv6
- Mobile IPv6 (MIPv6) (4877)
- MPLS functionality (4798)
- Layer-3 VPN functionality (4659)
- MPLS Traffic Engineering (5120)

96 Check IPv6-Ready Compliance Requirements 3
IPv6 compliance, host (client / server). Mandatory support, standard (RFC):
- IPv6 Basic Specification (2460)
- IPv6 Addressing Architecture (4291)
- Default Address Selection (3484)
- ICMPv6
- DHCPv6 client (3315)
- SLAAC (4862)
- Path MTU Discovery (1981)
- Neighbor Discovery (4861)
- Basic Transition Mechanisms for IPv6 Hosts and Routers (4213)
- IPsec
- IKE version 2 (IKEv2) (4718)
- Mobile IPv6 (MIPv6) (4877)
- DNS protocol extensions for incorporating IPv6 DNS resource records (3596)
- DNS message extension mechanism (2671)
- DNS message size requirements (3226)

97 Check IPv6-Ready Compliance Requirements 4
IPv6 compliance, Layer 2 switch. Mandatory support, standard (RFC):
- MLDv2 snooping (4541)
- DHCPv6 snooping (3315)
- Router Advertisement (RA) filtering (5006)
- Dynamic IPv6 NA / NS inspection (4861)
- Neighbor Unreachability Detection, NUD (4861)
- Duplicate Address Detection (4429)
IPv6 support in software: all software must support IPv4 and IPv6 and be able to communicate over both types of network. If software includes network parameters in its local or remote server settings, it should also support configuration of IPv6 parameters. Functionality must not differ significantly between IPv4 and IPv6: the user should not experience any significant difference when the software is communicating over IPv4 or IPv6.


99 So: Is IPv6 more secure? Yes & No!
Yes:
- IPsec (authentication + encryption)
- Secure Neighbor Discovery (SEND)
- Cryptographically generated addresses (CGA)
- Unique Local Addresses (ULAs)
- Privacy addresses
No:
- Automated tunneling
- Neighbor Discovery and auto-configuration
- End-to-end model
- Newness and complexity
- Lack of guidance, policy and training
- Tool usage (attack tools such as those shown earlier are readily available)


101 IPv6 Security Issues Are Evolving & In Continuous Progress: Stay Tuned!


More information

IPv6 Security Safe, Secure, and Supported.

IPv6 Security Safe, Secure, and Supported. IPv6 Security Safe, Secure, and Supported. Andy Davidson Hurricane Electric and LONAP adavidson@he.net Twitter: @andyd MENOG 9 Muscat, Oman, Tuesday 4 th October 2011 Don t Panic! IPv6 is not inherently

More information

Virtual Private Network. Network User Guide. Issue 05 Date

Virtual Private Network. Network User Guide. Issue 05 Date Issue 05 Date 2018-03-30 Contents Contents 1 Overview... 1 1.1 Concepts... 1 1.1.1 VPN... 1 1.1.2 IPsec VPN...1 1.2 Application Scenarios...2 1.3 Billing Standards... 3 1.4 VPN Reference Standards and

More information

KENIC-AFRINIC IPv6 Workshop 17th 20th June 2008

KENIC-AFRINIC IPv6 Workshop 17th 20th June 2008 IPv6 Training KENIC-AFRINIC IPv6 Workshop 17th 20th June 2008 César Olvera (cesar.olvera@consulintel.es) Jordi Palet (jordi.palet@consulintel.es) es) Alvaro Vives (alvaro.vives@consulintel.es) -1 Agenda

More information

IPv6 Security Issues and Challenges

IPv6 Security Issues and Challenges IPv6 Security Issues and Challenges Dr. Omar A. Abouabdalla (omar@ipv6global.my) Head Technology Consultant IPv6 Global Sdn Bhd 7 November 2012 IPv6 TO MIGRATE OR NOT TO MIGRATE? It s not an option. Either

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

Cisco 5921 Embedded Services Router

Cisco 5921 Embedded Services Router Data Sheet Cisco 5921 Embedded Services Router The Cisco 5921 Embedded Services Router (ESR) is a Cisco IOS software router application. It is designed to operate on small, low-power, Linux-based platforms

More information

Unit 5: Internet Protocols skong@itt-tech.edutech.edu Internet Protocols She occupied herself with studying a map on the opposite wall because she knew she would have to change trains at some point. Tottenham

More information

IPv6 Client IP Address Learning

IPv6 Client IP Address Learning Prerequisites for IPv6 Client Address Learning, on page 1 Information About IPv6 Client Address Learning, on page 1 Configuring IPv6 Unicast, on page 6 Configuring RA Guard Policy, on page 7 Applying RA

