A one-hour technical discussion on making the first hop BYOD-ready (Bring Your Own Device): two protocols, one security policy.
As BYOD becomes more and more prevalent, keep in mind that most devices support both IPv4 and IPv6. Even if you do not yet provide IPv6 connectivity, you still need to maintain the same protection as with IPv4. This webinar briefly reviews the available first hop security measures for IPv4 and then focuses on the new features that provide the matching functionality for IPv6.
Cisco TechAdvantage Webinars: Preparing for IPv6 and BYOD with a Single Security Policy
This webinar provides an overview of how BYOD challenges L2 domain security, and of the capabilities IPv6 requires in this scenario that are not present in IPv4. Andrew and Rafael highlight what is new, what the threats on the link layer are, and what solutions are available today from Cisco to mitigate them. Follow us @GetYourBuildOn
• Two of five college students and young employees said they would accept a lower-paying job that had more flexibility with regard to device choice, social media access, and mobility than a higher-paying job with less flexibility.
• Regarding security-related issues in the workplace, three of five employees believe they are not responsible for protecting corporate information and devices.
The Cisco Connected World Technology Report 2011
Top two perceived benefits of BYOD:
• Improved employee productivity (more opportunities to collaborate)
• Greater job satisfaction (flexibility and work-life balance)
Public sector organizations among the first 100 sign-ups (3006 total):
• National Library of Medicine
• NASA
• Department of State
• Department of Education
• REMS
• Doingwhatworks
• USGS
• U Penn, UNC, U Wisconsin, NCSU, U Utah
• USDA
• VA
• National Park Service
• US Census Bureau
Source: http://www.worldipv6launch.org/participants/?q=1
Feature overview (Core Features, Advance Features, Scalability & Performance):
Binding table / device tracking*: a foundational link-operation security feature that analyzes control and data traffic on the switch, detects IP addresses, and stores/updates them in the binding table, ensuring that rogue users cannot spoof or steal addresses.
* Previously referred to as ND Inspection, Binding Table Recovery, Address Glean and Device Tracking.
Core features:
• Deep control packet inspection
• Address Glean (ND, DHCP, data)
• Address watch
• Binding Guard
Scalability and performance features:
• RA Throttler: facilitates scale by converting multicast traffic to unicast
• ND Multicast Suppress: reduces the control traffic necessary for proper link operations, to improve performance
Threats are very much topology dependent: what is specific to IPv6 from a topology standpoint?
• More addresses!
• More end-nodes allowed on the link (up to 2^64!)
• Bigger neighbor cache on end-nodes and on the default router
• May lead to some dramatic topology evolution
• Creates new opportunities for DoS attacks
Threats are also dependent on the protocols in use: what is different?
• More distributed and more autonomous operations
• Nodes discover their default router automatically
• Nodes auto-configure their addresses
• Nodes defend themselves (SeND)
• Distributed address assignment creates more challenges for address security
Neighbor Discovery address resolution between nodes A and B (diagram: A, B and C on one link):
NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B’s link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B’s interface addresses; Dst = A; Data = B; Option = link-layer address of B
A and B can now exchange packets on this link.
• Resolves an IP address into a MAC address
• Creates a neighbor cache entry
SeND (Secure Neighbor Discovery): the distributed, node-based approach
• Advantages
  – No central administration, no central operation
  – No bottleneck, no single point of failure
  – Intrinsic part of the link operations
  – Not tied to the L2 infrastructure
  – Load distribution
• Disadvantages
  – Heavy provisioning of end-nodes
  – Only provisioned end-nodes are protected
  – Tied to node capabilities
  – Bootstrapping issue
  – Complexity spread all over the domain
WHAT SEND PROVIDES
• Each node on the link takes care of its own security
• Verifies router legitimacy
• Verifies address ownership
WHAT SEND DOES NOT PROVIDE
• It does not verify the legitimacy of other key roles (DHCP server, NTP, etc.)
• It only applies to link operations
• It does not provide end-to-end security
• It does not guarantee authorization (≠ 802.1X)
A chain of trust is “easy” to establish within the administrative boundaries, but very hard outside them.
To benefit fully from SeND, nodes must:
• Be provisioned with CA certificate(s)
• Be time synchronized / have access to the NTP server
• Have access to a CRL or OCSP server
Switch-based first hop security: the centralized approach
WHAT IS IT?
• Takes care of the security of all nodes, primarily from a link-operations standpoint
• Leverages information gleaned by snooping link operations
• Arbitrates between different address assignment methods, different protocols, different nodes, different ports, etc.
REQUIREMENTS
• Must be “in the centre” or part of the security perimeter
• Requires some provisioning
• Must be versatile (NDP, SeND, DHCP, MLD, etc.)
RA Guard verification methods:
• Configuration-based
• Learning-based
• Challenge-based
(Diagram: an RA arrives at the switch port; if verification succeeds, the switch bridges the RA.)
• The switch selectively accepts or rejects RAs based on various criteria
• Can be ACL based, learning based or challenge (SeND) based
• Hosts see only allowed RAs, and RAs with allowed content
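An ACL-style RA Guard decision, as an added example that is not the webinar's or Cisco's code: the policy fields (port role, allowed router sources, allowed advertised prefixes, hop-limit minimum, router-preference maximum) and the RA records are assumptions modelled on the criteria listed above, and the policy is evaluated before the switch would bridge the RA to hosts.

```python
import ipaddress
from dataclasses import dataclass, field

PREF_RANK = {"low": 0, "medium": 1, "high": 2}   # RA router-preference values

@dataclass
class RaGuardPolicy:
    """Per-port policy (assumed fields; not Cisco CLI syntax)."""
    device_role: str = "host"                             # "host" ports never send RAs
    allowed_sources: list = field(default_factory=list)   # prefixes an RA source may match
    allowed_prefixes: list = field(default_factory=list)  # prefixes an RA may advertise
    hop_limit_min: int = 0
    router_pref_max: str = "high"

@dataclass
class RouterAdvertisement:
    """Fields of a received RA that the policy inspects (constructed records)."""
    src: str            # link-local source address
    hop_limit: int
    router_pref: str    # "low" | "medium" | "high"
    prefixes: list      # advertised Prefix Information options

def ra_guard(policy, ra):
    """Return 'BRIDGE' if the RA passes every check, else 'DROP: <reason>'."""
    if policy.device_role != "router":
        return "DROP: RA received on a host port"
    src = ipaddress.ip_address(ra.src)
    if not any(src in ipaddress.ip_network(n) for n in policy.allowed_sources):
        return f"DROP: source {ra.src} is not an allowed router"
    for p in ra.prefixes:   # content check: every advertised prefix must be inside an allowed one
        net = ipaddress.ip_network(p)
        if not any(net.subnet_of(ipaddress.ip_network(a)) for a in policy.allowed_prefixes):
            return f"DROP: advertised prefix {p} is not allowed"
    if ra.hop_limit < policy.hop_limit_min:
        return f"DROP: hop limit {ra.hop_limit} below minimum {policy.hop_limit_min}"
    if PREF_RANK[ra.router_pref] > PREF_RANK[policy.router_pref_max]:
        return f"DROP: router preference {ra.router_pref} above maximum"
    return "BRIDGE"

# Constructed sample policies and RAs (addresses from the documentation ranges)
HOST_PORT = RaGuardPolicy(device_role="host")
UPLINK = RaGuardPolicy(device_role="router", allowed_sources=["fe80::1/128"],
                       allowed_prefixes=["2001:db8:1::/48"], hop_limit_min=64,
                       router_pref_max="high")
GOOD_RA = RouterAdvertisement("fe80::1", 64, "medium", ["2001:db8:1::/64"])
ROGUE_SRC_RA = RouterAdvertisement("fe80::bad", 64, "high", ["2001:db8:1::/64"])
BAD_PREFIX_RA = RouterAdvertisement("fe80::1", 64, "medium", ["2001:db8:99::/64"])
```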
• The extension header chain can be so large that it is fragmented!
• Finding the layer 4 information is not trivial in IPv6:
  Skip all known extension headers until either
  – a known layer 4 header is found => SUCCESS
  – an unknown extension header / layer 4 header is found => FAILURE
  – the end of the extension headers is reached => FAILURE
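The header-chain walk described above, as an added example that is not part of the original deck: a walker that follows the IPv6 Next Header chain over constructed packets and reports the three outcomes the slide lists, plus the fragmentation case (a non-first fragment, or a chain that continues in a later fragment). The set of recognised header numbers is an assumed subset of the IANA values.

```python
import struct

# Next-header values the walker knows (assumed subset, not the full IANA list)
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest-Options"}
L4_HEADERS = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
NO_NEXT_HEADER = 59

def find_layer4(first_nh, payload):
    """Walk the header chain that follows the fixed 40-byte IPv6 header.
    first_nh is the IPv6 Next Header field, payload the bytes after the fixed header.
    Returns (status, detail, offset_of_layer4_or_failure)."""
    nh, off = first_nh, 0
    while True:
        if nh in L4_HEADERS:
            return "SUCCESS", L4_HEADERS[nh], off
        if nh == NO_NEXT_HEADER:
            return "FAILURE", "end of extension headers", off
        if nh not in EXT_HEADERS:
            return "FAILURE", f"unknown header {nh}", off
        if off + 8 > len(payload):          # every known extension header is >= 8 bytes
            return "FAILURE", "chain truncated (rest is in a later fragment)", off
        next_nh = payload[off]
        if nh == 44:                        # Fragment header: fixed 8 bytes, no length field
            frag_off = struct.unpack("!H", payload[off + 2:off + 4])[0] >> 3
            if frag_off != 0:               # only the first fragment can carry the L4 header
                return "FAILURE", "non-first fragment", off
            hdr_len = 8
        elif nh == 51:                      # AH: length in 4-byte units, minus 2
            hdr_len = (payload[off + 1] + 2) * 4
        else:                               # others: length in 8-byte units, excluding the first 8
            hdr_len = (payload[off + 1] + 1) * 8
        if off + hdr_len > len(payload):
            return "FAILURE", "chain truncated (rest is in a later fragment)", off
        nh, off = next_nh, off + hdr_len

# Constructed sample packets: (IPv6 Next Header value, bytes after the fixed header)
PKT_PLAIN_TCP = (6, b"\x00" * 20)
PKT_DSTOPT_UDP = (60, bytes([17, 0, 1, 4, 0, 0, 0, 0]) + b"\x00" * 8)     # PadN option, then UDP
PKT_NONFIRST_FRAG = (44, bytes([58, 0, 0x00, 0x08, 0, 0, 0, 1]) + b"\x00" * 8)  # offset 1
PKT_UNKNOWN_NH = (0, bytes([253, 0, 1, 4, 0, 0, 0, 0]) + b"\x00" * 8)     # Hop-by-Hop -> 253
PKT_TRUNCATED = (60, bytes([6, 5, 1, 4, 0, 0, 0, 0]))   # claims a 48-byte header, 8 bytes present
```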
Device tracking
Goal: to track active addresses (devices) on the link
– Keep track of device state
– Probe devices when they become stale
– Remove inactive devices from the binding table
– Record binding creation/deletion/changes
Destination Guard
Goal: to validate the destination address of IPv6 traffic reaching the link
• Mitigates prefix-scanning attacks and protects the ND cache
• Useful at the last-hop router and the L3 distribution switch
• Drops packets for destinations without a binding entry
(Diagram: a scan of prefix {P/64} arrives from the Internet; for each destination D1 ... Dn the L3 switch looks up the address in the binding table, populated by address glean; lookup not found => packet dropped, neighbor cache untouched.)
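A small model of the two mechanisms above (device tracking feeding Destination Guard), added here as an illustration and not taken from the webinar or from Cisco code. The state names, timers and the policy of recording rather than arbitrating an address that moves to another MAC/port are assumptions.

```python
from dataclasses import dataclass

REACHABLE_LIFETIME = 300  # seconds of silence before an entry is probed (assumed timer)
STALE_LIFETIME = 60       # seconds a probed entry may stay silent before removal (assumed)

@dataclass
class Binding:
    mac: str
    port: str
    state: str       # "REACHABLE" or "STALE"
    last_seen: float

class BindingTable:
    def __init__(self):
        self.entries = {}   # IPv6 address -> Binding
        self.log = []       # creation / change / deletion records

    def glean(self, ip, mac, port, now):
        """Learn or refresh a binding from snooped ND, DHCP or data traffic."""
        b = self.entries.get(ip)
        if b is None:
            self.entries[ip] = Binding(mac, port, "REACHABLE", now)
            self.log.append(("CREATE", ip, mac, port))
            return
        if (b.mac, b.port) != (mac, port):
            # The same address is now claimed from another MAC/port: record the change.
            # A real switch arbitrates between the claims before accepting the new one.
            self.log.append(("CHANGE", ip, (b.mac, b.port), (mac, port)))
            b.mac, b.port = mac, port
        b.state, b.last_seen = "REACHABLE", now

    def age(self, now):
        """Mark idle entries STALE (returning the addresses the switch would probe
        with an NS) and remove STALE entries that never answered."""
        probes = []
        for ip, b in list(self.entries.items()):
            idle = now - b.last_seen
            if b.state == "REACHABLE" and idle > REACHABLE_LIFETIME:
                b.state = "STALE"
                probes.append(ip)
            elif b.state == "STALE" and idle > REACHABLE_LIFETIME + STALE_LIFETIME:
                del self.entries[ip]
                self.log.append(("DELETE", ip))
        return probes

    def destination_guard(self, dst):
        """Destination Guard: forward only toward bound addresses, so a prefix scan
        cannot fill the router's neighbor cache with entries for absent hosts."""
        return "FORWARD" if dst in self.entries else "DROP"
```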
BYOD brings new security and scalability challenges to the L2 domain.
Modern devices support, and prefer, IPv6 connectivity.
Securing the access layer with a single policy mitigates vulnerabilities in L2 mobility environments.
The Cisco IPv6 FHS solution provides solid protection from rogue or mis-configured users in IPv6 or dual-stack networks, and efficiently handles wireless scalability.