IPv6环境下的安全威胁(上)

1©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDIPv6环境下的安全威胁SESSIONSEC-20032©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDPrerequisites:SessionAbstract•ThissessionpresentsIPv6securityascontrastedwithIPv4fromathreatsperspective•Inaddition,thesessioncoversadvancedIPv6securitytopicsliketransitionoptionsanddeployingIPv6securitymechanismsinadualstackIPv6/IPv4environment•ThissessionrequiresaworkingknowledgeoftheIPv6andIPsecprotocolsaswellasIPv4securitybestpractices3©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDIntroduction•DiscussionsaroundIPv6securityhavecenteredonIPsecThoughIPsecismandatoryinIPv6,thesameissueswithIPsecdeploymentremainfromIPv4ManyIPv6stacksdonottodaysupportIPsecTherefore,IPv6willbedeployedlargelywithoutcryptographicprotectionsofanykind•SecurityinIPv6isamuchbroadertopicthanjustIPsecEvenwithIPsec,therearemanythreatswhichstillremainissuesinIPnetworking4©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDAgenda•TypesofThreats•IPv6andIPv4ThreatComparisons•IPv6SecurityBestCommonPractice•EnforcingaSecurityPolicyinIPv6•SpecificIssuesforIPv65©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDTYPESOFTHREATS5556©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDTypesofThreats•Reconnaissance—Providetheadversarywithinformationenablingotherattacks•Unauthorizedaccess—ExploittheopentransportpolicyinherentintheIPv4protocol•Headermanipulationandfragmentation—Evadeoroverwhelmnetworkdeviceswithcarefullycraftedpackets•Layer3–layer4spoofing—ModifytheIPaddressandportinformationtomasktheintentororiginofthetraffic•ARPandDHCPattacks—Subvertthehostinitializationprocessoradevicethehostaccessesfortransit•Broadcastamplificationattacks(smurf)—AmplifytheeffectofanICMPfloodbybouncingtrafficoffofanetworkwhichinappropriatelyprocessesdirectedICMPechotraffic•Routingattacks—Disruptorredirecttrafficflowsinanetwork7©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDTypesofThreats(Cont.)•Virusesandworms—Attackswhichinfecthostsandoptionallyautomatepropagationofthemaliciouspayloadtoothersystems•Sniffing—Capturingdataintransitoveranetwork•Applicationlayerattacks—Broadcategoryofattacksexecutedatlayer7•Roguedevices—Unauthorizeddevicesconnectedtoanetwork•Man-in-the-middleattacks—Attackswhichinvolveinterposinganadversarybetweentwocommunicatingparties•Flooding—Sendingbogustraffictoahostornetworkdesignedtoconsumeenoughresourcestodelayprocessingofvalidtraffic8©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDTHREATCOMPARISON8889©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDReconnaissanceinIPv4InIPv4,ReconnaissanceIsRelativelyEasy1.DNS/IANAcrawling(whois)todetermineranges2.Pingsweepsandportscans3.Applicationvulnerabilityscans[tick:/var]scott#nmap-sP10.1.1.0/24StartingnmapV.3.00()Host(10.1.1.0)seemstobeasubnetbroadcast…Host(10.1.1.1)appearstobeup.Host(10.1.1.12)appearstobeup.Host(10.1.1.22)appearstobeup.Host(10.1.1.23)appearstobeup.Host(10.1.1.101)appearstobeup.Host(10.1.1.255)seemstobeasubnetbroadcast…Nmapruncompleted--256IPaddresses(7hostsup)scannedin4seconds10©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDReconnaissanceinIPv6SubnetSizeDifference•DefaultsubnetsinIPv6have2^64addresses(approx.18quintillion);scanningeveryaddressonasubnetisnolongerreasonable(centuriesvs.seconds)•NMAPdoesn’tevensupportforpingsweepsonIPv6networks(you’llhaveretiredbythetimeitfinishes,evenatonemillionpacketspersecond)11©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDReconnaissanceinIPv6IP6ScanningMethodsAreLikelytoChange•PublicserverswillstillneedtobeDNSreachablegivingadversariessomehoststoattack•DynamicDNSadoptioncausingDNSserverstoberichsourcesofaddressestoscan•Administratorsmayadopteasytorememberaddresses(::10,::20,::F00D,orsimplyIPv4lastoctet)•Bycompromisingroutersatkeytransitpointsinanetwork,anattackercanlearnnewaddressestoscan12©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDReconnaissanceinIPv6•Newmulticastaddresses—IPv6supportsnewmulticastaddressesthatcanenableanadversarytoidentifykeyresourcesonanetworkandattackthemForexample,allrouters(FF05::2)andallDHCPservers(FF05::1:3)2001:0410::502001:0410::602001:0410::70AttackerFF05::2SourceDestinationPayloadDoS13©2005CiscoSystems,Inc.Allrightsreserved.CiscoConfidentialSessionNumberPresentation_IDReconnaissanceinIPv6Pv6TopologyDiscoverybyLocalLinkMulticast:StillWorks[root@lisaroot]#ping6-Ieth0ff02::1PINGff02::1(ff02::1)fromfe80::20d:61ff:fe57:8d4eth0:56databytes64bytesfrom::1:icmp_seq=0ttl=64time=0.055ms64bytesfromfe80::205:5dff:fe4b:8ecd:icmp_seq=0ttl=64time=0.183ms(DUP!)64bytesfromfe80::20f:f7ff:feba:5961:icmp_seq=0ttl=64time=0.919ms(DUP!)14©2005CiscoSystems,Inc.Allrigh