More information

Securing Networks with Cisco Routers and Switches

Securing Networks with Cisco Routers and Switches SNRS Securing Networks with Cisco Routers and Switches Volume 2 Version 2.0 Student Guide Editorial, Production, and Web Services: 02.06.07 DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED AS IS. CISCO

More information

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin,

Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, Fundamental Questions to Answer About Computer Networking, Jan 2009 Prof. Ying-Dar Lin, ydlin@cs.nctu.edu.tw Chapter 1: Introduction 1. How does Internet scale to billions of hosts? (Describe what structure

More information

IP Security IK2218/EP2120

IP Security IK2218/EP2120 IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas Acknowledgements The presentation builds upon material from - Previous

More information

The IPsec protocols. Overview

The IPsec protocols. Overview The IPsec protocols -- components and services -- modes of operation -- Security Associations -- Authenticated Header (AH) -- Encapsulated Security Payload () (c) Levente Buttyán (buttyan@crysys.hu) Overview

More information

Internet Control Message Protocol

Internet Control Message Protocol Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.

More information

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1

Computer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec

More information

Service Managed Gateway TM. Configuring IPSec VPN

Service Managed Gateway TM. Configuring IPSec VPN Service Managed Gateway TM Configuring IPSec VPN Issue 1.2 Date 12 November 2010 1: Introduction 1 Introduction... 3 1.1 What is a VPN?... 3 1.2 The benefits of an Internet-based VPN... 3 1.3 Tunnelling

More information

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line

Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Next Generation IPv6 Cyber Security Protection Through Assure6i TM Product Line Designed to Prevent, Detect, and Block Malicious Attacks on Both IPv4 and IPv6 Networks TM Introduction With the exponential

More information

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME,

The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, 1 The Internet community has developed application-specific security mechanisms in a number of application areas, including electronic mail (S/MIME, PGP), client/server (Kerberos), Web access (Secure Sockets

More information

NIST SP : Guidelines for the Secure Deployment of IPv6

NIST SP : Guidelines for the Secure Deployment of IPv6 NIST SP 800-119: Guidelines for the Secure Deployment of IPv6 Sheila Frankel Computer Security Division NIST sheila.frankel@nist.gov US Government IPv6 Directives: Office of Management and Budget (OMB)

More information

IPv6 Security: Threats and Mitigation

IPv6 Security: Threats and Mitigation IPv6 Security: Threats and Mitigation Eric Vyncke, Distinguished Engineer @evyncke Agenda Debunking IPv6 Myths Shared Issues by IPv4 and IPv6 Specific Issues for IPv6 Extension headers, IPsec everywhere,

More information

Networking interview questions

Networking interview questions Networking interview questions What is LAN? LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected

More information

Actual4Test. Actual4test - actual test exam dumps-pass for IT exams

Actual4Test.   Actual4test - actual test exam dumps-pass for IT exams Actual4Test http://www.actual4test.com Actual4test - actual test exam dumps-pass for IT exams Exam : GCFW Title : GIAC Certified Firewall Analyst Vendors : GIAC Version : DEMO Get Latest & Valid GCFW Exam's

More information

8. Network Layer Contents

8. Network Layer Contents Contents 1 / 43 * Earlier Work * IETF IP sec Working Group * IP Security Protocol * Security Associations * Authentication Header * Encapsulation Security Payload * Internet Key Management Protocol * Modular

More information

Lecture 13 Page 1. Lecture 13 Page 3

Lecture 13 Page 1. Lecture 13 Page 3 IPsec Network Security: IPsec CS 239 Computer Software March 2, 2005 Until recently, the IP protocol had no standards for how to apply security Encryption and authentication layered on top Or provided

More information

BCRAN. Section 9. Cable and DSL Technologies

BCRAN. Section 9. Cable and DSL Technologies BCRAN Section 9 Cable and DSL Technologies Cable and DSL technologies have changed the remote access world dramatically. Without them, remote and Internet access would be limited to the 56 kbps typical

More information

Configuring IPsec and ISAKMP

Configuring IPsec and ISAKMP CHAPTER 61 This chapter describes how to configure the IPsec and ISAKMP standards to build Virtual Private Networks. It includes the following sections: Tunneling Overview, page 61-1 IPsec Overview, page

More information

PROTECTING INFORMATION ASSETS NETWORK SECURITY

PROTECTING INFORMATION ASSETS NETWORK SECURITY PROTECTING INFORMATION ASSETS NETWORK SECURITY PAUL SMITH 20 years of IT experience (desktop, servers, networks, firewalls.) 17 years of engineering in enterprise scaled networks 10+ years in Network Security

More information

The EN-4000 in Virtual Private Networks

The EN-4000 in Virtual Private Networks EN-4000 Reference Manual Document 8 The EN-4000 in Virtual Private Networks O ne of the principal features of routers is their support of virtual private networks (VPNs). This document discusses transmission

More information