
IPv6 Transition: Why a new security mechanisms model is necessary?

Abidah Hj Mat Taib (abidah@perlis.uitm.edu.my, abidah@nav6.org), Universiti Teknologi Mara, Perlis, Malaysia.


Presentation Transcript


  1. IPv6 Transition: Why a new security mechanisms model is necessary?
     Abidah Hj Mat Taib, abidah@perlis.uitm.edu.my, abidah@nav6.org
     Universiti Teknologi Mara, Perlis, Malaysia

  2. Outline
     • Transition / coexistence
     • Security Threats
     • Threats due to Transition Mechanisms
     • Current Security Mechanisms
     • Current IPv4 Security Model
     • New Security Model
     • Conclusion

  3. Transition .. coexistence?
     [Diagram: IPv4 / IPv6. Security Considerations: IPv6 Deployment, IPv6 Specific Protocol, Transition Mechanisms]

  4. Threats due to Transition Mechanisms -- Dual stack
     • Applications on a device can be subject to attack on both IPv4 and IPv6.
     • Need parallel filtering/detection rules for IPv4 and IPv6 packets.
     [Diagram: Internal network, Internet, IPv4, IPv6]

  5. Security Threats
     • Similar threats in IPv4 & IPv6 networks.
     • Reconnaissance - exploit the site-scope multicast address - flooding - DoS
     • Misuse of routing headers - spoofed packets and redirected attack packets used to initiate DoS
     • Fragmentation-related attacks
     • Misuse of ICMPv6 and multicast
     • ICMPv6 Stateless Auto-Configuration
     • Route Implanting with ICMPv6 Redirects (use fake Echo Request)
     • Smurf IPv6 - source is the target, destination is a local multicast address (generates lots of local traffic that is sent to the source)
     • Autoconfiguration and Neighbor Discovery Vulnerabilities

  6. Threats due to Transition Mechanisms -- Tunneling
     • Packet injection
     • Exploiting the tunnel interface
     • Bypassing ingress filtering checks
     • Complexity of configuring devices as well as logging and monitoring the traffic
     • The IPv4 firewall has to be opened for protocol 41 (IPv6) and protocol 58 (ICMPv6) at the remote end of the tunnel.
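The dual-stack and tunneling slides above call for parallel IPv4/IPv6 rules and note that protocol 41 must be opened on the IPv4 firewall. The following sketch is an added example, not part of the original presentation: it shows a filter that looks inside protocol-41 packets so the inner IPv6 packet cannot bypass ingress filtering. The function names, the verdict strings, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # outer IPv4 protocol number carrying a tunneled IPv6 packet

def parse_ipv4(pkt):
    """Return (protocol, source address, payload) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), pkt[ihl:]

def parse_ipv6_source(pkt):
    """Return the source address of a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not IPv6")
    return ipaddress.IPv6Address(pkt[8:24])

def verdict(pkt, tunnel_peers, spoofed_v6):
    """Decide which rule set a packet arriving on the IPv4 side must pass."""
    proto, outer_src, payload = parse_ipv4(pkt)
    if proto != PROTO_IPV6_IN_IPV4:
        return "apply-ipv4-rules"
    if outer_src not in tunnel_peers:  # only configured tunnel endpoints may send protocol 41
        return "drop-unknown-tunnel-endpoint"
    try:
        inner_src = parse_ipv6_source(payload)
    except ValueError:
        return "drop-malformed-inner-packet"
    if any(inner_src in net for net in spoofed_v6):
        return "drop-inner-source-fails-ingress-filter"
    return "apply-ipv6-rules"  # the decapsulated packet still gets the IPv6 policy

# Constructed sample data (documentation address ranges, not from the slides).
PEERS = {ipaddress.IPv4Address("192.0.2.1")}
SPOOFED = [ipaddress.IPv6Network("2001:db8:1::/48"),  # the site's own internal prefix
           ipaddress.IPv6Network("fe80::/10")]         # link-local must not cross a tunnel

def v4(src, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0, which this filter does not check)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address("198.51.100.1").packed) + payload

def v6(src, next_header=58):  # 58 = ICMPv6
    """Build a bare IPv6 header with the given source address."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address("2001:db8:1::10").packed)
```
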

  7. Tunneling Mechanisms Security Issues

  8. Current Security Mechanisms

  9. Current IPv4 Security Model: network-based
     [Diagram: Internet, IDS, Edge Router, Stateful Firewall, Internal Network]

  10. Current IPv4 Network-based Security Scheme
     • Peer - firewall - Internet - firewall - peer
     • Security policy enforced by firewalls
     • Blocks attackers from outside, BUT no firewall blocks an attack coming from the same LAN segment
     • Lack of end-to-end security
     • IDS - to find potential security problems and to detect unauthorized intrusion and misuse of network resources.

  11. Current IPv4 Network-based Security Scheme (cont.)
     • Perimeter defense
     • IP firewalls, HTTP/HTTPS firewalls, content analysis: antivirus, anti-spam, etc.
     • Defense in depth and network segmentation
     • DMZ, layered architecture
     • TLS/SSL-based business applications and VPNs for remote access

  12. Revised Model - Host-based Security
     [Diagram: Internet, Perimeter Firewall, Edge Router, IDS, Internal Network with LAN-1, LAN-2, LAN-3, Host-based firewalls / IDS]

  13. New Security Model - Distributed mechanisms
     [Diagram: Centralized Security Policy Repositories, Internet, Perimeter Firewall, Edge Router, IDS, Internal Network with LAN-1, LAN-2, LAN-3, Host-based firewalls / IDS]

  14. New Security Model
     • End-to-End IPsec
     • Distributed security, with the communicating hosts providing the policy enforcement for their own communication.
     • Creating specific policies for securing communication based on the currently running applications, rather than having a central enforcement point try to provide a single group-based policy.
     • Possible to create more dynamic security policies which can vary over time based on changing trust relationships.

  15. Distributed security endpoints
     • Consist of host-resident firewalls, intrusion detection, security patching, and security status monitoring, which can be accomplished by kernel-mode processes within an OS.
     • A managed distributed host-based firewall system utilizing end-to-end IPsec can implement separate multi-level security policies with fine granularity.
     • Using the end-to-end model, it is possible to divide users and servers into various trust groups and interest communities to implement separate security rules.
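The distributed model in slides 13 to 15 (a central policy repository, enforcement on each host, trust groups with separate rules) can be sketched as follows. This is an added example, not part of the original presentation; the group names, addresses, rule format, and action names are all constructed for illustration, and real IPsec negotiation is outside its scope.

```python
import ipaddress

# Constructed central policy repository: trust groups cover both address families.
GROUPS = {
    "finance-users": ["10.1.0.0/24", "2001:db8:1:10::/64"],
    "finance-servers": ["10.2.0.10/32", "2001:db8:1:20::10/128"],
    "guests": ["10.9.0.0/24", "2001:db8:1:90::/64"],
}
RULES = [  # (source group, destination group, destination port, action)
    ("finance-users", "finance-servers", 443, "require-ipsec"),
    ("guests", "finance-servers", 443, "deny"),
]

def groups_of(addr):
    """Trust groups an IPv4 or IPv6 address belongs to."""
    ip = ipaddress.ip_address(addr)
    return {name for name, nets in GROUPS.items()
            if any(ip in ipaddress.ip_network(n) for n in nets)}

def local_policy(host):
    """Subset of the repository a host pulls: only rules that involve its own groups."""
    mine = groups_of(host)
    return [r for r in RULES if r[0] in mine or r[1] in mine]

def decide(host, src, dst, dport):
    """Host-side enforcement for its own traffic: first match wins, default deny."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for src_group, dst_group, port, action in local_policy(host):
        if src_group in src_groups and dst_group in dst_groups and port == dport:
            return action
    return "deny"  # also covers peers on the same LAN segment that are in no trust group

if __name__ == "__main__":
    server4, server6 = "10.2.0.10", "2001:db8:1:20::10"
    print(decide(server4, "10.1.0.5", server4, 443))          # finance user over IPv4
    print(decide(server6, "2001:db8:1:10::7", server6, 443))  # same user group over IPv6
    print(decide(server4, "10.2.0.11", server4, 443))         # neighbour on the server LAN
```
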

  16. Conclusion
     To design a new security mechanisms model:
     • In-depth understanding of IPsec
     • Define optimum security policies associated with network requirements
     • Build comprehensive distributed firewalls to counter security issues in IPv4 as well as IPv6
     • As well as IDS and IPS, logging/auditing
     • Security testing using available attack tools


  18. THANK YOU Q & A
