Suche senden
Hochladen
Michael De Leo Global IPv6 Summit México 2009
•
2 gefällt mir
•
747 views
Jaime Olmos
Folgen
IPv6 Security Threats and Mitigations Michael De Leo Office of the CTO mdeleo@cisco.com
Weniger lesen
Mehr lesen
Technologie
Melden
Teilen
Melden
Teilen
1 von 34
Empfohlen
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of View
IPv6 Conference
CCNA Security - Chapter 7
CCNA Security - Chapter 7
Irsandi Hasan
Ethernet and TCP optimizations
Ethernet and TCP optimizations
Jeff Squyres
CVamrishBel
CVamrishBel
Amrish Paul
Michael De Leo Global IPv6 Summit México 2009
Michael De Leo Global IPv6 Summit México 2009
Jaime Olmos
ITpro EXPO 2014: 【特別講演】シスコのもたらすITインフラ イノベーション
ITpro EXPO 2014: 【特別講演】シスコのもたらすITインフラ イノベーション
シスコシステムズ合同会社
ngtest_presentation_0418
ngtest_presentation_0418
techweb08
Развитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях Cisco
Cisco Russia
Empfohlen
Eric Vyncke - IPv6 Security Vendor Point of View
Eric Vyncke - IPv6 Security Vendor Point of View
IPv6 Conference
CCNA Security - Chapter 7
CCNA Security - Chapter 7
Irsandi Hasan
Ethernet and TCP optimizations
Ethernet and TCP optimizations
Jeff Squyres
CVamrishBel
CVamrishBel
Amrish Paul
Michael De Leo Global IPv6 Summit México 2009
Michael De Leo Global IPv6 Summit México 2009
Jaime Olmos
ITpro EXPO 2014: 【特別講演】シスコのもたらすITインフラ イノベーション
ITpro EXPO 2014: 【特別講演】シスコのもたらすITインフラ イノベーション
シスコシステムズ合同会社
ngtest_presentation_0418
ngtest_presentation_0418
techweb08
Развитие решений для маршрутизации в корпоративных сетях Cisco
Развитие решений для маршрутизации в корпоративных сетях Cisco
Cisco Russia
OpSource Enterprise-Class Security
OpSource Enterprise-Class Security
OpSource
CISCO
CISCO
srilasitha
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
1 2d
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport
IPv6no
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 final
IPv6no
Ключевые тенденции отрасли в последнее время
Ключевые тенденции отрасли в последнее время
SkillFactory
Cisco asr 1000 series embedded services processors data sheet.
Cisco asr 1000 series embedded services processors data sheet.
Amanda Meng
IPv6 Security Potpourri
IPv6 Security Potpourri
_xhr_
Astricon 2007
Astricon 2007
Stefano Carlini
Cisco entel summit2010
Cisco entel summit2010
Entel
vBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking Talk
mestery
Skyjacking A Cisco WLAN - What it means and how to protect against it?
Skyjacking A Cisco WLAN - What it means and how to protect against it?
Samir Palnitkar
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
c3i
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Cisco Russia
Jatinder Singh
Jatinder Singh
Jatinder Virk
Punjab revenue patwari
Punjab revenue patwari
Govind Sen
Sagestuido 사용자 매뉴얼_20150904
Sagestuido 사용자 매뉴얼_20150904
Soohyun Kim
Fuel Notes from September 22nd
Fuel Notes from September 22nd
GG Lake Houston
El tepochcalli
El tepochcalli
Yari Cetina
Ley orgánica de la educación pública
Ley orgánica de la educación pública
Yari Cetina
Gbi enviar .-
Gbi enviar .-
natu3
Bus snowden presentation
Bus snowden presentation
CJW78755
Weitere ähnliche Inhalte
Was ist angesagt?
OpSource Enterprise-Class Security
OpSource Enterprise-Class Security
OpSource
CISCO
CISCO
srilasitha
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
1 2d
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport
IPv6no
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 final
IPv6no
Ключевые тенденции отрасли в последнее время
Ключевые тенденции отрасли в последнее время
SkillFactory
Cisco asr 1000 series embedded services processors data sheet.
