IPv6 Threats

www.commtouch.com

Welcome to Part 2: IPv6 Informational Series

Eyal Orgil, Marketing Director, Commtouch

Part 1: An Introduction to IPv6

www.commtouch.com/introduction-ipv6

Part 2: IPv6 Security Threats

Speakers

Asaf Greiner, VP Products, Commtouch

Gabriel M. Mizrahi, VP Technologies, Commtouch

Have a question?

Send questions to: [email protected]

posted: http://blog.commtouch.com

Is the Change to IPv6 a Significant Security Event?

Is IPv6 a Significant Event

Move to IPv6 a transition, not an event
• Taking place for several years
• Will continue for many more years

There will be security implications
• During the transition period
• After fully implemented

Many threats same as IPv4
• Especially while dual-stacks are in use

Many IPv4 threats not applicable to IPv6

Care must be taken when using dual-networks
• Many existing security solutions can protect against IPv6 threats
• But, must be properly configured

Many threats related to transition to IPv6, not new threats

Many IPv6 users today are experts and enthusiasts

IPv6 is not yet in widespread usage
• Still see minimal usage of IPv6

Wider adoption of IPv6 depends on readiness of network infrastructures
• Currently no big incentive to move to IPv6

Hackers will utilize IPv6 when it will bring them value
• Not deployed widely enough in order to invest time
• As IPv6 grows it will appear on the Hacker radar

Transition a long process, not a one day event
• Advise that you learn and adjust

The Hype About IPv6 – Is it Just Another Y2K Scare?

Is IPv6 Another Y2K?

Don’t be scared of IPv6, but don’t take it lightly

IPv6 is a technology which offers:
• New opportunities
• New challenges

No date for IPv6
• Will take years for IPv6 to become the main protocol

Expect many mission critical infrastructures to remain IPv4
• Enough IPv4 addresses for these

Unlikely websites will be moved to be IPv6 in near future

When a large move occurs, we will know:
• There is a large user IPv6 base
• End of transition period is near

Top Security Issues with IPv6

IPv6 Security Issues

Top three security related issues with IPv6:
• Tunneling of IPv6 over IPv4 (6 to 4)
• Rogue devices
• IP Reputation

Threat: IP Tunneling

IPv6 Tunneling Threat

[Diagram sequence: an internal IPv4 network behind an "IPv4 Configured Firewall" facing the Internet; a host with an IPv4 address, then with an IPv6 address; an "IPv4-to-IPv6 Gateway" (GW) with an "IPv6 over IPv4 tunnel"; an IPv4 website and an IPv6 website with "FW Policy: No Angry Birds"; final caption "Bypass firewall policy".]

Need to make sure that security devices are configured for IPv6
• For example firewalls

Another example – IDS (Intrusion Detection System)
• Can inspect IPv6, but you need to enable it
• If not, you won’t be enforcing the policy on IPv6
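
An added example (not from the Commtouch slides) of the check implied above: it scans IPv4 packets for IP protocol 41, which carries IPv6 encapsulated in IPv4, and reports the inner IPv6 flow that an IPv4-only policy never evaluated. The helper names, sample packets and addresses are constructed for illustration, using documentation address ranges.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4

def find_tunnelled_ipv6(packet: bytes):
    """Return (outer_src, outer_dst, inner_src, inner_dst) when the IPv4
    packet carries an encapsulated IPv6 packet, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_IPV6:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None                          # truncated, or not IPv6 inside
    return (ipaddress.IPv4Address(packet[12:16]),
            ipaddress.IPv4Address(packet[16:20]),
            ipaddress.IPv6Address(inner[8:24]),
            ipaddress.IPv6Address(inner[24:40]))

def ipv4_header(src, dst, proto, payload_len):
    # Constructed sample header; checksum left at 0 because nothing here verifies it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def ipv6_header(src, dst):
    # Version 6, empty payload, next header 59 (no next header), hop limit 64.
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

# Constructed samples: one tunnelled IPv6 packet and one ordinary TCP packet.
TUNNELLED = (ipv4_header("192.0.2.10", "198.51.100.1", IPPROTO_IPV6, 40)
             + ipv6_header("2001:db8:1::10", "2001:db8:ffff::80"))
PLAIN_TCP = ipv4_header("192.0.2.10", "198.51.100.1", 6, 0)

def audit(packets):
    """Collect the inner IPv6 flows hidden inside IPv4 traffic."""
    return [hit for hit in map(find_tunnelled_ipv6, packets) if hit]

if __name__ == "__main__":
    for o_src, o_dst, i_src, i_dst in audit([TUNNELLED, PLAIN_TCP]):
        print(f"IPv6-in-IPv4: {o_src} -> {o_dst} carries {i_src} -> {i_dst}")
```
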

Threat: Rogue Devices

Rogue Devices

[Diagram sequence: three Windows 7 hosts on an IPv4 network; an IPv6 network alongside it, labelled "IPv6 enabled by default"; the hosts labelled "Internet?" with the caption "IPv6 searches for access to the Internet"; a "Rogue Device" with "IPv6 Prefix" labels and an "Internet IPv6" label.]

The difference is:
• IPv4 is used daily
• If a different allocation is provided, there will be noticeable effects
• With IPv6, the insertion of a rogue device may go unnoticed

[Diagram sequence: a "Rogue Device" between the IPv6 network and the IPv6 Internet, labelled "Man in the middle".]

Not only a Windows problem

An issue with most operating systems
• IPv6 is defined by default
• IPv6 could run in the background without anyone’s knowledge

Security risk also in IPv4 with DHCP
• Make sure unauthorized devices cannot connect to your network
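
An added example (not from the slides) of one way to notice a rogue device: it assumes the device announces its prefix in an ICMPv6 Router Advertisement, a mechanism the slides do not name, and compares each advertisement with the routers and prefixes the network is expected to have. The function names, router addresses, prefixes and sample messages are constructed.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134   # ICMPv6 type for Router Advertisement
OPT_PREFIX_INFO = 3          # Prefix Information option

def ra_prefixes(icmpv6: bytes):
    """Return the prefixes announced in an ICMPv6 Router Advertisement body."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERT:
        return []
    prefixes, off = [], 16                   # options follow the 16-byte RA header
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmpv6):
            break                            # malformed option, stop parsing
        plen = icmpv6[off + 2]
        if opt_type == OPT_PREFIX_INFO and opt_len == 32 and plen <= 128:
            addr = ipaddress.IPv6Address(icmpv6[off + 16:off + 32])
            prefixes.append(ipaddress.IPv6Network((addr, plen), strict=False))
        off += opt_len
    return prefixes

def check_ra(src, icmpv6, known_routers, known_prefixes):
    """Return a list of findings; an empty list means the advertisement is expected."""
    findings = []
    if ipaddress.IPv6Address(src) not in known_routers:
        findings.append(f"unknown router {src}")
    for prefix in ra_prefixes(icmpv6):
        if prefix not in known_prefixes:
            findings.append(f"unexpected prefix {prefix} from {src}")
    return findings

def sample_ra(prefix):
    # Constructed message: RA header (checksum 0, lifetime 1800 s) plus one prefix option.
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                         86400, 14400, 0, net.network_address.packed)
    return header + option

# Constructed baseline. On a network that has not deployed IPv6 both sets
# would be empty, so every advertisement becomes a finding.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_PREFIXES = {ipaddress.IPv6Network("2001:db8:10::/64")}

if __name__ == "__main__":
    print(check_ra("fe80::1", sample_ra("2001:db8:10::/64"), KNOWN_ROUTERS, KNOWN_PREFIXES))
    print(check_ra("fe80::bad", sample_ra("2001:db8:666::/64"), KNOWN_ROUTERS, KNOWN_PREFIXES))
```
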

Threat: IP Reputation

IP Reputation

Far more IP addresses in IPv6
• 2^32 compared to 2^128

Challenges
• IP allocation will be different from IPv4
• Anyone can get a large IP allocation
• Any person can get a 64 bit allocation (2^64)
• The entire Internet today is 2^32

Last 64 bits define the device ID

Complicate issue by using randomizer to change 64 bit
• Every spam message could be sent from different IP

[Diagram: 2^64 different IP addresses reaching the Internet, with messages labelled "From IP address: wwww", "From IP address: xxxx", "From IP address: yyyy", "From IP address: zzzz".]

IP reputation on 128 bits very difficult
• Need other methods to build reputation
• Such as subnets

Storing IP information in memory
• Vast amount of memory will be needed

No NAT in IPv6
• Some believe a security issue
• They believe NAT provides a layer of security
• IPv6 provides public IPs for all devices
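
An added example (not Commtouch's implementation) of the subnet approach mentioned above: spam reports are counted per /64 for IPv6 and per address for IPv4, and the result is compared with per-address tracking when a sender rotates the low 64 bits for every message. The class, the threshold of 20 and the sender addresses are assumptions constructed for the illustration.

```python
import ipaddress
from collections import Counter

def reputation_key(addr, v6_prefix_len=64):
    """Key IPv4 senders by address and IPv6 senders by their enclosing prefix."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv4Network((ip, 32))
    return ipaddress.IPv6Network((ip, v6_prefix_len), strict=False)

class ReputationStore:
    """Counts spam reports per key and lists a sender once a threshold is reached."""
    def __init__(self, threshold=20, aggregate=True):
        self.spam = Counter()
        self.threshold = threshold
        self.aggregate = aggregate   # False = one entry per full 128-bit address

    def _key(self, addr):
        return reputation_key(addr) if self.aggregate else ipaddress.ip_address(addr)

    def record_spam(self, addr):
        self.spam[self._key(addr)] += 1

    def is_listed(self, addr):
        return self.spam[self._key(addr)] >= self.threshold

def rotating_senders(prefix="2001:db8:bad:1::/64", count=1000):
    """Constructed sample: one /64 whose sender changes the low 64 bits per message."""
    base = int(ipaddress.IPv6Network(prefix).network_address)
    for i in range(1, count + 1):
        iid = (i * 0x9E3779B97F4A7C15) & 0xFFFFFFFFFFFFFFFF   # distinct value per i
        yield str(ipaddress.IPv6Address(base | iid))

def compare(count=1000):
    """Feed the same spam run to both stores and report size and verdicts."""
    per_address, per_prefix = ReputationStore(aggregate=False), ReputationStore()
    for addr in rotating_senders(count=count):
        per_address.record_spam(addr)
        per_prefix.record_spam(addr)
    unseen = "2001:db8:bad:1:dead:beef:0:1"   # same /64, address not seen before
    return {
        "per_address_entries": len(per_address.spam),
        "per_address_lists_unseen": per_address.is_listed(unseen),
        "per_prefix_entries": len(per_prefix.spam),
        "per_prefix_lists_unseen": per_prefix.is_listed(unseen),
    }

if __name__ == "__main__":
    print(compare())
```

Per-address tracking ends with 1000 entries and still misses the next message, while the per-prefix store holds one entry and lists it.
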

Commtouch Compliance with IPv6

Commtouch and IPv6

Commtouch has been working on IPv6 for some time

Making changes to client side and back-end
• Client side will be transparent
• Focus has been on the back-end

GlobalView Mail Reputation transparently supports more IP addresses
• Still single query of an IP address but data storage more efficient

Monitoring the Internet
• Identifying IPv6 threats
• Classifying threats

Currently seeing minor IPv6 spam activity
• Believe spammers experimenting with IPv6
• Too noticeable today to send spam via IPv6 when there is very little email on this network

Recommendations for Minimizing IPv6 threats

Gabriel Mizrahi’s IPv6 Recommendations

1. Make sure you have mapped all devices on your network
2. Implement IPv6 step-by-step
3. Have a written procedure of how you will introduce IPv6
4. Plan to implement a dual stack as a first stage

Asaf Greiner’s IPv6 Recommendations

1. Get educated about IPv6
• Everyone should go back to networking fundamentals
• Understand what’s implemented on our network today, and why
• Then look at what needs to remain or change

2. Learn from others
• What mistakes and successes others have experienced

3. Lockdown from IPv6 as a start

4. Then implement staged plan to roll out IPv6

5. Take care to avoid configuration errors

Thank you to

Asaf Greiner, Commtouch VP Products

Gabriel M. Mizrahi, Commtouch VP Technologies

Please check back for future informational webcasts