Implementing Security with IOS + EEM (Implementace bezpečnosti pomocí IOS + EEM), track T-SEC
TRANSCRIPT
Cisco Expo 2011
Cisco Public © 2011 Cisco and/or its affiliates. All rights reserved.
Dimitar (Mitko) Vasilev
Routing and Switching CSE
• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 732 488 666
Threats at the Branch Office and HQ (slide diagram)
Branch offices connect over the Internet to headquarters; the threats shown are web surfing, DDoS on the router, worms/viruses, wireless attacks, voice attacks, attacks on branch servers, and attacks on the DMZ.
Cisco IOS Security: Securing the Branch Office and HQ (slide diagram)
The same threat map, with the IOS feature that addresses each threat: regulate surfing (ScanSafe), DDoS on the router (Network Foundation Protection), worms congesting the WAN (Application Firewall and FPM, Flexible Packet Matching), voice attacks (Voice Security), wireless attacks (Wireless Security), attacks on branch servers. At the HQ the features are deployed at the Campus Edge, the DC Edge and the DMZ.
• Secure Internet access to branch, without the need for additional devices
• Control worms and viruses right at the remote site, conserve WAN bandwidth
• Protect the router itself from hacking and DoS attacks
Zone Based Firewall
IOS Firewall
• Grouping of interfaces into zones
• Firewall policies are applied to traffic traversing zones
• Simple to add or remove interfaces and integrate into firewall policy
Available from IOS 12.4(6)T
Diagram: a router with E0 in the Trusted (private) zone, S0 toward the Internet in the Untrusted (public) zone, and a DMZ zone; the zone-pair policies shown are Private-Public, Public-DMZ, DMZ-Private and Private-DMZ.
Supported Features
Stateful inspection
Application inspection
HTTP, SMTP, ESMTP, POP3/IMAP, RPC, FTP/TFTP
IM, P2P, SIP, SCCP, H.323v3/v4
URL filtering
Per-Policy parameter
Transparent Firewall
VRF-aware firewall
User-group Firewall
IPv6
…
• Uses the C3PL (Cisco Common Classification Policy Language) framework, based on the existing MQC (Modular QoS CLI) framework in IOS
• Only 3 constructs:
  Class-map: specifies interesting traffic via "match" conditions
  Policy-map: associates actions with the above class map
  Parameter-map: operating parameters for the classification and action application
• Each of the constructs is a feature- or protocol-specific type
  Example: class-map type inspect match-all my-cmap
Example configuration (the "!" lines mark the configuration steps):
! Set up zones
zone security private
zone security public
! Define the services inspected by the policy
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
! Services with an ACL to define permitted/denied hosts (optional)
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
! Define the firewall action for the traffic
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
! Establish the zone-pair and apply the policy
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
! Assign interfaces to zones
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
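The two classic ZBFW mistakes are a zone-pair without a service-policy and an interface left in no zone: in both cases traffic is silently dropped. The checker below is an added example and not code from the presentation; it parses the slide's configuration (extended with a constructed DMZ zone, a second zone-pair and an unzoned interface as sample input) and reports those gaps. The ZBFW-specific lines it recognizes are the ones shown on the slide; everything else in the config is ignored.

```python
# Added example, not from the presentation: a sanity check over a ZBFW
# configuration. Zone-based firewalling drops traffic between two zones unless
# a zone-pair with a service-policy exists for the initiating direction, and
# drops traffic between a zone member and an interface that belongs to no zone.
# The checks below flag exactly those gaps. The sample configuration is the
# slide's, extended with a constructed DMZ zone and an unzoned interface.
import re

SAMPLE_CONFIG = """\
class-map type inspect match-any myprotocol
 match protocol smtp
 match protocol ftp
 match protocol http
class-map type inspect match-all myclass
 match access-group 102
 match class-map myprotocol
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
zone security private
zone security public
zone security dmz
zone-pair security priv-pub source private destination public
 service-policy type inspect mypolicy
zone-pair security pub-dmz source public destination dmz
interface Ethernet0
 zone-member security private
interface Serial0
 zone-member security public
interface Ethernet1
 ip address 10.0.0.1 255.255.255.0
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
"""


def parse_zbfw(config):
    """Pull zones, zone members, zone-pairs, their policies and interfaces out
    of IOS running-config text (only the ZBFW-relevant lines are parsed)."""
    zones, policies, interfaces = set(), set(), []
    members, pairs, pair_policy = {}, {}, {}
    ctx = None  # ("interface", name) or ("zone-pair", name) for indented lines
    for line in config.splitlines():
        text = line.strip()
        if not text:
            continue
        if not line.startswith(" "):
            ctx = None
            if m := re.fullmatch(r"zone security (\S+)", text):
                zones.add(m[1])
            elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", text):
                pairs[m[1]] = (m[2], m[3])
                ctx = ("zone-pair", m[1])
            elif m := re.fullmatch(r"policy-map type inspect (\S+)", text):
                policies.add(m[1])
            elif m := re.fullmatch(r"interface (\S+)", text):
                interfaces.append(m[1])
                ctx = ("interface", m[1])
        elif ctx and ctx[0] == "interface":
            if m := re.fullmatch(r"zone-member security (\S+)", text):
                members[ctx[1]] = m[1]
        elif ctx and ctx[0] == "zone-pair":
            if m := re.fullmatch(r"service-policy type inspect (\S+)", text):
                pair_policy[ctx[1]] = m[1]
    return zones, members, pairs, pair_policy, policies, interfaces


def check_zbfw(config):
    """Return human-readable findings; an empty list means no gaps found."""
    zones, members, pairs, pair_policy, policies, interfaces = parse_zbfw(config)
    findings = []
    for name, (src, dst) in pairs.items():
        for z in (src, dst):
            if z != "self" and z not in zones:   # "self" is the implicit router zone
                findings.append(f"zone-pair {name} references undefined zone {z}")
        if name not in pair_policy:
            findings.append(f"zone-pair {name} has no service-policy: {src}->{dst} traffic is dropped")
        elif pair_policy[name] not in policies:
            findings.append(f"zone-pair {name} references undefined policy-map {pair_policy[name]}")
    populated = set(members.values())
    for a in sorted(populated):
        for b in sorted(populated):
            if a != b and (a, b) not in pairs.values():
                findings.append(f"no zone-pair {a}->{b}: traffic initiated in {a} toward {b} is dropped "
                                f"(fine if only return traffic of inspected sessions is expected)")
    for ifc in interfaces:
        if ifc not in members:
            findings.append(f"interface {ifc} is in no zone: traffic between it and any zone member is dropped")
    for z in sorted(zones - populated):
        findings.append(f"zone {z} has no member interfaces")
    return findings


if __name__ == "__main__":
    for finding in check_zbfw(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of "show running-config" and treat the "no zone-pair" lines as informational: a missing public->private pair is normal when only return traffic of inspected sessions is expected from the public side.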
• CSM (Cisco Security Manager) can be used to configure ZBFW, since CSM 3.3
• Zones are created as interface role objects
Zone-Based Firewall: show commands
• To display zones and member interfaces:
  show zone security [zone-name]
• To display zone-pair information:
  show zone-pair security [source <zone> destination <zone>]
• To show policy statistics and sessions:
  show policy-map type inspect { <policy name> [class <class name>] | zone-pair [<zone-pair name>] [sessions | urlfilter cache] }
Router#show zone-pair security source private destination public
Zone-pair name priv-pub
 source-Zone private Destination-Zone public
 service-policy priv-pub-pol
Performance
• Mbps measured with 1400-byte packets, pps with 64-byte packets.
• Firewall test using stateless UDP: ingress 1400-byte UDP, same port number on every packet, hitting a single "let-me-through" policy.
• Result for the 3945, RFP ("drag strip") performance: IP 7.5 Gbps, firewall 3 Gbps.

Platform   IP (Mbps / pps)     IP+NAT (Mbps / pps)   ZBFW (Mbps / pps)    IPsec/AES (Mbps / pps)
3945       7,500 / 982,318     3,040 / 288,684       2,928 / 272,331      848 / 80,356
3925       6,451 / 833,334     2,562 / 241,080       2,399 / 238,031      770 / 80,051
2951       4,800 / 579,948     1,844 / 159,221       1,262 / 150,360      282 / 51,930
2921       3,273 / 479,156       729 /  77,340         749 /  65,476      207 / 34,226
2911       3,150 / 352,868       670 /  60,068         632 /  56,521      164 / 26,762
2901       2,910 / 327,382       641 /  44,635         584 /  52,385      154 / 24,111
1941       2,740 / 333,334       512 /  46,130         532 /  47,618      146 / 23,808
User-Group Firewall (UG-ZBF), available from IOS 12.4(20)T
• Users grouped based on identity and IP addresses
• Policies applied to the whole group
• Easy to segregate business-specific functions
• Inspect class-maps support UG-ZBF
• Authentication protocols supported: TACACS+, RADIUS
• Classification provided based on:
  Device type (computer, IP phone, etc.)
  Location (building / floor)
  Role (engineer, manager, accountant)
Diagram: the router (firewall / auth-proxy / NAC) sits between the engineering, HR & accounts, vendor/guest and IP phone networks, the server farm and the Internet cloud, with an authentication server. Flow: the router intercepts authentication traffic, updates its tag database, user-group policies are applied, and traffic is allowed or denied based on the configuration.
Unified Communications Trusted Firewall, available from IOS 12.4(22)T
• Cisco IOS Firewall enables trusted media control and helps prevent impersonation attacks
• Trusted Firewall authenticates/authorizes calls to ensure pinholes are only opened for legitimate calls
• Trusted Firewall is voice-protocol-version independent and it secures:
  Encrypted signaling paths
  Asymmetric signalling and media paths
Diagram: endpoints behind access switches on either side of an IP WAN, each site fronted by a Cisco IOS Firewall with Trust Relay Point (TRP), and CUCM as call control. A shared secret is configured in the TRPs and firewalls; the TRP sends a STUN/ICE message carrying a crypto token, and the firewall opens the pinhole only after verifying that token.
IPv6 Zone-Based Firewall, available from IOS 15.1(2)T
• Coexists with ZBFW for IPv4
• MIBs are provided for TCP, UDP, ICMPv6 and FTP sessions
• Configuration steps:
  Create an inspect-type parameter map
  Create an inspect-type class map
  Create an inspect-type policy map
  Set up security zones and zone pairs
parameter-map type inspect v6-param-map
 sessions maximum 10000
 ipv6 routing-header-enforcement loose
class-map type inspect match-any v6-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
policy-map type inspect v6-policy
 class type inspect v6-class
  inspect v6-param-map
zone security z1
zone security z2
zone-pair security zp source z1 destination z2
 service-policy type inspect v6-policy
The parameter map takes effect only when it is referenced from the inspect action, as in "inspect v6-param-map" above. Backward compatibility with legacy IPv6 inspection is retained.
• Zone Based FW design guide
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
• User Group Firewall
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_user_fw_supp.html
• ZBFW IPv6 configuration
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw.html#wp1072434
• VRF aware IPS
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_vrf_aware_ips.html
Insight provided by Management Instrumentation
IOS-ZFW# show flow record netflow-original
flow record netflow-original:
Description: Traditional IPv4 input NetFlow with origin ASs
No. of users: 0
Total field space: 53 bytes
Fields:
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
match flow sampler
collect routing source as
collect routing destination as
collect routing next-hop address ipv4
collect ipv4 source mask
collect ipv4 destination mask
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
The fields that determine a "flow" are defined with the "match" parameter. The "collect" fields are used to record information about each flow (a group of packets that share a common set of characteristics).
IOS-ZFW# show ip cache flow
IP packet size distribution (5176 total packets):
1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480
.000 .022 .000 .113 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .090
512 544 576 1024 1536 2048 2560 3072 3584 4096 4608
.000 .000 .000 .000 .772 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
156 active, 3940 inactive, 1174 added
20229 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 34056 bytes
151 active, 873 inactive, 1179 added, 1179 added to flow
0 alloc failures, 0 force free
1 chunk, 0 chunks added
last clearing of statistics 00:12:37
Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)
-------- Flows /Sec /Flow /Pkt /Sec /Flow /Flow
TCP-FTP 433 0.5 1 460 0.5 0.0 15.4
TCP-SMTP 107 0.1 1 40 0.1 0.0 15.7
UDP-DNS 540 0.7 1 128 0.7 0.0 15.4
ICMP 2 0.0 2002 1398 5.3 26.9 15.5
Total: 1082 1.4 4 1155 6.7 0.0 15.5
SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
Fa4.1250 172.16.250.85 Vl1252 172.16.252.10 06 20FD 0015 1
Fa4.1250 172.16.250.84 Vl1252 172.16.252.10 06 20FC 0015 1
Fa4.1250 172.16.250.80 Vl1252 172.16.252.10 06 20F8 0015 10
Fa4.1250 172.16.250.87 Vl1252 172.16.252.10 06 20FF 0015 12
Fa4.1250 172.16.250.86 Vl1252 172.16.252.10 06 20FE 0015 3
Fa4.1250 172.16.250.71 Fa4.1251 172.16.251.20 06 17DF 0019 1
Fa4.1250 172.16.250.70 Fa4.1251 172.16.251.20 06 17DE 0019 7
Fa4.1250 172.16.250.69 Fa4.1251 172.16.251.20 06 17DD 0019 1
Fa4.1250 172.16.250.78 Fa4.1251 172.16.251.20 06 17E6 0019 9
Fa4.1250 172.16.250.52 Fa4.1251 172.16.251.10 11 11F0 0035 1
Sample flow table: the output shows, per flow, the input and output interface, the distribution of flows per protocol, the distribution of flows by packet size, and the packets per flow.
NetFlow v9 (basis for the IPFIX standard): export packet layout (slide diagram)
  Header
  Template FlowSet (FlowSet ID 0): Template Record, Template ID #1 (specific field types and lengths); Template Record, Template ID #2 (specific field types and lengths)
  Data FlowSet, FlowSet ID #1: Data Records (field values) described by Template 1
  Data FlowSet, FlowSet ID #2: Data Record (field values) described by Template 2
A Data FlowSet carries as its FlowSet ID the ID of the template that describes its records, so a collector can only decode data records for which it has already received the template.
IOS-ZFW# show flow record FLEXRECORD1
flow record FLEXRECORD1:
Description: User defined
No. of users: 1
Total field space: 36 bytes
Fields:
match ipv4 precedence
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect ipv4 total-length
collect ipv4 fragmentation flags
collect ipv4 fragmentation offset
collect transport tcp flags
collect interface output
collect counter bytes
collect counter packets
flow exporter FLEXNETFLOW1
description *** Exporting to Cisco MARS
destination 192.168.1.114
source FastEthernet4.1102
transport udp 2055
!
flow monitor FLEX1
record FLEXRECORD1
exporter FLEXNETFLOW1
!
interface FastEthernet4.1250
ip flow monitor FLEX1 input
encapsulation dot1Q 1250
ip address 172.16.250.23 255.255.255.0
Flexible NetFlow allows the definition of new record formats (user-defined flow records such as FLEXRECORD1 above).
Wireshark screenshots of the exported NetFlow v9 packets (slides):
  Template FlowSet: Template #259 (14 fields), including the user-defined fields from the template; the header's count field gives the number of flow records (template or data records) in the packet.
  Data FlowSet: this packet carries several data records described by Template #259; in each data record (data flow instance) every field defined in the template takes a specific value (parameter value or field value).
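To make the template/data relationship from the packet-layout diagram and the Wireshark screenshots concrete, here is an added example (not code from the presentation) that serializes a NetFlow v9 export packet with one Template FlowSet carrying template 259 and one Data FlowSet described by it, then parses it back the way a collector would. The field type numbers are the RFC 3954 ones and cover a subset of FLEXRECORD1's fields; the flow values are constructed sample data, not a real export.

```python
# Added example, not from the presentation: build and then parse a NetFlow v9
# export packet laid out like the one in the screenshots: a header, one
# Template FlowSet (FlowSet ID 0) carrying Template 259, and one Data FlowSet
# (FlowSet ID 259) carrying records described by it. Field type numbers are
# the RFC 3954 ones (a subset of FLEXRECORD1's fields); the flow values are
# constructed sample data, not exported by a router.
import socket
import struct

TEMPLATE_ID = 259
# (RFC 3954 field type, length in bytes)
TEMPLATE_FIELDS = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (6, 1), (1, 4), (2, 4)]
FIELD_NAMES = {8: "src", 12: "dst", 4: "proto", 7: "sport", 11: "dport",
               6: "tcp_flags", 1: "bytes", 2: "pkts"}
SAMPLE_FLOWS = [  # constructed
    {"src": "172.16.250.85", "dst": "172.16.252.10", "proto": 6, "sport": 8445,
     "dport": 21, "tcp_flags": 0x02, "bytes": 460, "pkts": 1},
    {"src": "172.16.250.52", "dst": "172.16.251.10", "proto": 17, "sport": 4592,
     "dport": 53, "tcp_flags": 0, "bytes": 128, "pkts": 1},
]


def _encode(ftype, length, value):
    return socket.inet_aton(value) if ftype in (8, 12) else int(value).to_bytes(length, "big")


def _decode(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")


def build_v9_packet(records, sys_uptime=0, unix_secs=0, sequence=0, source_id=0):
    """Serialize `records` (dicts keyed like FIELD_NAMES values) into one v9 packet."""
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    for ftype, flen in TEMPLATE_FIELDS:
        body += struct.pack("!HH", ftype, flen)
    template_flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    data = b"".join(_encode(ftype, flen, rec[FIELD_NAMES[ftype]])
                    for rec in records for ftype, flen in TEMPLATE_FIELDS)
    pad = (-(4 + len(data))) % 4                     # FlowSets are padded to 32 bits
    data_flowset = struct.pack("!HH", TEMPLATE_ID, 4 + len(data) + pad) + data + b"\0" * pad
    # header count = template records + data records in this packet
    header = struct.pack("!HHIIII", 9, 1 + len(records), sys_uptime, unix_secs, sequence, source_id)
    return header + template_flowset + data_flowset


def parse_v9_packet(packet, templates=None):
    """Return (header, records, templates). `templates` carries definitions
    learned from earlier packets; a Data FlowSet whose template is unknown
    cannot be decoded, which is why collectors cache templates per source."""
    templates = dict(templates or {})
    version, count, uptime, secs, seq, src_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime": uptime, "unix_secs": secs,
              "sequence": seq, "source_id": src_id}
    records, offset = [], 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4:
            raise ValueError("bad FlowSet length")
        body = packet[offset + 4:offset + fs_len]
        if fs_id == 0:                               # Template FlowSet, possibly several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(nfields)]
                pos += 4 * nfields
        elif fs_id >= 256:                           # Data FlowSet; ID 1 (options) is skipped here
            fields = templates.get(fs_id)
            if fields is None:
                records.append({"undecodable_template": fs_id})
            else:
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):
                    rec = {}
                    for ftype, flen in fields:
                        rec[FIELD_NAMES.get(ftype, ftype)] = _decode(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return header, records, templates
```

The second assertion in the test mirrors the collector's situation when the template refresh has not arrived yet: the same Data FlowSet is undecodable on its own and decodes fine once the template learned from an earlier packet is passed in.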
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 destination address ipv4 precedence
Processed 79 flows
Aggregated to 4 flows
IPV4 DST ADDR IP PREC flows bytes pkts
=============== ======= ========== ========== ==========
172.16.252.20 5 32 11520 32
172.16.252.10 4 16 7360 16
172.16.251.20 2 16 4160 16
172.16.251.10 3 15 1920 15
!
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 destination address ipv4 protocol
Processed 79 flows
Aggregated to 4 flows
IPV4 DST ADDR IP PROT flows bytes pkts
=============== ======= ========== ========== ==========
172.16.252.20 6 32 11520 32
172.16.252.10 6 16 7360 16
172.16.251.20 6 16 4160 16
172.16.251.10 17 15 1920 15
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 protocol transport destination-port ipv4 precedence
Processed 79 flows
Aggregated to 5 flows
TRNS DST PORT IP PREC IP PROT flows bytes pkts
============= ======= ======= ========== ========== ==========
80 5 6 32 11520 32
443 4 6 16 7360 16
25 2 6 16 4160 16
0 3 17 8 1024 8
53 3 17 7 896 7
!
IOS-FW# show flow monitor FLEX1 cache aggregate ipv4 fragmentation flags ipv4 protocol transport destination-port
Processed 75 flows
Aggregated to 5 flows
TRNS DST PORT IP PROT IP FRAG FLAGS flows bytes pkts
============= ======= ============= ========== ========== ==========
80 6 0x00 30 10800 30
443 6 0x00 15 6900 15
25 6 0x00 15 3900 15
0 17 0x01 8 1024 8
53 17 0x00 7 896 7
IOS-FW#show flow monitor FLEX1 cache aggregate interface output transport tcp flags
Processed 971 flows
Aggregated to 9 flows
TCP FLAGS INTF OUTPUT flows bytes pkts
========= ==================== ========== ========== ==========
0x12 Fa4.1251 6 1560 6
0x02 Vl1252 926 333560 926
0x18 Vl1252 8 3680 8
0x00 Fa4.1251 15 1920 15
0x18 Fa4.1251 5 1300 5
0x02 Fa4.1251 5 1300 5
0x01 Vl1252 2 920 2
0x10 Vl1252 2 920 2
0x12 Vl1252 2 920 2
NBAR effectiveness
Problem: Application protocols as well as user behavior are changing, hence the traffic mix changes too. We need to permanently assess how effective the NBAR deployment is, especially when using CBQoS with "match protocol".
Solution: Automate the comparison between "unknown" versus "total" traffic.
Router# show ip nbar protocol-discovery top-n 5 Serial0/0
Input Output
Protocol Packet Count Packet Count
Byte Count Byte Count
5 minute bit rate (bps) 5 minute bit rate (bps)
---------- ------------------------ ------------------------
: : :
unknown 205 204
14976 10404
0 0
Total 41304 40944
2649809 2619839
3000 3000
NBAR recognized (%) = ((total - unknown) / total) * 100
With the sample output above, on input: (41304 - 205) / 41304 * 100 is about 99.5% of packets recognized.
Upon a low percentage of traffic recognized by NBAR, it's time to check for new PDLMs (Packet Description Language Modules).
See: available as an EASy package: http://www.cisco.com/go/easy
See: scripts available from CiscoBeyond: http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2101
Service Planning: Embedded Resource Manager (ERM)
• The ERM framework tracks resource depletion and resource dependencies across processes and within a system
• Monitors thresholds for CPU, buffer, and/or memory, for the system or a line card
• ERM can define a "group", i.e. a group of different CPU processes
• CISCO-ERM-MIB
• Interface into EEM
Available from: IOS 12.2(33)SRB, 12.4(15)T. Platforms: UC520, 800, x8xx ISR, x900x ISR, 65xx, 72xx, 73xx, 75xx, 76xx, 10xxx
Service Planning: Example, Monitoring Resources
Problem: During the planning cycle, we would like to understand if total CPU usage reaches critical levels.
Solution: Define an ERM policy to notify upon resource depletion. If total CPU usage rises above 90% over a 15-second interval, a Critical Up notification is sent; the falling thresholds clear the condition again.
resource policy
 policy my-erm-policy-1 type iosprocess
  system
   cpu total
    critical rising 90 interval 15 falling 20 interval 10 global
    major rising 70 interval 15 falling 15 interval 10 global
    minor rising 60 interval 15 falling 10 interval 10 global
!
Feb 17 13:32:18.283: %SYS-4-CPURESRISING: System is seeing global cpu util 62% at total level more than the configured minor limit 60%
Service Planning: Example, Monitoring Multiple Processes
Problem: In order to detect resource consumption caused by brute-force login attempts, we want to keep an eye on CPU utilization by the login processes.
Solution: Define an ERM policy to notify upon critical / suspicious levels: a syslog message if the group's CPU usage rises above 10% over a 10-second interval.
resource policy
 policy my-login-policy type iosprocess
  system
   cpu process
    critical rising 30 interval 10 falling 20 interval 10
    major rising 20 interval 10 falling 10 interval 10
    minor rising 10 interval 10 falling 5 interval 10
 user group my-login-group type iosprocess
  instance "SSH Process"
  instance "SSH Event handler"
  policy my-login-policy
*Aug 25 12:56:26.089: %SYS-4-CPURESRISING: Resource group my-login-group is seeing local cpu util 16% at process level more than the configured minor limit 10%
*Aug 25 12:56:41.089: %SYS-6-CPURESFALLING: Resource group my-login-group is no longer seeing local high cpu at process level for the configured minor limit 10%, current value 0%
What is NetFlow?
• Developed and patented at Cisco Systems in 1996
• NetFlow is the de facto standard for acquiring IP operational data
• Provides network and security monitoring, network planning, traffic analysis, and IP accounting
• NetFlow v9 (RFC 3954) serves as the basis for the IETF IPFIX standard (RFC 5101 & RFC 5102)
Service Planning: Flexible NetFlow (FNF)
• Traditional NetFlow with the v5, v7, or v8 NetFlow export
• NetFlow Version 9 (RFC 3954)
  Advantages: extensibility
  Integrate new technologies/data types quicker (MPLS, IPv6, BGP next hop, etc.)
  Integrate new aggregations quicker
  Basis for the IETF IPFIX standard (RFC 5101 & RFC 5102)
• Flexible NetFlow
  Advantages: cache (metering process) and export (exporting process) content flexibility
  User selection of flow keys
  User definition of the records
Flexible NetFlow cache queries
Top ten source addresses sending the most bytes:
Router# show flow monitor <monitor> cache aggregate ipv4 source address sort highest counter bytes top 10
Top five destination addresses inside the 10.10.10.0/24 prefix to which we are routing the most traffic:
Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 aggregate ipv4 destination address sort highest counter bytes top 5
Five VLANs to which we are sending the least bytes:
Router# show flow monitor <monitor> cache aggregate datalink dot1q vlan output sort lowest counter bytes top 5
Top 20 sources of 1-packet flows:
Router# show flow monitor <monitor> cache filter counter packet 1 aggregate ipv4 source address sort highest flow packet top 20
Low TTL
TTL is:
• An IP header field used to limit packet lifetime (upon routing loops)
• Each routing hop along a packet's path decrements this value
• Upon TTL==0 the packet is dropped
Low TTL values are also (mis)used:
• to establish bidirectional TCP sessions across NAT (aka TCP hole-punching)
• by some applications (multicast, load balancing, ...)
• by security attacks (denial of service, break-in, ...)
Hence low TTL can indicate:
• Routing issues
• Funny application behaviour
• Security incidents (what is my normal low-TTL traffic?)
How to report on low TTL in my network?
Problem: We want to know about low-TTL traffic.
Solution: Use Flexible NetFlow and Embedded Event Manager 3.0 to detect traffic flows with TTL < 5.
1. Configure Flexible NetFlow to match on TTL, source and destination address (the record and monitor are named here so that the applet below can reference the monitor):
flow record my-ttl-record
 match ipv4 ttl
 match ipv4 source address
 match ipv4 destination address
 :
flow monitor my-ttl-monitor
 record my-ttl-record
 :
2. Configure the NetFlow event detector in EEM to notify upon a new flow record whose TTL field is below 5:
event manager applet my-ttl-applet
 event nf monitor-name "my-ttl-monitor" event-type create event1 entry-value "5" field ipv4 ttl entry-op lt
 action 1.0 syslog msg "Low-TTL flow from $_nf_source_address"
*Dec 2 17:39:31.221: %HA_EM-6-LOG: my-ttl-applet: Low-TTL flow from 192.168.2.248
3. Use the syslog message and/or the "show flow monitor my-ttl-monitor cache" command to baseline the cache:
- Top (unexpected) talkers with low-TTL traffic?
- Deviation from normal?
- Senders with many low-TTL flows?
- Take actions (block suspicious senders)?
Detecting TCP SYN attacks against the servers' network 10.10.10.0/24: the top 100 pairs of IP addresses with one or two packet(s) that are destined for my servers' network
Router# show flow monitor <monitor> cache filter ipv4 destination address 10.10.10.0/24 counter packet regex[1-2] aggregate ipv4 source address ipv4 destination address sort highest flow top 100
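The two cache questions above, the low-TTL baseline from the previous slide and the one-or-two-packet pairs into the servers' network from this one, are easy to get wrong when the cache is large, so here is an added example (not code from the presentation) that answers both over an in-memory copy of what the flow cache holds. The flow records and the baseline are constructed sample data; the SYN-only variant goes one step beyond the slide's query by requiring that the only TCP flag seen on the flow was SYN, which drops legitimate one-packet flows such as DNS queries.

```python
# Added example, not from the presentation: the two flow-cache questions from
# the low-TTL and SYN-attack slides, answered over an in-memory copy of what
# a Flexible NetFlow cache holds. (1) Which senders produce flows with TTL
# below 5, and which of them deviate from a baseline. (2) Which source/
# destination pairs send one- or two-packet flows into the servers' network
# 10.10.10.0/24, plus a tighter SYN-only variant. The flow records and the
# baseline are constructed sample data.
import ipaddress
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto dport ttl pkts tcp_flags")

SAMPLE_FLOWS = [  # constructed
    # traceroute-style probes with low TTL from a known, baselined host
    Flow("192.168.2.248", "172.16.0.1", 17, 33434, 1, 1, 0),
    Flow("192.168.2.248", "172.16.0.1", 17, 33435, 2, 1, 0),
    # a host that suddenly emits many low-TTL flows
    *[Flow("10.20.0.9", "172.16.0.1", 17, 33434 + i, 3, 1, 0) for i in range(8)],
    # a normal client session to a server (SYN, ACK, PSH, FIN seen: 0x1B)
    Flow("10.20.0.9", "10.10.10.5", 6, 443, 64, 40, 0x1B),
    # one-packet SYN-only flows to several server ports: SYN scan / flood
    *[Flow("203.0.113.7", "10.10.10.5", 6, p, 52, 1, 0x02) for p in (22, 80, 443, 8080, 3306)],
    Flow("203.0.113.7", "10.10.10.6", 6, 22, 52, 1, 0x02),
    # a legitimate single-packet DNS query: one packet, but UDP and not SYN-only
    Flow("10.20.0.9", "10.10.10.8", 17, 53, 64, 1, 0),
    # the same scanner hitting a host outside the server net: excluded by the filter
    Flow("203.0.113.7", "10.20.0.50", 6, 22, 52, 1, 0x02),
]
BASELINE_LOW_TTL = Counter({"192.168.2.248": 2})  # constructed "normal" low-TTL senders


def low_ttl_senders(flows, threshold=5):
    """Counter of source addresses by number of flows with TTL < threshold."""
    return Counter(f.src for f in flows if f.ttl < threshold)


def low_ttl_deviation(current, baseline, factor=3, min_flows=5):
    """Senders whose low-TTL flow count is at least `min_flows` and more than
    `factor` times their baseline (an unseen sender has a baseline of 0)."""
    return sorted(src for src, n in current.items()
                  if n >= min_flows and n > factor * baseline.get(src, 0))


def small_flow_pairs(flows, server_net="10.10.10.0/24", max_pkts=2, top=100):
    """Equivalent of the slide's query: filter destination in server_net,
    counter packets 1-2, aggregate by (src, dst), sort highest flows, top N."""
    net = ipaddress.ip_network(server_net)
    pairs = Counter((f.src, f.dst) for f in flows
                    if f.pkts <= max_pkts and ipaddress.ip_address(f.dst) in net)
    return pairs.most_common(top)


def syn_only_pairs(flows, server_net="10.10.10.0/24"):
    """Tighter variant: TCP flows whose only flag seen is SYN (0x02), i.e.
    handshakes that never completed, the usual signature of a SYN flood or scan."""
    net = ipaddress.ip_network(server_net)
    return Counter((f.src, f.dst) for f in flows
                   if f.proto == 6 and f.tcp_flags == 0x02 and ipaddress.ip_address(f.dst) in net)


if __name__ == "__main__":
    current = low_ttl_senders(SAMPLE_FLOWS)
    print("low-TTL senders:", current.most_common())
    print("deviating from baseline:", low_ttl_deviation(current, BASELINE_LOW_TTL))
    print("small flows into server net:", small_flow_pairs(SAMPLE_FLOWS))
    print("SYN-only pairs:", syn_only_pairs(SAMPLE_FLOWS).most_common())
```

The baseline Counter is what "Baseline Cache" on the previous slide amounts to in practice: record the low-TTL senders seen during a quiet period, then alert only on senders that exceed it by a margin, otherwise every traceroute will page you.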
Beyond Auto SmartPorts: Automatic Port Configuration With EEM
• Pre-built port configuration templates for various devices simplify the user experience and minimize configuration error
• Automatic event detection (CDP/LLDP/MAC) triggers auto configuration
• Authentication (802.1X, MAB) and authorization can be conducted before the port configuration is applied
• Automatic notification can be sent to the NMS system to help with asset tracking
• Plug-and-play device deployment lowers overall management cost
Diagram: triggers (CDP, LLDP, MAC address, 802.1X) on the switch port, a RADIUS server for authentication, and an NMS station receiving the notification.
Beyond Auto SmartPorts: Take Full Control With EEM
• Auto SmartPorts are powered by EEM
• When a printer is added to the network, use an EEM applet to create a new ASP event. The applet reads the printer VLAN from an EEM environment variable, so that variable must be set first (the value 20 below is a placeholder); the regexp matches the CDP platform string of HP LaserJet printers.
event manager environment printer_vlan 20
event manager applet detect-printer
 event neighbor-discovery interface regexp FastEthernet.* cdp add
 action 001 regexp ".*LaserJet.*" "$_nd_cdp_platform"
 action 002 if $_regexp_result eq 1
 action 003  cli command "enable"
 action 004  cli command "config t"
 action 005  cli command "interface $_nd_local_intf_name"
 action 006  cli command "switchport access vlan $printer_vlan"
 action 007  cli command "switchport mode access"
 action 008  cli command "switchport port-security"
 action 009  cli command "switchport port-security violation restrict"
 action 010  cli command "switchport port-security aging time 2"
 action 011  cli command "switchport port-security aging type inactivity"
 action 012  cli command "spanning-tree portfast"
 action 013  cli command "spanning-tree bpduguard enable"
 action 014  cli command "end"
 action 015  syslog msg "New printer added: $_nd_cdp_entry_name , type: $_nd_cdp_platform"
 action 016 end
Testing, Verification & Assurance: NetFlow and NBAR
NetFlow
• Monitors data in Layers 2-4
• Determines applications by port
• Utilizes a seven-tuple for flow
• Flow information: who, what, when, where
NBAR
• Examines data from Layers 3-7
• Utilizes Layers 3 and 4 plus packet inspection for classification
• Stateful inspection of dynamic-port traffic
• Packet and byte counts
Diagram: a data packet as Link Layer Header | IP Header (Source IP Address, Destination IP Address, Protocol, ToS) | TCP/UDP Header (Source Port, Destination Port) | Data. NetFlow keys on the interface plus those IP and transport header fields; NBAR additionally performs deep packet (payload) inspection.
Example: Application Flow Aware, 1/4
Problem: We want to be aware of application traffic flows (i.e. who, when, where, what).
Solution: Use Flexible NetFlow and NBAR integration.
1. Configure Flexible NetFlow to match application name, source and destination address:
flow exporter <my-exporter>
 destination 10.10.10.1
 :
flow record <my-record>
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect counter bytes
 :
flow monitor <my-monitor>
 record <my-record>
 exporter <my-exporter>
 :
interface <my-interface>
 ip flow monitor <my-monitor> input
 :
Example: Application Flow Aware, 2/4
2. Then either handle within IOS and/or ...
router# show flow monitor <my-monitor> cache
Cache type: Normal
Cache size: 4096
Current entries: 2
High Watermark: 9
Flows added: 4464
Flows aged: 4463
- Active timeout ( 1800 secs) 0
- Inactive timeout ( 15 secs) 4463
- Event aged 0
- Watermark aged 0
- Emergency aged 0
IPV4 SRC ADDR IPV4 DST ADDR APP NAME bytes
=============== =============== ================== ==========
10.55.146.53 10.51.89.177 nbar ssh 10484
10.51.81.117 10.51.89.177 nbar icmp 1000
Example: Application Flow Aware, 3/4
3. Export to your favorite reporting system (screenshot courtesy of Plixer)
Example: Application Flow Aware, 4/4
3. Export to your favorite reporting system (screenshots from Cisco NME-NAM)
Embedded Packet Capture (EPC): Overview
• Capture packets flowing from, to, or through a given device
• Captures can be filtered using ACLs
• Captured packets can be exported for analysis in sniffer programs such as Wireshark
• CEF and process-switched flows are supported
• IPv4 and IPv6 are supported
Available from: 12.4(20)T and 12.2(33)SRE (7200 only)
Platforms: 8xx, 18xx, 28xx, 38xx ISRs; 19xx, 29xx, 39xx ISR G2s; 72xx
Source: http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps10592_TSD_Products_Configuration_Guide_Chapter.html
Embedded Packet Capture (EPC): Configuration 1/3
• Define a capture point
Router#monitor capture point ip cef cappnt GigabitEthernet0/0 both
  ip: protocol (either ip for IPv4 or ipv6 for IPv6)
  cef: switching path (either cef or process-switched)
  cappnt: capture point name
  GigabitEthernet0/0: interface on which to capture (or all)
  both: traffic flow direction (in, out, or both)
Embedded Packet Capture (EPC): Configuration 2/3
• Define a capture buffer
Router#monitor capture buffer capbuf size 512 max-size 1518 circular
  capbuf: capture buffer name
  512: maximum in-memory size in kilobytes (KB)
  1518: maximum packet slice size
  circular: buffer type (linear locks when full, circular wraps)
• Optionally limit the packets captured: by time, by number of packets captured, by dropping every Nth packet, or by limiting the packet rate
Router#monitor capture buffer capbuf limit duration 600
Embedded Packet Capture (EPC): Configuration 3/3
• Optionally define an access-list for filtering (e.g. capture WWW traffic only)
Router(config)#access-list 101 permit tcp any any eq 80
Router(config)#access-list 101 permit tcp any eq 80 any
• Configure the ACL on the buffer
Router#monitor capture buffer capbuf filter access-list 101
• Associate the capture buffer to the capture point
Router#monitor capture point associate cappnt capbuf
Embedded Packet Capture (EPC): Using EPC 1/3
• Start the capture
Router#monitor capture point start cappnt
• If the buffer is linear, the capture will run until the buffer is full or until the limiting criterion is met
• The capture can also be manually stopped
Router#monitor capture point stop cappnt
Embedded Packet Capture (EPC): Using EPC 2/3
• The contents of the buffer can be viewed on the device
• Or the buffer can be exported to a network server (or local file) in PCAP format for more detailed analysis
Router#show monitor capture buffer capbuf dump
12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None
6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20 .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010 dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00 ..1b.........
Router#monitor buffer export capbuf tftp://172.18.123.33/http.pcap
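When the router can show the buffer on the console but cannot export it (the 12.4T limitation noted under Other Considerations, or a box with no reachable TFTP server), the hex dump above is all you get. The following added example, which is not code from the presentation, parses that dump format into frames, writes a classic PCAP file that Wireshark opens directly, and decodes the Ethernet/IPv4/TCP headers of each frame as a sanity check. The sample dump is the slide's own; converting the dump's timestamps to seconds since midnight rather than full epoch time is a simplification of this example, since the dump line gives a zone name but no numeric offset.

```python
# Added example, not from the presentation: turn the text of
# "show monitor capture buffer <buf> dump" into a PCAP file, for the case
# where the router can show the buffer on the console but cannot export it
# (the 12.4T limitation noted under Other Considerations). The parser also
# decodes enough of the Ethernet/IPv4/TCP headers to label each frame. The
# sample dump is the one shown on the slide; timestamps are reduced to
# seconds since midnight (a simplification of this example).
import re
import socket
import struct

SAMPLE_DUMP = """\
Router#show monitor capture buffer capbuf dump
12:55:47.942 EDT Apr 2 2010 : IPv4 CEF Turbo : Gi0/0 None
6A89A4F0: 00101433 D4000017 085A1B16 08004500 ...3T....Z....E.
6A89A500: 002851A4 40003F06 05800E20 64210E20 .(Q$@.?.... d!.
6A89A510: 644BDE23 00171ED3 5BAAF4EC 4C215010 dK^#...S[*tlL!P.
6A89A520: FFFF3162 00000000 00000000 00 ..1b.........
"""

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8}:\s+(.*)$")
TIME_PREFIX = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})")


def parse_capture_dump(text):
    """Return [(header_line, frame_bytes), ...]. A packet starts at a non-hex
    header line (timestamp, switching path, interface); its bytes follow on
    'ADDR: XXXXXXXX ... ascii' lines, at most four 32-bit groups per line,
    so the trailing ASCII column is never mistaken for data."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEX_LINE.match(line)
        if m is None:
            packets.append((line, bytearray()))
            continue
        if not packets:
            raise ValueError("hex data before any packet header line")
        groups = []
        for tok in m.group(1).split():
            if len(groups) == 4 or len(tok) % 2 or not re.fullmatch(r"[0-9A-Fa-f]{2,8}", tok):
                break
            groups.append(tok)
        packets[-1][1].extend(bytes.fromhex("".join(groups)))
    return [(h, bytes(b)) for h, b in packets if b]   # drops prompt lines with no data


def to_pcap(packets):
    """Serialize frames as a classic little-endian PCAP file (link type Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (hdr, frame) in enumerate(packets):
        t = TIME_PREFIX.match(hdr)
        if t:
            sec = int(t[1]) * 3600 + int(t[2]) * 60 + int(t[3])
            usec = int(t[4]) * 1000
        else:
            sec, usec = i, 0                              # fall back to packet index
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def summarize(frame):
    """Decode Ethernet/IPv4 addresses and, for TCP, the ports; None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    info = {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "proto": frame[23]}
    if info["proto"] == 6 and len(frame) >= 14 + ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return info


if __name__ == "__main__":
    pkts = parse_capture_dump(SAMPLE_DUMP)
    for hdr, frame in pkts:
        print(hdr, len(frame), "bytes", summarize(frame))
    with open("capbuf.pcap", "wb") as fh:          # open the result with Wireshark
        fh.write(to_pcap(pkts))
```

Paste the whole terminal output into the parser; prompt and banner lines are harmless because a "packet" that collects no hex bytes is dropped. The decoded summary of the slide's frame (TCP from 14.32.100.33 to port 23 of 14.32.100.75) is a quick check that the byte grouping was read correctly before you trust the PCAP.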
Embedded Packet Capture (EPC): Using EPC 3/3 (screenshot of the exported capture)
Embedded Packet Capture (EPC): Other Considerations
• Make sure there is enough free memory to hold the maximum configured capture buffer size
• In 12.4T, capture buffers could only be exported to network servers; local export was made available in 15.0
• Large frame support (packets over 1024 bytes) was added in 15.0
• Access-list filtering does not match on packets generated by the device itself
• MPLS frames are not currently captured
• Multicast frames are only captured on ingress
Diagnosing Transient Problems• Problem: you are seeing VPN tunnel drops on your VPN head-end
router at 3:00 am every day. The tunnels continue to flap until the physical interface is reset. You want to analyze the traffic on the wire at that time.
Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 58
Diagnosing Transient ProblemsDoing Things the Long Way
Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 59
Diagnosing Transient Problems• Solution: Use Embedded Packet Capture together with Embedded
Event Manager to start a capture session at 3:00 am. When the VPN tunnels first go down, stop the capture, and email the binary capture file as a MIME attachment for analysis at a reasonable hour.
Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 60
Router#monitor capture point ip cef cappnt Serial2/0 both
Router#monitor capture buffer capbuf size 512 max-size 1518
circular
Router#monitor capture point associate cappnt capbuf
Troubleshooting Transient ProblemsConfiguring EPC• Setup EPC to use a circular buffer, and run forever
• EEM will take care of stopping the capture
Troubleshooting Transient Problems – Starting the Capture With EEM
Initiate the packet capture: start the capture five minutes before the event.
::cisco::eem::event_register_timer cron cron_entry "55 2 * * *"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open a CLI session on the router and enter enable mode
if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
# Start the capture point that is associated with the circular buffer
if { [catch {cli_exec $cliarr(fd) "monitor capture point start cappnt"} result] } {
    error "Failed to start packet capture: '$result'" $errorInfo
}
catch {cli_close $cliarr(fd) $cliarr(tty_id)} result
Stop the capture: react to a syslog message indicating that the tunnels have detected a problem.
::cisco::eem::event_register_syslog pattern "%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed"
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Open a CLI session on the router and enter enable mode
if { [catch {cli_open} result] } {
    error "Failed to open CLI session: '$result'" $errorInfo
}
array set cliarr $result
if { [catch {cli_exec $cliarr(fd) "enable"} result] } {
    error "Failed to enable CLI session: '$result'" $errorInfo
}
# Stop the capture as soon as the first MAC verify failure is logged
if { [catch {cli_exec $cliarr(fd) "monitor capture point stop cappnt"} result] } {
    error "Failed to stop packet capture: '$result'" $errorInfo
}
…
Export the capture to a file on flash, create an email with a MIME header, and send the email (continuation of the syslog-triggered policy; $_email_server, $_email_from, $_email_to and $_router_name are EEM environment variables).
# Export the capture buffer to a file on flash
if { [catch {cli_exec $cliarr(fd) "monitor capture buffer capbuf export flash:vpn.pcap"} result] } {
    error "Failed to export capture buffer: '$result'" $errorInfo
}
# MIME header: a multipart message with an empty text part followed by the attachment part
set email_body_pre "Mailservername: $_email_server
From: $_email_from
To: $_email_to
Cc:
Subject: Email from Router $_router_name
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=\"EEM_email_boundary\"
\n--EEM_email_boundary\n
\n--EEM_email_boundary
Content-Type: application/octet-stream
Content-Transfer-Encoding: Base64
Content-Disposition: attachment; filename=\"vpn.pcap\"\n\n"
# Read the PCAP file in binary mode and base64-encode it for the attachment
if { [catch {open "flash:vpn.pcap"} result] } {
    error "Failed to open flash:vpn.pcap: '$result'" $errorInfo
}
set fd $result
fconfigure $fd -translation binary
set email_b64 [::base64::encode [read $fd]]
close $fd
# Closing MIME boundary, then assemble the message and send it
set email_body_mime "\n--EEM_email_boundary--"
set email_body [format "%s%s%s" $email_body_pre $email_b64 $email_body_mime]
if { [catch {smtp_send_email $email_body} result] } {
    error "Failed to send email: '$result'" $errorInfo
}
We want to capture process-switched traffic:
1-3. Define a capture buffer, capture point and associate the two
Router# monitor capture buffer my-buffer size 100 max-size 1000 circular
Router# monitor capture point ip process-switched my-capture in
Router# monitor capture point associate my-capture my-buffer
4. Start capturing traffic
Router# monitor capture point start all
*Nov 25 10:00:58.990: %BUFCAP-6-ENABLE: Capture Point my-capture enabled.
Router# show monitor capture buffer all parameters
Capture buffer my-buffer (circular buffer)
Buffer Size : 102400 bytes, Max Element Size : 1000 bytes, Packets : 28
Allow-nth-pak : 0, Duration : 0 (seconds), Max packets : 0, pps : 0
Associated Capture Points:
Name : my-capture, Status : Active
Configuration:
monitor capture buffer my-buffer size 100 max-size 1000 circular
monitor capture point associate my-capture my-buffer
5. Show / analyze on the router …
We have some traffic:
Router# show monitor capture buffer my-buffer dump
10:14:05.914 UTC Nov 25 2008 : IPv4 Process : Fa0/0 None
66A3C5B0: FFFFFFFF FFFF0001 64FF4C01 ........d.L.
66A3C5C0: 080045C0 00300000 00000111 0B5AACA1 [email protected],!
66A3C5D0: 0103FFFF FFFF02C7 02C7001C 85F60001 .......G.G...v..
66A3C5E0: 0010AC12 01020000 5D4C0F03 0004AC12 ..,.....]L....,.
5. … or export as PCAP file and analyze externally
Router# monitor capture buffer my-buffer export tftp://10.10.10.10/mypcap
• IPv6 vs. IPv4 from a threat and mitigation perspective
• Advanced IPv6 security topics like transition options and dual stack environments
• Requirements: basic knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices
• Shared Issues by IPv4 and IPv6
• Specific Issues for IPv6: IPsec everywhere, dual-stack, tunnels and 6VPE
• Enforcing a Security Policy in IPv6: ACL, Firewalls and IPS
• Secure Deployment: Secure IPv6 transport over public network
• IPv6 Security Best Common Practice
Shared Issues: Security Issues Shared by IPv4 and IPv6
• Public servers will still need to be DNS reachable: more information collected by Google...
• Increased deployment/reliance on dynamic DNS: more information will be in DNS
• Using peer-to-peer clients gives IPv6 addresses of peers
• Administrators may adopt easy-to-remember addresses (::10, ::20, ::F00D, ::C5C0 or simply the IPv4 last octet for dual stack)
• By compromising hosts in a network, an attacker can learn new addresses to scan
• Transition techniques (see further) derive the IPv6 address from the IPv4 address: can scan again
• Potential router CPU attacks if aggressive scanning
Router will do Neighbor Discovery... and waste CPU and memory
Built-in rate limiter but no option to tune it
• Using a /64 on point-to-point links => a lot of addresses to scan!
• Using infrastructure ACL prevents this scanning
iACL: edge ACL denying packets addressed to your routers
Easy with IPv6 because a new addressing scheme can be done
• Viruses and email, IM worms: IPv6 brings no change
• Other worms:
IPv4: reliance on network scanning
IPv6: not so easy (see reconnaissance) => will use alternative techniques
Worm developers will adapt to IPv6
IPv4 best practices around worm detection and mitigation remain valid
uRPF Remains the Primary Tool for Protecting Against L3 Spoofing
(Figure: an access-layer inter-networking device with uRPF enabled drops a packet carrying a spoofed IPv6 source address before it reaches the IPv6 intranet/Internet)
uRPF Loose Mode: no route to the source address prefix => drop
uRPF Strict Mode: no route to the source address prefix out the packet's inbound interface => drop
• Significant changes
• More relied upon
• => ICMP policy on firewalls needs to change
ICMP Message Type                  ICMPv4  ICMPv6
Connectivity Checks                X       X
Informational/Error Messaging      X       X
Fragmentation Needed Notification  X       X
Address Assignment                         X
Address Resolution                         X
Router Discovery                           X
Multicast Group Management                 X
Mobile IPv6 Support                        X
Border Firewall Policy (ICMPv4), for your reference: Internet -> Internal Server A
Action  Src  Dst  ICMPv4 Type  ICMPv4 Code  Name
Permit  Any  A    0            0            Echo Reply
Permit  Any  A    8            0            Echo Request
Permit  Any  A    3            0            Dst. Unreachable—Net Unreachable
Permit  Any  A    3            4            Dst. Unreachable—Frag. Needed
Permit  Any  A    11           0            Time Exceeded—TTL Exceeded
RFC 4890: Border Firewall Transit Policy (ICMPv6), for your reference: Internet -> Internal Server A
Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  A    128          0            Echo Reply
Permit  Any  A    129          0            Echo Request
Permit  Any  A    1            0            No Route to Dst.
Permit  Any  A    2            0            Packet Too Big
Permit  Any  A    3            0            Time Exceeded—TTL Exceeded
Permit  Any  A    4            0            Parameter Problem
RFC 4890: Border Firewall Receive Policy (ICMPv6), for your reference: Internet -> Firewall B, for locally generated traffic
Action  Src  Dst  ICMPv6 Type  ICMPv6 Code  Name
Permit  Any  B    2            0            Packet Too Big
Permit  Any  B    4            0            Parameter Problem
Permit  Any  B    130–132      0            Multicast Listener
Permit  Any  B    133/134      0            Neighbor Solicitation and Advertisement
Deny    Any  Any
Fragment Header
• In IPv6 fragmentation is done only by the end system
Tunnel end-points are end systems => fragmentation / re-assembly can happen inside the network
• Reassembly done by end system like in IPv4
• Attackers can still fragment in intermediate system on purpose
• ==> a great obfuscation tool
IPv6 Basic Header (Next Header = 44) -> Fragment Header: Next Header | Reserved | Fragment Offset | Identification, followed by the Fragment Data
Routing Header
• An extension header
• Processed by the listed intermediate routers
• Two types
Type 0: similar to IPv4 source routing (multiple intermediate routers)
Type 2: used for mobile IPv6
IPv6 Basic Header (Next Header = 43) -> Routing Header: Next Header | Ext Hdr Length | Routing Type | Segments Left | Routing Header Data
• What if an attacker sends a packet with an RH containing A -> B -> A -> B -> A -> B -> A -> B -> A ....
• The packet will loop multiple times on the link R1-R2
• An amplification attack!
• Apply the same policy for IPv6 as for IPv4:
Block Routing Header type 0
• Prevent processing at the intermediate nodes
no ipv6 source-route
Windows, Linux, Mac OS: default setting
• At the edge
With an ACL blocking the routing header
• RFC 5095 (Dec 2007): RH0 is deprecated
Default IOS changed in 12.4(15)T to ignore and drop RH0
Router Solicitations Are Sent by Booting Nodes to Request Router Advertisements for Stateless Address Auto-Configuring
1. RS: Src = ::, Dst = All-Routers multicast address, ICMP Type = 133, Data = Query: please send RA
2. RA: Src = Router link-local address, Dst = All-nodes multicast address, ICMP Type = 134, Data = options, prefix, lifetime, autoconfig flag
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none)
Attack Tool: fake_router6 can make any IPv6 address the default router
Neighbor Solicitation (A -> B): Src = A, Dst = Solicited-node multicast of B, ICMP type = 135, Data = link-layer address of A. Query: what is your link address?
Neighbor Advertisement (B -> A): Src = B, Dst = A, ICMP type = 136, Data = link-layer address of B
A and B can now exchange packets on this link
Security mechanisms built into the discovery protocol = none => very similar to ARP
Attack Tool: Parasite6 answers to all NS, claiming to be all systems in the LAN...
• BAD NEWS: nothing like dynamic ARP inspection for IPv6
Will require new hardware on some platforms
Not before mid-2010...
• GOOD NEWS: Secure Neighbor Discovery
SEND = NDP + crypto
IOS 12.4(24)T
But not in Windows Vista, 2008 and 7
Crypto means slower...
• Other GOOD NEWS:
Private VLAN works with IPv6
Port security works with IPv6
802.1x works with IPv6
For FTTH & other broadband, DHCP-PD means no need to NDP-proxy
• Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
• Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifiers are cryptographically generated
• RSA signature option: protect all messages relating to neighbor and router discovery
• Timestamp and nonce options: prevent replay attacks
• Requires IOS 12.4(24)T
• Each device has an RSA key pair (no need for a cert)
• Ultra light check for validity
• Prevents spoofing a valid CGA address
(Figure: the CGA Params (Modifier, Subnet Prefix, Public Key) are hashed with SHA-1 to produce the Interface Identifier; Subnet Prefix + Interface Identifier = Crypto. Generated Address. The RSA private key signs the SEND messages; the public key travels in the CGA Params.)
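The "ultra light check" is the receiver recomputing the hash over the CGA Params it received and comparing it to the interface identifier of the claimed address, before spending any time on RSA. This is an added example (not Cisco's or the presenter's code) following the RFC 3972 construction: the public key is a constructed placeholder byte string rather than a DER-encoded RSA key, and Sec values above 0 add the Hash2 work requirement that makes address generation slower but forging harder.

```python
import hashlib
import os
from typing import Tuple


def cga_parameters(modifier: bytes, subnet_prefix: bytes, collision_count: int, public_key: bytes) -> bytes:
    """CGA Parameters as carried in SEND messages: Modifier(16) | Subnet Prefix(8) | Collision Count(1) | Public Key."""
    if len(modifier) != 16 or len(subnet_prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("bad CGA parameter sizes")
    return modifier + subnet_prefix + bytes([collision_count]) + public_key


def hash2_ok(params: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(Modifier | 9 zero octets | Public Key); its leftmost 16*Sec bits must be zero."""
    digest = hashlib.sha1(params[:16] + b"\x00" * 9 + params[25:]).digest()
    return sec == 0 or digest[:2 * sec] == b"\x00" * (2 * sec)


def interface_identifier(params: bytes, sec: int) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1(CGA Parameters); the 3 leftmost bits carry Sec,
    bits 6 and 7 (the u/g bits of a modified EUI-64) are cleared."""
    h = bytearray(hashlib.sha1(params).digest()[:8])
    h[0] = (h[0] & 0x1C) | (sec << 5)
    return bytes(h)


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int = 0) -> Tuple[bytes, bytes]:
    """Generate (address, params). Sec > 0 searches modifiers until Hash2 has enough leading zero bits."""
    modifier = int.from_bytes(os.urandom(16), "big")
    while True:
        m = modifier.to_bytes(16, "big")
        params = cga_parameters(m, subnet_prefix, 0, public_key)
        if hash2_ok(params, sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    return subnet_prefix + interface_identifier(params, sec), params


def verify_cga(address: bytes, params: bytes) -> bool:
    """The light check a receiver runs before any RSA signature verification."""
    if len(address) != 16 or len(params) < 25:
        return False
    sec = address[8] >> 5
    if params[16:24] != address[:8]:      # subnet prefix in the parameters must match the address
        return False
    if params[24] > 2:                    # collision count is 0, 1 or 2
        return False
    if not hash2_ok(params, sec):         # work requirement for the claimed Sec value
        return False
    return interface_identifier(params, sec) == address[8:]


# Constructed values: documentation prefix 2001:db8:1:1::/64 and a placeholder "public key".
PREFIX = bytes.fromhex("20010db800010001")
PUB = b"constructed placeholder public key, not a DER RSA key"
```

With Sec=1 the generator needs on average 65536 SHA-1 evaluations, which is the "crypto means slower" cost in practice; the verifier still needs only two hashes.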
• Adding an X.509 certificate to the RA
• Subject Name contains the list of authorized IPv6 prefixes
(Figure: Neighbor Advertisement with Source Addr = CGA, CGA param block (incl. pub key), signed. Router Advertisement with Source Addr = CGA, CGA param block (incl. pub key), signed, plus an X.509 cert chaining to a Trust Anchor X.509 cert.)
• Private/public key pair on all devices for CGA
• Overhead introduced
Routers have to do many public/private key calculations (some may be done in advance of use)
=> Potential DoS target
Routers need to keep more state
• Available:
Unix (DoCoMo)
Cisco IOS 12.4(24)T
• Microsoft: no support in Vista, Windows 2008 and Windows 7
(Figure, "Belgian Schtroumpf": an ICMP REQ with D=160.154.5.255 S=172.18.1.2 is sent to the 160.154.5.0 network; every host replies (ICMP REPLY D=172.18.1.2 S=160.154.5.14 through S=160.154.5.19) in an attempt to overwhelm the destination 172.18.1.2.)
• There are no broadcast addresses in IPv6
• Broadcast address functionality is replaced with appropriate link local multicast addresses
Link Local All Nodes Multicast—FF02::1
Link Local All Routers Multicast—FF02::2
Link Local All mDNS Multicast—FF02::FB
Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim
http://iana.org/assignments/ipv6-multicast-addresses/
• IOS correctly implements RFC 4443 ICMPv6
No ping-pong on a physical point-to-point link (Section 3.1)
No ICMP error message should be generated in response to a packet with a multicast destination address (Section 2.4 (e.3))
Exceptions for Section 2.4 (e.3):
– the packet too big message
– the parameter problem message
• Rate limit egress ICMP packets
• Rate limit ICMP message generation
• Secure the multicast network (source specific multicast)
• Note: implement ingress filtering of packets with IPv6 multicast source addresses
• BGP, ISIS, EIGRP: no change, an MD5 authentication of the routing update
• OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec
• RIPng, PIM also rely on IPSec
• IPv6 routing attack best practices
Use traditional authentication mechanisms on BGP and IS-IS
Use IPSec to secure protocols such as OSPFv3 and RIPng
• Sniffing
IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4
• Application layer attacks
The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent
• Rogue devices
Rogue devices will be as easy to insert into an IPv6 network as in IPv4
• Man-in-the-Middle Attacks (MITM)
Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4
• Flooding
Flooding attacks are identical between IPv4 and IPv6
• IPv6 stacks are new and could be buggy
• Some examples:
CVE-2008-2476  Oct 2008  FreeBSD, OpenBSD, NetBSD and others: lack of validation of NDP messages
CVE-2008-2136  May 2008  Linux: DoS caused by memory leak in IPv6 tunnels
CVE-2008-1153  Mar 2008  Cisco IOS: dual-stack router IPv6 DoS
CVE-2007-4689  Nov 2007  Apple Mac OS X: packet processing double-free memory corruption
CVE-2007-3038  Aug 2007  Microsoft Windows Vista: Teredo interface firewall bypass
Specific IPv6 Issues: Issues Applicable only to IPv6
• Temporary addresses for IPv6 host client applications, e.g. web browser
Inhibit device/user tracking
Random 64 bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy
(Figure: address layout 2001 | /23 | /32 | /48 | /64 | Interface ID; the random interface ID fills the low 64 bits)
Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)
• Unlimited size of header chain (spec-wise) can make filtering difficult
• Potential DoS with poor IPv6 stack implementations
More boundary conditions to exploit
Can I overrun buffers with a lot of extension headers?
(Sniffer screenshot annotations: "Perfectly valid IPv6 packet according to the sniffer"; "Destination Options header should be the last"; "Header should only appear once"; "Destination header which should occur at most twice")
See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
• Finding the layer 4 information is not trivial in IPv6
Skip all known extension headers
Until either a known layer 4 header is found => SUCCESS
Or an unknown extension header/layer 4 header is found... => FAILURE
IPv6 hdr | HopByHop | Routing | AH | TCP | data         => SUCCESS
IPv6 hdr | HopByHop | Routing | AH | Unknown L4 ???     => FAILURE
IPv6 hdr | HopByHop | Unk. ExtHdr | AH | TCP | data     => FAILURE
• The extension header chain can be so large that it is fragmented!
• Finding the layer 4 information is not trivial in IPv6
Skip all known extension headers
Until either a known layer 4 header is found => SUCCESS
Or an unknown extension header/layer 4 header is found... => FAILURE
Or the end of the extension headers is reached => FAILURE
IPv6 hdr | HopByHop | Routing | Destination | Destination | Fragment 1
IPv6 hdr | HopByHop | Fragment 2 | TCP | Data
The layer 4 header is in the 2nd fragment
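The header walk described on the last two slides, and the RH0 drop from the routing header slides, as one added example (not from the presentation): it steps over the known extension headers, returns SUCCESS, FAILURE or DROP with the reason, and is exercised on constructed packets in the documentation prefix, including a first fragment whose layer 4 header only arrives in the second fragment.

```python
import struct
from typing import List, Tuple

# IPv6 next-header (protocol) numbers
HOPBYHOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
KNOWN_L4 = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
SKIPPABLE = {HOPBYHOP, ROUTING, DSTOPTS, AH}      # extension headers we know how to step over


def find_layer4(pkt: bytes) -> Tuple[str, str, int]:
    """Walk the extension header chain of one IPv6 packet.

    Returns (verdict, detail, offset):
      SUCCESS - a known layer 4 header starts at offset
      FAILURE - unknown header, truncated chain, or layer 4 not in this fragment
      DROP    - routing header type 0 with segments left (RFC 5095: ignore/drop)
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ("FAILURE", "not an IPv6 packet", 0)
    nh, off = pkt[6], 40
    while True:
        if nh in KNOWN_L4:
            if off + 4 > len(pkt):          # not even the ports are present
                return ("FAILURE", "layer 4 header is in a later fragment", off)
            return ("SUCCESS", KNOWN_L4[nh], off)
        if nh == NO_NEXT:
            return ("FAILURE", "no next header", off)
        if nh == ESP:
            return ("FAILURE", "ESP: everything after it is encrypted", off)
        if nh != FRAGMENT and nh not in SKIPPABLE:
            return ("FAILURE", f"unknown extension or layer 4 header {nh}", off)
        if off + 8 > len(pkt):
            return ("FAILURE", "extension header chain truncated", off)
        if nh == FRAGMENT:
            # next(1) reserved(1) offset<<3|flags(2) identification(4)
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off != 0:
                return ("FAILURE", "not the first fragment, layer 4 header is elsewhere", off)
            nh, off = pkt[off], off + 8
            continue
        if nh == ROUTING and pkt[off + 2] == 0 and pkt[off + 3] != 0:
            return ("DROP", "routing header type 0 with segments left", off)
        # AH length is in 4-octet units minus 2; the other headers in 8-octet units minus 1
        size = (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + size


# --- constructed packet builders (test input only, documentation prefix 2001:db8::/32) ---

def ipv6(next_header: int, payload: bytes) -> bytes:
    src = bytes.fromhex("20010db8000000010000000000000001")
    dst = bytes.fromhex("20010db8000000020000000000000002")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, src, dst) + payload


def opts_header(next_header: int, body: bytes = b"") -> bytes:
    """Hop-by-Hop or Destination Options header, padded to a multiple of 8 octets."""
    raw = bytes([next_header, 0]) + body
    pad = (-len(raw)) % 8
    if pad == 1:
        raw += b"\x00"                                    # Pad1 option
    elif pad > 1:
        raw += bytes([1, pad - 2]) + b"\x00" * (pad - 2)  # PadN option
    return bytes([next_header, len(raw) // 8 - 1]) + raw[2:]


def rh0(next_header: int, hops: List[bytes]) -> bytes:
    """Routing header type 0 listing the intermediate addresses A, B, A, B ..."""
    data = b"".join(hops)
    return bytes([next_header, len(data) // 8, 0, len(hops)]) + b"\x00" * 4 + data


def fragment(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!HI", (offset << 3) | int(more), ident)


TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
A = bytes.fromhex("20010db800000000000000000000000a")
B = bytes.fromhex("20010db800000000000000000000000b")


if __name__ == "__main__":
    cases = {
        "hbh + dstopts + tcp": ipv6(HOPBYHOP, opts_header(DSTOPTS) + opts_header(6) + TCP_SYN),
        "hbh + RH0 A,B,A,B + tcp": ipv6(HOPBYHOP, opts_header(ROUTING) + rh0(6, [A, B, A, B]) + TCP_SYN),
        "hbh + unknown ext hdr": ipv6(HOPBYHOP, opts_header(253) + opts_header(6) + TCP_SYN),
        "2nd fragment": ipv6(FRAGMENT, fragment(6, 20, False) + b"\x00" * 64),
        "1st fragment, L4 in 2nd": ipv6(FRAGMENT, fragment(DSTOPTS, 0, True) + opts_header(6)),
    }
    for name, pkt in cases.items():
        print(f"{name:28s} -> {find_layer4(pkt)}")
```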
• IPv6 mandates the implementation of IPsec
• IPv6 does not require the use of IPsec
• Some organizations believe that IPsec should be used to secure all flows...
Interesting scalability issue (n² issue with IPsec)
Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, no firewall
IOS 12.4(20)T can parse the AH
Network telemetry is blinded: NetFlow of little use
Network services hindered: what about QoS?
Recommendation: do not use IPsec end to end within an administrative domain.
Suggestion: Reserve IPsec for residential or hostile environments or high profile targets.
• 16+ methods, possibly in combination
• Dual stack
Consider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)
• Tunnels
Bypass firewalls (protocol 41 or UDP)
Can cause asymmetric traffic (hence breaking stateful firewalls)
• Host security on a dual-stack device
Applications can be subject to attack on both IPv6 and IPv4
Fate sharing: as secure as the least secure stack...
• Host security controls should block and inspect traffic from both IP versions
Host intrusion prevention, personal firewalls, VPN clients, etc.
(Figure: a dual stack client with an IPv4 IPsec VPN and no split tunneling. Does the IPsec client stop an inbound IPv6 exploit (IPv6 HDR + IPv6 exploit)?)
• Your host:
IPv4 is protected by your favorite personal firewall...
IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...)
• Your network:
Does not run IPv6
• Your assumption:
I'm safe
• Reality
You are not safe
Attacker sends Router Advertisements
Your host configures silently to IPv6
You are now under IPv6 attack
• => Probably time to think about IPv6 in your network
IPv6 in IPv4 Tunnel
• Most IPv4/IPv6 transition mechanisms have no authentication built in
• => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses
(Figure: IPv6 network with Server A, tunnel termination, public IPv4 Internet, tunnel termination, IPv6 network with Server B. IPv6 ACLs are ineffective since IPv4 & IPv6 are spoofed; the tunnel termination forwards the inner IPv6 packet.)
• Unauthorized tunnels—firewall bypass (protocol 41)
• IPv4 infrastructure looks like a Layer 2 network to ALL ISATAP hosts in the enterprise
This has implications on network segmentation and network discovery
• No authentication in ISATAP—rogue routers are possible
Windows defaults to isatap.example.com
• IPv6 addresses can be guessed based on IPv4 prefix (scanning is back!)
(Figure: ISATAP router with ISATAP tunnels to hosts; direct communication between hosts; any host can talk to the router; IPv4 network ~ Layer 2 for the IPv6 service)
• Root cause: ISATAP routers ignore each other
• ISATAP router:
accepts native IPv6 packets
forwards them inside its ISATAP tunnel
the other ISATAP router decaps and forwards as native IPv6
(Figure: ISATAP router 1, prefix 2001:db8:1::/64, IPv4 192.0.2.1; ISATAP router 2, prefix 2001:db8:2::/64, IPv4 192.0.2.2)
1. Spoofed IPv6 packet: S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
2. IPv4 ISATAP packet containing S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
3. IPv6 packet: S: 2001:db8:2::200:5efe:c000:201, D: 2001:db8:1::200:5efe:c000:202
Repeat until Hop Limit == 0
http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf
Mitigation:
IPv6 anti-spoofing everywhere
ACL on ISATAP routers accepting IPv4 from valid clients only
Within an enterprise, block IPv4 ISATAP traffic between ISATAP routers
Within an enterprise, block IPv6 packets between ISATAP routers
• Teredo navalis: a shipworm drilling holes in boat hulls
• Teredo Microsoftis: IPv6 in IPv4 punching holes in NAT devices
Source: United States Geological Survey
Teredo threats—IPv6 over UDP (port 3544)
(Figure: IPv4 intranet behind an IPv4 firewall; Teredo relay on the IPv4 Internet; IPv6 Internet beyond)
Before Teredo:
• All outbound traffic inspected: e.g., P2P is blocked
• All inbound traffic blocked by firewall
Configuring Teredo:
• Internal users want to get P2P over IPv6
• Configure the Teredo tunnel (already enabled by default!)
• FW just sees IPv4 UDP traffic (may be on port 53)
• No more outbound control by FW
Once Teredo Configured:
• Inbound connections are allowed
• IPv4 firewall unable to control
• IPv6 hackers can penetrate
• Host security needs IPv6 support now
Note: on Windows Teredo is:
- Disabled when firewall is disabled
- Disabled when PC is part of an Active Directory domain
- Else enabled
- User can override this protection
• Rogue tunnels by naïve users:
Sure, block IP protocol 41 and UDP/3544
In Windows:
netsh interface 6to4 set state state=disabled undoonstop=disabled
netsh interface isatap set state state=disabled
netsh interface teredo set state type=disabled
• Really rogue tunnels (covert channels)
No easy way...
Teredo will run over a different UDP port of course
Network devices can be your friend (more to come)
• Deploying native IPv6 (including IPv6 firewalls and IPS) is probably a better alternative
• Or disable IPv6 on Windows through GPO or CSA 6.0
But Microsoft does not test any Windows application with IPv6 disabled
• Use Flexible Packet Matching (FPM)
Blocking all Teredo addresses 2001::/32 in the UDP payload
• FPM
Available in software since 12.4(4)T
Hardware implementation in PISA (requires Sup32 and Cat6K)
Classify on multiple attributes within a packet
String match and regex
Expressed in XML
Match Pattern: And, Or, Not
Cisco.com/go/fpm
116© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo Cisco Public© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo
load protocol bootdisk:ip.phdf
load protocol bootdisk:udp.phdf
class-map type stack match-all cm-ip-udp
 match field IP protocol eq 17 next UDP
class-map type access-control match-all cm-teredo1
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 8 size 4 eq 0x20010000
class-map type access-control match-all cm-teredo2
 match start udp payload-start offset 0 size 1 eq 0x60 mask 15
 match start udp payload-start offset 24 size 4 eq 0x20010000
policy-map type access-control pm-teredo
 class cm-teredo1
  drop
 class cm-teredo2
  drop
policy-map type access-control pm-udp-teredo
 class cm-ip-udp
  service-policy pm-teredo
interface GigabitEthernet1/36
 service-policy type access-control in pm-udp-teredo
For Your Reference
The trick is to block all packets containing a Teredo source or destination address in the UDP payload. Teredo addresses are in the 2001::/32 (note 32) prefix.
Callouts: the byte at offset 0 ("eq 0x60 mask 15") checks IP version = 6; offset 8 (source address) and offset 24 (destination address) check for the Teredo prefix as embedded address.
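The following Python is an added example, not Cisco code or part of the slides: it reproduces the byte tests of the two FPM class-maps above on a UDP payload, so you can see exactly which packets the policy drops (the header-building helper and the sample addresses are constructed test data).

```python
import ipaddress
import struct
from typing import Optional

TEREDO_PREFIX_BYTES = b"\x20\x01\x00\x00"   # first 32 bits of 2001::/32 (Teredo)


def build_ipv6_header(src: str, dst: str, next_header: int = 59) -> bytes:
    """Construct a minimal 40-byte IPv6 header (test data, no payload).
    next_header 59 = No Next Header."""
    first_word = 6 << 28                      # version 6, traffic class 0, flow label 0
    fixed = struct.pack("!IHBB", first_word, 0, next_header, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed


def match_teredo_class(udp_payload: bytes) -> Optional[str]:
    """Return the slide's class-map the UDP payload would hit, or None.

    cm-teredo1: version nibble == 6 and bytes 8..11 (IPv6 source) == 0x20010000
    cm-teredo2: version nibble == 6 and bytes 24..27 (IPv6 destination) == 0x20010000
    """
    if len(udp_payload) < 40:                 # too short to hold an IPv6 header
        return None
    # "eq 0x60 mask 15": only the high nibble of byte 0 is compared, i.e. IP version 6
    if udp_payload[0] >> 4 != 6:
        return None
    if udp_payload[8:12] == TEREDO_PREFIX_BYTES:
        return "cm-teredo1"
    if udp_payload[24:28] == TEREDO_PREFIX_BYTES:
        return "cm-teredo2"
    return None


def fpm_verdict(ip_protocol: int, payload: bytes) -> str:
    """pm-udp-teredo: only UDP (protocol 17) is handed to pm-teredo, where a
    Teredo match is dropped; everything else is forwarded. The test looks at
    packet bytes only, so any UDP payload that happens to look like an IPv6
    header from or to 2001::/32 is dropped as well (the slide's trade-off)."""
    if ip_protocol != 17:
        return "forward"
    return "drop" if match_teredo_class(payload) else "forward"
```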
• 6VPE: the MPLS-VPN extension to also transport IPv6 traffic over an MPLS cloud and IPv4 BGP sessions
[Figure: 6VPE topology. Dual-stack IPv4-IPv6 PE routers PE1 to PE4, each holding per-customer VRFs, connected over an IPv4-only MPLS core. Attached VPNs: a v4-only VPN (10.1.1.0/24, 10.1.2.0/24), a v4-and-v6 VPN (10.1.1.0/24 with 2001:db8:1:1::/64 and 10.1.2.0/24 with 2001:db8:1:2::/64) and a v6-only VPN.]
• 6PE (dual stack without VPN) is a simple case
• Security is identical to IPv4 MPLS-VPN, see RFC 4381
• Security depends on correct operation and implementation
QoS prevents flooding attacks from one VPN to another
PE routers must be secured: AAA, iACL, CoPP …
• MPLS backbones can be more secure than "normal" IP backbones
Core not accessible from outside
Separate control and data planes
• PE security
Advantage: only PE-CE interfaces are accessible from outside
Makes security easier than in "normal" networks
IPv6 advantage: PE-CE interfaces can use link-local addresses for routing
=> completely unreachable from remote (better than IPv4)
Enforcing a Security Policy
• Very much like in IPv4
Filter traffic based on
Source and destination addresses
Next header presence
Layer 4 information
Implicit deny all at the end of ACL
Empty ACL means traffic allowed
Reflexive and time based ACL
• Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:
Layer 4 header found
Unknown extension header is found
• Side note for 7600 & other switches:
No VLAN ACL
Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (end 2010), Cat 6K (mid 2010)
• Can match on
Upper layers: TCP, UDP, SCTP port numbers
TCP flags SYN, ACK, FIN, PUSH, URG, RST
ICMPv6 code and type
Traffic class (only six of the eight bits) = DSCP
Flow label (0-0xFFFFF)
• IPv6 extension header
routing matches any RH, routing-type matches specific RH
mobility matches any MH, mobility-type matches specific MH
dest-option matches any, dest-option-type matches specific destination options
auth matches AH
Can skip AH (but not ESP) since IOS 12.4(20)T
• fragments keyword matches
Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined
• undetermined-transport keyword matches (only for deny)
Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
interface gigabitethernet 1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
Note: PACL replaces RACL for the interface
In December 2009, only on Nexus-7000 and Cat 3750 12.2(46)SE
• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
• Be careful when adding "deny ipv6 any any log" at the end: it is evaluated before the implicit entries and so silently blocks neighbor discovery; add the ND permits explicitly in front of it:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
ipv6 access-list VTY
 permit ipv6 2001:db8:0:1::/64 any
line vty 0 4
 ipv6 access-class VTY in
For Your Reference
• Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic
• IOS 12.3(7)T (released 2005)
• Stateful inspection of IPv4/IPv6 packets
• IPv6 DoS attack mitigation
• Recognizes IPv6 extension headers
[Figure: IPv6 sites 1, 2 and 3, each behind an IPv6 router running Cisco IOS Firewall, connected across the IPv4 Internet through a dual-stack router]
• Since version 7.0 (April 2005)
• Dual-stack, IPv6 only, IPv4 only
• Extended IP ACL with stateful inspection
• Application awareness
HTTP, FTP, telnet, SMTP, TCP, SSH, UDP
• uRPF and v6 Frag guard
• IPv6 header security checks
Always block routing-header (type 0 and 2)
• Management access via IPv6
Telnet, SSH, HTTPS
• ASDM support (ASA 8.2)
• Routed & transparent mode (ASA 8.2)
• Fail-over support (ASA 8.2.2)
• Caveats:
Cannot block specific extension headers
interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
ipv6 route outside ::/0 2001:db8:c000:1051::1
ipv6 access-list SECURE permit tcp any host 2001:db8:c000:1052::7 eq telnet
ipv6 access-list SECURE permit icmp6 any 2001:db8:c000:1052::/64
access-group SECURE in interface outside
For Your Reference
• IPS supports IPv6 since IPS 6.2 (November 2008)
• Engines
Specific to IPv6
Common to IPv4 and IPv6
TCP reset works over IPv4
• IPS Manager Express can view IPv6 events
• IPS Device Manager can configure IPv6
• The whole management plane is IPv4 only
Not critical for most customers
See also BRKSEC-3030
Advanced Intrusion Prevention Systems
Secure IPv6 Connectivity
How to Secure IPv6 over the WAN
• No traffic sniffing
• No traffic injection
• No service theft
Public Network | Site to Site                                         | Remote Access
IPv4           | 6in4/GRE tunnels protected by IPsec; DMVPN 12.4(20)T | ISATAP protected by RA IPsec; SSL VPN Client AnyConnect
IPv6           | IPsec VTI 12.4(6)T                                   | N/A
IPv6 in IPv4 tunnel
[Figure: two IPv6 networks joined across an IPv4 network by a GRE tunnel protected by IPsec. The GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel; IPsec protects the IPv4 unicast traffic, i.e. the encapsulated IPv6 packets.]
• IPv6 packets over DMVPN IPv4 tunnels
In IOS release 12.4(20)T (July 2008)
IPv6 and/or IPv4 data packets over same GRE tunnel
• Complete set of NHRP commands
network-id, holdtime, authentication, map, etc.
• NHRP registers two addresses
Link-local for routing protocol (Automatic or Manual)
Global for packet forwarding (Mandatory)
See also BRKSEC-3112
Advanced Concepts of DMVPN
• Since 12.4(6)T, IPsec also works for IPv6
• Using the Virtual Tunnel Interface (VTI)
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8::2811/64
 ipv6 enable
 tunnel source Serial0/0/1
 tunnel destination 2001:DB8:7::2
 tunnel mode ipsec ipv6
 tunnel protection ipsec profile ipv6
For Your Reference
• Enabling IPv6 traffic inside the Cisco VPN Client tunnel
NAT and firewall traversal support
Allow the remote host to establish a v6-in-v4 tunnel either automatically or manually
ISATAP—Intra Site Automatic Tunnel Addressing Protocol
A fixed IPv6 address enables the server side of any application to be configured on an IPv6 host that can roam over the world
• Use of ASA 8.0 and SSL VPN Client AnyConnect
Can transfer IPv6 traffic over public IPv4
ISATAP
[Figure: ISATAP over IPsec remote access. A dual-stack (IPv4/IPv6) PC encapsulates IPv6 into IPv4 with ISATAP; IPsec with NAT-T can traverse NAT and carries the IPv4 traffic to the enterprise VPN head-end (ASA, IOS, ...); an ISATAP tunnel server on a dual-stack router terminates the tunnel into the IPv6 network. IPsec protects the IPv4 unicast traffic, i.e. the encapsulated IPv6 packets.]
IPv4 and IPv6 Transport in SSL
[Figure: a dual-stack (IPv4/IPv6) PC running AnyConnect reaches the IPv6 network through an ASA 8.0 SSL VPN concentrator (dual stack).]
IPv6 Security Best Common Practice
• Train your network operators and security managers on IPv6
• Selectively filter ICMP (RFC 4890)
• Implement RFC 2827-like filtering
• Block Type 0 Routing Header at the edge
• Determine what extension headers will be allowed through the access control device
• Deny IPv6 fragments destined to an internetworking device when possible
• Use traditional authentication mechanisms on BGP and IS-IS
• Use IPsec to secure protocols such as OSPFv3 and RIPng
• Document procedures for last-hop traceback
For Your Reference
• Implement privacy extensions carefully
• Filter internal-use IPv6 addresses & ULA at the border routers
• Filter unneeded services at the firewall
• Maintain host and application security
• Use cryptographic protections where critical
• Implement ingress filtering of packets with IPv6 multicast source addresses
• Use static tunneling rather than dynamic tunneling
• Implement outbound filtering on firewall devices to allow only authorized tunneling endpoints
For Your Reference
Conclusion
• So, nothing really new in IPv6
• Lack of operational experience may hinder security for a while: training is required
• Security enforcement is possible
Control your IPv6 traffic as you do for IPv4
• Leverage IPsec to secure IPv6 when suitable
• Easy to check!
• Look inside NetFlow records
Protocol 41: IPv6 over IPv4 or 6to4 tunnels
IPv4 address: 192.88.99.1 (6to4 anycast server)
UDP 3544, the public part of Teredo, yet another tunnel
• Look into DNS server log for resolution of ISATAP
• Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW
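An added example, not part of the slides: a small Python scan that applies the indicators listed above to constructed NetFlow-style records (src, dst, protocol, destination port) and to constructed DNS query-log lines, flagging protocol 41, the 6to4 relay 192.88.99.1, UDP/3544 and ISATAP name lookups. The record and log formats are assumptions; adapt the parsing to your collector and DNS server.

```python
import re
from typing import Dict, List

# Constructed sample flows: src,dst,ip_protocol,dst_port (one per line)
FLOW_RECORDS = """\
10.0.1.23,192.88.99.1,41,0
10.0.1.23,203.0.113.5,41,0
10.0.2.7,198.51.100.9,17,3544
10.0.3.4,198.51.100.9,17,53
10.0.3.4,203.0.113.77,6,443
"""

# Constructed sample DNS query-log lines (BIND-like format, assumed)
DNS_LOG = """\
client 10.0.1.23 query: isatap.example.com IN A
client 10.0.3.4 query: www.example.com IN A
client 10.0.2.7 query: ISATAP.corp.example.net IN A
"""

SIX_TO_FOUR_RELAY = "192.88.99.1"   # 6to4 anycast relay address named on the slide
TEREDO_PORT = 3544                  # public UDP port of Teredo
ISATAP_RE = re.compile(r"client (\S+) query: (isatap\.\S+)", re.IGNORECASE)


def tunnel_indicators(flow_csv: str) -> List[Dict[str, str]]:
    """Return one finding per flow record that looks like IPv6-over-IPv4 tunnelling."""
    findings = []
    for line in flow_csv.splitlines():
        src, dst, proto, dport = line.split(",")
        proto, dport = int(proto), int(dport)
        if proto == 41:                                   # IPv6 carried directly in IPv4
            kind = "6to4 via public relay" if dst == SIX_TO_FOUR_RELAY else "IPv6-in-IPv4 (proto 41)"
            findings.append({"host": src, "peer": dst, "indicator": kind})
        elif proto == 17 and dport == TEREDO_PORT:        # Teredo client talking to a server
            findings.append({"host": src, "peer": dst, "indicator": "Teredo (UDP/3544)"})
    return findings


def isatap_lookups(dns_log: str) -> List[Dict[str, str]]:
    """Hosts resolving an 'isatap.' name are looking for an ISATAP router."""
    return [{"host": m.group(1), "name": m.group(2), "indicator": "ISATAP lookup"}
            for m in map(ISATAP_RE.search, dns_log.splitlines()) if m]


if __name__ == "__main__":
    for finding in tunnel_indicators(FLOW_RECORDS) + isatap_lookups(DNS_LOG):
        print(finding)
```

Hosts that show up here on an "IPv4-only" network are the latent-threat case from the next bullet: they already speak IPv6, just not through your IPv6 controls.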
Questions?
And Answers
You are invited to Ptali jste se… TAURUS, 17:45 – 18:30
Please rate this talk.
T-SEC