IPv6 Promised Role in Mitigating Cyber Attacks: Really it's Time!
Alaa Al-Din Al-Radhi, IPv6 & Cyber Security: Consultant Engineer, Practitioner, Networker & Trainer; IPv6 Forum Jordan Chapter President
[email protected], [email protected]
Friday 13th May 2011, 11:30 - 12:15
Agenda
• IPv6 Security Basic Issues
• IPv6 Security Road-Map & How-To
• Wrap-Up
Current ISP (Internet Service Provider) Challenges
• IPv4 addresses finished: "Sorry, we are closed!!"
• NAT layers for IP shortages
• Mobility convergence
• Congestion & delay
• Too many security attacks
IPv6 Security Basic Issues
The ONLY real security a person can have in this world = a reserve of knowledge, intent, experience, ability & action.
There is NO fixed answer; ONLY possible solutions!
IPv6 will restore the CIA model (Confidentiality, Integrity, Availability).
Security Characteristics & Process. Objective: sieving malicious traffic
(Figure, not reproduced: a filtering pipeline with TCP and other traffic as input and the cleaned traffic as output.)
• Packet filtering: filters on IPs, ports, flags, etc.
• Anti-spoofing
• Learning & statistical analysis: statistical analysis across layers 3-7
• HTTP analysis & authentication: high-level protocols, anomaly behaviour, etc.
• Output: the traffic that survives the sieve
Security Policy (a continuous cycle)
• Secure resources: firewall, encryption, authentication, audit.
• Monitor & respond: intrusion detection, work the incident.
• Test, practice, drill: vulnerability scanning.
• Manage & improve: post mortem, analyze the incident, modify the plan / procedures.
Security incidents are a normal part of an ISP's operations.
(Figure, not reproduced: the NOC, the ISP's backbone, remote staff and office staff, the points where penetration is attempted, and AAA controlling staff access.)
Identify & Evaluate Risk Assessments: Security Breaches Likelihood
Complete Security Life Cycle
8 Security Dimensions for Network Vulnerabilities (What / Goal / How)

Access Control
  Goal: ensures access by authorized personnel & devices only; protects against unauthorized use.
  How: simple log-in / password, ACLs, IDS.
Authentication
  Goal: confirms the identity of communicating entities (e.g., end-users, network elements, etc.); provides assurance that an entity is who it claims to be.
  How: digital certificates, digital signatures, SSL.
Non-Repudiation
  Goal: prevents an entity from denying its actions; ensures evidence is available that an action has taken place.
  How: logs, access control, digital signatures.
Data Confidentiality
  Goal: protects against unauthorized data access; ensures data content can NOT be read by an unauthenticated entity.
  How: encryption (3DES, AES), access control lists, file permissions.
Communication Security
  Goal: ensures information flows only between authorized end points; ensures information is NOT intercepted or diverted.
  How: VPNs (IPsec, L2TP), MPLS tunnels.
Data Integrity
  Goal: ensures information accuracy; provides evidence that information was not altered in transit.
  How: IPsec, anti-virus software.
Availability
  Goal: network availability.
  How: disaster recovery solutions, FW, IDS / IPS, backup & business continuity.
Privacy
  Goal: information protection.
  How: encryption of IP headers (IPsec tunnel mode; transport mode leaves the IP header in the clear).

ISP Security Breakdown Checklists (per network tier)
• Backbone / Core: device integrity + route authentication.
• Aggregation & Distribution: device integrity + route authentication + stateful / stateless firewall + crypto + L3 filtering + L3 DDoS mitigation + L3 spoof mitigation.
• CPE Access / Perimeter: L3 filtering, L3 DDoS mitigation, L2 security (firewall, AAA, device integrity) + URL filtering + IDS (host / network based).
• Endpoints: device integrity + device and user AAA + host firewall (e.g., BlackICE) + OS patches + AV + hardening + file system encryption + vulnerability scanning.
What is Needed: IPv6 End-to-End Secure Communications
(Figure, not reproduced: two diagrams contrasting an IPv4 Internet and an IPv6 Internet connecting Branch A, Branch B and a partner company.)
• IPv4 Internet: private address segments behind NAT at each site; the routers (R) can only build site-to-site secure communications, so there is low security in the LAN segments behind them, and low interoperability between different vendors' NAT traversal.
• IPv6 Internet: global address segments throughout; IPsec nodes build end-to-end secure communications (secure transmission from node to node, with the routers in between just forwarding), and a new connection is easy to set up.
Motivations for "IP Layer" Security
1. The Internet community has developed some application-specific security mechanisms:
   – Kerberos for client / server authentication
   – PGP, PEM or S/MIME for e-mail security
   – SSL for secure web access
2. So, we need to provide security at the IP layer: IPsec, with the following benefits:
   – Implemented at the IP layer, all traffic can be secured, NO matter what the application.
   – IPsec in a firewall can NOT be bypassed if the firewall is the only connection between intranet & extranet.
   – Transparent to applications: NO changes to upper-layer software.
   – Provides routing security (routing advertisements and updates between peers can be authenticated).
Simple header with fixed length of 40 bytes.
Optional extension headers, added only when needed; the 6 defined in RFC 2460 are:
1. Hop-by-Hop Options Header,
2. Routing Header,
3. Fragment Header,
4. Destination Options Header,
5. Authentication Header (AH),
6. Encapsulating Security Payload (ESP) header.
Each extension header is identified by the Next Header field of the header that precedes it, so a filter has to walk the whole chain before it reaches the upper-layer protocol.
Block Mobility Headers if IPv6 mobility is NOT being used by an organization.
Extension headers can also be used as a covert channel to hide communications between two systems, e.g., in Destination Options.
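An added example of the Next Header walk the slide describes; this is not code from the presentation. It follows the extension header chain of an IPv6 packet and reports what a filter acts on: a deprecated Routing Header Type 0, fragments (including RFC 6946 atomic fragments), a Mobility Header when mobility is not deployed, and Destination Options whose padding carries data (the covert channel mentioned above). The two packets, the addresses from the 2001:db8::/64 documentation prefix, and all function names are constructed for this example.

```python
import struct

EXT = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 50: "ESP",
       51: "AH", 60: "Destination Options", 135: "Mobility"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Constructed addresses and a minimal TCP SYN, not captured traffic.
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def _ipv6(next_header, payload):
    """Fixed 40-byte IPv6 header: version 6, zero traffic class / flow label, hop limit 64."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64, SRC, DST) + payload


def build_sample_packet():
    """IPv6 | Destination Options (PadN carrying data) | Fragment (atomic) | TCP."""
    frag = struct.pack("!BBHI", 6, 0, 0, 0x1234ABCD)        # next=TCP, offset 0, M=0
    dopts = bytes([44, 0, 1, 4, 0xDE, 0xAD, 0xBE, 0xEF])    # next=Fragment, PadN(len 4) with bytes
    return _ipv6(60, dopts + frag + TCP_SYN)


def build_rh0_packet():
    """IPv6 | Routing Header type 0 with one intermediate address | TCP."""
    via = bytes.fromhex("20010db8000000000000000000000003")
    rh0 = struct.pack("!BBBBI", 6, 2, 0, 1, 0) + via         # next=TCP, len=2 (24 bytes), type 0, 1 left
    return _ipv6(43, rh0 + TCP_SYN)


def _options(blob):
    """TLV options of a Hop-by-Hop or Destination Options header: [(type, data), ...]."""
    opts, i = [], 0
    while i < len(blob):
        if blob[i] == 0:                                     # Pad1 is a lone zero byte
            i += 1
            continue
        t, l = blob[i], blob[i + 1]
        opts.append((t, blob[i + 2:i + 2 + l]))
        i += 2 + l
    return opts


def walk_ext_chain(pkt, mobility_in_use=False):
    """Follow the Next Header chain. Returns (chain, findings): chain is the ordered
    list of (protocol number, name), findings are remarks a filter would act on."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain, findings = pkt[6], 40, [], []
    for _ in range(16):                                      # bound the walk; longer chains are suspect
        if nh not in EXT:                                    # an upper-layer protocol ends the chain
            chain.append((nh, UPPER.get(nh, "proto %d" % nh)))
            return chain, findings
        chain.append((nh, EXT[nh]))
        if nh == 50:                                         # ESP: nothing after it is inspectable
            findings.append("ESP: payload encrypted, chain cannot be inspected further")
            return chain, findings
        if off + 8 > len(pkt):
            findings.append("truncated %s header at offset %d" % (EXT[nh], off))
            return chain, findings
        # AH length counts 32-bit words minus 2; the other headers count 64-bit units minus 1
        hlen = (pkt[off + 1] + 2) * 4 if nh == 51 else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            findings.append("%s header runs past the end of the packet" % EXT[nh])
            return chain, findings
        if nh == 44:
            hlen = 8                                         # fixed size; byte 1 is reserved
            frag_field = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            frag_off, more = frag_field >> 3, frag_field & 1
            if frag_off == 0 and not more:
                findings.append("atomic fragment (offset 0, M=0): RFC 6946 says treat as unfragmented")
            elif frag_off:
                findings.append("non-first fragment: no upper-layer header to filter on")
                return chain, findings
        elif nh == 43:
            rtype, segs = pkt[off + 2], pkt[off + 3]
            if rtype == 0:
                findings.append("Routing Header Type 0 (deprecated by RFC 5095): drop")
            elif segs:
                findings.append("Routing Header type %d, %d segments left" % (rtype, segs))
        elif nh in (0, 60):
            if nh == 0 and off != 40:
                findings.append("Hop-by-Hop Options not directly after the IPv6 header")
            for t, data in _options(pkt[off + 2:off + hlen]):
                if t == 1 and any(data):
                    findings.append("%s: PadN carries non-zero bytes (possible covert channel)" % EXT[nh])
                elif t not in (0, 1):
                    findings.append("%s: option type 0x%02x present" % (EXT[nh], t))
        elif nh == 135 and not mobility_in_use:
            findings.append("Mobility Header present but mobility is not in use: block")
        nh, off = pkt[off], off + hlen
    findings.append("more than 16 extension headers: drop")
    return chain, findings


if __name__ == "__main__":
    for pkt in (build_sample_packet(), build_rh0_packet()):
        chain, findings = walk_ext_chain(pkt)
        print(" -> ".join(name for _, name in chain), findings)
```

The walk stops at ESP because the receiver of the SA is the only party that can see past it, which is exactly why the next slides argue for IPsec at the IP layer; a middlebox must then decide on the outer chain alone.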
IPv6 Defenses: What's New?
• IPsec: authentication & encryption (RFC 2401, RFC 2402, RFC 2406, RFC 2408; these original IPsec RFCs have since been obsoleted by RFC 4301, 4302, 4303 and 4306).
• SEND: Secure Neighbor Discovery.
• CGA: Cryptographically Generated Addresses.
• ULA: Unique Local Addresses.
• Firewall model change.
What is Needed: Secure Site-to-Site IPv6 Traffic over IPv4 & IPv6 Networks with IPsec

IPsec Components: IPsec = 3 main protocols in a cohesive security framework (RFC 2401, RFC 2402, RFC 2406, RFC 2408, RFC 2409):
• AH (Authentication Header), IP protocol 51: provides a framework for authenticating and securing data.
• ESP (Encapsulating Security Payload), IP protocol 50: provides a framework for encrypting, authenticating and securing data.
• IKE (Internet Key Exchange): provides a framework for the negotiation of security parameters & the establishment of authenticated keys: negotiation of SA characteristics, automatic key generation, automatic key refresh, manageable manual configuration.
IPsec Modes = Tunnel + Transport
• Transport mode: the ESP or AH header is inserted behind the IP header; the IP header can be authenticated but NOT encrypted. For end-to-end sessions.
• Tunnel mode: a new IP header is created in front of the original packet; this allows for encryption of the entire original packet, including its IP header. For everything else (e.g., gateway-to-gateway).
IPsec Services

Service                        | AH | ESP (encryption ONLY) | ESP (encryption + authentication)
Access control                 | √  | √                     | √
Connectionless integrity       | √  |                       | √
Data origin authentication     | √  |                       | √
Reject replayed packets        | √  | √                     | √
Payload confidentiality        |    | √                     | √
Traffic flow confidentiality   |    | limited               | limited

Traffic flow confidentiality is limited due to the limited amount of payload padding.
SA (Security Association)
• Agreement between 2 entities on the method to communicate securely.
• An IPsec SA is unidirectional: 2-way communication consists of 2 SAs.
• Example SA entry: destination address 192.168.2.1; Security Parameters Index (SPI) 7A390BC1; IPsec transform AH, HMAC-MD5; key 7572CA49F7632946; additional SA attributes (e.g., lifetime) 1 day or 100 MB. (HMAC-MD5 is kept here as the slide's example; current IPsec algorithm guidance, RFC 8221, no longer permits it.)
Each SA is identified by:
• Security Parameters Index (SPI): a 32-bit integer carried in the AH / ESP header; it is chosen by the receiving system and enables it to select the required SA.
• Destination Address: only unicast IP addresses allowed!
• Security Protocol Identifier: AH or ESP.
This information appears in the IP packet, so the receiver knows how to behave.
IPsec Modes in SA
• AH
  – Transport mode SA: authenticates the IP payload & selected parts of the IP header & IPv6 extension headers.
  – Tunnel mode SA: authenticates the entire inner IP packet & selected parts of the outer IP header & outer IPv6 extension headers.
• ESP (encryption ONLY)
  – Transport mode SA: encrypts the IP payload + any IPv6 extension headers after the ESP header.
  – Tunnel mode SA: encrypts the inner IP packet.
• ESP (encryption + authentication)
  – Transport mode SA: encrypts the IP payload + any IPv6 extension headers after the ESP header; authenticates the IP payload.
  – Tunnel mode SA: encrypts & authenticates the inner IP packet.
IPsec
• AH: authentication & integrity.
• ESP (Encapsulating Security Payload): data confidentiality (encryption); limited traffic flow confidentiality; data integrity; optional data origin authentication; anti-replay protection; does NOT protect the (outer) IP header.
IPsec AH: Authentication, IPv4 vs IPv6 (header-placement figure, not reproduced). In transport mode the IPv4 AH sits between the IP header and the upper-layer header; in IPv6 it is placed after the Hop-by-Hop, Routing and Fragment headers, with Destination Options allowed before and/or after it.
IPsec ESP: IPv4 vs IPv6 (header-placement figure, not reproduced). In transport mode the IPv4 ESP header follows the IP header and the ESP trailer & ICV follow the payload; in IPv6 the same applies after the Hop-by-Hop, Routing and Fragment headers, so Destination Options placed after ESP are encrypted along with the payload.
IKE (Internet Key Exchange) = Hybrid Protocol (RFC 2409: the ISAKMP framework combined with the Oakley and SKEME key exchange schemes). IKE is a 2-phase protocol:
• Phase 1: peers negotiate a secure, authenticated channel with which to communicate ("Main Mode" or "Aggressive Mode"), accomplishing a Phase 1 exchange.
• Phase 2: Security Associations are negotiated on behalf of IPsec services; "Quick Mode" accomplishes a Phase 2 exchange.

How Does IKE Work? Authentication Architecture (figure, not reproduced): (1) IKE Phase 1 between the two IPsec peers establishes (2) a secure communication channel; (3) IKE Phase 2 inside that channel establishes (4) the IPsec tunnel used for the secured traffic exchange.
IPsec Terminology
• Data Integrity: secure hashing (HMAC) is used to ensure NO data alteration in transit.
• Data Confidentiality: encryption is used to ensure data can NOT be read by a 3rd party that intercepts it.
• Data Origin Authentication: authentication of the SA peer.
• Anti-replay: sequence numbers are used to detect & discard duplicate packets.
• Hash Message Authentication Code (HMAC): a hash of the data & a secret key, used to provide message authenticity.
• Diffie-Hellman Exchange: a shared secret key is established over an insecure path using public and private values.
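To make the SA identification triple, the HMAC integrity check and the anti-replay sequence numbers from the SA slide and the terminology above concrete, here is an added Python example that is not code from the presentation. It models one SAD entry with the slide's own values (SPI 7A390BC1, destination 192.168.2.1, key 7572CA49F7632946, 100 MB lifetime) and runs the receiver's inbound checks in the order RFC 4303 prescribes: SA lookup, preliminary replay check, ICV verification, and only then the window update. It uses HMAC-SHA1-96 instead of the slide's HMAC-MD5, the packet layout is ESP integrity-only (no encryption), and the 64-bit key is far too short for real use; the class and function names, the messages and the "forged" packet are all constructed for the example.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): the 160-bit HMAC truncated to 96 bits


class ReplayWindow:
    """RFC 4303 section 3.4.3 sliding window; bit i of the bitmap marks seq (top - i) as seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq):
        """Preliminary check done before the ICV is verified; never modifies state."""
        if seq == 0:                        # counters start at 1, so 0 is never valid
            return False
        if seq > self.top:                  # right of the window: new
            return True
        diff = self.top - seq
        return diff < self.size and not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Called only after the packet's ICV verified; slides or marks the window."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class SecurityAssociation:
    """One unidirectional SA; the receiver picks the SPI and keys its SAD by (SPI, dst, proto)."""

    def __init__(self, spi, dst, proto, auth_key, lifetime_bytes):
        self.spi, self.dst, self.proto, self.auth_key = spi, dst, proto, auth_key
        self.lifetime_bytes, self.bytes_seen = lifetime_bytes, 0
        self.window = ReplayWindow()
        self.seq = 0                        # outbound counter, used by the sender's copy only

    def icv(self, spi, seq, payload):
        data = struct.pack("!II", spi, seq) + payload
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

    def protect(self, payload):
        """Sender side: SPI | seq | payload | ICV (ESP layout with integrity only)."""
        if self.seq == 0xFFFFFFFF:          # RFC 4303: the counter must never cycle; rekey instead
            raise RuntimeError("sequence number exhausted, negotiate a new SA")
        self.seq += 1
        return struct.pack("!II", self.spi, self.seq) + payload + self.icv(self.spi, self.seq, payload)


def inbound(sad, dst, proto, pkt):
    """Receiver side in RFC 4303 order: SA lookup, replay check, ICV check, window update."""
    if len(pkt) < 8 + ICV_LEN:
        return "drop: runt"
    spi, seq = struct.unpack("!II", pkt[:8])
    sa = sad.get((spi, dst, proto))
    if sa is None:
        return "drop: no SA for SPI 0x%08x" % spi
    payload, icv = pkt[8:-ICV_LEN], pkt[-ICV_LEN:]
    if not sa.window.check(seq):
        return "drop: replay or outside window (seq %d)" % seq
    if not hmac.compare_digest(icv, sa.icv(spi, seq, payload)):
        return "drop: bad ICV"            # window untouched: a forged packet must not poison it
    sa.window.update(seq)
    sa.bytes_seen += len(pkt)
    if sa.bytes_seen >= sa.lifetime_bytes:
        return "accept, lifetime reached: rekey"
    return "accept"


def demo():
    """Constructed scenario using the slide's SA values. Returns the receiver's verdicts in order."""
    spi, dst, proto = 0x7A390BC1, "192.168.2.1", 50
    key, lifetime = bytes.fromhex("7572CA49F7632946"), 100 * 1024 * 1024
    sender = SecurityAssociation(spi, dst, proto, key, lifetime)
    sad = {(spi, dst, proto): SecurityAssociation(spi, dst, proto, key, lifetime)}
    p1, p2, p3 = (sender.protect(b"msg%d" % i) for i in (1, 2, 3))
    forged = p2[:-ICV_LEN] + bytes(ICV_LEN)          # seq 2 with a zeroed ICV
    return [
        inbound(sad, dst, proto, p3),                # seq 3 arrives first: accept
        inbound(sad, dst, proto, p1),                # seq 1 late but inside the window: accept
        inbound(sad, dst, proto, p1),                # seq 1 again: replay
        inbound(sad, dst, proto, forged),            # seq 2 forged: bad ICV, window not updated
        inbound(sad, dst, proto, p2),                # genuine seq 2 is still accepted
        inbound(sad, "192.168.2.9", proto, p2),      # same SPI, other destination: no SA
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The ordering matters: if the window were updated before the ICV check, an attacker who could guess sequence numbers could mark them as seen with forged packets and make the receiver drop the genuine ones.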
IPsec Transforms
• An IPsec transform specifies either an AH or an ESP protocol and its corresponding algorithms and mode.
IPsec Transform Set
• A transform set is a combination of IPsec transforms that enact a security policy for traffic.
• Up to 3 transforms can be in a set; sets are limited to up to 1 AH and up to 2 ESP transforms (one ESP encryption transform and one ESP authentication transform).
5 Steps of IPsec
1. Interesting traffic: access lists determine the traffic to encrypt. Permit: traffic must be encrypted. Deny: traffic is sent unencrypted (the crypto ACL never drops traffic; use the interface ACL for that).
2. IKE Phase One: authenticates the IPsec peers; negotiates a policy to protect the IKE exchange; exchanges keys; establishes the IKE SA.
3. IKE Phase Two: negotiates the IPsec SA, protected by the existing IKE SA; establishes the IPsec SA; periodically renegotiates IPsec SAs to ensure security.
4. IPsec encrypted tunnel: information is exchanged via the IPsec tunnel; packets are encrypted & decrypted using the encryption specified in the IPsec SA.
5. Tunnel termination: the tunnel is terminated by SA lifetime timeout or by the packet / byte counter being exceeded; the IPsec SA is removed, and a new one is negotiated if traffic is still flowing.
Cryptographically Generated Addresses (CGA)
• Each device has an RSA key pair (NO need for certification: the address itself is bound to the public key by a hash).
• Ultra light check for validity.
• Prevents spoofing a valid CGA address (an attacker cannot produce the private key behind someone else's address).
SEND router authorization
• Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes.
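The generation and verification steps of RFC 3972 behind the CGA bullets above, written as an added Python example that is not code from the presentation. The public key is a constructed placeholder byte string, since CGA only hashes the DER encoding and never parses it; the documentation prefix 2001:db8::/64, the sec values and the function names are my choices. It shows why the check is "ultra light" (two SHA-1 calls) while forging an address for someone else's prefix still requires finding a modifier that satisfies the Hash2 condition.

```python
import hashlib
import ipaddress
import os

# Constructed placeholder for a DER-encoded RSA public key; CGA treats it as opaque bytes.
SAMPLE_PUBKEY = b"--placeholder for a DER SubjectPublicKeyInfo (RSA)--"
SAMPLE_PREFIX = bytes.fromhex("20010db800000000")          # 2001:db8::/64, documentation prefix


def _hash1(modifier, prefix, collision_count, pubkey):
    """RFC 3972 Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters structure."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """RFC 3972 Hash2: leftmost 112 bits of SHA-1 over modifier | 9 zero bytes | public key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2, sec):
    """Hash2 must begin with 16*sec zero bits; this is the work factor behind the sec value."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec=0, modifier=None):
    """RFC 3972 section 4 generation. Returns (IPv6Address, CGA parameters).

    The search over the modifier costs about 2**(16*sec) SHA-1 calls: sec=0 is instant,
    sec=1 takes tens of thousands of hashes, higher values are for long-lived deployments."""
    if not (0 <= sec <= 7) or len(prefix) != 8:
        raise ValueError("sec must be 0..7 and the prefix exactly 64 bits")
    modifier = modifier if modifier is not None else os.urandom(16)
    while not _hash2_ok(_hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    collision_count = 0                      # incremented (max 2) if DAD reports a collision
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # sec into bits 0-2, u/g bits (6-7) cleared
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify_cga(address, params):
    """RFC 3972 section 5 verification: True only if the address was derived from params."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    # bits 0-2 (sec) and 6-7 (u/g) of the first byte are ignored in the comparison
    if (h1[0] & 0x1C) != (packed[8] & 0x1C) or h1[1:] != packed[9:]:
        return False
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)


if __name__ == "__main__":
    addr, p = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBKEY, sec=1)
    print(addr, verify_cga(addr, p), verify_cga(addr, dict(p, pubkey=b"impostor")))
```

Verification proves only that the address was derived from the presented key; SEND then has the node sign its Neighbor Discovery messages with the matching private key, which is what actually stops an impostor from answering for that address.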