Joe Klein CISSP CE|H CISM CISA NSA-IAM/IEM IA-CMM 6Sigma… Scientific Hooligan, Longboat LLC
Cyber Security SME, North American IPv6 Task Force
Cyber Security SME, IPv6 Forum
Cyber Security SME, IPv6 Cyber Security Task Force
Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x, “Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012”
[email protected] Voice: 703-594-1419 Blog: http://scientifichooligan.me/
IPv4 vs. IPv6: The Shifting Security Paradigm
IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference
gogo6 IPv6 Video Series. Event, presentation and speaker details below:
EVENT: gogoNET LIVE! 3: Enterprise wide Migration, November 12 – 14, 2012 at San Jose State University, California. http://gogonetlive.com Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp
SPEAKER: Joe Klein - Cyber Security Principal Architect, QinetiQ. Bio/Profile: http://www.gogo6.com/profile/JoeKlein749
MORE: Learn more about IPv6 on the gogoNET social network http://www.gogo6.com Get free IPv6 connectivity with Freenet6 http://www.gogo6.com/Freenet6 Subscribe to the gogo6 IPv6 Channel on YouTube http://www.youtube.com/subscription_center?add_user=gogo6videos Follow gogo6 on Twitter http://twitter.com/gogo6inc Like gogo6 on Facebook http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777
Transcript
Scope of the cybersecurity problem
What is the cost of cybercrime? Number of records compromised? Number of systems/networks/applications compromised?
Millions? Billions? Trillions? Estimates?
Classes of attack: targeted, inbound, directed
• Flaws in technology
• Flaws in governance
• Flaws in people
• Flaws in adequate funding and staffing
Trust models
1. All authenticated nodes and routers trust each other to:
• Behave correctly at the IP layer
• Not send any network discovery message that contains false information
• Not send any router discovery message that contains false information
2. Public wireless: “Trust transit, trust but verify nodes”. The router is trusted by the other nodes in the network to:
• Be a legitimate router
• Faithfully route packets within the local network
• Faithfully route packets to any connected external networks
• Behave correctly at the IP layer
• Not send any network discovery messages that contain false information
• Not send any router discovery messages that contain false information
3. Ad hoc network: “Trust but verify hosts and transit”. Nodes do not directly trust each other at the IP layer, nor do they trust routers.
HOST CENTRIC – Organism Model
Survivability model | Resilience/Agility
• Preparing for, preventing, or otherwise resisting an adverse event;
• Absorbing, withstanding, or maintaining essential functions in the face of the event;
• Recovering from the event; and
• Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.
This must be done as close to real-time as possible!
Techniques for Resilience/Agility
• Adaptive
• Containment
• Cyber Modeling
• Deception
• Detection
• Distributedness
• Diversity
• Integrity
• Isolation
• Least Privilege
• Monitoring
• Cyber Maneuver
• Precedence
• Prioritization
• Pro-active
• Randomness and unpredictability
• Reconstitution
• Redundancy
• Topology Hiding
• Attribution
Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010
IPv6 Features mapped to Resilience
Why is your Internet edge scanned? ISR
Why? Money; pre-attack preparation; research
How? Inbound – packets against your infrastructure; Outbound – outbound queries and cookies
Steps:
• Intelligence – Footprinting: data retrieved from ‘third party sources’
• Surveillance – Scanning: directly or indirectly (services), layers 3-7, 8-10
• Reconnaissance – Enumeration: directly or indirectly (services), layers 3-7, 8-10
Our focus is layers 3-7.
Attacker’s assumptions
• One address per physical interface
• Inbound addresses = outbound addresses
• Device addresses stay the same over time, inside the same network, with the same local address
• If a system is not responding, do a port scan to find out whether it crashed or is now blocked; check back later to see if it was rebooted
IPv4 thinking in an IPv6 resilient world
Problems in IPv4: even a script kiddie can do it!
• Destination – your network: densely populated, ‘fast’ brute-force tools, single interface address
• Source of scan: needle in a haystack, fast vs. slow, limited context due to address fragmentation; NAT and tunnels hide true sources; attribution is hard
Detecting | Impact of host density – 2006 IPv4 brute force attack – Internet survival time
Attacker: find and compromise an un-patched computer with a Windows operating system. Less than 6 minutes: 5+ min to find, >1 min to compromise.
Identifying the attacker: noise hides indications of an attack.
Reference: SANS Institute’s Internet Storm Center
IPv6 brute force attack – Internet survival time
Assumption: 10,000 scans per minute to identify endpoints; non-optimized, non-distributed scanners.

Address space scanned        Time to exhaust at 10,000 scans per minute
Internet (IPv4, 2^32)        298.26162 days
/24                          0.02560 minutes
/27                          0.00320 minutes
/28                          0.00160 minutes
Chart reference line: 1 day

Brute force target scan is now an indicator of an attack; detectable at firewall and DNS server.
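The survival-time figures above follow from one division: addresses in the prefix over probes per minute. The following is an added example (not code from the slides or the speaker) that reproduces the slide's IPv4 rows under its stated assumption of 10,000 scans per minute from a single non-distributed scanner, and extends the same arithmetic to IPv6 prefixes so the gap is visible; the IPv6 rows and the "years" unit are additions.

```python
"""Time to brute-force scan an address space at a fixed probe rate.

Added example (not from the slides): reproduces the slide's IPv4 rows using its
stated assumption of 10,000 scans per minute from one non-optimized,
non-distributed scanner, and adds IPv6 prefixes for comparison.
"""
from fractions import Fraction

SCAN_RATE_PER_MINUTE = 10_000            # the slide's assumption
MINUTES_PER_DAY = 24 * 60
MINUTES_PER_YEAR = 365 * MINUTES_PER_DAY  # non-leap year; a rough figure is all we need


def address_count(prefix_len: int, version: int) -> int:
    """Number of addresses in a prefix of the given length (IPv4: 32-bit, IPv6: 128-bit)."""
    bits = {4: 32, 6: 128}[version]
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"prefix length {prefix_len} invalid for IPv{version}")
    return 1 << (bits - prefix_len)


def scan_minutes(prefix_len: int, version: int, rate: int = SCAN_RATE_PER_MINUTE) -> Fraction:
    """Exact minutes needed to probe every address once at `rate` probes per minute."""
    return Fraction(address_count(prefix_len, version), rate)


def human_duration(minutes: Fraction) -> str:
    """Render in the unit the slide used (minutes or days), or years when days get silly."""
    if minutes < MINUTES_PER_DAY:
        return f"{float(minutes):.5f} minutes"
    if minutes < 2 * MINUTES_PER_YEAR:
        return f"{float(minutes / MINUTES_PER_DAY):.5f} days"
    return f"{float(minutes / MINUTES_PER_YEAR):.3e} years"


# (label, prefix length, IP version): the slide's IPv4 rows plus two added IPv6 rows
ROWS = [
    ("IPv4 Internet (/0)", 0, 4),
    ("IPv4 /24", 24, 4),
    ("IPv4 /27", 27, 4),
    ("IPv4 /28", 28, 4),
    ("IPv6 /64 (one subnet)", 64, 6),
    ("IPv6 /48 (one site)", 48, 6),
]


def survival_table(rate: int = SCAN_RATE_PER_MINUTE) -> list[tuple[str, str]]:
    """(label, rendered duration) for every row at the given scan rate."""
    return [(label, human_duration(scan_minutes(plen, ver, rate))) for label, plen, ver in ROWS]


def ipv6_subnet_vs_ipv4_internet() -> int:
    """How many times longer one IPv6 /64 takes than the whole IPv4 Internet (rate cancels out)."""
    return int(scan_minutes(64, 6) / scan_minutes(0, 4))


if __name__ == "__main__":
    for label, duration in survival_table():
        print(f"{label:24s} {duration}")
    print(f"one /64 = {ipv6_subnet_vs_ipv4_internet():,} x the IPv4 Internet")
```

Raising the scan rate or distributing the scanner only shifts the IPv6 rows by a constant factor; a single /64 still costs 2^32 times the whole IPv4 Internet, which is why exhaustive scanning stops being noise and becomes a signal worth alerting on.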
Smart targeting IPv6
Identify end devices based on the IPv6 address identifier. Smart target scanning is an indicator of “interest”; detectable at firewall and DNS server?
• Linear search: find one device, scan up 1, 2, 3 or a, b, c
• Bracketed search: find one device, scan around it (find 5, scan 1-4 and 5-9)
• Pronounceable search: DEAD, BEEF, DEED, ABED, …
• Pattern search: based on an identified pattern (1, 10, 100, 1000, …)
• Port search: 53, 80, 25, etc.
• Based on function: routers .1, .2
Identify end devices based on the IPv4 address (dual stack):
• Scan the IPv4 range, obtain host names.domains
• Query AAAA based on names.domains
Static addresses | Use of deception in A records
• Insert host names which do not exist, with AAAA records
• Impact: additional scanning of the address shows intention; poisons the attacker’s current and future targeting list
• Insert a honeypot linked to all addresses listed in the AAAA deception records; detect attempts at compromise
• Manage assigned addresses and AAAA records with IPAM
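The two slides above describe the same detection opportunity from both sides: the attacker's search patterns (linear, bracketed, pronounceable) and the defender's decoy AAAA records routed to a honeypot. The following added example (not code from the slides or the speaker) turns both into detection logic run over constructed connection-log lines for one /64. It assumes an IPAM export of real hosts, a list of decoy addresses published only through bait AAAA records, and a constructed log format "<timestamp> <src> -> <dst>"; the pronounceable-word list beyond the slide's four examples is an assumption.

```python
"""Flag "smart targeting" probes against an IPv6 /64 from connection log lines.

Added example (not from the slides). Assumes:
  * an IPAM export of the subnet's real hosts (REAL_HOSTS),
  * decoy names published with AAAA records that point at addresses no real
    host uses and that are routed to a honeypot (DECOY_HOSTS),
  * log lines of the form "<timestamp> <src> -> <dst>" (constructed format).
A source is flagged when it contacts a decoy (it could only have learned that
address from the bait record) or when the addresses it probes form a linear
run, a bracket around a real host, or use "pronounceable" hex words.
"""
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.IPv6Network("2001:db8:1:1::/64")  # documentation prefix, constructed

# Constructed IPAM data: servers with random interface identifiers plus one legacy low-numbered host.
REAL_HOSTS = {ipaddress.IPv6Address(a) for a in (
    "2001:db8:1:1:3f2a:9c01:77d4:b1e5",  # www
    "2001:db8:1:1:c0b1:4e77:d2a3:5f90",  # mail
    "2001:db8:1:1::5",                   # legacy host, the kind a bracketed search anchors on
)}
# Constructed decoy AAAA targets (names such as "backup", "vpn"); traffic to them lands on the honeypot.
DECOY_HOSTS = {ipaddress.IPv6Address(a) for a in (
    "2001:db8:1:1:dead:beef:0:1",
    "2001:db8:1:1::2:1",
)}
# The slide's examples plus a few more hex words (assumption).
PRONOUNCEABLE = {"dead", "beef", "deed", "abed", "cafe", "face", "feed", "babe"}


def iid(addr: ipaddress.IPv6Address) -> int:
    """Low 64 bits: the interface identifier."""
    return int(addr) & ((1 << 64) - 1)


def parse_line(line: str):
    _timestamp, src, _arrow, dst = line.split()
    return ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)


def has_linear_run(iids, length=3) -> bool:
    """True if at least `length` consecutive interface identifiers were touched."""
    ordered = sorted(iids)
    run = 1
    for a, b in zip(ordered, ordered[1:]):
        run = run + 1 if b - a == 1 else 1
        if run >= length:
            return True
    return False


def is_bracketed(unknown_iids, real_hits, width=4) -> bool:
    """True if unknown addresses were probed both just below and just above a real host."""
    for r in (iid(h) for h in real_hits):
        below = any(r - width <= u < r for u in unknown_iids)
        above = any(r < u <= r + width for u in unknown_iids)
        if below and above:
            return True
    return False


def pronounceable(addr: ipaddress.IPv6Address) -> bool:
    """True if any hextet of the interface identifier is a hex 'word'."""
    return any(h in PRONOUNCEABLE for h in addr.exploded.split(":")[4:])


def analyse(lines, dark_threshold=3) -> dict[str, list[str]]:
    """Return {source: [tags]} for sources whose behaviour indicates targeting of SUBNET."""
    by_src = defaultdict(set)
    for line in lines:
        src, dst = parse_line(line)
        if dst in SUBNET:
            by_src[src].add(dst)
    findings = {}
    for src, dsts in by_src.items():
        tags = set()
        real_hits = dsts & REAL_HOSTS
        unknown = dsts - REAL_HOSTS - DECOY_HOSTS
        unknown_iids = {iid(a) for a in unknown}
        if dsts & DECOY_HOSTS:
            tags.add("decoy-contact")
        if len(unknown) >= dark_threshold:
            tags.add("dark-address-probing")
        if has_linear_run(unknown_iids | {iid(a) for a in real_hits}):
            tags.add("linear-search")
        if is_bracketed(unknown_iids, real_hits):
            tags.add("bracketed-search")
        if any(pronounceable(a) for a in unknown):
            tags.add("pronounceable-search")
        if tags:
            findings[str(src)] = sorted(tags)
    return findings


# Constructed log: one linear/bracketed scanner, one source that chased a decoy name, one normal client.
SAMPLE_LOG = [
    "2012-11-12T10:00:01 2001:db8:2::a -> 2001:db8:1:1::3",
    "2012-11-12T10:00:01 2001:db8:2::a -> 2001:db8:1:1::4",
    "2012-11-12T10:00:02 2001:db8:2::a -> 2001:db8:1:1::5",
    "2012-11-12T10:00:02 2001:db8:2::a -> 2001:db8:1:1::6",
    "2012-11-12T10:00:03 2001:db8:2::a -> 2001:db8:1:1::7",
    "2012-11-12T10:05:00 2001:db8:3::b -> 2001:db8:1:1:dead:beef:0:1",
    "2012-11-12T10:05:04 2001:db8:3::b -> 2001:db8:1:1:cafe::1",
    "2012-11-12T10:07:00 2001:db8:4::c -> 2001:db8:1:1:3f2a:9c01:77d4:b1e5",
]

if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_LOG).items():
        print(src, ", ".join(tags))
```

The decoy check is the strongest signal: the only way to learn a bait address is to resolve a name that exists solely to be found, so a single connection is enough. The pattern checks need a handful of addresses and work best when real hosts use random interface identifiers; a legacy subnet numbered ::1, ::2, ::3 will trip the linear test on normal traffic, which is itself an argument for the random-address guidance on the summary slide.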
Survivability model | IPv6 abundance summary:
• Little noise based on scanning – easier to ID attackers
• IPv6 devices with obscure names and random addresses are undiscoverable for inbound connections
• Separating inbound and outbound connections breaks attacker preconceptions
• Use of dual stack improves the target list for attackers
• Techniques exist to provide pre-attack
Evolving IPv6 defensive tool kit – can’t be done on IPv4!
• Large local segments, large network
• Non-routable addresses (aka RFC 1918) via ULA
• Secure Neighbor Discovery (SEND) – Cryptographically Generated Addresses (CGA)
• IPsec (AH & ESP): H-G | G-G | H-H | tunnel and transport with extension headers | H-G-G-H
• Server Enclave Domain Isolation (SEDI)
• Common Architecture Label IPv6 Security Option (CALIPSO)
• DHCPv6 – multi-interface setup and signed
• Multicast NTPv4 with Autokey public key authentication
• Leverage DNSSEC for storage of public keys of registered devices
• Leverage DNSSEC with ‘split-brain’ to limit disclosure
• Multicast signature and security information – “parallel push”
• Fast address maneuvering
• Attribution
• Infrastructure hiding
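SEND's Cryptographically Generated Addresses are the tool-kit item that most directly addresses the "false router or neighbor discovery messages" trust problem from the trust-model slide: the interface identifier is derived by hashing the node's public key, so a neighbor can check that the sender of a discovery message actually owns the address it claims. The following added example (not code from the slides or the speaker) generates and verifies a CGA along the lines of RFC 3972 in simplified form: the public key is an opaque byte string standing in for the DER-encoded key a real implementation hashes, no extension fields are used, and the signature over Neighbor Discovery messages is out of scope. The demo prefix and key bytes are constructed placeholders.

```python
"""Cryptographically Generated Addresses (CGA) as used by SEND: generate and verify.

Added example (not from the slides), following the RFC 3972 construction in
simplified form: the public key is an opaque byte string standing in for the
DER-encoded key a real implementation hashes, no extension fields are used,
and the SEND signature over Neighbor Discovery messages is out of scope.
"""
import hashlib
import ipaddress
import os
from typing import Optional

DEMO_PREFIX = ipaddress.IPv6Network("2001:db8:1:1::/64")              # constructed
DEMO_KEY = b"constructed-placeholder-for-a-DER-encoded-public-key"    # constructed


def _cga_params(modifier: bytes, prefix_bytes: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """CGA Parameters: Modifier (16) | Subnet Prefix (8) | Collision Count (1) | Public Key."""
    return modifier + prefix_bytes + bytes([collision_count]) + pubkey


def _interface_id(modifier, prefix_bytes, collision_count, pubkey, sec) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(params); bits 0-2 carry sec, u/g bits (6,7) are cleared."""
    hash1 = bytearray(hashlib.sha1(_cga_params(modifier, prefix_bytes, collision_count, pubkey)).digest()[:8])
    hash1[0] = (hash1[0] & 0x1C) | (sec << 5)
    return bytes(hash1)


def _hash2_leading_bits_zero(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2 = leftmost 112 bits of SHA-1(params with prefix and collision count zeroed); needs 16*sec zero bits."""
    hash2 = hashlib.sha1(_cga_params(modifier, bytes(8), 0, pubkey)).digest()[:14]
    return sec == 0 or int.from_bytes(hash2, "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix: ipaddress.IPv6Network, pubkey: bytes, sec: int = 0,
                 collision_count: int = 0, modifier: Optional[bytes] = None):
    """Return (address, params). `modifier` may be fixed for reproducible tests; normally random."""
    if prefix.prefixlen != 64 or not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("need a /64 prefix, sec in 0..7 and collision count in 0..2")
    prefix_bytes = prefix.network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Hash-extension work: bump the modifier until Hash2 has 16*sec leading zero bits (instant for sec=0).
    while not _hash2_leading_bits_zero(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = _interface_id(modifier, prefix_bytes, collision_count, pubkey, sec)
    address = ipaddress.IPv6Address(prefix_bytes + iid)
    params = {"modifier": modifier, "collision_count": collision_count, "pubkey": pubkey}
    return address, params


def verify_cga(address: ipaddress.IPv6Address, params: dict) -> bool:
    """Recompute the interface identifier from the claimed parameters; reject mismatches."""
    packed = address.packed
    prefix_bytes, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5  # sec is carried in the address itself
    cc = params["collision_count"]
    if not 0 <= cc <= 2:
        return False
    if _interface_id(params["modifier"], prefix_bytes, cc, params["pubkey"], sec) != iid:
        return False
    return _hash2_leading_bits_zero(params["modifier"], params["pubkey"], sec)


if __name__ == "__main__":
    addr, params = generate_cga(DEMO_PREFIX, DEMO_KEY, sec=1)
    print(addr, verify_cga(addr, params))
    # A node without the matching key cannot claim this address: a different key fails verification.
    print(verify_cga(addr, {**params, "pubkey": b"someone-elses-key"}))
```

The security value is in `verify_cga`: a neighbor that receives a Neighbor Advertisement carrying the CGA parameters can recompute the interface identifier and, in full SEND, check the message signature against the same public key, so spoofing someone else's address requires a SHA-1 collision on the hash, not just a forged packet. The `sec` parameter trades generation work (65,536 hashes per unit, on average) for resistance to brute-forcing a key that maps to a chosen address.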
Take away
• Security methods have failed
• Resilience and agility provide a solution
• IPv6 is not about the numbers, but about bringing resilience and agility tools to the defender
• Many resilience techniques have yet to be implemented by vendors; ask for them repeatedly or call me
Enjoy the remainder of the conference!
Where do attackers find vulnerabilities? All systems have vulnerabilities.
1. Design and architecture phase (RFC, IEEE, W3C, ITU, etc.)
2. Development phase (coding)
3. Architecting, implementation and deployment (staff, procedures, governance, etc.)
4. Management (patching, configuration management, etc.)
5. End of life, refresh and replacement