The Internet industry is undergoing a fundamental change as it transitions from IPv4 to IPv6. These slides are from the June 2011 webcast which provided an overview of IPv6 Threats, recommendations on how to stay protected during the transition to IPv6 as well as information on what Commtouch is doing to ensure its solutions are IPv6 compliant. The webcast features Commtouch security experts Asaf Greiner and Gabriel M. Mizrahi. You can view the webcast on the Commtouch Slideshare page.

1. IPv6 Threats Slides from June 2011 webcast

2. 2 View the recorded webcast on SlideShare at… http://www.slideshare.net/Commtouch/commtouch-ipv6-threats on

3. Eyal OrgilMarketing DirectorCommtouch Welcome to Part 2IPv6 Informational Series

4. IPv6 Informational Series Part 1: An Introduction to IPv6 on Eyal OrgilMarketing DirectorCommtouch http://www.slideshare.net/Commtouch or at www.commtouch.com/introduction-ipv6

5. IPv6 Informational Series Part 1: An Introduction to IPv6 Part 2: IPv6 Security Threats Eyal OrgilMarketing DirectorCommtouch

6. Speakers Asaf GreinerVP ProductsCommtouch Gabriel M. MizrahiVP TechnologiesCommtouch

7. Have a question? Send questions to: IPv6@commtouch.com Responses posted: http://blog.commtouch.com

8. Is the Change to IPv6 aSignificant Security Event?

9. Is IPv6 a Significant Event Move to IPv6 a transition, not an event Taking place for several years Will continue for many more years There will be security implications During the transition period After fully implemented Many threats same as IPv4 Especially while dual-stacks are in use

10. Is IPv6 a Significant Event Many IPv4 threats not applicable to IPv6 Care must be taken when using dual-networks Many existing security solutions can protect against IPv6 threats But, must be properly configured Many threats related to transition to IPv6, not new threats

11. Is IPv6 a Significant Event Many IPv6 users today are experts and enthusiasts IPv6 is not yet in widespread usage Still see minimal usage of IPv6 Wider adoption of IPv6 depends on readiness of network infrastructures Currently no big incentive to move to IPv6

12. Is IPv6 a Significant Event Hackers will utilize IPv6 when it will bring them value Not deployed widely enough in order to invest time As IPv6 grows it will appear on the Hacker radar Transition a long process, not a one day event Advise that you learn and adjust

13. The Hype About IPv6 – Is it Just Another Y2K Scare?

14. Is IPv6 Another Y2K? Don’t be scared of IPv6, but don’t take lightly IPv6 is a technology which offers: New opportunities New challenges No date for IPv6 Will take years for IPv6 to become the main protocol

15. Is IPv6 Another Y2K? Expect many mission critical infrastructures to remain IPv4 Enough IPv4 addresses for these Unlikely websites will be moved to be IPv6 in near future When a large move occurs, we will know: There is a large user IPv6 base End of transition period is near

16. Top Security Issues with IPv6

17. IPv6 Security Issues Top three security related issues IPv6: Tunneling of IPv6 over IPv4 (6 to 4) Rogue devices IP Reputation

18. Threat: IP Tunneling

19. IPv6 Tunneling Threat IPv4 ConfiguredFirewall IPv4 Network IPv4 IPv4 IPv4 IPv4 Address Internal Network Internet

20. IPv6 Tunneling Threat IPv4 ConfiguredFirewall IPv4 Network IPv4 IPv4 IPv4 IPv6 Address Internal Network Internet

21. IPv6 Tunneling Threat IPv4 ConfiguredFirewall IPv4 Network GW IPv4-to-IPv6 Gateway IPv4 IPv6 IPv4 IPv4 IPv6 IPv6 over IPv4 IPv6 Address IPv6 over IPv4 tunnel Internal Network Internet

22. IPv6 Tunneling Threat IPv4 ConfiguredFirewall IPv4website FW Policy: No Angry Birds IPv4 Network IPv4 IPv4 IPv4 Internal Network Internet

23. IPv6 Tunneling Threat IPv4 ConfiguredFirewall IPv4website FW Policy: No Angry Birds IPv4 Network GW IPv4-to-IPv6 Gateway IPv6website IPv6 IPv4 IPv6 IPv4 IPv4 IPv6 over IPv4 Bypass firewall policy Internal Network Internet

