IPv6 Transition: Why a new security mechanisms model is necessary?
Abidah Hj Mat Taib
[email protected]
[email protected]
Universiti Teknologi Mara,
Perlis Malaysia
Outline
• Transition / coexistence
• Security Threats
• Threats due to Transition Mechanisms
• Current Security Mechanisms
• Current IPv4 Security Model
• New Security Model
• Conclusion
Transition .. coexistence?
[Diagram labels: IPv4; IPv6; Security Considerations; IPv6 Deployment; IPv6 Specific Protocol; Transition Mechanisms]
Threats due to Transition Mechanisms -- Dual stack
• Applications on a device can be subject to attack over both IPv4 and IPv6.
• Need parallel filtering/detection rules for IPv4 and IPv6 packets.
[Diagram labels: Internal network; Internet; IPv4; IPv6; Server (x3)]
Security Threats
• Similar threats in IPv4 & IPv6 networks.
• Reconnaissance
  - exploit the site scope multicast address – flooding -- DoS
• Misuse of routing headers – packets spoofed & attack packets redirected to initiate DoS
• Fragmentation related attacks
• Misuse of ICMPv6 and multicast
  - ICMPv6 Stateless Auto-Configuration
  - Route Implanting with ICMPv6 Redirects (use fake Echo Request)
  - Smurf IPv6 – source is target, destination is local multicast address (generates lots of local traffic that is sent to source)
• Autoconfiguration and Neighbor Discovery Vulnerabilities
Threats due to Transition Mechanisms -- Tunneling
• Packet injection
• Exploiting the tunnel interface
• Bypassing ingress filtering checks
• Complexity of configuring devices as well as logging and monitoring the traffic
• IPv4 firewall has to be opened for protocol 41 (IPv6) and protocol 58 (ICMPv6) at the remote end of the tunnel.
Tunneling Mechanisms Security Issues
Tunneling | Threats
Configured Tunnel | Potential injection of IPv6-in-IPv4 packets into the tunnel decapsulator – must check the source of the tunnel.
Tunnel Broker | If the administrator is unaware that a tunnel broker (TB) is used by the users, he may not apply any guard against potential security holes.
6to4 | Attacks with Neighbor Discovery messages. Spoofing traffic to 6to4 nodes. Reflecting traffic from 6to4 nodes. Local IPv4 broadcast attacks.
ISATAP | Spoofing attack – bogus IP protocol 41 packets are injected into an ISATAP link from outside, or from within an ISATAP link by a node pretending to be a router.
Teredo | Bypassing security controls, reducing defense in depth, allowing unsolicited traffic, laundering DoS attacks from IPv4 to IPv4, IPv4 to IPv6, IPv6 to IPv4.
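The source checks listed above for configured tunnels and 6to4, shown as an added example that is not part of the original slides: a decapsulator-side filter for IPv4 protocol 41 packets. The function names, the tunnel_peers and allow_6to4 parameters, and the sample addresses (documentation ranges) are assumptions made for this example.

```python
import ipaddress
import struct

PROTO_41 = 41                                   # IPv4 protocol number for encapsulated IPv6
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def check_proto41(packet, tunnel_peers, allow_6to4=False):
    """Return (accept, reason) for an IPv4 packet reaching a tunnel decapsulator.
    tunnel_peers: IPv4 addresses (strings) of the configured remote endpoints;
    both parameters are hypothetical configuration for this example."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not an IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4                # outer header length in bytes
    if ihl < 20 or packet[9] != PROTO_41:
        return False, "not protocol 41"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return False, "payload is not a complete IPv6 header"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if str(outer_src) in tunnel_peers:
        return True, "configured tunnel peer"
    if allow_6to4 and inner_src in SIX_TO_FOUR:
        # 6to4: the IPv4 address embedded in 2002:V4ADDR::/48 must be the outer source
        if ipaddress.IPv4Address(inner_src.packed[2:6]) == outer_src:
            return True, "6to4 source consistent with outer source"
        return False, "6to4 source does not match outer source"
    return False, "outer source is not a configured tunnel endpoint"

def build_proto41(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample data: minimal IPv6-in-IPv4 packet, checksum left at 0."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, 59, 64)        # empty payload, Next Header 59
    v6 += ipaddress.IPv6Address(inner_src).packed
    v6 += ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_41, 0)
    v4 += ipaddress.IPv4Address(outer_src).packed
    v4 += ipaddress.IPv4Address(outer_dst).packed
    return v4 + v6
```

The outer IPv4 source can itself be forged, so this check complements ingress filtering on the IPv4 path rather than replacing it.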
Current Security Mechanisms
Mitigation Techniques | Challenges
Firewalls | Lots of different extension headers – hard for a firewall to filter them correctly without itself being exposed to buffer overflow or DoS.
IPsec | Not always a valid security option due to the bootstrapping problem.
Logging/Auditing | Most are implemented using IPv4 transport – need IPv6 transport to successfully log and audit dual stack network infrastructure.
Intrusion Detection | Lack of signature database.
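Why extension headers are hard for a firewall, shown as an added example that is not part of the original slides: before it can match on TCP or UDP, a filter has to walk the whole header chain, each header with its own length encoding, and decide what to do when the chain is truncated, fragmented or carries a type 0 routing header. The function names, the max_headers limit and the sample packets are assumptions made for this example.

```python
import ipaddress
import struct

# IPv6 Next Header values that identify extension headers (plus ESP)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def walk_extension_headers(packet, max_headers=8):
    """Return (upper_layer_protocol or None, chain, findings) for a raw IPv6 packet.
    max_headers is a policy limit chosen for this example."""
    chain, findings = [], []
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None, chain, ["not an IPv6 packet"]
    next_header, offset = packet[6], 40
    while next_header in WALKABLE:
        if len(chain) >= max_headers or offset + 8 > len(packet):
            findings.append("chain too long or truncated")
            return None, chain, findings
        chain.append(next_header)
        if next_header == HOP_BY_HOP and len(chain) > 1:
            findings.append("hop-by-hop options not first in chain")
        if next_header == ROUTING and packet[offset + 2] == 0:
            findings.append("type 0 routing header")
        if next_header == FRAGMENT:
            if int.from_bytes(packet[offset + 2:offset + 4], "big") >> 3:
                findings.append("non-first fragment: upper-layer header not visible")
                return None, chain, findings
            length = 8                                  # fragment header has a fixed size
        elif next_header == AH:
            length = (packet[offset + 1] + 2) * 4      # AH length is in 4-byte words
        else:
            length = (packet[offset + 1] + 1) * 8      # other headers use 8-byte units
        next_header, offset = packet[offset], offset + length
    if offset > len(packet):
        findings.append("chain too long or truncated")
        return None, chain, findings
    if next_header == ESP:
        findings.append("ESP: remaining headers are encrypted")
    return next_header, chain, findings

def sample_packet(first_next_header, body):
    """Constructed sample: IPv6 header (2001:db8::1 -> 2001:db8::2) followed by body."""
    header = struct.pack("!IHBB", 6 << 28, len(body), first_next_header, 64)
    header += ipaddress.IPv6Address("2001:db8::1").packed
    header += ipaddress.IPv6Address("2001:db8::2").packed
    return header + body
```

A filter that returns None here has no upper-layer header to match on, so the policy for those packets (drop, or reassemble first) has to be decided explicitly.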
Current IPv4 Security Model: network-based
[Diagram labels: Internet; IDS; Edge Router; Stateful Firewall; Internal Network]
Current IPv4 Network-based Security Scheme
• Peer – firewall – Internet – firewall – peer
• Security policy enforced by firewalls
• Blocking attackers from outside BUT no firewall blocking attack coming from the same LAN segment
• Lack of secure end-to-end
• IDS – to find potential security problems and to detect unauthorized intrusion and misuse of network resources.
Current IPv4 Network-based Security Scheme .. cont…
• Perimeter defense
• IP firewalls, HTTP/HTTPS firewalls, content analysis: antivirus, anti spam, etc
• Defense in depth and network segmentation
• DMZ, layered architecture
• TLS/SSL based business application and VPNs for remote access
Revised Model: Host-based Security
[Diagram labels: Internet; Edge Router; Perimeter Firewall; Internal Network; LAN-1; LAN-2; LAN-3; IDS (multiple); Host-based firewalls / IDS]
New Security Model: Distributed mechanisms
[Diagram labels: Centralized Security Policy Repositories; Internet; Edge Router; Perimeter Firewall; Internal Network; LAN-1; LAN-2; LAN-3; IDS (multiple); Host-based firewalls / IDS]
New Security Model
• End-to-End IPsec
• Distributed security with the communicating hosts providing the policy enforcement for their own communication.
• Creating specific policies for securing communication based on currently running applications, rather than having a central enforcement point try to provide a single group-based policy.
• Possible to create more dynamic security policies which can vary over time based on changing trust relationships.
Distributed security endpoints
• Consists of host-resident firewalls, intrusion detection, security patching, and security status monitoring – can be accomplished by kernel-mode processes within an OS.
• A managed distributed host-based firewall system utilizing end-to-end IPsec can implement separate multi-level security policies with fine granularity.
• Using the end-to-end model, it is possible to divide users and servers into various trust groups and interest communities to implement separate security rules.
Conclusion
To design a new security mechanisms model:
• In-depth understanding of IPsec
• Define optimum security policies associated with network requirements
• Build comprehensive distributed firewalls to counter security issues in IPv4 as well as IPv6
• As well as IDS and IPS, logging/auditing
• Security test using available attacking tools
THANK YOU
Q&A