gogo6 IPv6 Video Series. Event, presentation and speaker details below:
EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp
PRESENTATION
IPv6 Security
Abstract: http://www.gogo6.com/forum/topics/speaking-on-ipv6-security-at-gogo6-live
Presentation video: http://www.gogo6.com/video/ipv4-vs-ipv6-the-shifting-security-paradigm-by-joe-klein-at
Interview video: http://www.gogo6.com/video/interview-with-joe-klein-at-gogonet-live-3-ipv6-conference
SPEAKER
Joe Klein - Cyber Security Principal Architect, QinetiQ
Bio/Profile: http://www.gogo6.com/profile/JoeKlein749
MORE
Learn more about IPv6 on the gogoNET social network
http://www.gogo6.com
Get free IPv6 connectivity with Freenet6
http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube
http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter
http://twitter.com/gogo6inc
Like gogo6 on Facebook
http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777
IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference
1. IPv4 vs. IPv6
The Shifting Security Paradigm
Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma…
Scientific Hooligan, Longboat LLC
Cyber Security SME, North American IPv6 Task Force
Cyber Security SME, IPv6 Forum
Cyber Security SME, IPv6 Cyber Security Task Force
Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x,
“Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”
JSKlein@gmail.com Voice: 703-594-1419
Blog: http://scientifichooligan.me/
2. Scope of the CyberSecurity problem
What is the cost of cybercrime?
Number of records compromised?
Number of systems/networks/applications compromised?
Millions? Billions? Trillions? Estimates?
3. Classes of Attack - Targeted
Inbound Directed
Flaws in technology
Flaws in governance
Flaws in people
Flaws in adequate funding & staffing
Insiders
Disgruntled
Opportunistic
Untrained
Vendors
Supply Chain
4. Verizon - 2012 DATA BREACH
INVESTIGATIONS REPORT
Reference: http://securityblog.verizonbusiness.com/
5. What We Know About Today
Security measures?
“The best companies aren’t the ones who stop attacks, – that’s
important – it’s the companies that can spot intrusions
quickly and respond to them in ways that limit the damage.”
“This idea that you can stop intrusions…
just isn’t going to hold up against certain kinds of threats.”
- Richard Bejtlich – TaoSecurity Blog,
6. Our Current Security Model
Source: http://www.photographersdirect.com/buyers/stockphoto.asp?imageid=2249700
7. Two Models of Survivability
“What If We Got A ‘Do-Over?’ An Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
8. The Human Body Uses Both
“What If We Got A ‘Do-Over?’ An Overview of CRASH and MRC”, Howard Shrobe, Program Manager, DARPA I2O, 2012
9. Trust Network Model (RFC 1918)| IPv4
Everyone
All nodes and routers trust each other that:
All devices behave correctly
Layer 2 (MAC) and Layer 3 (IP)
Hosts always provide true information
Routers always provide true information
Behind the NAT: “Blind Trust behind the NAT”
All devices behave correctly
Layer 2 (MAC) and Layer 3 (IP)
Hosts always provide true information
Internal communications
Outbound Initiated communications trusted
Inbound Initiated communications trusted
Routers always provide true information
No one
NETWORK CENTRIC – Fortress Model
10. Trust Node Model (RFC 3756) | IPv6
Everyone
Corporate Internet: “Blind Trust”
All authenticated nodes and routers trust each other to:
Behave correctly at the IP layer
Not to send any network discovery message that contains false information
Not to send router discovery message that contains false information
Public wireless: “Trust transit, trust but verify nodes”
Router is trusted by the other nodes in the network to:
Be a legitimate router
Faithfully route packets between the local network
Faithfully route packets to any connected external networks
The router is trusted to:
Behave correctly at the IP layer
Not to send any network discovery messages that contain false information
Not to send router discovery messages that contain false information.
Ad hoc network: - “Trust but Verify hosts and transit”
Nodes do not directly trust each other at the IP layer nor trust routers
No one
HOST CENTRIC – Organism Model
11. Survivability model | Resilience/Agility
Preparing for, preventing, or otherwise resisting an adverse event;
Absorbing, withstanding, or maintaining essential functions in the face of the event;
Recovering from the event; and
Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.
This must be done as close to real-time as possible!
Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf
12. Techniques for Resilience/Agility
Adaptive
Containment
Cyber Modeling
Deception
Detection
Distributedness
Diversity
Integrity
Isolation
Least Privilege
Monitoring
Cyber Maneuver
Precedence
Prioritization
Pro-active
Randomness and unpredictability
Reconstitution
Redundancy
Topology Hiding
Attribution
IPv6 Features mapped to Resilience
Harriet Goldman, MITRE at the Secure and Resilient Cyber Architectures Workshop Oct 29, 2010
13. Why is your Internet Edge Scanned? ISR
Why?
Money
Pre-Attack Preparation
Research
How:
Inbound – Packets against your infrastructure
Outbound – Outbound Queries & Cookies
Steps:
Intelligence – Footprinting
Data retrieved ‘Third Party Sources’
Surveillance – Scanning
Directly or indirectly (services)
Layer 3-7, 8-10
Reconnaissance – Enumeration
Directly or indirectly (services)
Layer 3-7, 8-10
Our Focus is layer 3-7
14. Attackers' Assumptions
One address per physical Interface
Inbound addresses = Outbound addresses
Device addresses stay the same over time
Inside the same network
With the same local address
If a system is not responding,
Do a port scan to find if it was crashed or now blocked
Check back later to see if it was rebooted
IPv4 thinking in an IPv6 Resilient World
15. Problems in IPv4
Even a Script Kiddie can do it!
Destination – your network: densely populated, ‘fast’ brute-force tools, single interface address
Source of scan: needle in a haystack, fast vs. slow, limited context due to address fragmentation
NAT and Tunnels hide true sources
Attribution is hard
16. Detecting | Impact of Host Density - 2006
IPv4 Brute Force Attack -Internet Survival Time
Attacker: find & compromise an un-patched computer with a Windows operating system.
Less than 6 minutes: 5+ min to find, >1 min to compromise
Identifying attacker: noise hides indications of an attack
Reference: SANS Institute’s Internet Storm Center
17. IPv6 Brute Force Attack - Internet Survival Time
IPv4 Internet:
Entire IPv4 Internet: 298.26162 Days
/24: 0.02560 Minutes
/27: 0.00320 Minutes
/28: 0.00160 Minutes
IPv6 Internet:
Entire IPv6 Internet: 89,088,482,281,112,800,000,000,000 Millennia
/32: 20,742,528,671,657,900 Millennia
/56: 1,236,351,053 Millennia
/64: 4,829,496 Millennia
Assumption: 10,000 scans per minute to identify endpoints, using non-optimized, non-distributed scanners
A brute-force target scan is now an indicator of an attack
Detectable at the firewall and DNS server
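The arithmetic behind the survival-time table, as an added example that is not part of the deck. It assumes the slide's rate of 10,000 probes per minute from one non-optimized, non-distributed scanner, one probe per address, and 365-day years; the IPv4 rows reproduce the slide exactly, while the deck's IPv6 millennium figures are about 1.4x what this conversion yields, so compare those by order of magnitude only. It also goes one step beyond the table: the expected number of random probes before one lands on a live host in a /64, which is why a stream of probes to unassigned addresses is the detection signal the slide points at.

```python
"""Added example (not the deck's code): IPv4 vs. IPv6 brute-force sweep times.

Assumptions: 10,000 probes per minute (the slide's figure), one probe per
address, 365-day years. Only the IPv4 rows match the slide's table exactly.
"""
SCANS_PER_MINUTE = 10_000
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_YEAR = 365 * MINUTES_PER_DAY


def addresses_in_prefix(version: int, prefix_len: int) -> int:
    """Number of addresses covered by a /prefix_len block of the given IP version."""
    bits = {4: 32, 6: 128}[version]
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"/{prefix_len} is not a valid IPv{version} prefix length")
    return 1 << (bits - prefix_len)


def sweep_minutes(version: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    """Minutes needed to probe every address in the block once at `rate` probes/minute."""
    return addresses_in_prefix(version, prefix_len) / rate


def sweep_days(version: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    return sweep_minutes(version, prefix_len, rate) / MINUTES_PER_DAY


def sweep_millennia(version: int, prefix_len: int, rate: int = SCANS_PER_MINUTE) -> float:
    return sweep_minutes(version, prefix_len, rate) / MINUTES_PER_YEAR / 1000


def expected_probes_to_first_hit(prefix_len: int, live_hosts: int) -> int:
    """Average number of uniformly random probes into an IPv6 block before one
    lands on any of `live_hosts` non-guessable addresses. Every probe before
    that hits an unassigned address, which is what the firewall and DNS server
    can log and alert on."""
    if live_hosts <= 0:
        raise ValueError("need at least one live host")
    return addresses_in_prefix(6, prefix_len) // live_hosts


if __name__ == "__main__":
    print(f"IPv4 Internet: {sweep_days(4, 0):.5f} days")
    for p in (24, 27, 28):
        print(f"IPv4 /{p}: {sweep_minutes(4, p):.5f} minutes")
    for p in (0, 32, 56, 64):
        print(f"IPv6 /{p}: {sweep_millennia(6, p):,.0f} millennia")
    print("Random probes before hitting 1 of 1,000 hosts in a /64: "
          f"{expected_probes_to_first_hit(64, 1000):,}")
```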
18. Smart Targeting IPv6
Identify end devices based on IPv4 address (Dual-Stack)
• Scan IPv4 Range, obtain host names.domains
• Query AAAA based on names.domains
Identify end devices based on IPv6 Address Identifier
• Linear search: find one device, scan up 1, 2, 3 or a, b, c
• Bracketed search: find one device, scan around it (find 5, scan 1-4 & 5-9)
• Pronounceable search: DEAD, BEEF, DEED, ABED, …
• Pattern search: based on an identified pattern 1, 10, 100, 1000, …
• Ports search: 53, 80, 25, etc.
• Based on function: routers .1, .2
Smart target scanning is an indicator of “interest”
Detectable at the firewall and DNS server?
19. Static Addresses | Use of Deception
In A Record
Insert host names which do not exist with AAAA records
Impact:
Additional scanning of the address shows intention
Poisons attackers' current and future targeting lists
Insert HoneyPot
Linked to all AAAA addresses listed in AAAA deception record
Detect attempts at compromise
Management
Addresses assigned and AAAA records - IPAM
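One way to turn the decoy AAAA records above into detections, as an added example that is not part of the deck. It assumes the decoy names and addresses come from the IPAM the slide mentions; the decoy entries, the log lines and their simplified "ts src kind value extra" format are all constructed for this example, not a real resolver or firewall format.

```python
"""Added example (not the deck's code): flag sources that query decoy AAAA names
or connect to decoy addresses, the two signals slide 19 describes.

Decoy entries and log lines below are constructed; the log format is a
simplified "<ts> <src> dns <qname> <qtype>" / "<ts> <src> conn <dst> <dport>".
"""
import ipaddress
from collections import defaultdict

# Constructed IPAM export: names that exist only as AAAA records, pointing at
# addresses where nothing (or a honeypot) listens.
DECOY_AAAA = {
    "build-srv7.example.net": "2001:db8:1::d0c:7",
    "vpn-legacy.example.net": "2001:db8:1::fa11:ba5e",
}
DECOY_ADDRS = {ipaddress.IPv6Address(a) for a in DECOY_AAAA.values()}

# Constructed sample: one source queries a decoy name and then connects to both
# decoy addresses; the other two sources only touch real names.
SAMPLE_LOG = """\
1352700001 2001:db8:ffff::9 dns www.example.net AAAA
1352700002 2001:db8:ffff::9 dns build-srv7.example.net AAAA
1352700030 2001:db8:ffff::9 conn 2001:db8:1:0:0:0:d0c:7 22
1352700031 2001:db8:ffff::9 conn 2001:db8:1::fa11:ba5e 443
1352700100 203.0.113.9 dns vpn-legacy.example.net AAAA
1352700200 198.51.100.4 dns www.example.net AAAA
"""


def classify(log_text: str) -> dict:
    """Map each source to the set of (indicator, value) pairs it tripped.
    Note: at an authoritative server the DNS source is usually a recursive
    resolver, so a decoy-name query attributes more weakly than a connection."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash the pipeline
        _ts, src, kind, value, extra = parts
        if kind == "dns" and extra == "AAAA" and value in DECOY_AAAA:
            hits[src].add(("queried-decoy-name", value))
        elif kind == "conn" and ipaddress.IPv6Address(value) in DECOY_ADDRS:
            # IPv6Address equality normalizes zero-compression, so the
            # expanded form on the firewall line still matches the IPAM entry.
            hits[src].add(("touched-decoy-address", value))
    return dict(hits)


def severity(indicators: set) -> str:
    """'intention' if a decoy address was touched (the slide's word for a follow-up
    scan), 'targeting' if only the poisoned name was resolved, else 'none'."""
    kinds = {k for k, _ in indicators}
    if "touched-decoy-address" in kinds:
        return "intention"
    return "targeting" if "queried-decoy-name" in kinds else "none"
```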
20. Survivability model | IPv6 Abundance
Summary:
Little noise based on scanning – easier to ID attackers
IPv6 devices with obscure names and random addresses are
undiscoverable for inbound connections
Separating inbound and outbound connections breaks attacker
preconceptions
Use of dual stack improves the target list for attackers
Techniques exist to provide pre-attack
21. Evolving IPv6 Defensive Tool Kit – Can’t be done on IPv4!
Large Local Segments
Large Network
Non Routable Addresses (aka RFC 1918) via ULA
Secure Neighbor Discovery (SEND) - Crypto-Generated Address (CGA)
IPSEC (AH & ESP) H-G | G-G | H-H | Tunnel & Transport
With Extension Headers | H-G-G-H
Server Enclave Domain Isolation (SEDI)
Common Architecture Label IPv6 Security Option (CALIPSO)
DHCPv6 – Multi-Interface setup & signed
Multicast NTPv4 with Autokey public key authentication
Leverage DNSSec to store public keys of registered devices
Leverage DNSSec with ‘split-brain’ to limit disclosure
Multicast Signature and Security Information – “Parallel Push”
Fast Address Maneuvering
Attribution
Infrastructure Hiding
22. Take away
Security methods have failed
Resilience and agility provide a solution
IPv6 is not about the numbers, but about bringing resilience
and agility tools to the defender
Many resilience techniques have yet to be implemented by
vendors, ask for them repeatedly or call me
Enjoy the remainder of the conference!
23. IPv4 vs. IPv6
The Shifting Security Paradigm
Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma…
Scientific Hooligan, Longboat LLC
Cyber Security SME, North American IPv6 Task Force
Cyber Security SME, IPv6 Forum
Cyber Security SME, IPv6 Cyber Security Task Force
Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x,
“Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”
JSKlein@gmail.com Voice: 703-594-1419
Blog: http://scientifichooligan.me/
24. Where do attackers find vulnerabilities?
All systems have vulnerabilities
1. Design and Architecture Phase (RFC, IEEE, W3C, ITU, etc)
2. Development Phase (Coding)
3. Architecting, Implementation and Deployment (Staff,
Procedures, Governance, etc)
4. Management (Patching, Configuration Management, etc)
5. End of Life, Refresh & Replacement