24. IPv6 Tunneling Threat Need to be aware that security devices are configured for IPv6 For example firewalls Another example – IDS (Intrusion Detection System) Can inspect IPv6, but you need to enable it If not, you won’t be enforcing the policy on IPv6

25. Threat: Rogue Devices

26. Rogue Devices

27. Rogue Devices Rogue Device

28. Rogue Devices IPv6 Prefix IPv6 Prefix Rogue Device

29. Rogue Devices Windows 7 Windows 7 Windows 7 IPv4 Network

30. Rogue Devices Windows 7 Windows 7 Windows 7 IPv6 Network IPv4 Network IPv6 enabledby default

31. Rogue Devices Windows 7 Windows 7 Windows 7 Internet? Internet? Internet? IPv6 Network IPv4 Network IPv6 searchesfor accessto the Internet

32. Rogue Devices Windows 7 Windows 7 Windows 7 Internet? Internet? Internet? IPv6 Network IPv4 Network IPv6 Prefix IPv6 Prefix Internet IPv6 Rogue Device

33. Rogue Devices The difference is: IPv4 is used daily If a different allocation is provided, there will be noticeable effects With IPv6, the insertion of a rogue device may go unnoticed

34. Rogue Devices IPv6 Network Man in the middle Internet IPv6 Rogue Device

35. Rogue Devices IPv6 Network Man in the middle Internet IPv6 Rogue Device

36. Rogue Devices IPv6 Network Man in the middle Internet IPv6 Rogue Device

37. Rogue Devices IPv6 Network Man in the middle Internet IPv6 Rogue Device

38. Rogue Devices Not only a Windows problem An issue with most operating systems IPv6 is defined by default IPv6 could run in the background without anyone’s knowledge Security risk also in IPv4 with DHCP Make sure unauthorized devices cannot connect to your network

39. Threat: IP Reputation

40. IP Reputation Far more IP addresses in IPv6 232 compared to 2128 Challenges IP allocation will be different from IPv4 Anyone can get a large IP allocation Any person can get a 64 bit allocation (264) The entire Internet today is 232

41. IP Reputation Last 64 bits define the device ID Complicate issue by using randomizer to change 64 bit Every spam message could be sent from different IP From IP address: wwww From IP address: xxxx From IP address: yyyy 264 DifferentIP Addresses Internet From IP address: zzzz

43. Need other methods to build reputation

44. Such as subnets

45. Storing IP information in memory

46. Vast amount of memory will be needed

47. No NAT in IPv6

48. Some believe a security issue

49. They believe NAT provides a layer of security

51. Commtouch and IPv6 Commtouch has been working on IPv6 for some time Making changes to client side and back-end Client side will be transparent Focus has been on the back-end GlobalView Mail Reputation transparently supports more IPs addresses Still single query of an IP address but data storage more efficient

52. Commtouch and IPv6 Monitoring the Internet Identifying IPv6 threats Classifying threats Currently seeing minor IPv6 spam activity Believe spammers experimenting with IPv6 Too noticeable today to send spam via IPv6 when there is very little email on this network

53. Recommendations for MinimizingIPv6 threats

54. Gabriel Mizrahi’s IPv6 Recommendations Make sure you have mapped all devices on your network Implement IPv6 step-by-step Have a written procedure of how you will introduce IPv6 Plan to implement a dual stack as a first stage

55. Asaf Greiner’s IPv6 Recommendations Get educated about IPv6 Everyone should go back to networking fundamentals Understand what’s implemented on our network today, and why Then look at what needs to remain or change Learn from others What mistakes and successes other have experienced

56. Asaf Greiner’s IPv6 Recommendations Lockdown from IPv6 as a start Then implement staged plan to roll out IPv6 Take care to avoid configuration errors

57. Thank you to Asaf Greiner Commtouch VP Products Gabriel M. MizrahiCommtouch VP Technologies

58. 51 View the recorded webcast on SlideShare at… http://www.slideshare.net/Commtouch/commtouch-ipv6-threats on

59. Have a question? Send questions to: IPv6@commtouch.com Responses posted: http://blog.commtouch.com

60. Please check back for future informational webcasts