Cisco asr 1000 series embedded services processors data sheet.
Amanda Meng
IPv6 Security Potpourri
IPv6 Security Potpourri
_xhr_
Astricon 2007
Astricon 2007
Stefano Carlini
Cisco entel summit2010
Cisco entel summit2010
Entel
vBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking Talk
mestery
Skyjacking A Cisco WLAN - What it means and how to protect against it?
Skyjacking A Cisco WLAN - What it means and how to protect against it?
Samir Palnitkar
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
c3i
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Cisco Russia
Jatinder Singh
Jatinder Singh
Jatinder Virk
Was ist angesagt?
(15)
OpSource Enterprise-Class Security
OpSource Enterprise-Class Security
CISCO
CISCO
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
Cisco.press.cisco.ospf.command.and.configuration.handbook.(ccie.professional....
Ole Ipv4onlifesupport
Ole Ipv4onlifesupport
Geir Making the leap to ipv6 final
Geir Making the leap to ipv6 final
Ключевые тенденции отрасли в последнее время
Ключевые тенденции отрасли в последнее время
Cisco asr 1000 series embedded services processors data sheet.
Cisco asr 1000 series embedded services processors data sheet.
IPv6 Security Potpourri
IPv6 Security Potpourri
Astricon 2007
Astricon 2007
Cisco entel summit2010
Cisco entel summit2010
vBrownBag OpenStack Networking Talk
vBrownBag OpenStack Networking Talk
Skyjacking A Cisco WLAN - What it means and how to protect against it?
Skyjacking A Cisco WLAN - What it means and how to protect against it?
ITSAC 2011 SCAP for Inter-networking Devices
ITSAC 2011 SCAP for Inter-networking Devices
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Новая эра корпоративных сетей с Cisco Catalyst 9000 и другие инновации для ма...
Jatinder Singh
Jatinder Singh
Andere mochten auch
Punjab revenue patwari
Punjab revenue patwari
Govind Sen
Sagestuido 사용자 매뉴얼_20150904
Sagestuido 사용자 매뉴얼_20150904
Soohyun Kim
Fuel Notes from September 22nd
Fuel Notes from September 22nd
GG Lake Houston
El tepochcalli
El tepochcalli
Yari Cetina
Ley orgánica de la educación pública
Ley orgánica de la educación pública
Yari Cetina
Gbi enviar .-
Gbi enviar .-
natu3
Bus snowden presentation
Bus snowden presentation
CJW78755
Графика
Графика
Оксана Гусева
Teorías de la educación
Teorías de la educación
Yari Cetina
WLK 350 Project
WLK 350 Project
CJW78755
In layout acad
In layout acad
Tran Sang
Helen Lorigan HashChing Media Release 30.8.16
Helen Lorigan HashChing Media Release 30.8.16
Helen Lorigan
COTI Overview
COTI Overview
Critical Outcome Technologies Inc.
Cine Leblon - Centro Empresarial Luiz Severiano Ribeiro
Cine Leblon - Centro Empresarial Luiz Severiano Ribeiro
Imóveis Mais Rio
WHY M&A?
WHY M&A?
