May 17, 2009 McAfee Security and IPv6 David LePage Enterprise Solutions Architect – Network Security Business Unit, McAfee



Confidential McAfee Internal Use Only

Agenda

• Very brief overview of McAfee + Secure Computing
• IPv6 Overview
• McAfee Firewall Enterprise (Sidewinder)
• McAfee Web (SmartFilter)
• McAfee TrustedSource/URL Database
• McAfee Web Merge Tool
• Questions / Comments


Did You Know?

McAfee Network Security Stats:

• More than $500M in revenue, growing at 20%+
• Over 600 dedicated development staff
• 250 threat researchers in 23 countries
• Over 22,000 customers
• Over 400,000 appliances in service
• Over 2,500 Network Security partners

Recognized product line leadership
Core to McAfee's total security strategy
Complete protection, fastest time to confidence


IPv6 Overview

A primary reason for the existence of IPv6 is address depletion in IPv4:

IPv4 = 32-bit addresses

111.1.1.200 = 01101111 00000001 00000001 11001000

4,294,967,296 (2^32, about 4.29 × 10^9) possible addresses

IPv6 = 128-bit addresses

fd4c:4547:4f53:111::200 (the "::" stands for four all-zero 16-bit groups) =
1111110101001100 0100010101000111 0100111101010011 0000000100010001
0000000000000000 0000000000000000 0000000000000000 0000001000000000

340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128, about 3.4 × 10^38) possible addresses


IPv6 Conventions – The Interfaces

• IPv6 address types:
  – Loopback (::1)
  – Global unicast (2000::/3)
  – Link-local unicast (FE80::/10)
  – Multicast (FF00::/8)
  – Anycast (allocated out of the unicast space; not distinguishable by syntax)

• IPv6 host interface requirements (addresses every interface must recognize):
  – Loopback address
  – Link-local address
  – Unicast address(es)
  – All-nodes multicast address (FF02::1)
  – Solicited-node multicast address for each of its unicast and anycast addresses

• Router requirements:
  – All IPv6 host interface requirements
  – Subnet-router anycast address
  – All-routers multicast address (FF02::2)


IPv6 Conventions – The Initial Allocations

• From http://www.iana.org/assignments/ipv6-address-space:
  – 2000::/3 (Global Unicast)
  – FC00::/7 (Unique Local Unicast)
  – FE80::/10 (Link Local Unicast)
  – FF00::/8 (Multicast)

• Allocation of Global Unicast addresses at the time of this presentation (May 2009):

2001:0000::/23 IANA
2001:0200::/23 APNIC
2001:0400::/23 ARIN
2001:0600::/23 RIPE
2001:0800::/23 RIPE
2001:0A00::/23 RIPE
2001:0C00::/23 APNIC
2001:0E00::/23 APNIC
2001:1200::/23 LACNIC
2001:1400::/23 RIPE
2001:1600::/23 RIPE
2001:1800::/23 ARIN
2001:1A00::/23 RIPE
2001:1C00::/22 RIPE
2001:2000::/20 RIPE
2001:3000::/21 RIPE
2001:3800::/22 RIPE
2001:3C00::/22 RESERVED
2001:4000::/23 RIPE
2001:4200::/23 AfriNIC
2001:4400::/23 APNIC
2001:4600::/23 RIPE
2001:4800::/23 ARIN
2001:4A00::/23 RIPE
2001:4C00::/23 RIPE
2001:5000::/20 RIPE
2001:8000::/19 APNIC
2001:A000::/20 APNIC
2001:B000::/20 APNIC
2002:0000::/16 6to4
2003:0000::/18 RIPE
2400:0000::/12 APNIC
2600:0000::/12 ARIN
2610:0000::/23 ARIN
2620:0000::/23 ARIN
2800:0000::/12 LACNIC
2A00:0000::/12 RIPE
2C00:0000::/12 AfriNIC


Changes from IPv4 to IPv6

• NAT goes away: nodes get globally routable addresses, so inbound restriction has to come from firewall policy rather than from addresses that happen to be unreachable

• Network address configuration becomes automatic (-ish): stateless autoconfiguration and DHCPv6 replace most hand-assigned addressing

• Broadcast traffic goes away: replaced by multicast (all-nodes FF02::1, all-routers FF02::2, and the per-address solicited-node groups)

• ARP goes away: replaced by Neighbor Discovery, which runs over ICMPv6, so a firewall that drops all ICMPv6 breaks address resolution on the link

• IP packet format changes to lower overhead on routers: fixed 40-byte base header, no header checksum, options moved into extension headers

• Fragmentation by routers goes away: only the sending host may fragment, using the Fragment extension header after Path MTU Discovery (RFC 1981), so ICMPv6 "Packet Too Big" messages must be allowed through

• Better address allocation to lower BGP overhead on the Internet's core routers


Commonly understood IPv6 requirements

• Which requirements apply to McAfee Firewall Enterprise:
  – Section 2 ("Baseline Requirements")
  – Section 3.6 ("Security Device Requirements")

• Our read on the requirements:
  – Security devices do not have to meet the requirements placed on end-node, router or host systems
  – No transition requirements in the Security Device section

• Status:
  – First support for IPv6 was completed and implemented at a customer site in March 2008 using a "dual stack" approach
  – JITC certification was achieved for the McAfee Firewall v7.0.1 platform in January 2009: http://jitc.fhu.disa.mil/apl/ipv6.html
  – See the next slides for details


General IPv6 functionality


• Sidewinder currently supports IPv6!

• IPv6 is currently supported for stateful inspection rules, DNS, ICMPv6 and DHCPv6.

• Sidewinder rules can be written using source or destination addresses based on IPv4, IPv6 or both – allowing for flexible deployment

• 3 different modes for interface configuration (static, stateless autoconfig, stateful autoconfig)


Information Assurance Device Requirements


Requirement | Response
RFC 1981: Path MTU Discovery for IPv6 | Compliant
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification | Compliant
RFC 2461: Neighbor Discovery for IPv6 | Compliant
RFC 2462: IPv6 Stateless Address Autoconfiguration, or RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6) | Compliant
RFC 2462: IPv6 Stateless Address Autoconfiguration (Section 5.5) | Compliant
RFC 4007: IPv6 Scoped Address Architecture | Compliant
RFC 4193: Unique Local IPv6 Unicast Addresses | Compliant

Note that RFC 2461 and RFC 2462 had already been superseded by RFC 4861 and RFC 4862 (September 2007) when this profile was written; the profile still cites the older numbers.


Information Assurance Device Requirements (cont)


Requirement | Response
RFC 4291: IP Version 6 Addressing Architecture | Compliant
RFC 4443: Internet Control Message Protocol (ICMPv6) for the IPv6 Specification | Compliant
RFC 2710: Multicast Listener Discovery (MLD) for IPv6 | Compliant
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks | Compliant
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers (Dual Stack) | Compliant


IPv6 Security Requirements for VPN


Requirement | Response
All nodes MUST support IPsec Encapsulating Security Payload (ESP) with the 3DES-CBC, AES-128-CBC and HMAC-SHA1 transforms as defined in RFC 4301 (Security Architecture for the Internet Protocol), RFC 4303 (IP Encapsulating Security Payload (ESP)) and RFC 4305 (Cryptographic Algorithm Implementation Requirements for ESP and AH) | Compliant (2H 2009)
RFC 4308: Cryptographic Suites for IPsec | Compliant (2H 2009)
RFC 4309: Using Advanced Encryption Standard (AES) CCM Mode with IPsec ESP | Compliant (2H 2009)

RFC 4305 was obsoleted by RFC 4835 (April 2007); the transforms the profile names (3DES-CBC, AES-128-CBC, HMAC-SHA1-96) are the same in both.


IPv6 Security Requirements for VPN (cont)


Requirement | Response
All nodes MUST support manual keying | Compliant (2H 2009)
All nodes SHOULD support Authentication Header (AH); all AH implementations MUST support SHA1, as defined in RFC 4302 (IP Authentication Header (AH)) and RFC 4305 (Cryptographic Algorithm Implementation Requirements for ESP and AH) | Compliant (2H 2009)
If a security device must distribute IP security policy information to other devices, it SHOULD also implement RFC 3585 (IPsec Configuration Policy Information Model) and RFC 3586 (IP Security Policy Requirements) | Compliant (2H 2009)


IPv6 Security Requirements for VPN (cont)


Requirement | Response
All nodes SHOULD support automatic key management and exchange as defined in RFC 4304 (Extended Sequence Number (ESN) Addendum to the IPsec Domain of Interpretation (DOI) for ISAKMP), RFC 4306 (Internet Key Exchange (IKEv2) Protocol) and RFC 4307 (Cryptographic Algorithms for Use in IKEv2) | Compliant (2H 2009)
Nodes that must interoperate with current/legacy Internet Key Exchange (IKE) implementations SHOULD support the original IKE (IKEv1) as defined in RFC 2407 (The Internet IP Security Domain of Interpretation for ISAKMP), RFC 2408 (Internet Security Association and Key Management Protocol), RFC 2409 (The Internet Key Exchange (IKE)) and RFC 4109 (Algorithms for Internet Key Exchange Version 1 (IKEv1)) | Compliant

Rows marked "Compliant (2H 2009)" were roadmap items at the time of this presentation, not shipping features; only IKEv1 support was available in the released product.
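As an added example, not from the deck and not McAfee's implementation, the ESP packet format from RFC 4303 that the VPN requirements above hinge on: encapsulation, ICV verification, and the receiver's anti-replay window from RFC 4303 section 3.4.3. It uses the NULL cipher (RFC 2410) with HMAC-SHA1-96 (RFC 2404), a combination RFC 4305 also lists as MUST, so the integrity and replay logic runs with only the Python standard library; the 3DES-CBC or AES-128-CBC transform the requirement names would replace the identity step where the comment says so. The key, SPI and inner packet are constructed test data, and the class and function names are the example's own.

```python
# Added example (not from the McAfee deck): RFC 4303 ESP framing with
# NULL encryption + HMAC-SHA1-96, plus the RFC 4303 anti-replay window.
# Layout: SPI(4) | Seq(4) | Payload | Padding | PadLen(1) | NextHdr(1) | ICV(12)
import hashlib
import hmac
import struct

ICV_LEN = 12                 # HMAC-SHA1-96: the 20-byte tag truncated to 96 bits
NEXT_HEADER_IPV6 = 41        # inner packet is IPv6 (tunnel mode)

class ReplayError(Exception):
    pass

class IntegrityError(Exception):
    pass

def esp_encapsulate(spi: int, seq: int, key: bytes, inner: bytes,
                    next_header: int = NEXT_HEADER_IPV6) -> bytes:
    # Payload + Padding + PadLen + NextHdr must end on a 4-byte boundary
    # (RFC 4303 2.4); with no cipher dictating pad values they are 1, 2, 3, ...
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    plain = inner + padding + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = header + plain            # NULL cipher: AES/3DES-CBC would encrypt `plain` here
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

class EspReceiver:
    """One inbound SA: preliminary replay check, ICV, then window update."""
    def __init__(self, spi: int, key: bytes, window: int = 64):
        self.spi, self.key, self.window = spi, key, window
        self.highest = 0             # highest sequence number accepted so far
        self.bitmap = 0              # bit i set => seq (highest - i) already seen

    def _replay_check(self, seq: int) -> None:
        """Reject obvious replays before spending HMAC work (no window update)."""
        if seq == 0:
            raise ReplayError("sequence number 0 is never valid")
        if seq > self.highest:
            return
        offset = self.highest - seq
        if offset >= self.window:
            raise ReplayError(f"seq {seq} is below the replay window")
        if self.bitmap & (1 << offset):
            raise ReplayError(f"seq {seq} already received")

    def _replay_update(self, seq: int) -> None:
        """Advance or mark the window; called only once the ICV has verified."""
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def decapsulate(self, packet: bytes) -> tuple:
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise IntegrityError("unknown SPI")
        self._replay_check(seq)
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            raise IntegrityError("ICV mismatch")
        self._replay_update(seq)
        pad_len, next_header = body[-2], body[-1]   # would follow decryption
        inner = body[8:-(2 + pad_len)]
        return next_header, inner

if __name__ == "__main__":
    key = bytes(range(16))                      # constructed SA key
    inner = bytes([0x60]) + bytes(39)           # constructed minimal IPv6 header
    rx = EspReceiver(0x1001, key)
    pkt = esp_encapsulate(0x1001, 1, key, inner)
    print(rx.decapsulate(pkt)[0], len(pkt))     # 41 64
```

The order in decapsulate matters: the sequence number is checked before the ICV so a replay costs no MAC computation, but the window is only updated after the ICV passes, so a forged packet with a high sequence number cannot push legitimate traffic out of the window.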


Configuring IPv6 on Sidewinder

• IPv6 has three different methods of configuring an interface:

1) Static address configuration
   • Set an IP address and prefix length by hand on the interface.

2) Stateless Address Autoconfiguration (SLAAC, RFC 2462)
   • Routers advertise the prefix and prefix length on the subnet (Router Advertisement with the A flag set on the prefix)
   • The actual IPv6 address is the advertised prefix plus an interface identifier derived from the MAC address (modified EUI-64)
   • Hosts are responsible for running Duplicate Address Detection (DAD) before using an address
   • SLAAC itself carries no service information: DNS and NTP servers are learned through stateless DHCPv6 (RFC 3736, signalled by the RA O flag) or the RDNSS Router Advertisement option (RFC 5006)

3) Stateful automatic configuration (DHCPv6, RFC 3315)
   • Routers still advertise the prefix and prefix length, with the RA M flag set
   • DHCPv6 servers or relays are contacted via the well-known multicast group FF02::1:2
   • IP addresses are assigned by the DHCPv6 server
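As an added example, not part of the deck and not Sidewinder's configuration logic, the decision the three modes above describe, driven by the flags a Router Advertisement carries: the prefix's A flag selects SLAAC, the M flag selects stateful DHCPv6, and the O flag selects stateless DHCPv6 for "other" configuration such as DNS. The SLAAC path builds the modified EUI-64 interface identifier from the MAC address (RFC 4291 Appendix A) and runs the Duplicate Address Detection decision against a constructed set of addresses already claimed on the link. The RA, the MAC and the in-use set are made up for the demo; the class and function names are the example's own.

```python
# Added example (not from the McAfee deck): static vs. SLAAC vs. DHCPv6
# selection from Router Advertisement flags, modified EUI-64 derivation,
# and the DAD decision. The ipaddress module does the address formatting.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RouterAdvertisement:
    prefix: str            # advertised prefix, e.g. "2001:db8:1::/64"
    autonomous: bool       # Prefix Information Option A flag: form an address by SLAAC
    managed: bool          # RA M flag: get addresses from DHCPv6
    other_config: bool     # RA O flag: get DNS/NTP etc. from stateless DHCPv6

@dataclass
class Interface:
    mac: str
    addresses: list = field(default_factory=list)
    dhcpv6: str = "none"   # "none" | "stateless" | "stateful"

def modified_eui64(mac: str) -> int:
    """48-bit MAC -> 64-bit interface ID: invert the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    octets = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(octets, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix from the RA plus the EUI-64 identifier; SLAAC needs a /64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))

def dad_passes(candidate: ipaddress.IPv6Address, in_use: set) -> bool:
    """A tentative address may be used only if no other node already answers for it."""
    return candidate not in in_use

def configure(iface: Interface, ra: RouterAdvertisement, in_use: set) -> Interface:
    """Apply one RA to an interface and record the resulting decisions on it."""
    # The link-local address is always formed first, always by SLAAC, with DAD.
    link_local = slaac_address("fe80::/64", iface.mac)
    if dad_passes(link_local, in_use):
        iface.addresses.append(link_local)
    if ra.autonomous:
        candidate = slaac_address(ra.prefix, iface.mac)
        if dad_passes(candidate, in_use):
            iface.addresses.append(candidate)
        # A duplicate of an EUI-64-derived address means a duplicate MAC on the
        # link; RFC 4862 leaves that to the administrator rather than retrying.
    if ra.managed:
        iface.dhcpv6 = "stateful"      # Solicit to ff02::1:2 for an address
    elif ra.other_config:
        iface.dhcpv6 = "stateless"     # Information-Request to ff02::1:2 for DNS/NTP only
    return iface

if __name__ == "__main__":
    ra = RouterAdvertisement("2001:db8:1::/64", autonomous=True, managed=False, other_config=True)
    taken = {ipaddress.IPv6Address("2001:db8:1::1")}          # constructed: router's own address
    iface = configure(Interface(mac="00:11:22:33:44:55"), ra, taken)
    print([str(a) for a in iface.addresses], iface.dhcpv6)
```

Because the EUI-64 identifier embeds the MAC address, the same host is recognizable on every network it visits; RFC 4941 temporary addresses were defined to avoid that, and a firewall policy keyed on a host's SLAAC address should expect the identifier to stay constant only when privacy extensions are off.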


McAfee SmartFilter brief overview


• SmartFilter is a URL content filter currently supported on multiple platforms, including the Sidewinder firewall platform

• SmartFilter running on Sidewinder is a native implementation: all functionality present in the standalone software versions is also available on the Sidewinder platform

• SmartFilter leverages a URL database that categorizes URL content against a pre-defined set of categories


TrustedSource / URL Database


• It's more than just a URL filtering database!

• McAfee® TrustedSource™ is a global threat correlation engine and intelligence base of global messaging and communication behavior, covering reputation, volume and trends across email, web traffic and malware.

• TrustedSource has integrated the URL filtering categorizations and uses information gathered from other threat vectors to categorize sites more accurately.

• The additional knowledge provided by TrustedSource™ data enables appliances and services to filter communications more accurately and protect electronic communications and transactions between people, companies and countries.

• McAfee® TrustedSource™ researchers work to ensure the safety and security of Internet communications from the firewall to the PDA, sharpening both the intelligence gathering and its applications.
