Presentation is loading. Please wait.

Presentation is loading. Please wait.

IPv6 Transition : Why a new security mechanisms model is necessary?

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "IPv6 Transition : Why a new security mechanisms model is necessary?"— Presentation transcript:

1 IPv6 Transition : Why a new security mechanisms model is necessary?
Abidah Hj Mat Taib Universiti Teknologi Mara, Perlis Malaysia

2 Outline Transition / coexistence Security Threats
Threats due to Transition Mechanisms Current Security Mechanisms Current IPv4 Security Model New Security Model Conclusion

3 Transition .. coexistence?
IPv IPv6 Security Considerations IPv6 Deployment IPv6 Specific Protocol Transition Mechanisms

4 Threats due to Transition Mechanisms -- Dual stack
Applications on device can be subject to attack on both IPv4 and IPv6. Need parallel filtering/detection rules for IPv4 and IPv6 packets. Internal network Internet IPv4 IPv6

5 Security Threats Similar threats in IPv4 & IPv6 networks.
Reconnaissance - exploit the site scope multicast address – flooding -- DoS Misuse of routing headers – packets spoofed & redirect attacked packets to initiate DoS Fragmentation related attacks Misuse of ICMPv6 and multicast ICMPv6 Stateless Auto-Configuration Route Implanting with ICMPv6 Redirects (use fake Echo Request) Smurf IPv6 – source is target, destination is local multicast address. Generates lots of local traffic that is sent to source) Autoconfiguration and Neighbor Discovery Vulnerabilities

6 Threats due to Transition Mechanisms -- Tunneling
Injection packet Exploiting the tunnel interface Bypassing ingress filtering checks Complexity for configuring devices as well as logging and monitoring the traffic IPv4 firewall has to open for protocol 41 (IPv6) and protocol 58 (ICMPv6) at the remote end of the tunnel.

7 Tunneling Mechanisms Security Issues
Threats Configured Tunnel Potential injecting IPv6 in IPv4 packet to the tunnel decapsulator – must check the source of the tunnel. Tunnel Broker If the administrator is unaware of TB is used by the users, he may not apply any guard against potential security holes. 6to4 Attacks with Neighbor Discovery message. Spoofing traffic to 6to4 nodes. Reflecting traffic from 6to4 nodes. Local IPv4 broadcast attacks. ISATAP Spoofing attack – bogus IP protocol 41 packets are injected: into an ISATAP link from outside, from within an ISATAP link by a node pretending to be a router. Toredo Bypassing security controls, reducing defense in depth, allowing unsolicited traffic, laundering DoS attack from IPv4 to IPv4, IPv4 to IPv6, IPv6 to IPv4.

8 Current Security Mechanisms
Mitigation Techniques Challenges Firewalls Lots of different ext. headers – hard for a firewall to filter correctly and get it right not to buffer overflow or DoS. IPsec Not always a valid security option due to bootstrapping problem. Logging/ Auditing Most are implemented using IPv4 transport – need IPv6 transport to successfully log and audit dual stack network infrastructure Intrusion Detection Lack of signature database

9 Current IPv4 Security Model : network-based
INTERNET IDS Edge Router Internal Network Stateful Firewall

10 Current IPv4 Network-based Security Scheme
Peer – firewall – Internet – firewall – peer Security policy enforced by firewalls Blocking attackers from outside BUT no firewall blocking attack coming from the same LAN segment Lack of secure end-to-end IDS – to find potential security problems and to detect unauthorized intrusion and misuse of network resources.

11 Current IPv4 Network-based Security Scheme .. cont…
Perimeter defense IP firewalls, HTTP/HTTPS firewalls, content analysis: antivirus, anti spam, etc Defense in depth and network segmentation DMZ, layered architecture TLS/SSL based business application and VPNs for remote access

12 Revised Model - Host-based Security
INTERNET Perimeter Firewall LAN-1 IDS Internal Network Edge Router LAN-2 LAN-3 Host-based firewalls / IDS

13 New Security Model -Distributed mechanisms
Centralized Security Policy Repositories INTERNET Perimeter Firewall LAN-1 IDS Internal Network Edge Router LAN-2 LAN-3 Host-based firewalls / IDS

14 New Security Model End-to-End IPsec
Distributed security with the communicating hosts providing the policy enforcement for their own communication. Creating specific policies for securing comm. based on currently running appl. Rather than having a central enforcement point try and provide a single group-based policy. Possible to create more dynamic security policies which can vary over time based on changing trust relationships.

15 Distributed security endpoints
Consists of host-resident firewalls, intrusion detection, security patching, and security status monitoring – can be accomplished by kernel-mode processes within an OS. A managed distributed host-based firewall system utilizing end-to-end IPsec can implement separate multi-level security policies with fine granularity. Using end-to-end model, it is possible to divide users and servers into various trust groups and interest communities to implement separate security rules.

16 Conclusion To design a new security mechanisms model
In depth understanding of IPsec Define optimum security policies associated to network requirements Build a comprehensive distributed firewalls to counter security issues in IPv4 as well as IPv6 As well as IDS and IPS, logging/auditing Security test using available attacking tools

17 Bibliographies Kaeo, et. al., 2006, IPv6 Network Security Architecture 1.0, NAv6tf, Van Hauser, The Hackers Choice, 2006, . J. Mohacsi, IPv6 Security:Threats and Solutions, P. Nikander, J. Kempf, and E. Nordmark, “IPv6 Neighbor Discovery (ND) Trust Models and Threats”, RFC3756, May 2004. E. Davies, S. Krishnan and P. Savola, “IPv6 Transition/Co-existence Security Considerations”, draft-ietf-v6ops-security-overview-06.txt (work in progress), Oct 2006. Alvaro Vives and Jordi Palet, IPv6 Distributed Security: Problem Statement, Proceedings of the 2005 Symposium on Applications and the Internet Workshops (SAINT-W’05), IEEE, 2005.

18 THANK YOU Q & A

19

Download ppt "IPv6 Transition : Why a new security mechanisms model is necessary?"

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Firewalls 2014.04.07 Uyanga Tserengombo

Firewalls Uyanga Tserengombo
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Similar presentations

Ads by Google