Hyungil CHO
Merche. hispania romana
Merche. hispania romana
mercheguillen
Historia de polonia xi
Historia de polonia xi
siltomc
Revolucion francesa
Revolucion francesa
mijaresferortega
Unidad 2 la revolución francesa y el imperio napoleónico 6
Unidad 2 la revolución francesa y el imperio napoleónico 6
lesamissansculottes
LA CRISIS DEL ANTIGUO REGIMEN
LA CRISIS DEL ANTIGUO REGIMEN
JUAN DIEGO
Andere mochten auch
(20)
Punjab revenue patwari
Punjab revenue patwari
Sagestuido 사용자 매뉴얼_20150904
Sagestuido 사용자 매뉴얼_20150904
Fuel Notes from September 22nd
Fuel Notes from September 22nd
El tepochcalli
El tepochcalli
Ley orgánica de la educación pública
Ley orgánica de la educación pública
Gbi enviar .-
Gbi enviar .-
Bus snowden presentation
Bus snowden presentation
Графика
Графика
Teorías de la educación
Teorías de la educación
WLK 350 Project
WLK 350 Project
In layout acad
In layout acad
Helen Lorigan HashChing Media Release 30.8.16
Helen Lorigan HashChing Media Release 30.8.16
COTI Overview
COTI Overview
Cine Leblon - Centro Empresarial Luiz Severiano Ribeiro
Cine Leblon - Centro Empresarial Luiz Severiano Ribeiro
WHY M&A?
WHY M&A?
Merche. hispania romana
Merche. hispania romana
Historia de polonia xi
Historia de polonia xi
Revolucion francesa
Revolucion francesa
Unidad 2 la revolución francesa y el imperio napoleónico 6
Unidad 2 la revolución francesa y el imperio napoleónico 6
LA CRISIS DEL ANTIGUO REGIMEN
LA CRISIS DEL ANTIGUO REGIMEN
Ähnlich wie Michael De Leo Global IPv6 Summit México 2009
IPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
Swiss IPv6 Council
IPv6 Test Methodology
IPv6 Test Methodology
Ixia
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
IKT-Norge
Ole - Ipv4onlifesupport
Ole - Ipv4onlifesupport
IPv6no
IPv6IntegrationBestPracticesfinal.pdf
IPv6IntegrationBestPracticesfinal.pdf
CPUHogg
Ccna prep ip subnetting from networkers[1]
Ccna prep ip subnetting from networkers[1]
Ivana Veljkovic
Mastering Ip Subnetting Forever
Mastering Ip Subnetting Forever
Wazir Ansari
Network Configuration Example: Configuring IS-IS Dual Stacking of IPv4 and IP...
Network Configuration Example: Configuring IS-IS Dual Stacking of IPv4 and IP...
Juniper Networks
Survey on IPv6 security issues
Survey on IPv6 security issues
bathinin1
10 fn s05
10 fn s05
Scott Foster
10 fn s05
10 fn s05
Scott Foster
Network Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XR
Cisco Canada
A10 Networks: IPv6 Solutions for Enterprise by Paul Nicholson at gogoNET LIVE...
A10 Networks: IPv6 Solutions for Enterprise by Paul Nicholson at gogoNET LIVE...
gogo6
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
DataWorks Summit
PLNOG16: IOS XR – 12 lat innowacji, Krzysztof Mazepa
PLNOG16: IOS XR – 12 lat innowacji, Krzysztof Mazepa
PROIDEA
02 ipv6-cpe-panel security
02 ipv6-cpe-panel security
Haris Padinharethil
Ccna PrepCenter - IP Subnetting from Networkers
Ccna PrepCenter - IP Subnetting from Networkers
🎯Renatho Sinuma MBA™®🎓
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
gogo6
2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 Transition
Johnson Liu
Apend. networking generic a
Apend. networking generic a
Acácio Oliveira
Ähnlich wie Michael De Leo Global IPv6 Summit México 2009
(20)
IPv6 Security - Myths and Reality
IPv6 Security - Myths and Reality
IPv6 Test Methodology
IPv6 Test Methodology
Eric Vyncke - IPv6 security in general
Eric Vyncke - IPv6 security in general
Ole - Ipv4onlifesupport
Ole - Ipv4onlifesupport
IPv6IntegrationBestPracticesfinal.pdf
IPv6IntegrationBestPracticesfinal.pdf
Ccna prep ip subnetting from networkers[1]
Ccna prep ip subnetting from networkers[1]
Mastering Ip Subnetting Forever
Mastering Ip Subnetting Forever
Network Configuration Example: Configuring IS-IS Dual Stacking of IPv4 and IP...
