IPv6 Network Assessor 111 © 2005 Cisco Systems, Inc. All rights reserved. Susan Shareshian Solutions Manager, Cisco Systems, Inc.

2 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Session Agenda Impetus Behind the Development Efforts Overview of the Network Assessor Tool Plans for the Future

3 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Why are we moving to IPv6? 333 © 2005 Cisco Systems, Inc. All rights reserved. RST _04_2005_c2

4 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. The Office of Management and Budget (OMB) is requiring all Federal agencies to transition their network backbones to IPv6 by June 2008 IPv6 Enables New Services and Applications Many other countries are already well on their way to implementing IPv6 Business and Technical Reasons

5 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. How Do We Get There from Here? IT Departments must include IPv6 as a core element of their IT strategy Applications must become IP version agnostic Education and careful planning are crucial Baseline and test any anticipated changes/installations IPv4 & IPv6 will coexist for the foreseeable future No D-Day / Flag Day Approximately 1/3 of the deployed desktop systems are ‘IPv6 capable’ Service providers are deploying IPv6 now!

6 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. What’s the cost? Hardware Costs Short Term, replace devices that don’t understand IPv6 or perhaps just a software upgrade Long Term, normal lifecycle replacement as IPv6 becomes prevalent *Offering Dual-Stack uses more memory and processing power Software Costs Most “modern” hardware, routers, servers, clients, can be upgraded to support IPv6 COTS applications are moving that way now Custom applications that make socket calls need to be made protocol agnostic Human Capital Costs associated with Training Cost to train an organization’s personnel to install, operate, maintain, and service IPv6 hardware and software Operational Costs of multiple IP environments

7 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. IPv6 Network Assessor 777 © 2005 Cisco Systems, Inc. All rights reserved. RST _04_2005_c2

8 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco IPv6 Network Assessor Description Identifies and polls selected devices and collects appropriate data which then indicates the capability to support IPv6 Provides observations and recommendations that may be used by the customer as guidelines for future design issues Assessment examines Cisco IOS® based routers and Catalyst® Operating System (CatOS) and IOS® based switches, and provides for a general overview of the devices If more in-depth device evaluation is required, additional audits that provide device specific information such as the GSR audit, as well as audits that provide a baseline over time, are available as part of Cisco® Advanced Services IPv6 Network Assessor is a stand alone portable tool that can inventory classified and nonclassified networks

9 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Cisco IPv6 Network Assessor Capability Reports Results may be organized as follows: The device is currently capable of supporting IPv6 features; hardware and software upgrades are not required The device needs: IOS upgrade Flash memory upgrade Processor memory upgrade Both flash and processor memory upgrades Memory and IOS upgrades The device is not capable of supporting IPv6 services The analysis was unable to determine the device’s capability to support IPv6; further analysis is required Cisco IPv6 capability assessments are designed to build a meaningful report on the network device capability to support IPv6

10 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Components Native Windows Application Runs under: Windows XP Professional Windows 2000 Server Windows Server 2003 Microsoft SQL Server Data Repository MSDE or SQL Server 2000 SP3a Local or Remote Installation Key Features Discovery SNMP or Fingerprint Credentialed Inventory Telnet/SSH Exception Tracking and Reporting Extensive Operator Controllable Multi-Threading for Concurrent Processing IPv6 Capability Reports Query and Data Export Facility Cisco IPv6 Network Assessor

11 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Discovery SNMP Discovery Discovery One or more IP address ranges specified by the operator Inventory snmpget retrieves MIB-I data Security Requirements Read-only (public) SNMP community string. Notes Devices will respond if and only if (IFF): Device exists SNMP Agent running Valid read-only community string Not IP address restricted Device will not respond Unless ALL conditions above are satisfied Fingerprinting Discovery One or more IP address ranges specified by the operator. Icmp echo to determine if device exists Inventory IP port scans (a.k.a. port probes) Library of known device responses One or more “guesses” Reverse DNS lookup Security Requirements None. Notes Will be detected and isolated by any customer intrusion detection software.

12 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Credentialed Inventory Configure Settings Seed File Requirements Host List, Username & Password, Group Names…. Importing Seed File into Settings with Import Wizard Building the Database Running multiple scans to collect every available target Using Exception Reporting to keep track of multiple scans Exporting Scan Status Reports How many scans are required to build a database Inventory Queries each Switch and/or Router by invoking a series of “show” commands Communication with target hosts via Telnet or SSH Security Requirements Username and Password with sufficient privileges to execute the “show” commands on the target

13 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. Plans for the Future 13 © 2005 Cisco Systems, Inc. All rights reserved. RST _04_2005_c2

14 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. IPv6 Audit Local Audit capabilities – Multi Vendor –5 day or 7 day –Trending, utilization, capacity –IPv6 capability and recommendations Capture and Report IPv6 Capability of every device on the network –Servers –IP Phones –Applications

15 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved. IPv6 Services Practice IPv6 Migration and Assessment Services –Certified Engineers –Best Practices –Tools –Secure Facilities –Documentation Repository –Dedicated Engineering and Testing Facilities Next Phase of tool……. –Security Assessments

16 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID © 2006 Cisco Systems, Inc. All rights reserved.