You will need to adapt the guidelines for your own specific network topology and elements, verify the support of required features, learn how to deploy solutions from your vendors of choice, and further study the relevant topics for your specific case, but you will already be going in the right direction.
- The best security tool is knowledge
- IPv6 security is a moving target
- IPv6 is happening
- Scalability is a big cybersecurity challenge
It might also be helpful to compare your IPv6 security strategy and knowledge with IPv4, and to classify IPv6 security topics based on the following three categories:
- No changes with IPv6
- Changes with IPv6
- New IPv6 issues
You can explore the IPv6 security features and considerations per type of device in the table below.
- IPsec (if needed)
- RH0 (RFC5095)
- Overlapping frags (RFC5722)
- Atomic Fragments (RFC6946)
- NDP Fragmentation (RFC6980)
- Header chain in 1st fragment (RFC7112)
- Stable IIDs (RFC8064) (RFC7217) (RFC7136)
- Temp Address (RFC8981)
- Disable if not used: LLMNR, mDNS, DNS-SD, transition mechanisms
Switch
Host+ (you can consider a ____ a host for traffic directed to it and its management interface)
- Ingress Filtering and RPF
- DHCPv6 Relay (RFC8213)
- OSPFv3: IPsec (RFC4552) and/or Auth Trailer (RFC7166)
- IS-IS: HMAC-SHA (RFC5310) or, less preferred, HMAC-MD5 (RFC5304)
- MBGP: TCP-AO (RFC5925); MD5 Signature Option (RFC2385), obsolete
- MBGP Bogon prefix filtering
Security equipment
CPE (Customer Premise Equipment)
Drag and drop each security feature to the corresponding device.
Devices: Router, Hosts
Features:
- Encapsulation traffic inspection
- ICMPv6 fine-grained filtering
- RA-Guard
- MLD Snooping
- DHCPv6 Guard
There are two important points that you need to consider, which will be covered in more detail in this module:
- Up-to-date information
- IPv6 Security Tools
How can you check that RA-guard is working?
Select the two correct answers.
- Create tailor-made RAs
- Capture packets in the link to analyse the IPv6 traffic
- Use a specific tool, from a toolkit, to send rogue RAs
- Using a scanner to find all devices on the link and their addresses
Packet Generators allow the creation of random or tailor-made packets from different protocols. They can have different levels of granularity, allowing more or less details to be customised. The interface can be a CLI (Command Line Interface), a programming library or a scripting framework. They are useful for:
- Assessing IPv6 security of your network
- Testing implementations
- Learning about how protocols work
- Proof of concept of attacks or protocols
What can you do to find out what is causing the problems?
Select the two correct answers.
- Creating tailor-made packets with a packet generator
- Use a packet sniffer and analyser to look for suspicious traffic
- Use an IDS/IPS that finds out suspicious traffic
- Using a scanner to find all devices on the link
Packet Sniffers/Analysers capture packets and show them in different ways, from text to graphical representation. They can also decode the different protocols used in the packet, relate packets to each other, and show stats about the protocols used. They are useful for:
- Understanding attacks and security measures
- Learning about protocols and implementations
- Troubleshooting
Your IDS has sent a warning about one device sending traffic considered as dangerous for your network. The host is identified by its IPv6 address. You know which link the device is on by the prefix but the IID (Interface ID) is randomly generated, so you don’t know which specific device it is.
How can you find the possibly dangerous device?
Select the two correct answers.
- Using tailor-made packets to scan a link
- Checking the network configuration for each one of the devices
- Disconnecting devices and checking if the suspicious traffic disappears
- Using a scanner to find all devices on the link
Specialised Toolkits provide multiple features related to IPv6 security. They can come in different formats, such as a set of executable binaries, one for each attack, or a user interface where attacks can be chosen.
These toolkits are similar to packet generators in their use, but allow fewer options: not all parameters/values can be changed, and attacks not included in the toolkit cannot be run. They are useful for:
- Assessing IPv6 security
- Learning about how protocols work
- Proof of concept
- Learning about new attacks
What can you do to automate both processes: detecting vulnerabilities and detecting possible attacks within your network?
Select the two correct answers.
- Install a scanner to find vulnerabilities
- Install an IDS/IPS to detect possible attacks
- Schedule manual search of vulnerabilities every 2 days
- Schedule periodic packet sniffing sessions with engineers to analyse it
Scanners automatically discover devices connected to a network and information about those devices, and can also find known vulnerabilities in the discovered devices. They are useful for:
- Finding devices and information about your network
- Proactively protecting against vulnerabilities
IDS/IPS can detect or prevent attacks on your network. They are based on capturing all the packets in the link(s) and analysing them in order to find known patterns indicating something is going wrong. They are useful for:
- Understanding attacks and security measures
- Learning about protocols and implementations
- Assessing IPv6 security
- Learning about or discovering new attacks
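As an added example that is not part of the course material, this is the kind of known-pattern check an IDS or packet analyser applies to captured packets, here for Router Advertisements and other NDP messages. It goes beyond the text by walking the IPv6 extension header chain; the `classify` and `ipv6` helpers, the labels, the router address `fe80::1` and the sample packets are all constructed for illustration.

```python
import ipaddress
import struct

EXT_HEADERS = {0, 43, 60}          # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ICMPV6 = 44, 58
NDP_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}

def classify(packet: bytes, allowed_routers: set) -> str:
    """Label one raw IPv6 packet (no link-layer header) for the analyst."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "not-ipv6"
    src = str(ipaddress.IPv6Address(packet[8:24]))
    next_header, offset, fragmented = packet[6], 40, False
    while next_header in EXT_HEADERS or next_header == FRAGMENT:
        if offset + 8 > len(packet):
            return "truncated-header-chain"
        if next_header == FRAGMENT:
            if struct.unpack("!H", packet[offset + 2:offset + 4])[0] >> 3:
                return "non-first-fragment"   # upper layer is not in this packet
            fragmented, length = True, 8
        else:
            length = (packet[offset + 1] + 1) * 8
        next_header, offset = packet[offset], offset + length
    if next_header != ICMPV6:
        return "other"
    if offset >= len(packet):
        return "truncated-header-chain"
    ndp = NDP_TYPES.get(packet[offset])
    if ndp and fragmented:
        return "fragmented-" + ndp            # NDP in a fragment, cf. RFC 6980
    if ndp == "RA" and src not in allowed_routers:
        return "rogue-RA"                     # RA from a source we do not expect
    return ndp or "other"

def ipv6(src: str, next_header: int, payload: bytes) -> bytes:
    """Constructed sample: 40-byte IPv6 header to ff02::1 plus payload."""
    head = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255)
    return (head + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address("ff02::1").packed + payload)

RA = bytes([134, 0]) + bytes(14)              # type 134; checksum left as zero
DSTOPT = bytes([58, 0, 1, 4, 0, 0, 0, 0])     # next header ICMPv6, PadN option
FRAG = bytes([58, 0, 0, 0]) + bytes(4)        # offset 0, M=0 (atomic fragment)
ALLOWED = {"fe80::1"}                         # assumed legitimate router

if __name__ == "__main__":
    for pkt in (ipv6("fe80::1", 58, RA), ipv6("fe80::2", 60, DSTOPT + RA),
                ipv6("fe80::1", 44, FRAG + RA)):
        print(classify(pkt, ALLOWED))
```

The second sample shows why the check follows the whole header chain: an RA placed behind a Destination Options header is still classified as an RA from an unexpected source.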
Where can you start looking for useful information?
- Standardisation Bodies
- Vulnerability Databases
- Security Tools
- Cybersecurity Organisations
- Vendors
- Public Forums
Security Tools type and uses
- Assessing IPv6 security
- Testing implementations
- Learning about protocols
- Proof of concept of attacks/protocols
- Understanding attacks and security measures
- Learning about protocols and implementations
- Troubleshooting
Security Tools type and uses (2)
- Assessing IPv6 security*
- Learning about protocols and implementations*
- Proof of concept of attacks/protocols
- Learn about new attacks
- Finding devices and information
- Proactively protect against vulnerabilities
- Understanding attacks and security measures
Security tools type and examples
- Scapy
- nmap
- Ostinato
- TRex
- tcpdump
- Wireshark
- termshark
Security tools type and examples (2)
- THC-IPV6
- The IPv6 Toolkit
- Ettercap
- nmap
- OpenVAS
- Snort
- Suricata
- Zeek