Network Configuration Example: Configuring IS-IS Dual Stacking of IPv4 and IP...
Survey on IPv6 security issues
Survey on IPv6 security issues
10 fn s05
10 fn s05
10 fn s05
10 fn s05
Network Function Virtualization (NFV) using IOS-XR
Network Function Virtualization (NFV) using IOS-XR
A10 Networks: IPv6 Solutions for Enterprise by Paul Nicholson at gogoNET LIVE...
A10 Networks: IPv6 Solutions for Enterprise by Paul Nicholson at gogoNET LIVE...
Analyzing 1.2 Million Network Packets per Second in Real-time
Analyzing 1.2 Million Network Packets per Second in Real-time
PLNOG16: IOS XR – 12 lat innowacji, Krzysztof Mazepa
PLNOG16: IOS XR – 12 lat innowacji, Krzysztof Mazepa
02 ipv6-cpe-panel security
02 ipv6-cpe-panel security
Ccna PrepCenter - IP Subnetting from Networkers
Ccna PrepCenter - IP Subnetting from Networkers
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
Deploying IPv6 in Cisco's Labs by Robert Beckett at gogoNET LIVE! 3 IPv6 Conf...
2011 TWNIC SP IPv6 Transition
2011 TWNIC SP IPv6 Transition
Apend. networking generic a
Apend. networking generic a
Mehr von Jaime Olmos
Taller monitoreo CUDI 2010
Taller monitoreo CUDI 2010
Jaime Olmos
Luciano Romero Convergencia Fijo Móvil
Luciano Romero Convergencia Fijo Móvil
Jaime Olmos
Medios UdeG
Medios UdeG
Jaime Olmos
Medios UdeG
Medios UdeG
Jaime Olmos
Universidad de Guadalajara
Universidad de Guadalajara
Jaime Olmos
Renata
Renata
Jaime Olmos
Welcome To Multimedia & Ipv6 Collaboration Network
Welcome To Multimedia & Ipv6 Collaboration Network
Jaime Olmos
Twitter Lphinojosa
Twitter Lphinojosa
Jaime Olmos
Sg Software Guru Inicio
Sg Software Guru Inicio
Jaime Olmos
Observatorio IPv6
Observatorio IPv6
Jaime Olmos
Eventos Cudi
Eventos Cudi
Jaime Olmos
Segundo Congreso Internacional Global I Pv6 Summit MéXico 2009 El Futuro De I...
Segundo Congreso Internacional Global I Pv6 Summit MéXico 2009 El Futuro De I...
Jaime Olmos
Erik Huesca Global IPv6 Summit México 2009
Erik Huesca Global IPv6 Summit México 2009
Jaime Olmos
Enrique Melrose Global IPv6 Summit México 2009
Enrique Melrose Global IPv6 Summit México 2009
Jaime Olmos
Carlos Silva Ponce de León Global IPv6 Summit México 2009
Carlos Silva Ponce de León Global IPv6 Summit México 2009
Jaime Olmos
José Alberto Incera Diéguez Global IPv6 Summit México 2009
José Alberto Incera Diéguez Global IPv6 Summit México 2009
Jaime Olmos
Isidro Cerda Global IPv6 Summit México 2009
Isidro Cerda Global IPv6 Summit México 2009
Jaime Olmos
Raul Echeverría Global IPv6 Summit México 2009
Raul Echeverría Global IPv6 Summit México 2009
Jaime Olmos
Mehr von Jaime Olmos
(18)
Taller monitoreo CUDI 2010
Taller monitoreo CUDI 2010
Luciano Romero Convergencia Fijo Móvil
Luciano Romero Convergencia Fijo Móvil
Medios UdeG
Medios UdeG
Medios UdeG
Medios UdeG
Universidad de Guadalajara
Universidad de Guadalajara
Renata
Renata
Welcome To Multimedia & Ipv6 Collaboration Network
Welcome To Multimedia & Ipv6 Collaboration Network
Twitter Lphinojosa
Twitter Lphinojosa
Sg Software Guru Inicio
Sg Software Guru Inicio
Observatorio IPv6
Observatorio IPv6
Eventos Cudi
Eventos Cudi
Segundo Congreso Internacional Global I Pv6 Summit MéXico 2009 El Futuro De I...
