IPv6 Security. Are you ready? You better be



Joe Klein, CISSPIPv6 Security Researcherjsklein@gmail.com

Implementation Strategies

Accidentally (historical examples):
 - Unsecured wireless access points
 - Non-firewalled systems and networks
 - Starting IT projects without the 'security guys' involved
 - Last-minute projects and 'demos'

Deliberately (Plan-Do-Check-Act):
 - Plan: establish the objectives and processes necessary to deliver results; get management and security staff buy-in!
 - Do: implement the new processes
 - Check: measure the new processes and compare the results against the expected results
 - Act: analyze the differences, determine their cause, determine improvements

IPv6 Enabled Systems Deployment

Date  Product                               V6 Capable    V6 Enabled
1996  OpenBSD / NetBSD / FreeBSD            Yes           Yes
      Linux 2.1.6 kernel                    Yes           No
1997  AIX 4.2                               Yes           No
2000  Windows 95/98/ME/NT 3.5/NT 4.0        Yes, add-on   No
      Windows 2000                          Yes           No
      Solaris 2.8                           Yes           Yes
2001  Cisco IOS (12.x and later)            Yes           No
2002  Juniper (5.1 and later)               Yes           Mostly
      IBM z/OS                              Yes           Yes
      Apple OS X 10.3                       Yes           Yes
      Windows XP                            Yes           No
      Linux 2.4 kernel                      Yes           No
      AIX 6                                 Yes           Yes
      IBM AS/400                            Yes           Yes
2006  Linksys routers (Mindspring)          Yes           No
      Cell phones - many                    Yes           Yes
      Solaris 2.10                          Yes           Yes
      Linux 2.6 kernel                      Yes           Yes
2007  Apple AirPort Extreme                 Yes           Yes
      Cell phone - BlackBerry               Yes           No
      Windows Vista                         Yes           Yes
      HP-UX 11iv2                           Yes           Yes
      OpenVMS                               Yes           Yes
      Macintosh OS X Leopard                Yes           Yes
2009  Cloud computing & embedded systems    Yes           Yes

"V6 Capable" means the stack ships with the product; "V6 Enabled" means it is on by default, which is the column that matters for an attack surface you did not plan for.

IPv6 Security Events

2001  Review of logs after the Honeynet Project announcement
2002  Honeynet Project: Lance Spitzner: Solaris
      Snort: Martin Roesch: added, then removed, IPv6 support
2003  Worm: W32.HLLW.Raleka: downloads files from a predefined location and connects to an IRC server
2005  Trojan: Troj/LegMir-AT: connects to an IRC server
      CERT: covert channels using IPv6 Teredo
      Mike Lynn: Black Hat: IOS' handling of IPv6 packets
2006  CanSecWest: THC IPv6 hacking tools
      RP Murphy: DefCon: IPv6 covert channels
2007  Rootkit: W32/Agent.EZM!tr.dldr: TCP, HTTP, SMTP
      James Hoagland: Black Hat: Teredo/IPv6-related flaw in Vista
2008  HOPE: IPv6 mobile phone vulnerability
      November: "Attackers are going to try it or use it as a transport mechanism for botnets. IPv6 has become a problem on the operational side." (Arbor Networks)

Malware

Year  Date        Type     Name
2001  10/1/2001   DOSbot   Ipv4.ipv6.tcp.connection
2003  9/26/2003   Worm     W32/Raleka!worm
2004  7/6/2004    Worm     W32/Sdbot-JW
2005  2/18/2005   Worm     W32/Sdbot-VJ
      8/24/2005   Trojan   Troj/LegMir-AT
      9/5/2005    Trojan   Troj/LegMir-AX
2006  4/28/2006   Trojan   W32/Agent.ABU!tr.dldr
2007  1/2/2007    Trojan   Cimuz.CS
      4/10/2007   Trojan   Cimuz.EL
      5/4/2007    Trojan   Cimuz.FH
      11/5/2007   Worm     W32/Nofupat
      11/15/2007  Trojan   Trojan.Astry
      12/1/2007   Rootkit  W32/Agent.EZM!tr.dldr
      12/16/2007  Trojan   W32/Agent.GBU!tr.dldr
      12/29/2007  Worm     W32/VB-DYF
2008  4/22/2008   Trojan   Troj/PWS-ARA
      5/29/2008   Trojan   Generic.dx!1DAEE3B9

IPv6 Vulnerability Trends

[Chart: Published IPv6 Vulnerabilities over Time, 2000 to 2008; per-year count and cumulative sum on a 0 to 70 scale.]

IPv6 Vulnerabilities: Impacts of Vulnerabilities

Published IPv6 vulnerabilities by classification:
 - DoS: 62%
 - Other: 22%
 - Code execution: 5%
 - Overflow: 5%
 - Information disclosure: 5%
 - Privilege escalation: 2%

Core Problems

Published IPv6 vulnerabilities by technology:
 - Network/Firewall: 75%
 - Application: 11%
 - Teredo: 6%
 - Firewall/Teredo: 4%
 - IPsec/IKE: 4%

Attack Surfaces

 - IPv4 native
 - IPv6 native
 - Dual-stack
 - IPv4 + tunnels
 - IPv6 + tunnels
 - Dual-stack + tunnels
 - Tunnels: encapsulation and/or encryption

Each combination inherits the surface of its parts: a dual-stack host with tunnels can be reached on native IPv4, native IPv6 and every tunnel it terminates, and must be filtered and monitored on all of them.

7 Layer Target

Where IPv6 breaks across the stack:
 - User interface
 - Chopping of addresses (parsers and buffers sized for IPv4 text)
 - Bad libraries
 - Error handling
 - Coding issues
 - Improper logging
 - Embedded addresses (IPv4 carried inside IPv6, e.g. ::ffff:a.b.c.d or 2002::/16)
 - Improper implementation
 - Operations: L2/L3 mismatch, MTU, etc.
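The "chopping of addresses", "improper logging" and "embedded addresses" items are easier to see in code. The following Python is an added example written for this page, not code from the talk: the endpoint strings and the blocklist are constructed, and INET_ADDRSTRLEN / INET6_ADDRSTRLEN are the C buffer sizes for the two textual forms. It shows the classic host:port split mangling an IPv6 literal, a fixed-width log column truncating an IPv6 address, and an IPv4-keyed blocklist being bypassed by an IPv4-mapped address until the parser canonicalises it.

```python
"""Address-handling bugs from the "7 Layer Target" list (added example,
not from the talk). Inputs are constructed. Three failure modes:
 1. "chopping": splitting host:port on the first ':' when the host is IPv6,
 2. log columns sized for dotted-quad text silently truncating IPv6,
 3. an IPv4-keyed blocklist missed by ::ffff:a.b.c.d (IPv4-mapped) unless
    the address is canonicalised first."""
import ipaddress

INET_ADDRSTRLEN = 16   # C buffer for "255.255.255.255" + NUL
INET6_ADDRSTRLEN = 46  # C buffer for "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" + NUL

# Constructed endpoints as a log or config line might carry them.
ENDPOINTS = [
    "192.0.2.10:443",          # IPv4 host:port
    "[2001:db8::1]:443",       # RFC 3986 bracketed IPv6 host:port
    "2001:db8::1",             # bare IPv6 literal, no port
    "[::ffff:192.0.2.10]:22",  # IPv4-mapped IPv6 carrying the first address
]


def naive_host_port(endpoint):
    """The IPv4-era bug: everything before the first ':' is the host."""
    host, _, port = endpoint.partition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_host_port(endpoint):
    """IPv6-aware parse. Returns (ipaddress object, port or None) and raises
    ValueError on anything that is not an address, so junk never reaches
    logs or ACLs as a 'host'."""
    if endpoint.startswith("["):
        end = endpoint.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {endpoint!r}")
        host, rest = endpoint[1:end], endpoint[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError(f"junk after IPv6 literal: {endpoint!r}")
        port = int(rest[1:]) if rest else None
    elif endpoint.count(":") > 1:
        host, port = endpoint, None        # bare IPv6 literal cannot carry a port
    else:
        host, _, p = endpoint.partition(":")
        port = int(p) if p else None
    return ipaddress.ip_address(host), port


def canonical(addr):
    """Unwrap IPv4-mapped IPv6 so policy written against IPv4 still applies."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def log_field(text, width):
    """Fixed-width log column. '%-15.15s'-style precision truncates silently;
    the width must grow to INET6_ADDRSTRLEN-1 once IPv6 peers appear."""
    return f"{text:<{width}.{width}}"


def is_blocked(endpoint, ipv4_blocklist):
    """Blocklist check done right: parse, canonicalise, then compare."""
    addr, _port = parse_host_port(endpoint)
    return str(canonical(addr)) in ipv4_blocklist


def is_blocked_naive(endpoint, ipv4_blocklist):
    """Same check with the chopping parser: misses every IPv6 form."""
    host, _port = naive_host_port(endpoint)
    return host in ipv4_blocklist


if __name__ == "__main__":
    blocklist = {"192.0.2.10"}
    for ep in ENDPOINTS:
        print(f"{ep:25} naive={naive_host_port(ep)!s:22} parsed={parse_host_port(ep)}"
              f" blocked naive/right={is_blocked_naive(ep, blocklist)}/{is_blocked(ep, blocklist)}")
    full = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"
    print(repr(log_field(full, INET_ADDRSTRLEN - 1)), "<- chopped")
    print(repr(log_field(full, INET6_ADDRSTRLEN - 1).rstrip()), "<- intact")
```

The design point is that validation and canonicalisation happen in one place (parse_host_port plus canonical) before any comparison or logging; the naive parser does not fail loudly, it just returns "2001" or "[" as a host, which is exactly the kind of value that ends up in an allowlist match or a truncated audit log.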

Security Tool Stages of IPv6 Compatibility

"Caveat emptor" - "Buyer beware"

Product marketing terms (a label, not a test result): IPv6 Capable, IPv6 Compliant, IPv6 Compatible, IPv6 Ready, IPv6-Ready, IPv6 Available, IPv6 Enabled, IPv6 Tested, IPv6 DoD/DISA Ready, DoD/DISA Tested, JITC IPv6 Certified.

Layers of testing: Conformance, Interoperability, Performance, Security. Who performed it is what separates the terms: a certification program (IPv6 Ready Logo, US Government, DoD), a third party, or "all others", which is the vendor's own claim.

Certification programs:
 - IPv6 Ready Logo, Phase 1: host, router or special device for the minimum IPv6 core protocols
   http://www.ipv6ready.org/logo_db/approved_list.php
 - IPv6 Ready Logo, Phase 2: host, router or special device for the minimum IPv6 core protocols plus IPsec, IKEv2, MIPv6, NEMO, DHCPv6, SIP, MLD, transition and management (SNMP MIBs)
   http://www.ipv6ready.org/logo_db/approved_list_p2.php
 - NIST Certified 1.0: host, router and network protection devices, covering routing, quality of service, transition, link technology, addressing, IPsec, application environment, network management, multicasting and mobility
   http://www.antd.nist.gov/
 - DoD IPv6 Capable Certified 3.0: host, network appliance, router / layer 3 switch, security device, advanced server, application
   http://jitc.fhu.disa.mil/apl/ipv6.html
 - Third party: Common Criteria
   http://www.commoncriteriaportal.org/

Call To Action

 - Early security team involvement: risk management, IH/forensics, defenders
 - Leverage procurement: obtain IPv6-certified security products
 - Education at all levels
 - Security tools, processes and infrastructure: upgrade!
 - Development: IPv6 secure coding practices
 - Testing and validation: use auditors/pen testers that know IPv6

Don’t be this guy!

Common Architecture Vulnerability

IPv4: the firewall does its job.

    C:\Users\dbg1.000>ping 68.247.18.13
    Pinging 68.247.18.13 with 32 bytes of data:
    Ping statistics for 68.247.18.13:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

IPv6: the same host answers.

    C:\Users\dbg1.000>tracert 2002:44f7:120d::44f7:120d
    Tracing route to 2002:44f7:120d::44f7:120d over a maximum of 30 hops
      1     4 ms     2 ms     2 ms  2610:f8:c38::1
      6   622 ms   389 ms   444 ms  2002:44f7:120d::44f7:120d

An Nmap scan showed the following ports open: 80, 113, 135, 137, 5980 (ephemeral), WAP Push, blackjack, SQL...

Why: IPv4 68.247.18.13 is hex 44 F7 12 0D, and a host with a public IPv4 address auto-configures the 6to4 address 2002:44f7:120d::44f7:120d. The IPv4 filter drops the ping, but nothing inspects the DEFAULT 6to4 tunnel, so the IPv6 side of the same machine is wide open!
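To make the slide's hand calculation and the tunnel surfaces from the "Attack Surfaces" slide checkable, the Python below is an added example written for this page, not code from the talk. It derives the default 6to4 address from an IPv4 address the way the slide does by hand, recovers the embedded IPv4 from 6to4 and Teredo addresses, and classifies IPv4 packets by transition mechanism (protocol 41 for 6in4/6to4, UDP/3544 for Teredo), which is what an IPv4-only filter has to be taught to look at. The packet bytes are constructed with no checksums, the addresses other than the slide's 68.247.18.13 are documentation ranges or the RFC 4380 Teredo layout, and tunnel_reaches() is a hypothetical model of a port-only IPv4 filter, not any product's logic.

```python
"""6to4/Teredo exposure check (added example, not from the talk).
default_6to4(): the 2002:WWXX:YYZZ::WWXX:YYZZ address a host with public
  IPv4 WW.XX.YY.ZZ auto-configures (RFC 3056 prefix, IPv4 repeated as IID).
embedded_ipv4(): the IPv4 carried inside a 6to4 or Teredo address.
classify_ipv4_packet(): flags protocol-41 (6in4/6to4) and UDP/3544 (Teredo)
  encapsulation that an IPv4-only filter would pass untouched.
Packet bytes are constructed; tunnel_reaches() is a hypothetical filter."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41
TEREDO_PORT = 3544
SIXTO4_NET = ipaddress.ip_network("2002::/16")   # RFC 3056
TEREDO_NET = ipaddress.ip_network("2001::/32")   # RFC 4380


def default_6to4(ipv4):
    hi, lo = struct.unpack("!HH", ipaddress.IPv4Address(ipv4).packed)
    return ipaddress.IPv6Address(f"2002:{hi:x}:{lo:x}::{hi:x}:{lo:x}")


def embedded_ipv4(ipv6):
    """6to4: IPv4 is bits 16-47. Teredo: client IPv4 is the last 32 bits
    XOR 0xFFFFFFFF (RFC 4380 section 4). None for other addresses."""
    v6 = ipaddress.IPv6Address(ipv6)
    raw = v6.packed
    if v6 in SIXTO4_NET:
        return ipaddress.IPv4Address(raw[2:6])
    if v6 in TEREDO_NET:
        return ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    return None


# --- constructed packet builders (header fields only, checksum left zero) ---
def ipv4_header(proto, src, dst, payload_len):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst, next_header=59):        # 59 = No Next Header
    return struct.pack("!IHBB16s16s", 0x60000000, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def _inner_ipv6_dst(payload):
    if len(payload) >= 40 and payload[0] >> 4 == 6:
        return ipaddress.IPv6Address(payload[24:40])
    return None


def classify_ipv4_packet(pkt):
    """Return (kind, outer_src, outer_dst, inner_ipv6_dst); kind is one of
    '6to4', '6in4', 'teredo', 'ipv4'. inner is None when no IPv6 rides inside."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    payload = pkt[ihl:]
    if proto == IPPROTO_IPV6:
        inner = _inner_ipv6_dst(payload)
        if inner is not None:
            return ("6to4" if inner in SIXTO4_NET else "6in4"), src, dst, inner
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo", src, dst, _inner_ipv6_dst(payload[8:])
    return "ipv4", src, dst, None


def tunnel_reaches(pkt, protected_ipv4):
    """Hypothetical IPv4-only filter that blocks direct traffic to
    protected_ipv4 but knows nothing about encapsulation: True when the
    packet still delivers IPv6 to that host."""
    kind, _src, dst, inner = classify_ipv4_packet(pkt)
    if kind == "ipv4" or inner is None:
        return False
    target = embedded_ipv4(inner) if kind in ("6to4", "teredo") else dst
    return target == ipaddress.IPv4Address(protected_ipv4)


# --- constructed traffic ----------------------------------------------------
HOST4 = "68.247.18.13"               # the slide's IPv4 address
HOST6 = default_6to4(HOST4)          # 2002:44f7:120d::44f7:120d, as on the slide
# Teredo address laid out per RFC 4380: server 65.54.227.120, client 192.0.2.45,
# client UDP port 40000 (port and client IPv4 stored XOR 0xFFFF / 0xFFFFFFFF)
TEREDO_CLIENT = "2001:0:4136:e378:8000:63bf:3fff:fdd2"
PKT_6TO4 = ipv4_header(IPPROTO_IPV6, "192.88.99.1", HOST4, 40) + \
           ipv6_header("2001:db8::1", HOST6)
PKT_TEREDO = ipv4_header(IPPROTO_UDP, "65.54.227.120", "192.0.2.45", 48) + \
             udp_header(TEREDO_PORT, 40000, 40) + ipv6_header("2001:db8::2", TEREDO_CLIENT)
PKT_TCP = ipv4_header(IPPROTO_TCP, "198.51.100.7", HOST4, 0)

if __name__ == "__main__":
    for name, pkt in (("6to4", PKT_6TO4), ("teredo", PKT_TEREDO), ("tcp", PKT_TCP)):
        kind, src, dst, inner = classify_ipv4_packet(pkt)
        print(f"{name:7} {kind:7} {src} -> {dst} inner={inner} "
              f"reaches {HOST4}: {tunnel_reaches(pkt, HOST4)}")
```

Running it prints the 6to4 packet as reaching 68.247.18.13 even though a direct TCP packet to the same address does not: the outer IPv4 header is a plain protocol-41 datagram, so a filter that only matches TCP/UDP ports passes it. The practical checks that follow from this are to block protocol 41 and UDP/3544 at the perimeter unless a tunnel is deliberately operated, and to scan every public IPv4 address's derived 2002::/16 address as part of the IPv4 assessment.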

