Tag Archives: IPv6

RSA 2012 Day 4: IPv6 Vulnerability Management and BYOD

Posted on by cbroccoli
No Comments

Two good sessions today, one on the state of vulnerability management in IPv6 and the second on the security issues with BYOD.

The vulnerability management session was interesting in that while Microsoft, all Linux variants, Cisco, HP, Juniper, Check Point and other OS and network device vendors have been implementing IPv6 capabilities into their products, the vulnerability management vendors have been sleeping.  They are just coming to the realization that customers would like to be able to perform vulnerability tests for IPv6 enabled hosts on their networks.  I mentioned in my post yesterday that the primary issue with performing vulnerability scans on IPv6 is the scarcity of the addresses in an IPv6 address space.  It is simply not possible to scan all of the addresses in a single IPv6 subnet to find hosts and to then probe for vulnerabilities in a reasonable amount of time.  The vendors are working on models to do this; however, no final “best practice” solution is available yet.  Some suggestions which were presented are to scan active IPv4 addresses to find the hosts and then check if they are running IPv6, to perform SNMP walks on the routers or switches to determine which hosts are running IPv6, review the CMDB for known hosts or review log files on network and other devices.

In the BYOD session, the primary discussion revolved around identifying the threats to mobile devices in general, but only two possible models for supporting BYOD emerged.   The primary threats to mobile devices as seen by the panel are:

  • Bridging from a mobile device into the enterprise network
  • ActiveSync vulnerabilities
  • Rouge base stations which can eavesdrop on calls
  • Lack of granular controls for many of the mobile OS’
  • Poor password usage since users find it difficult to type in complex strong password

The two models which were discussed for supporting a BYOD model are to either require the user to accept corporate policy controls (e.g. encryption, virus scanner, etc.) on their personal device by installing an enterprise MDM solution or to implement local virtual containers on the devices.  The container solution would solve the problem that if a user leaves the company, only the corporate container can be wiped and the personal container can remain in place.

In both situations, a security policy should define what applications will be made available to users who bring their own devices. This policy should be based on the criticality and security requirements of the applications as well as the usability of the applications.  For example, does it make sense to allow access to spreadsheets from iPhones when they really cannot read or manipulate them in any practical manner?

Categories: IPv6, IT Security | Tags: ,

IPv6 Migration Resources

Posted on by cbroccoli
No Comments

In looking into ways to deploy NAT64/DNS64 on the network, I ran into a couple of interesting products which would make either a home migration to IPv6 or an Enterprise migration to IPv6 easier.

The first product is the D-Link DIR-825 wireless LAN router for home users.  The router is IPv6 Ready and supports 6to4 and 6in4 tunneling.  This router would alow someone at home to run dual stack on their home network and connect either to hosts on the IPv4 Internet or the IPv6 Internet automatically.  Retail price at Digitec is CHF 113.00.

The second product is the F5 BigIP load balancer.  This product has an IPv6 Gateway functionality which supports NAT64/DNS64 to help with client and server migrations within an enterprise.  Since this product is in use as the standard loadbalancer at my current enployer, this could be a viable path to move customers to IPv6.  I found an interesting white paper on their migration scenario:  Controlling your Migration to IPv6.

Finally, I have been reading up on the Vyatta network operating system.  It would seem like a lot of companies are interested in using this OS in their products to provide base tunneling, routing and security capabilities without having to develop them themselves.  Citrix is using this software as the basis for their Netscaler Cloud Bridge solution and Riverbed is using it to add routing and firewalling capabilities to their Steelhead appliances.  Since Vyatta has an open source version wich runs on VMWare Player, I think I will give it a try and see how it works.  It should provide full routing functionality, firewalling and its latest version (6.1) is IPv6 certified and may even support NAT64.  If that is the case, then I can give that a try as well.

Categories: IPv6, Networking | Tags:

More on IPv6 Addressing

Posted on by cbroccoli
No Comments

I have been reading a couple of RFCs on IPv6 and was getting confused with all of the different address types and definitions, so I have decided to make a cheat-sheet to help me next time I need it….

Defined IP addresses:

  • ::ffff:192.0.2.128     IPv4 mapped IPv6 address
  • 2002::/16    6to4 tunnels
  • 2001::/16    teredo tunnels
  • ::1/128   Loopback (link-local scope)
  • fc00::/7    Unique Local unicast Address (ULA) (global-scope) – see blog on IPv6 Addressing
  • fec::/16    Site-local unicast addresses (obsoleted by ULA)
  • fe80::/16   Link-local unicast addresses
  • ff00::/16    Multicast addresses
  • ff02::/16   Link-local multicast addresses
  • ff05::/16  Site-local multicast addresses
  • ff0e::/16  Global multicast addresses
  • ::/0    Default
  • ::/96 ipv4 compatible addresses (obsolete)
  • 3ffe::/16    6bone address range (no longer in use)
  • 2001:db8::/32    Reserved for documentation
  • 64:ff9b::/96    Well known address for NAT64 used to represent global ipv4 addresses in the ipv6 address space after NAT

I have also discovered via wireshark that there are a lot of users of the link local multicast address ff02::/16:

  • ff02::c     Microsoft Simple Service Discovery Protocol (used for universal PnP)
  • ff02::1     All nodes multicast address
  • ff02::2    All routers multicast address
  • ff02::1:ff_ _:_ _ _ _   Solicited node multicast address  where the _ _:_ _ _ _ are the lower order24 bits of the destination nodes address (used for neighbor solicitation)

So this is what I have found so far.  I will keep adding to the list add  addresses pop-up.

Categories: IPv6, Networking | Tags: