Fortinet IPv6 Security
IPv4 Highway
Fortinet Confidential
June 8th, 2011
Rainer Baeder
Drivers for IPv6
• Basic Demand Drivers
  • More network appliances, but a lack of IPv4 addresses to support them
  • Control OpEx for network and IT
  • Elimination of complex NAT networks
  • Strong intrinsic security
  • Better support for mobility applications
  • Greater flexibility and simplicity
• New Opportunities to Improve Business Performance
  • Business process improvements
  • New business opportunities
  • More addresses for objects – enhanced automation and productivity
  • Machine-to-Machine (M2M) telematics / *Internet of Things*
  • IPv6 connection to anything
IPv6 – it's time to prepare the step
... and basically – we run out of IPv4 addresses
(Snapshot June 3rd 2011)
To stay competitive, we must open the door for IPv6 and use it foremost.
Migration Complexities / Deployment Considerations
• Compatibility issues between IPv4 and IPv6
• Vendor interoperability issues with IPv6
• Potential security issues
• Network management considerations
• Existing hardware may not handle IPv6 traffic efficiently
• Router memory and CPU limitations may preclude IPv6 deployment
• Technology refresh cycles can be exploited to deploy IPv6 capabilities
• Global public routing practices continue to evolve
The most important targets of IPv6
• Larger IP address space
  • IP addresses are 128 bits (instead of 32 bits)
• Advanced header structure
  • Improved processing capability through sub-segmenting of essential and optional header fields (in Extension Headers)
• Different IPv6 address types
  • Public IPv4 addresses correspond with Global Unicast Addresses
  • Private IPv4 addresses correspond with Site Local Unicast Addresses
  • Special address types for usage of IPv4 and IPv6 in parallel
• Support of autoconfiguration
  • Should follow the Plug-and-Play principle
• Improved security
  • 2 additional Extension Headers are foreseen (Encapsulating Security Payload Header and Authentication Header)
  • Both can be used in IPv4 as well
Principal Design Considerations
• “Dual stack when you can – Tunnel when you must – Translate when no other option works”
• Create a virtual team of IT representatives from every area of IT to ensure coverage for OS, Apps, Network and Operations/Management
• Now is your time to build a network your way – don’t carry the IPv4 mindset forward with IPv6 unless it makes sense
• Design consistency with IPv4
• Design should work across all WAN clouds, LAN, Enterprises, Data Center, Campus, etc.
• Deploy it – at least in a lab – IPv6 won’t bite
• Consider the human factor, keep it simple!
(Figure: layer stack – L1 Physical, L2 Data Link, L3 Network, L4 Transport, L5 Session, L6 Presentation, L7 Application, L8 Political, L9 Religious)
IPv6 Transition Methodologies
• Dual Stack
• MPLS-Based Solutions
  • 6PE, 6VPE
• IP-Tunnel Approaches
  • Configured Tunnels, GRE, IP, L2TP, GFP
  • 6to4, 6RD, ISATAP, Teredo, DS-Lite
• NAT-Based Solutions
  • IPv4 to IPv4 (Mitigation): NAT44, NAT444, DS-Lite
  • IPv4 to IPv6 (Interworking): NAT64, NAT464
  • NAT-TCP, NAT-UDP, NAT-ICMP
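Several of the tunnel mechanisms in this list leave a fingerprint a defender can look for: 6to4, Teredo and ISATAP all embed an IPv4 endpoint in the IPv6 address itself. The Python below is an added example (not from the slides or any Fortinet product) that decodes those three address formats and flags them in a constructed address list; the function names and sample addresses are this example's own. Configured tunnels, GRE, 6PE/6VPE and 6RD carry no fixed marker in the address, so they have to be found at the flow level (IPv4 protocol 41, GRE, Teredo's UDP port 3544) rather than by address.

```python
"""Spot transition-tunnel endpoints from IPv6 addresses alone.

Added example, not from the slides or Fortinet.  Uses the address formats of
6to4 (RFC 3056), Teredo (RFC 4380) and ISATAP (RFC 5214).  The sample list is
constructed; function names are this example's own.
"""
import ipaddress

# ISATAP interface identifiers: ::0:5efe:w.x.y.z (private IPv4) or
# ::200:5efe:w.x.y.z (public IPv4, u bit set) in the upper 32 bits of the IID.
ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def classify_tunnel_address(text):
    """Return (mechanism, embedded IPv4 address) or (None, None)."""
    addr = ipaddress.IPv6Address(text)
    if addr.sixtofour is not None:                 # 2002:WWXX:YYZZ::/48
        return "6to4", str(addr.sixtofour)
    if addr.teredo is not None:                    # 2001:0::/32
        _server, client = addr.teredo              # ipaddress undoes the XOR obfuscation
        return "Teredo", str(client)
    iid = int(addr) & ((1 << 64) - 1)              # interface identifier (low 64 bits)
    if iid >> 32 in ISATAP_IID_PREFIXES:
        return "ISATAP", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return None, None


# Constructed sample, e.g. source addresses pulled from a flow log.
SAMPLE_ADDRESSES = [
    "2002:c000:204::1",                        # 6to4 built from 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",    # Teredo client 192.0.2.45
    "2001:db8::5efe:c000:201",                 # ISATAP carrying 192.0.2.1
    "2001:db8::42",                            # ordinary global unicast
]


def find_tunnel_endpoints(addresses):
    """Map every tunnel-derived address to (mechanism, embedded IPv4)."""
    findings = {}
    for text in addresses:
        mechanism, embedded = classify_tunnel_address(text)
        if mechanism is not None:
            findings[text] = (mechanism, embedded)
    return findings


if __name__ == "__main__":
    for address, (mechanism, embedded) in find_tunnel_endpoints(SAMPLE_ADDRESSES).items():
        print(f"{address:40} {mechanism:7} via IPv4 {embedded}")
```

The order of the checks matters: the 6to4 and Teredo prefixes are tested before the ISATAP interface-identifier pattern, because an ISATAP-style IID can legitimately appear inside a 6to4 or Teredo prefix. The embedded IPv4 address is what you would then correlate against the inner-protocol-41 flows at the border.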
IPv6 Protocol Vulnerability
• IPv6 Header
  • Header Manipulation
  • Protocol Fuzzing
• ICMPv6
  • ICMPv6 Filtering
  • ICMPv6 Attacks
• Extension Header
  • EHeader Filtering
  • EHeader Fuzzing
  • Routing Header Attacks
  • Fragmentation Header
  • Unknown Header
• Node Survey
  • Scanning
  • Improved/Smart Scanning
  • Multicast techniques
  • Sniffing
• Protocol Layer Header
• Higher Layer Spoofing
  • Generic Malware
• Router Protocol Security
• Flooding / (D)DoS and Packet
• Multicast
IPv6 Address Types – well-known Multicast
• Interface-local scope
  • FF01::1 all-nodes
  • FF01::2 all-routers
• Link-local scope
  • FF02::1 all-nodes
  • FF02::2 all-routers
  • FF02::5 OSPFIGP
  • FF02::9 RIP-routers
  • FF02::B Mobile Agents
  • FF02::6A all snoopers
  • FF02::1:2 all DHCP agents
• Site-local scope
  • FF05::2 all-routers
  • FF05::1:3 all DHCP servers
• FF01::101 all NTP servers on the same node as the sender
• FF02::101 all NTP servers on the same link as the sender
• FF05::101 all NTP servers on the same site as the sender
• FF0E::101 all NTP servers in the Internet
Global Unicast Addresses correspond with public IPv4 addresses; Site Local Unicast Addresses correspond with private IPv4 addresses.
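The NTP entries show the pattern behind the whole table: the group ID (::101) stays the same and only the scope nibble changes. As an added example (not part of the slides), the following Python splits any ff00::/8 address into its flag nibble, scope nibble and group ID, names them from the table above, and answers the question a firewall has to ask about each one: may a router have forwarded it at all? Scope names follow RFC 4291 and RFC 7346; the function names are this example's own.

```python
"""Decode IPv6 multicast addresses: flags, scope and well-known group ID.

Added example, not part of the original slide deck.  Group names follow the
slide's list of well-known groups (IANA / RFC 4291); scope names are the
RFC 4291 / RFC 7346 assignments.  Function names are this example's own.
"""
import ipaddress

# Scope nibble (bits 112-115 of the address), RFC 4291 section 2.7 / RFC 7346.
SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x3: "realm-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

# Well-known group IDs (low 112 bits), valid when the T (transient) flag is 0.
# Taken from the slide's list; the group ID is independent of the scope nibble.
GROUPS = {
    0x1: "all-nodes",
    0x2: "all-routers",
    0x5: "OSPFIGP",
    0x9: "RIP-routers",
    0xB: "Mobile Agents",
    0x6A: "all snoopers",
    0x101: "all-NTP servers",
    0x10002: "all DHCP agents",   # ::1:2
    0x10003: "all DHCP servers",  # ::1:3
}


def classify_multicast(text):
    """Split an ff00::/8 address into flags, scope and group and name them."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{text} is not in ff00::/8")
    value = int(addr)
    flags = (value >> 116) & 0xF          # 0RPT flag nibble
    scope = (value >> 112) & 0xF
    group = value & ((1 << 112) - 1)
    transient = bool(flags & 0x1)         # T=1: dynamically assigned group
    if transient:
        group_name = f"transient group {group:x}"
    else:
        group_name = GROUPS.get(group, f"unlisted well-known group {group:x}")
    return {
        "address": str(addr),
        "transient": transient,
        "scope": SCOPES.get(scope, f"unassigned scope {scope:x}"),
        "group": group_name,
    }


def forwardable_by_routers(text):
    """True if a router may forward this group at all.

    Interface-local (1) and link-local (2) groups never leave the link, so a
    firewall seeing one arrive over a routed path is looking at spoofing or a
    misconfiguration.  Wider scopes are forwarded only inside their zone, so a
    site border should still stop site-local (5) and organization-local (8).
    """
    classify_multicast(text)              # raises if not multicast
    scope = (int(ipaddress.IPv6Address(text)) >> 112) & 0xF
    return scope > 0x2


if __name__ == "__main__":
    for sample in ("ff02::1", "ff05::1:3", "ff0e::101", "ff12::1234"):
        print(classify_multicast(sample), forwardable_by_routers(sample))
```

The same decoding applies to any group not in the slide's table: a firewall rule set written in terms of scope (never forward scope 1 or 2, stop scope 5 at the site border) covers transient groups as well, while a rule set written only in terms of the literal addresses above does not.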
IPv6 Firewalling
• IPv6 Addressing
  • Unallocated Addresses
• IPv6 Headers allowance
• L2 FW
• IPv6 and NAT
• Neighbor Discovery allowance (NDP)
  • Duplicate Address Detection Issue
  • Redirect Issue
  • SEcure Neighbor Discovery (SEND)
• DHCPv6 Threats
• Endpoint Security
• IPv6, IPSec and Firewalls
• Management
• Routing Security
  • RIPng, OSPFv3
• QoS Threats
• Tunneled Traffic Inspection
• Unwanted Tunnels
• Mobile IPv6 (MIPv6)
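The two lists above (IPv6 Protocol Vulnerability, IPv6 Firewalling) name the header-level checks a border firewall has to make before it can even see the upper-layer protocol: walk the extension header chain, reject the deprecated Routing Header Type 0, deal with fragments, drop unknown headers and filter ICMPv6 types. The Python below is an added example (not from the slides or FortiOS) that implements exactly that walk over constructed packets. Header layouts follow RFC 8200; the ICMPv6 transit allow-list, the chain-length limit and the function names are this example's own policy choices, not a vendor default.

```python
"""Walk an IPv6 extension header chain and apply a border filtering policy.

Added example, not from the slides or FortiOS.  Header layouts follow
RFC 8200; the ICMPv6 allow-list and chain-length limit are example policy.
All packets are constructed in-line.
"""
import ipaddress
import struct

HOP_BY_HOP, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS, MOBILITY = (
    0, 6, 17, 43, 44, 50, 51, 58, 60, 135)
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY}
UPPER_LAYER = {TCP, UDP, ICMPV6}

# Example transit policy (assumption): destination unreachable, packet too big,
# time exceeded, parameter problem, echo request/reply, in the spirit of RFC 4890.
ICMPV6_ALLOWED_TRANSIT = {1, 2, 3, 4, 128, 129}
MAX_EXTENSION_HEADERS = 4


def walk_headers(packet):
    """Return (upper-layer next header, [(type, offset, length)], payload offset)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset, chain = packet[6], 40, []
    while next_header in EXTENSION_HEADERS:
        if next_header == ESP:                       # encrypted: chain ends here
            chain.append((ESP, offset, None))
            return ESP, chain, offset
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == FRAGMENT:                  # fixed 8 octets
            length = 8
        elif next_header == AH:                      # length in 4-octet units minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                                        # length in 8-octet units, first 8 excluded
            length = (packet[offset + 1] + 1) * 8
        chain.append((next_header, offset, length))
        next_header, offset = packet[offset], offset + length
    return next_header, chain, offset


def evaluate(packet):
    """Return (verdict, reason) for one packet: 'allow', 'drop' or 'inspect'."""
    try:
        upper, chain, end = walk_headers(packet)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if len(chain) > MAX_EXTENSION_HEADERS:
        return "drop", "extension header chain longer than policy allows"
    non_first_fragment = False
    for position, (kind, off, _length) in enumerate(chain):
        if kind == HOP_BY_HOP and position != 0:
            return "drop", "hop-by-hop header not directly after the IPv6 header (RFC 8200 4.1)"
        if kind == ROUTING and packet[off + 2] == 0:
            return "drop", "routing header type 0, deprecated by RFC 5095"
        if kind == FRAGMENT:
            frag_field = struct.unpack("!H", packet[off + 2:off + 4])[0]
            if frag_field >> 3:                      # fragment offset != 0
                non_first_fragment = True
            elif frag_field & 1 and end + 8 > len(packet):   # M set, no upper-layer header
                return "drop", "first fragment does not carry the upper-layer header (RFC 7112)"
    if upper == ESP:
        return "inspect", "ESP: payload opaque, decide on SPI and IPsec peer policy"
    if non_first_fragment:
        return "inspect", "non-first fragment: upper layer visible only after reassembly"
    if upper == ICMPV6:
        if end >= len(packet):
            return "drop", "ICMPv6 header missing"
        icmp_type = packet[end]
        if icmp_type not in ICMPV6_ALLOWED_TRANSIT:
            return "drop", f"ICMPv6 type {icmp_type} not allowed in transit"
        return "allow", f"ICMPv6 type {icmp_type}"
    if upper in UPPER_LAYER:
        return "allow", f"upper-layer protocol {upper}"
    return "drop", f"unknown or unexpected next header {upper}"


def build_ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Constructed test packet: fixed header + payload (no checksums needed here)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


SAMPLES = {  # constructed packets
    "echo_request": build_ipv6(ICMPV6, bytes([128, 0, 0, 0]) + b"\x00" * 4),
    "rh0_one_hop": build_ipv6(ROUTING, bytes([TCP, 2, 0, 1]) + b"\x00" * 4
                              + ipaddress.IPv6Address("2001:db8::3").packed + b"\x00" * 20),
    "hbh_after_dstopts": build_ipv6(DEST_OPTS, bytes([HOP_BY_HOP, 0, 1, 4, 0, 0, 0, 0])
                                    + bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) + bytes([128, 0, 0, 0, 0, 0, 0, 0])),
    "node_info_query": build_ipv6(ICMPV6, bytes([139, 0, 0, 0, 0, 0, 0, 0])),
    "non_first_fragment": build_ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 8 << 3, 1234) + b"\x00" * 16),
    "tiny_first_fragment": build_ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 1, 99)),
    "esp": build_ipv6(ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16),
}


def run_samples():
    """Verdict per constructed sample."""
    return {name: evaluate(packet)[0] for name, packet in SAMPLES.items()}


if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:20} {evaluate(packet)}")
```

Two design points carry over to a real rule set. First, the walk stops at ESP and returns "inspect" rather than "allow": the firewall cannot see the upper layer, so the decision has to come from IPsec peer policy, which is the "IPv6, IPSec and Firewalls" item above. Second, non-first fragments are handed to reassembly instead of being matched on the bytes that follow the fragment header, because those bytes are payload, not a transport header; a stateless rule that matches them is the classic fragment-evasion hole.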
Fortinet IPv6 Strategy
• Feature parity on all functions between IPv4 and IPv6 on higher layers
• Application unaware whether it runs on IPv4 or IPv6
• IPv6 Firewalling integrated for 3+ years
• Stepwise extension to complete functionality on IPv6
• Almost completed now
Today implemented for IPv4 & IPv6
• Stateful Firewalling and Routing
  • Service objects (e.g. ICMPv6), IPv6 address objects
  • Dynamic Routing: OSPF / RIP / BGP
• AntiVirus Scanning
  • http(s), ftp, smtp(s), imap(s), pop3(s), Instant Messaging, nntp
• Intrusion Prevention
  • Signature-based IPS/IDS and DoS protection
• URL Filtering
• Data Leak Prevention
• Management of the device via IPv6
  • e.g. SSH or https via IPv6 for device management
Today implemented for IPv4 & IPv6
• Bandwidth Management
  • Shaping, QoS
• IPSec (IKEv1 & IKEv2)
• DNS (AAAA Record)
• IPv4 over IPv6 Tunneling
• IPv6 over IPv4 Tunneling (e.g. tunnel brokers like SixXS)
• SIP ALG (Application Gateway)
  • Carrier-grade SIP-ALG: SIP fuzzing protection, pinholing, rate control etc.
• Application Control
• Logging and Reporting of data traffic, reporting on FortiAnalyzer
Protection on all Layers – UTM
• Combined methods on different layers
• Allow, but don’t trust all applications
• Content of the application
• Support for IPv4 and IPv6
Planning ahead is the key
• Vision for the business or the adoption driver
• IPv6 Training
• IP architecture that supports the vision -> IPv6 addressing scheme + design
• Evaluate infrastructure readiness to support the IPv6 implementation of the architecture
• Drive requirements and define purchasing strategy
• Align with other initiatives to accelerate readiness
• Define timeline
Overnight Adoption is Limiting and Expensive
Thank You.