Segundo Congreso Internacional Global I Pv6 Summit MéXico 2009 El Futuro De I...
Erik Huesca Global IPv6 Summit México 2009
Erik Huesca Global IPv6 Summit México 2009
Enrique Melrose Global IPv6 Summit México 2009
Enrique Melrose Global IPv6 Summit México 2009
Carlos Silva Ponce de León Global IPv6 Summit México 2009
Carlos Silva Ponce de León Global IPv6 Summit México 2009
José Alberto Incera Diéguez Global IPv6 Summit México 2009
José Alberto Incera Diéguez Global IPv6 Summit México 2009
Isidro Cerda Global IPv6 Summit México 2009
Isidro Cerda Global IPv6 Summit México 2009
Raul Echeverría Global IPv6 Summit México 2009
Raul Echeverría Global IPv6 Summit México 2009
Kürzlich hochgeladen
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
apidays
Architecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
Zilliz
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
Rustici Software
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Deepika Singh
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
jfdjdjcjdnsjd
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Zilliz
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Zilliz
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Andrey Devyatkin
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
The Digital Insurer
Kürzlich hochgeladen
(20)
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Architecting Cloud Native Applications
Architecting Cloud Native Applications
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
presentation ICT roal in 21st century education
presentation ICT roal in 21st century education
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Michael De Leo Global IPv6 Summit México 2009
1.
IPv6 Security
Threats and Mitigations Michael De Leo Office of the CTO mdeleo@cisco.com Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Session Objectives IPv6 vs. to IPv4 from a threat and mitigation perspective Advanced IPv6 security topics like transition options and dual stack environments Requirements: basic knowledge of the IPv6 and IPSec protocols as well as IPv4 security best practices Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 © 2006, Cisco Systems, Inc. All rights reserved. 1 Presentation_ID.scr
2.
For Your
For Reference Slides Reference There are more slides in the hand-outs than presented during the class Those slides are mainly for reference and are indicated by the book icon on the top right corner (as on this slide) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3 Agenda Shared Issues by IPv4 and IPv6 Specific Issues for IPv6 IPsec everywhere, dual-stack, tunnels and 6VPE IPv6 Security Best Common Practice Enforcing a Security Policy in IPv6 ACL, Firewalls and Host IPS Enterprise Secure Deployment Secure IPv6 transport over public network Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 © 2006, Cisco Systems, Inc. All rights reserved. 2 Presentation_ID.scr
3.
IPv4 Vul.
IPv6 Vul. Shared Issues Security Issues Shared by IPv4 and IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Reconnaissance in IPv6 Scanning Methods Are Likely to Change Default subnets in IPv6 have 264 addresses 10 Mpps = more than 50 000 years Public servers will still need to be DNS reachable ⇒ More information collected by Google... Increased deployment/reliance on dynamic DNS => More information will be in DNS Administrators may adopt easy-to-remember addresses (:: 10,::20,::F00D, ::C5C0 or simply IPv4 last octet for dual stack) By compromising hosts in a network, an attacker can learn new addresses to scan Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6 © 2006, Cisco Systems, Inc. All rights reserved. 3 Presentation_ID.scr
4.
Scanning Made Bad
for CPU Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery... And waste CPU and memory Built-in rate limiter but no option to tune it Using a /64 on point-to-point links => a lot of addresses to scan! Using infrastructure ACL prevents this scanning iACL: edge ACL denying packets addressed to your routers Easy with IPv6 because new addressing scheme can be done Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7 Viruses and Worms in IPv6 Viruses and email, IM worms: IPv6 brings no change Other worms: IPv4: reliance on network scanning IPv6: not so easy (see reconnaissance) => will use alternative techniques Worm developers will adapt to IPv6 IPv4 best practices around worm detection and mitigation remain valid Potential router CPU attacks if aggressive scanning Router will do Neighbor Discovery... Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 8 © 2006, Cisco Systems, Inc. All rights reserved. 4 Presentation_ID.scr
5.
