Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced.

Published byMadelyn Kenderdine Modified over 9 years ago

Similar presentations

Presentation on theme: "Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced."— Presentation transcript:

1 Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia IPv6 Security: Firewall Considerations IPv6 Security: Firewall Considerations

2 Why IPv6? 1.Exhaustion of the IANA IPv4 free pool. 2.Awareness activities such as the IPv6 Forum and “World IPv6 Day”. 3.Imminent exhaustion of the free pool of IPv4 addresses at the different RIRs. 4.All OS has IPv6 support  part of your network is already running IPv6! 5.IPv6 is the only way moving forward!  How about NAT???

3 NAT Causes Problems Breaks globally unique address model Breaks address stability Breaks always-on model Breaks peer-to-peer model Breaks some applications Breaks some security protocols Breaks some QoS functions Introduces a false sense of security Introduces hidden costs

4 Drivers for IPv6 An explosion of Internet applications, games, information sources, and financial transactions. The movement of traditional services such as voice and video from legacy circuit-based infrastructures to IP networks. Millions of new IP-enabled mobile devices, with millions more projected in the near future. Expanding economies in populous countries such as China and India, and developing economies throughout the world. Burgeoning consumer electronics industries finding new ways to exploit IP capabilities. Emerging IP-enabled sensor networks for industrial, medical, and military applications.

5 Migration Deployment IPv6

6 6 IPv6 Deployment has begun

7 IPv4 & IPv6 Coexistence 7

8 Is IPv6 more secure than IPv4? less

9 The Big IPv6 Security Question

10 Types of IPv6 Security Issues Issues due to the IPv6 protocol itself Issues due to transition mechanisms Issues due to IPv6 deployment. used in

11 Dual-stacking increase the complexity of the network, and thus the number of potential vulnerabilities. Co-existence traffic usually results in complex traffic (with multiple encapsulations). This increases the difficulty of performing Deep Packet Inspection (DPI) Increase in complexity of firewall filtering policies or detection. Co-existence Security Concerns

12 IPv6 Deployment Security Concerns There is much less experience with IPv6 than with IPv4 IPv6 implementations are less mature than their IPv4 counterparts Security products (firewalls, NIDS, etc.) have less support for IPv6 than for IPv4 The complexity of the resulting network will increase during the transition/co-existance period: –Two internetworking protocols (IPv4 and IPv6) –Increased use of NATs –Increased use of tunnels –Use of other transition/co-existance technologies Lack of well-trained IPv6 Engineers.

13 System Security Security Training & Experience Hackers Application Security Network Security

14 Attacker already have many IPv6 capable tools: THC-IPv6 Attack SuiteUnfortunately, IPv6 security controls and products seems to be a bit behind.

15

16 On Windows, many third party host based firewalls have only limited support for IPv6. – Some have none at all. – Others may even block some mechanisms such as DHCPv6 or SLAAC. – In Windows 7 and above, the built-in firewall has excellent support for IPv6 On *BSD, the pf kernel-based packet filter can easily be deployed as an excellent host based dual stack firewall. You can even build a full gateway firewall using it. The pfsense open source project has built a good GUI around pf, has very limited support for IPv6. On Linux, netfilter/iptables is roughly equivalent to *BSD’s pf, but is not as complete and also does have support for IPv6.

17 In addition to all the typical gateway firewall mechanisms and controls for IPv4 (including port forwarding and NAT), true dual- stack gateway firewalls should include the following new features: – Support for native dual stack service, plus tunnel endpoint support for one or more mechanisms including 6in4, TSP, 6rd, and even 4in6. – Configurable Router Advertisement Daemon – Support for multiple internal subnets with different /64 prefixes into each internal subnet. – Packet filtering controls for IPv6 traffic independent of controls for IPv4. – Independent control over all ICMPv6 messages – Dual stack application layer proxies for the most common protocols (HTTP, SMTP, SIP, etc)

