
IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference

Dec 14, 2014



gogo6

gogo6 IPv6 Video Series. Event, presentation and speaker details below:

EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp

PRESENTATION
IPv6 Security
Abstract: http://www.gogo6.com/forum/topics/speaking-on-ipv6-security-at-gogo6-live
Presentation video: http://www.gogo6.com/video/ipv4-vs-ipv6-the-shifting-security-paradigm-by-joe-klein-at
Interview video: http://www.gogo6.com/video/interview-with-joe-klein-at-gogonet-live-3-ipv6-conference

SPEAKER
Joe Klein - Cyber Security Principal Architect, QinetiQ
Bio/Profile: http://www.gogo6.com/profile/JoeKlein749

Transcript
Page 1: IPv6 Security by Joe Klein at gogoNET LIVE! 3 IPv6 Conference

IPv4 vs. IPv6: The Shifting Security Paradigm

Joe Klein, CISSP, CE|H, CISM, CISA, NSA-IAM/IEM, IA-CMM, 6Sigma... Scientific Hooligan, Longboat LLC
Cyber Security SME, North American IPv6 Task Force
Cyber Security SME, IPv6 Forum
Cyber Security SME, IPv6 Cyber Security Task Force
Contributor to: NIST SP-119, NIST SP-123, DoD MO2, MO3.x, "Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government 2012"
[email protected] Voice: 703-594-1419
Blog: http://scientifichooligan.me/

Page 2: Scope of the Cybersecurity Problem

- What is the cost of cybercrime?
- Number of records compromised?
- Number of systems/networks/applications compromised?
- Millions? Billions? Trillions? Estimates?

Page 3: Classes of Attack - Targeted

- Inbound directed
  - Flaws in technology
  - Flaws in governance
  - Flaws in people
  - Flaws in adequate funding & staffing
- Insiders
  - Disgruntled
  - Opportunistic
  - Untrained
- Vendors
  - Supply chain

Page 4: Verizon - 2012 Data Breach Investigations Report

Reference: http://securityblog.verizonbusiness.com/

Page 5: What We Know About Today's Security Measures

"The best companies aren't the ones who stop attacks – that's important – it's the companies that can spot intrusions quickly and respond to them in ways that limit the damage."

"This idea that you can stop intrusions... just isn't going to hold up against certain kinds of threats."

- Richard Bejtlich, TaoSecurity Blog

Page 6: Our Current Security Model

Source: http://www.photographersdirect.com/buyers/stockphoto.asp?imageid=2249700

Page 7: Two Models of Survivability

Source: "What If We Got A 'Do-Over?' An Overview of CRASH and MRC", Howard Shrobe, Program Manager, DARPA I2O, 2012

Page 8: The Human Body Uses Both

Source: "What If We Got A 'Do-Over?' An Overview of CRASH and MRC", Howard Shrobe, Program Manager, DARPA I2O, 2012

Page 9: Trust Network Model (RFC 1918) | IPv4 - NETWORK CENTRIC, Fortress Model

All nodes and routers trust each other that:
- All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
- Hosts always provide true information
- Routers always provide true information

Behind the NAT: "Blind trust behind the NAT"
- All devices behave correctly at Layer 2 (MAC) and Layer 3 (IP)
- Hosts always provide true information
  - Internal communications
  - Outbound-initiated communications trusted
  - Inbound-initiated communications trusted
- Routers always provide true information

[Diagram: trust scale from "Everyone" to "No one", with the IPv4 model marked]

Page 10: Trust Node Model (RFC 3756) | IPv6 - HOST CENTRIC, Organism Model

Corporate intranet: "Blind trust"
- All authenticated nodes and routers trust each other to:
  - Behave correctly at the IP layer
  - Not send any neighbor discovery message that contains false information
  - Not send any router discovery message that contains false information

Public wireless: "Trust transit, trust but verify nodes"
- The router is trusted by the other nodes in the network to:
  - Be a legitimate router
  - Faithfully route packets within the local network
  - Faithfully route packets to any connected external networks
- The router is trusted to:
  - Behave correctly at the IP layer
  - Not send any neighbor discovery message that contains false information
  - Not send any router discovery message that contains false information

Ad hoc network: "Trust but verify hosts and transit"
- Nodes do not directly trust each other at the IP layer, nor do they trust routers

[Diagram: trust scale from "Everyone" to "No one", with the three IPv6 models marked]

Page 11: Survivability Model | Resilience/Agility

- Preparing for, preventing, or otherwise resisting an adverse event;
- Absorbing, withstanding, or maintaining essential functions in the face of the event;
- Recovering from the event; and
- Adapting to (changing processes, systems, or training based on) the event, its consequences, and its implications for the future.

This must be done as close to real time as possible!

Reference: www.cyber.st.dhs.gov/wp-content/.../Dr_Steven_King-_ASD_RE.pdf

Page 12: Techniques for Resilience/Agility

- Adaptive
- Containment
- Cyber Modeling
- Deception
- Detection
- Distributedness
- Diversity
- Integrity
- Isolation
- Least Privilege
- Monitoring
- Cyber Maneuver
- Precedence
- Prioritization
- Pro-active
- Randomness and Unpredictability
- Reconstitution
- Redundancy
- Topology Hiding
- Attribution

Source: Harriet Goldman, MITRE, at the Secure and Resilient Cyber Architectures Workshop, Oct 29, 2010

IPv6 Features Mapped to Resilience

Page 13: Why Is Your Internet Edge Scanned? ISR

Why?
- Money
- Pre-attack preparation
- Research

How?
- Inbound: packets against your infrastructure
- Outbound: outbound queries & cookies

Steps:
- Intelligence (footprinting): data retrieved from third-party sources
- Surveillance (scanning): directly or indirectly (via services); layers 3-7, 8-10
- Reconnaissance (enumeration): directly or indirectly (via services); layers 3-7, 8-10

Our focus is layers 3-7.

Page 14: Attacker's Assumptions - IPv4 Thinking in an IPv6 Resilient World

- One address per physical interface
- Inbound addresses = outbound addresses
- Device addresses stay the same over time
  - Inside the same network
  - With the same local address
- If a system is not responding:
  - Do a port scan to find out whether it crashed or is now blocked
  - Check back later to see if it was rebooted

Page 15: Problems in IPv4 - Even a Script Kiddie Can Do It!

- Destination: your network
  - Densely populated, "fast" brute-force tools, single interface address
- Source of the scan
  - Needle in a haystack; fast vs. slow; limited context due to address fragmentation
  - NAT and tunnels hide true sources
  - Attribution is hard

Page 16: Detecting | Impact of Host Density - 2006 IPv4 Brute-Force Attack, Internet Survival Time

- Attacker: find & compromise an unpatched computer running a Windows operating system
  - Less than 6 minutes: 5+ min to find, >1 min to compromise
- Identifying the attacker: noise hides indications of an attack

Reference: SANS Institute's Internet Storm Center

Page 17: IPv6 Brute-Force Attack - Internet Survival Time

Assumption: 10,000 scans per minute to identify endpoints; non-optimized, non-distributed scanners.

IPv4 Internet:
  Scope       Time to enumerate
  Internet    298.26162 days
  /24         0.02560 minutes
  /27         0.00320 minutes
  /28         0.00160 minutes

IPv6 Internet:
  Scope       Time to enumerate
  Internet    89,088,482,281,112,800,000,000,000 millennia
  /32         20,742,528,671,657,900 millennia
  /56         1,236,351,053 millennia
  /64         4,829,496 millennia

(Chart reference line: 1 day)

A brute-force target scan is now an indicator of an attack, detectable at the firewall and the DNS server.

Page 18: Smart Targeting IPv6

Identify end devices based on the IPv6 address identifier. Smart target scanning is an indicator of "interest": detectable at the firewall and DNS server?

- Linear search: find one device, scan up 1, 2, 3 or a, b, c
- Bracketed search: find one device, scan around it (find 5, scan 1-4 & 6-9)
- Pronounceable search: DEAD, BEEF, DEED, ABED, ...
- Pattern search: based on an identified pattern (1, 10, 100, 1000, ...)
- Port search: 53, 80, 25, etc.
- Based on function: routers at .1, .2

Identify end devices based on IPv4 address (dual-stack):
- Scan the IPv4 range, obtain host names and domains
- Query AAAA records for those names and domains

Page 19: Static Addresses | Use of Deception

- In DNS: insert host names which do not exist, each with an AAAA record
  - Impact: additional scanning of those addresses shows intention
  - Poisons the attacker's current and future targeting list
- Insert a honeypot
  - Linked to all addresses listed in the deception AAAA records
  - Detects attempts at compromise
- Management: addresses assigned and AAAA records tracked in IPAM
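The decoy-AAAA idea on this slide and the "detectable at the firewall and DNS server" claim on the two slides before it, as an added example (not the speaker's tooling): it mints decoy names with random-identifier AAAA records inside a /64, emits the zone lines, and then classifies constructed firewall lines into a decoy hit, a single probe of an unassigned address, and a brute-force sweep. The segment prefix, IPAM entries, log format and sweep threshold are assumptions made for the demo.

```python
"""Decoy AAAA records plus the firewall-log detection they enable (added example).

decoy_records() mints host names that do not exist, each with an AAAA record at
a random interface identifier inside our /64 (all routed to a honeypot).
analyse_firewall_log() flags: a hit on a decoy address (only our DNS hands
those out, so it shows intent), a probe of an unassigned address (IPv6 has no
background scan noise to hide it), and a run of probes that is a sweep.
Prefix, host table, log format and threshold are constructed for the demo.
"""
import ipaddress
import random
from collections import defaultdict

SEGMENT = ipaddress.IPv6Network("2001:db8:10::/64")                      # constructed
REAL_HOSTS = {                                                            # constructed IPAM data
    "www.example.net.": ipaddress.IPv6Address("2001:db8:10::2a7f:91c3:d44:be11"),
    "mail.example.net.": ipaddress.IPv6Address("2001:db8:10::5cc1:7e2a:3f90:a6d"),
}
DECOY_NAMES = ["db-old.example.net.", "vpn2.example.net.", "backup.example.net."]


def random_iid_address(net, rng):
    """Random 64-bit IID in `net`, skipping ::1..::ffff, which smart scanners
    try first: a decoy must be reachable only through its DNS name."""
    while True:
        iid = rng.getrandbits(64)
        if iid > 0xFFFF:
            return ipaddress.IPv6Address(int(net.network_address) | iid)


def decoy_records(net, names, taken, seed=None):
    """{name: address} for the decoys; `taken` holds real addresses to avoid.
    A fixed seed makes the demo reproducible; production leaves it None."""
    rng = random.Random(seed)
    out = {}
    for name in names:
        while True:
            a = random_iid_address(net, rng)
            if a not in taken and a not in out.values():
                break
        out[name] = a
    return out


def zone_fragment(records, ttl=300):
    """BIND-style zone lines for the decoy AAAA records."""
    return "\n".join(f"{name}\t{ttl}\tIN\tAAAA\t{addr.compressed}" for name, addr in records.items())


def parse_line(line):
    """Constructed log format: '<ts> <ACTION> src=<ip6> dst=<ip6> dport=<n>'."""
    ts, action, rest = line.split(" ", 2)
    kv = dict(field.split("=", 1) for field in rest.split())
    return ts, action, ipaddress.IPv6Address(kv["src"]), ipaddress.IPv6Address(kv["dst"])


def analyse_firewall_log(lines, net, real, decoys, brute_threshold=8):
    """Return {source: [tags]} for every source that touched `net`."""
    real_set = {ipaddress.IPv6Address(str(a)) for a in real}
    decoy_set = {ipaddress.IPv6Address(str(a)) for a in decoys}
    touched = defaultdict(lambda: {"decoy": set(), "real": set(), "unassigned": set()})
    for line in lines:
        _, _, src, dst = parse_line(line)
        if dst not in net:
            continue
        kind = "decoy" if dst in decoy_set else "real" if dst in real_set else "unassigned"
        touched[src][kind].add(dst)
    verdicts = {}
    for src, t in touched.items():
        tags = []
        if t["decoy"]:
            tags.append("intent:decoy-hit")
        if len(t["unassigned"]) >= brute_threshold:
            tags.append("brute-force:sweep")
        elif t["unassigned"]:
            tags.append("probe:unassigned")
        verdicts[src] = tags
    return verdicts


DECOYS = decoy_records(SEGMENT, DECOY_NAMES, set(REAL_HOSTS.values()), seed=2012)

# Constructed firewall lines: a low-byte sweep, one legitimate client, one decoy hit.
LOG_LINES = [f"2012-11-13T10:00:{i:02d}Z DROP src=2001:db8:bad::1 dst=2001:db8:10::{i:x} dport=22"
             for i in range(1, 9)]
LOG_LINES += [
    f"2012-11-13T10:01:00Z ACCEPT src=2001:db8:c0:ffee::7 dst={REAL_HOSTS['www.example.net.']} dport=443",
    f"2012-11-13T10:02:00Z DROP src=2001:db8:bad::2 dst={DECOYS['vpn2.example.net.']} dport=80",
]

if __name__ == "__main__":
    print(zone_fragment(DECOYS))
    for src, tags in analyse_firewall_log(LOG_LINES, SEGMENT, REAL_HOSTS.values(), DECOYS.values()).items():
        print(src, tags)
```

The decoy set and the real set both come from the same IPAM export in practice, which is the "Management" bullet above: if IPAM does not know an address is a decoy, the honeypot's traffic looks like a real host being attacked.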

Page 20: Survivability Model | IPv6 Abundance - Summary

- Little noise from scanning: easier to identify attackers
- IPv6 devices with obscure names and random addresses are undiscoverable for inbound connections
- Separating inbound and outbound connections breaks attacker preconceptions
- Use of dual stack improves the target list for attackers
- Techniques exist to provide pre-attack

Page 21: Evolving IPv6 Defensive Tool Kit - Can't Be Done on IPv4!

- Large local segments
- Large network
- Non-routable addresses (the RFC 1918 equivalent) via ULA
- Secure Neighbor Discovery (SEND) with Cryptographically Generated Addresses (CGA)
- IPsec (AH & ESP): H-G | G-G | H-H, tunnel & transport; with extension headers, H-G-G-H
- Server Enclave Domain Isolation (SEDI)
- Common Architecture Label IPv6 Security Option (CALIPSO)
- DHCPv6: multi-interface setup & signed
- Multicast NTPv4 with Autokey public-key authentication
- Leverage DNSSEC to store the public keys of registered devices
- Leverage DNSSEC with "split-brain" DNS to limit disclosure
- Multicast signature and security information: "parallel push"
- Fast address maneuvering
- Attribution
- Infrastructure hiding
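SEND's Cryptographically Generated Addresses bind an interface identifier to a public key, which is what lets a node prove ownership of an address to its neighbours without any PKI. As an added example (not from the slides), here is RFC 3972 address generation and verification in Python. The "public key" bytes stand in for the DER-encoded SubjectPublicKeyInfo a real node would use, and the starting modifier is fixed so the run is reproducible; both are assumptions for the demo. The RSA Signature option that SEND adds to Neighbor Discovery messages is not covered.

```python
"""Cryptographically Generated Addresses, RFC 3972 (added example).

Generation follows section 4, verification section 5, with SHA-1 as the RFC
specifies.  The public key below is a constructed stand-in for a DER-encoded
SubjectPublicKeyInfo; the fixed starting modifier is for reproducibility only.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class CGAParams:
    """The CGA Parameters data structure (RFC 3972 section 3)."""
    modifier: bytes          # 16 octets
    subnet_prefix: bytes     # 8 octets
    collision_count: int     # 0, 1 or 2
    public_key: bytes        # DER SubjectPublicKeyInfo (stand-in here)
    extensions: bytes = b""

    def encode(self):
        return (self.modifier + self.subnet_prefix + bytes([self.collision_count])
                + self.public_key + self.extensions)


def hash1(params):
    """Leftmost 64 bits of SHA-1 over the full parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def hash2(modifier, public_key, extensions=b""):
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero octets || key || ext
    (prefix and collision count are zeroed so Hash2 is prefix-independent)."""
    return hashlib.sha1(modifier + bytes(9) + public_key + extensions).digest()[:14]


def hash2_ok(h2, sec):
    """Step 3: the 16*Sec leftmost bits of Hash2 must be zero."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def cga_address(params, sec):
    """Steps 5-7: IID = Hash1 with Sec in bits 0-2 and the u/g bits (6, 7) cleared."""
    h1 = bytearray(hash1(params))
    h1[0] = (sec << 5) | (h1[0] & 0x1C)
    prefix_int = int.from_bytes(params.subnet_prefix + bytes(8), "big")
    return ipaddress.IPv6Address(prefix_int | int.from_bytes(h1, "big"))


def generate_cga(prefix, public_key, sec, modifier=None, extensions=b""):
    """Steps 1-7.  Higher Sec costs about 2**(16*Sec) Hash2 trials."""
    if not 0 <= sec <= 7:
        raise ValueError("Sec must be 0..7")
    net = ipaddress.IPv6Network(str(prefix))
    subnet = int(net.network_address).to_bytes(16, "big")[:8]
    m = int.from_bytes(modifier or os.urandom(16), "big")
    while not hash2_ok(hash2(m.to_bytes(16, "big"), public_key, extensions), sec):
        m = (m + 1) % (1 << 128)
    params = CGAParams(m.to_bytes(16, "big"), subnet, 0, public_key, extensions)
    return params, cga_address(params, sec)


def after_collision(params, sec):
    """Step 8: DAD reported a collision.  Bump the collision count and redo from
    step 5; a third collision is an error to report (likely an attack), not a retry."""
    if params.collision_count >= 2:
        raise ValueError("three collisions: stop and report")
    p = CGAParams(params.modifier, params.subnet_prefix, params.collision_count + 1,
                  params.public_key, params.extensions)
    return p, cga_address(p, sec)


def verify_cga(addr, params):
    """RFC 3972 section 5.  True only if `addr` was derived from `params`."""
    a = int(ipaddress.IPv6Address(str(addr))).to_bytes(16, "big")
    if params.collision_count > 2:                                # step 1
        return False
    if a[:8] != params.subnet_prefix:                             # step 2
        return False
    iid, h1 = a[8:], hash1(params)                                # step 3
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:   # step 4: ignore bits 0-2, 6, 7
        return False
    sec = iid[0] >> 5                                             # step 5: Sec from the address
    return hash2_ok(hash2(params.modifier, params.public_key, params.extensions), sec)  # steps 6-7


if __name__ == "__main__":
    fake_key = bytes(range(256))                                  # constructed stand-in for a DER key
    params, addr = generate_cga("2001:db8:1::/64", fake_key, sec=1, modifier=bytes(16))
    print(addr, params.modifier.hex(), verify_cga(addr, params))
```

Two points worth noticing when running it. Sec is read out of the address itself, so an attacker cannot claim a higher Sec for a cheaply generated address without the Hash2 check failing. And Hash2 does not include the subnet prefix, which is what lets a mobile node keep one expensive modifier and re-derive a fresh CGA for every prefix it visits.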

Page 22: Take Away

- Security methods have failed
- Resilience and agility provide a solution
- IPv6 is not about the numbers, but about bringing resilience and agility tools to the defender
- Many resilience techniques have yet to be implemented by vendors; ask for them repeatedly, or call me
- Enjoy the remainder of the conference!

Page 23: IPv4 vs. IPv6 The Shifting Security Paradigm

(Closing slide: speaker credentials and contact details, identical to Page 1.)

Page 24: Where Do Attackers Find Vulnerabilities?

All systems have vulnerabilities, introduced at every phase:
1. Design and architecture phase (RFC, IEEE, W3C, ITU, etc.)
2. Development phase (coding)
3. Architecting, implementation and deployment (staff, procedures, governance, etc.)
4. Management (patching, configuration management, etc.)
5. End of life, refresh & replacement