IPv6 Privacy Extensions
(RFC 3041) /23 /32 /48 /64 2001 Interface ID Temporary addresses for IPv6 host client application, e.g. web browser Inhibit device/user tracking Random 64 bit interface ID, then run Duplicate Address Detection before using it Rate of change based on local policy Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 9 L3 Spoofing in IPv6 uRPF Remains the Primary Tool for Protecting Against L3 Spoofing uRPF Loose Mode Inter-Networking Device with uRPF Enabled Access Layer X IPv6 Intranet/ Internet Spoofed IPv6 No Route to Src Addr prefix Source Address => Drop uRPF Strict Mode Inter-Networking Device with uRPF Enabled Access Layer X IPv6 Intranet/ Internet Spoofed IPv6 No Route to Src Addr prefix out the Source Address packet inbound interface => Drop IP Source Guard does not exist yet (see further slides) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 10 © 2006, Cisco Systems, Inc. All rights reserved. 5 Presentation_ID.scr
6.
ICMPv4 vs. ICMPv6
Significant changes More relied upon ICMP Message Type ICMPv4 ICMPv6 Connectivity Checks X X Informational/Error Messaging X X Fragmentation Needed Notification X X Address Assignment X Address Resolution X Router Discovery X Multicast Group Management X Mobile IPv6 Support X => ICMP policy on firewalls needs to change Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 11 For Your Equivalent ICMPv6 Reference Border Firewall Transit Policy* Internal Server A Internet ICMPv6 ICMPv6 Action Src Dst Name Type Code Permit Any A 128 0 Echo Reply Permit Any A 129 0 Echo Request Permit Any A 1 0 No Route to Dst. Permit Any A 2 0 Packet Too Big Time Exceeded— Permit Any A 3 0 TTL Exceeded Permit Any A 4 0 Parameter Problem *RFC 4890 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 12 © 2006, Cisco Systems, Inc. All rights reserved. 6 Presentation_ID.scr
7.
For Your
Potential Additional ICMPv6 Reference Border Firewall Receive Policy* Internal Server A Firewall B Internet ICMPv6 ICMPv6 Action Src Dst Name Type Code Permit Any B 2 0 Packet too Big Permit Any B 130–132 0 Multicast Listener Neighbor Solicitation Permit Any B 133/134 0 and Advertisement Permit Any B 4 0 Parameter Problem *RFC 4890 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 13 IPv6 Routing Header An extension header Processed by the listed intermediate routers Two types Type 0: similar to IPv4 source routing (multiple intermediate routers) Type 2: used for mobile IPv6 Next Header = 43 IPv6 Basic Header Routing Header Routing Header Routing Header Next Header Ext Hdr Length RH Type Routing Type Segments Left Routing Header Data Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 14 © 2006, Cisco Systems, Inc. All rights reserved. 7 Presentation_ID.scr
8.
Type 0 Routing
Header Issue #2: Amplification Attack What if attacker sends a packet with RH containing A -> B -> A -> B -> A -> B -> A -> B -> A .... Packet will loop multiple time on the link R1-R2 An amplification attack! A B Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 15 Preventing Routing Header Attacks Apply same policy for IPv6 as for Ipv4: Block Routing Header type 0 Prevent processing at the intermediate nodes no ipv6 source-route Windows, Linux, MacOS: default setting At the edge With an ACL blocking routing header RFC 5095 (Dec 2007) RH0 is deprecated Default IOS will change in 12.5T Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 16 © 2006, Cisco Systems, Inc. All rights reserved. 8 Presentation_ID.scr
9.