18 At least a Link-Local Address (FE80::/10) Likely a Unique Global Address (2000::/3) Possibly a Site-Local Address (FC00::/7) You will probably need MULTIPLE Firewall or ACL policies for these extra networks within your organization

19 How to filter ICMPv6? Handling new extension headers Filtering Multicast and Anycast Hosts w/multiple addresses

20 20 More powerful than ICMPv4 ICMPv6 uses IPv6 extension header # 58 (RFC 2463) – TypeDescription – 1Destination Unreachable – 2Packet too Big – 3Time exceeded – 4Parameter problem – 128Echo Request – 129Echo Reply – 130Multicast Listener Query – sent to ff02::1 (all nodes) – 131Multicast Listener Report – 132Multicast Listener Done – sent to ff02::2 (all routers) – 133Router Solicitation (RS) – sent to ff01::2 (all routers) – 134Router Advertisement (RA) – sent to ff01::1 (all nodes) – 135Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104 – 136Neighbor Advertisement (NA) – 137Redirect

21 Prof. Dr. Sureswaran Ramadass sures@nav6.usm.my www.nav6.usm.my Prof. Dr. Sureswaran Ramadass sures@nav6.usm.my www.nav6.usm.my THANK YOU

Download ppt "Prof. Dr. Sureswaran Ramadass Director National Advanced IPv6 Centre (NAv6) Universiti Sains Malaysia Prof. Dr. Sureswaran Ramadass Director National Advanced."

Similar presentations

FORUM ON NEXT GENERATION STANDARDIZATION (Colombo, Sri Lanka, 7-10 April 2009) A Pilot Implementation of an NGN Dual Stack IPv4/IPv6 network for MEWC,

FORUM ON NEXT GENERATION STANDARDIZATION (Colombo, Sri Lanka, 7-10 April 2009) A Pilot Implementation of an NGN Dual Stack IPv4/IPv6 network for MEWC,
10: ICMPv6 Neighbor Discovery

10: ICMPv6 Neighbor Discovery
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.

IPv4 - IPv6 Integration and Coexistence Strategies Warakorn Sae-Tang Network Specialist Professional Service Department A Subsidiary.
IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)

IPv6 Introduction What is IPv6 Purpose of IPv6 (Why we need it)Purpose of IPv6 IPv6 Addressing Architecture IPv6 Header ICMP v6 Neighbor Discovery (ND)
TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.

TCP/IP Protocol Suite 1 Chapter 27 Upon completion you will be able to: Next Generation: IPv6 and ICMPv6 Understand the shortcomings of IPv4 Know the IPv6.
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public IPv6 Intro – Part 1 1 IPv6 Intro Part 1: Overview and Addressing Basics.

© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public IPv6 Intro – Part 1 1 IPv6 Intro Part 1: Overview and Addressing Basics.
©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager.

©2005 Check Point Software Technologies Ltd. Proprietary & Confidential IPv6 Security Topics TAU Security Forum February 2005 Yoni Appel IPv6 Project Manager.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.

IPv4 to IPv6 Migration strategies. What is IPv4  Second revision in development of internet protocol  First version to be widely implied.  Connection.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implementing IP Addressing Services IPv6.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Implementing IP Addressing Services IPv6.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.
IPv6 The Big Move: Transition and Coexistent Frenil V. Dand.

IPv6 The Big Move: Transition and Coexistent Frenil V. Dand.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
IPv6 The Next Generation Presented by Anna La Mura Jens Waldecker.

IPv6 The Next Generation Presented by Anna La Mura Jens Waldecker.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Transitioning to IPv6.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—7-1 Address Space Management Transitioning to IPv6.
IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

17/10/031 Summary Peer to peer applications and IPv6 Microsoft Three-Degrees IPv6 transition mechanisms used by Three- Degrees: 6to4 Teredo.

Similar presentations

Ads by Google