Implementation Strategies

Accidentally
Historical examples:
○ Unsecured wireless access points
○ Non-firewalled system/network
○ Starting IT projects without the ‘security guys’ involved
○ Last-minute projects and ‘demos’

Deliberately
Plan - Establish the objectives and processes necessary to deliver results
○ Management and security staff buy-in!
Do - Implement the new processes
Check - Measure the new processes and compare the results against the expected results
Act - Analyze the differences, determine their cause, determine improvement
IPv6 Enabled Systems

Deployment Date | Product                            | V6 Capable  | V6 Enabled
1996            | OpenBSD / NetBSD / FreeBSD         | Yes         | Yes
                | Linux 2.1.6 Kernel                 | Yes         | No
1997            | AIX 4.2                            | Yes         | No
2000            | Windows 95/98/ME/NT 3.5/NT 4.0     | Yes, add-on | No
                | Microsoft 2000                     | Yes         | No
                | Solaris 2.8                        | Yes         | Yes
2001            | Cisco IOS (12.x and later)         | Yes         | No
2002            | Juniper (5.1 and later)            | Yes         | Mostly
                | IBM z/OS                           | Yes         | Yes
                | Apple OS/10.3                      | Yes         | Yes
                | Microsoft XP                       | Yes         | No
                | Linux 2.4 Kernel                   | Yes         | No
                | AIX 6                              | Yes         | Yes
                | IBM AS/400                         | Yes         | Yes
2006            | Linksys Routers (Mindspring)       | Yes         | No
                | Cell Phone – Many                  | Yes         | Yes
                | Solaris 2.10                       | Yes         | Yes
                | Linux 2.6 Kernel                   | Yes         | Yes
2007            | Apple Airport Extreme              | Yes         | Yes
                | Cell Phone – BlackBerry            | Yes         | No
                | Microsoft Vista                    | Yes         | Yes
                | HP-UX 11iv2                        | Yes         | Yes
                | OpenVMS                            | Yes         | Yes
                | Macintosh OS/X Leopard             | Yes         | Yes
2009            | Cloud Computing & Embedded systems | Yes         | Yes
IPv6 Security Events

2001: Review of logs, after Honeynet Project announcement
2002: Honeynet Project : Lance Spitzner : Solaris
      Snort : Martin Roesch : Added then removed IPv6
2003: Worm : W32.HLLW.Raleka : Downloads files from a predefined location and connects to an IRC server
2005: Trojan : Troj/LegMir-AT : Connects to an IRC server
      CERT : Covert channels using IPv6 Teredo
      Mike Lynn : Blackhat : IOS' handling of IPv6 packets
2006: CanSecWest : THC IPv6 Hacking Tools
      RP Murphy : DefCon : IPv6 Covert Channels
2007: Rootkit : W32/Agent.EZM!tr.dldr : TCP HTTP SMTP
      James Hoagland : Blackhat : Teredo/IPv6-related flaw in Vista
2008: HOPE : IPv6 Mobile Phone Vulnerability
      November : "Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side." – Arbor Networks
Malware

Year | Date       | Infection | Name
2001 | 10/1/2001  | DOSbot    | Ipv4.ipv6.tcp.connection
2003 | 9/26/2003  | Worm      | W32/Raleka!worm
2004 | 7/6/2004   | Worm      | W32/Sdbot-JW
2005 | 2/18/2005  | Worm      | W32/Sdbot-VJ
     | 8/24/2005  | Trojan    | Troj/LegMir-AT
     | 9/5/2005   | Trojan    | Troj/LegMir-AX
2006 | 4/28/2006  | Trojan    | W32/Agent.ABU!tr.dldr
2007 | 1/2/2007   | Trojan    | Cimuz.CS
     | 4/10/2007  | Trojan    | Cimuz.EL
     | 5/4/2007   | Trojan    | Cimuz.FH
     | 11/5/2007  | Worm      | W32/Nofupat
     | 11/15/2007 | Trojan    | Trojan.Astry
     | 12/1/2007  | Rootkit   | W32/Agent.EZM!tr.dldr
     | 12/16/2007 | Trojan    | W32/Agent.GBU!tr.dldr
     | 12/29/2007 | Worm      | W32/VB-DYF
2008 | 4/22/2008  | Trojan    | Troj/PWS-ARA
     | 5/29/2008  | Trojan    | Generic.dx!1DAEE3B9
IPv6 Vulnerability Trends

[Chart: Published IPv6 Vulnerabilities over Time, 2000–2008; y-axis: Vulnerabilities (0–70); series: Count and Sum]
Impacts of Vulnerabilities

Published IPv6 Vulnerabilities by Classification:
○ DoS 62%
○ Other 22%
○ Code Execution 5%
○ Overflow 5%
○ Information Disclosure 5%
○ Privilege Escalation 2%
Core Problems

Published IPv6 Vulnerabilities by Technology:
○ Network/Firewall 75%
○ Application 11%
○ Teredo 6%
○ Firewall/Teredo 4%
○ IPsec/IKE 4%
Product Breakdown

IPv6 Vulnerabilities – Product Breakdown (core problem):
○ Implementation Vulnerabilities 56%
○ IPv6-specific Software Vulnerabilities 27%
○ Design Bugs/Vulnerabilities 13%
○ Configuration Vulnerabilities 2%
○ Other Vulnerabilities 2%
Attack Surfaces

○ Deployment models: IPv4 Native, IPv4 + Tunnels, IPv6 Native, Dual-Stack, IPv6 + Tunnels, Dual-Stack + Tunnels
○ Tunnels: encapsulation and/or encryption
○ 7-layer target: L2/L3 mismatch, MTU, etc.
○ Improper implementation and operations: user interface, chopping of addresses, bad libraries, error handling, coding issues, improper logging, embedded addresses
Security Tool Stages of IPv6 Compatibility

“Caveat emptor” – “Buyer beware”

Marketing terms: IPv6 Capable, IPv6 Compliant, IPv6 Compatible, IPv6 Ready, IPv6-Ready, IPv6 Available, IPv6 Enabled, IPv6 Tested, IPv6 DoD/DISA Ready, DoD/DISA Tested, JITC IPv6 Certified

Certification programs:
○ NIST Certified 1.0: Host, Router, Network Protection Devices for Routing, Quality of Service, Transition, Link Technology, Addressing, IPsec, Application Environment, Network Management, Multicasting, Mobility. http://www.antd.nist.gov/
○ DoD IPv6 Capable Certified 3.0: Host, Network appliances, Router / layer 3 switch, Security device, Advanced server, Application. http://jitc.fhu.disa.mil/apl/ipv6.html
○ IPv6 Ready Logo Program (http://www.ipv6ready.org/logo_db/approved_list.php and http://www.ipv6ready.org/logo_db/approved_list_p2.php):
  Phase 1: Host, Router, Special Device for minimum IPv6 Core Protocols
  Phase 2: Host, Router, Special Device for minimum IPv6 Core Protocols plus IPsec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, MLD, Transition, Management (SNMP MIBs)
Layers of Testing – Certified Product vs. Marketing Terms

[Table: layers of testing (Performance, Conformance, Interoperability, Security) against who tests: DoD, US Government, all others (third party), and Common Criteria (http://www.commoncriteriaportal.org/, third party)]
Compliance

What                         | Who                                        | Problems
FISMA                        | US Federal Government – Executive Branch   | • Few IPv6 NIST guidance documents/references
Sarbanes-Oxley Act           | Publicly traded companies                  | • Identify risk • Evaluate controls
Gramm-Leach-Bliley Act       | Banking, brokerages and financial          | • Risk management • Monitor and test
HIPAA                        | Health care                                | • PHI protected from intrusion • Risk analysis and risk management
Payment Card Industry (PCI)  | Credit card                                | • Requires NAT/PAT and IP masquerading • Base configuration on NIST, SANS and CSI • Disable all unnecessary and insecure services and protocols • Internal and external network vulnerability scans
Is IPv6 More Secure? Yes & No

IPv6 is a bigger toolkit for defense and attack.

Powerful tools for defense:
○ IPsec (authentication and encryption)
○ Secure Neighbor Discovery (SEND)
○ Cryptographically Generated Addresses (CGA)
○ Unique Local Addresses (ULAs)
○ Privacy addresses

New attack vectors:
○ Automated tunneling
○ Neighbor Discovery and autoconfiguration
○ End-to-End (E2E) model
○ Newness and complexity
○ LACK OF IA GUIDANCE, POLICY, TRAINING, TOOLS
Call To Action

○ Early security team involvement: risk management, IH/forensics, defenders
○ Leverage procurement: obtain IPv6-certified security products
○ Education: at all levels
○ Security tools, processes and infrastructure: upgrade!
○ Development: IPv6 secure coding practices
○ Testing & validation: use auditors/pen testers that know IPv6
Common Architecture Vulnerability

IPv4:
C:\Users\dbg1.000>ping 68.247.18.13
Pinging 68.247.18.13 with 32 bytes of data:
Ping statistics for 68.247.18.13: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

IPv6:
C:\Users\dbg1.000>tracert 2002:44f7:120d::44f7:120d
Tracing route to 2002:44f7:120d::44f7:120d over a maximum of 30 hops
  1     4 ms     2 ms     2 ms  2610:f8:c38::166
  2     2 ms   389 ms   444 ms  2002:44f7:120d::44f7:120d

Nmap scan showed the following ports were open: 80, 113, 135, 137, 5980 (ephemeral), WAP Push, blackjack, SQL…

IPv4 address:            68 . 247 . 18 . 13
Embedded in IPv6 (hex):  44   f7    12   0d   → DEFAULT 6to4 tunnel!
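As an added example (not from the original slides), the check a defender can script for the case above: decode the IPv4 address embedded in a 6to4 address and flag any host that the IPv4 perimeter is supposed to protect but that is reachable around it through the tunnel. It also decodes Teredo client addresses (RFC 4380), which the slides mention only by name; the Teredo sample, the 68.247.18.0/24 range and the function names are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")  # RFC 3056 6to4 prefix
TEREDO = ipaddress.IPv6Network("2001::/32")     # RFC 4380 Teredo prefix


def embedded_ipv4(addr):
    """Return (mechanism, IPv4Address) for a 6to4 or Teredo address, else None."""
    ip = ipaddress.IPv6Address(addr)
    bits = int(ip)
    if ip in SIXTOFOUR:
        # 6to4: the 32 bits right after the 2002: prefix are the 6to4 router's IPv4
        return ("6to4", ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF))
    if ip in TEREDO:
        # Teredo: the last 32 bits are the client's public IPv4 XORed with all ones
        return ("teredo", ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF))
    return None


def tunnel_exposures(ipv6_seen, protected_ipv4):
    """List IPv6 addresses whose embedded IPv4 host sits inside a range the IPv4
    firewall is meant to cover, i.e. hosts reachable around it via a tunnel."""
    nets = [ipaddress.IPv4Network(n) for n in protected_ipv4]
    hits = []
    for a in ipv6_seen:
        found = embedded_ipv4(a)
        if found and any(found[1] in n for n in nets):
            hits.append((a, found[0], str(found[1])))
    return hits


if __name__ == "__main__":
    # Constructed inputs: the two addresses from the slide's tracert plus a
    # constructed Teredo address (client 192.0.2.10 behind server 198.51.100.1).
    seen = ["2610:f8:c38::166",
            "2002:44f7:120d::44f7:120d",
            "2001:0:c633:6401:8000:63bf:3fff:fdf5"]
    for a in seen:
        print(a, "->", embedded_ipv4(a))
    # The slide's host: 100% loss on IPv4 ping, yet reachable over the 6to4 tunnel.
    print(tunnel_exposures(seen, ["68.247.18.0/24"]))
```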