1. Why Should You Worry About IPv6 Security
Even If Your Network Runs On IPv4?
Fernando Gont
CISO Platform Annual Summit
Mumbai, India. November 15-16, 2013
2. Motivation for this presentation
● Widespread idea: “I do not need to care about IPv6 security because my network runs on IPv4”
● Possible approaches:
  ● Option #1
  ● Option #2
  ● Option #3
© 2013 SI6 Networks. All rights reserved
3. Myth:
“My network does not support IPv6”
4. Myth: IPv4-only networks
● Most operating systems support IPv6 and enable it by default
● IPv6 connectivity is just “dormant”:
  ● Waiting for “activation” -- legitimate or otherwise
● Most networks have (at least) partial deployment of IPv6
5. IPv6/IPv4 co-existence
(how the two protocols are glued together)
6. IPv6/IPv4 co-existence
● For every domain name, the DNS may contain:
  ● A resource records (IPv4 addresses), and/or,
  ● AAAA (Quad-A) resource records (IPv6 addresses)
● Host may query for A and/or AAAA resource records
● Based on the available resource records, supported protocols, and local policy, IPv6 and/or IPv4 could be employed
7. How can IPv6 be exploited?
8. How can IPv6 be exploited?
● An attacker poses as a local router/server
  ● e.g. responds to DHCPv6 requests
● An attacker possibly forges DNS responses
● This allows for e.g. IPv6-based Man In The Middle (MITM) attacks
● You might not even detect these attacks if you are not prepared
9. Mitigating IPv6 implications
(on “IPv4-only” networks)
10. Mitigating IPv6 implications
● Deploy IPv6-security controls
  ● Same as you do for IPv4
  ● Might be difficult to implement
● Filter IPv6 traffic on your network
  ● Native traffic (ideally at layer 2)
  ● Tunnels (Teredo, etc.)
● Whatever the outcome, it should be the result of an explicit decision
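
Added example (not part of the original slides): a Python sketch of the classification a layer-2 filter or monitor has to make to find the traffic listed above, covering native IPv6 by EtherType plus two tunnel encapsulations (IPv4 protocol 41 and Teredo's UDP port 3544). The function and helper names and the sample frames are constructed for illustration.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_UDP, PROTO_IPV6_ENCAP = 17, 41  # 41: IPv6-in-IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544                    # UDP port used by Teredo

def classify_frame(frame: bytes) -> str:
    """Label an Ethernet frame: native-ipv6, tunnel-proto41, tunnel-teredo, ipv4, other."""
    if len(frame) < 14:
        return "other"
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    # Walk past 802.1Q tags so VLAN-tagged IPv6 is not missed.
    while ethertype == ETH_VLAN and len(frame) >= off + 4:
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype == ETH_IPV6:
        return "native-ipv6"
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return "other"
    ihl = (frame[off] & 0x0F) * 4
    if ihl < 20:
        return "other"  # malformed IPv4 header
    proto = frame[off + 9]
    frag_offset = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
    if proto == PROTO_IPV6_ENCAP:
        return "tunnel-proto41"
    # UDP ports are only present in the first fragment.
    if proto == PROTO_UDP and frag_offset == 0 and len(frame) >= off + ihl + 4:
        if TEREDO_PORT in struct.unpack_from("!HH", frame, off + ihl):
            return "tunnel-teredo"
    return "ipv4"

# --- Constructed sample frames (not captured traffic) ---
def eth(ethertype, payload, vlan=False):
    tag = struct.pack("!HH", ETH_VLAN, 10) if vlan else b""
    return b"\x02" * 6 + b"\x04" * 6 + tag + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

IPV6_HDR = b"\x60" + b"\x00" * 39
SAMPLES = [eth(ETH_IPV6, IPV6_HDR), eth(ETH_IPV6, IPV6_HDR, vlan=True),
           eth(ETH_IPV4, ipv4(PROTO_IPV6_ENCAP, IPV6_HDR)),
           eth(ETH_IPV4, ipv4(PROTO_UDP, udp(50000, TEREDO_PORT))),
           eth(ETH_IPV4, ipv4(PROTO_UDP, udp(50000, 53)))]

if __name__ == "__main__":
    for f in SAMPLES:
        print(classify_frame(f))
```

Matching on port 3544 is a heuristic for Teredo's well-known server port; any label other than "ipv4" on a network meant to be IPv4-only is traffic that needs an explicit allow-or-block decision.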
11. VPN traffic leakages
(the good, the bad, and... the ugly)
12. VPN leakages
● Typical scenario:
  ● You connect to an insecure network
  ● You establish a VPN with your home/office
  ● Your VPN software does not support IPv6
  ● An attacker (or legitimate system!) triggers IPv6 connectivity
  ● Your traffic now goes in the clear...
  ● ... while you thought your traffic was being secured
13. Mitigating VPN leakages
● Short answer:
  ● Disable IPv6 support on your laptop when employing VPNs