ARP Spoofing is
now NDP Spoofing: Threats ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones Stateless Address Autoconfiguration rogue RA (malicious or not) All nodes badly configured DoS Traffic interception (Man In the Middle Attack) Attack tools exist (from THC – The Hacker Choice) Parasit6 Fakerouter6 ... Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 17 ARP Spoofing is now NDP Spoofing: Mitigation Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 18 © 2006, Cisco Systems, Inc. All rights reserved. 9 Presentation_ID.scr
10.
Quick Reminder
IPv4 Broadcast Amplification: Smurf 160.154.5.0 ICMP REPLY D=172.18.1.2 S=160.154.5.14 Attempt to Overwhelm WAN ICMP REPLY D=172.18.1.2 S=160.154.5.15 Link to Destination ICMP REPLY D=172.18.1.2 S=160.154.5.16 ICMP REPLY D=172.18.1.2 S=160.154.5.17 172.18.1.2 ICMP REPLY D=172.18.1.2 S=160.154.5.18 ICMP REPLY D=172.18.1.2 S=160.154.5.19 Belgian ICMP REQ D=160.154.5.255 S= 172.18.1.2 Schtroumpf Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 19 IPv6 and Broadcasts There are no broadcast addresses in IPv6 Broadcast address functionality is replaced with appropriate link local multicast addresses Link Local All Nodes Multicast—FF02::1 Link Local All Routers Multicast—FF02::2 Link Local All mDNS Multicast—FF02::FB Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot masquerade as his victim http://iana.org/assignments/ipv6-multicast-addresses/ Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 20 © 2006, Cisco Systems, Inc. All rights reserved. 10 Presentation_ID.scr
11.
IPv6 and Other
Amplification Vectors IOS implements correctly RFC 4443 ICMPv6 No ping-pong on a physical point-to-point link Section 3.1 No ICMP error message should be generated in response to a packet with a multicast destination address Section 2.4 (e.3) Exceptions for Section 2.4 (e.3) – packet too big message – the parameter problem message • Rate Limit egress ICMP Packets • Rate limit ICMP messages generation • Secure the multicast network (source specific multicast) • Note: Implement Ingress Filtering of Packets with IPv6 Multicast Source Addresses Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 21 Preventing IPv6 Routing Attacks Protocol Authentication BGP, ISIS, EIGRP no change: An MD5 authentication of the routing update OSPFv3 has changed and pulled MD5 authentication from the protocol and instead is supposed to rely on transport mode IPSec RIPng, PIM also rely on IPSec IPv6 routing attack best practices Use traditional authentication mechanisms on BGP and IS-IS Use IPSec to secure protocols such as OSPFv3 and RIPng Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 22 © 2006, Cisco Systems, Inc. All rights reserved. 11 Presentation_ID.scr
12.
IPv6 Attacks with
Strong IPv4 Similarities Sniffing Without IPSec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4 Application layer attacks Even with IPSec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent Rogue devices Rogue devices will be as easy to insert into an IPv6 network as in IPv4 Man-in-the-Middle Attacks (MITM) Without IPSec, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4 Flooding Flooding attacks are identical between IPv4 and IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 23 IPv6 Stack Vulnerabilities IPv6 stacks are new and could be buggy Some examples CVE-2008-2476 Oct 2008 FreeBSD Lack of validation of NDP OpenBSD messages NetBSD and others CVE-2008-2136 May 2008 Linux DoS caused by memory leak in IPv6 tunnels CVE-2008-1153 Mar 2008 IOS Cisco IOS dual-stack router IPv6 DoS CVE-2007-4689 Nov 2007 Apple Mac OS X Packet processing double-free memory corruption CVE-2007-3038 Aug 2007 Microsoft Microsoft Windows Vista Teredo interface firewall bypass Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 24 © 2006, Cisco Systems, Inc. All rights reserved. 12 Presentation_ID.scr
13.
By the Way:
It Is Real IPv6 Hacking Tools Let the Games Begin Sniffers/packet capture Scanners Snort IPv6 security scanner TCPdump Halfscan6 Sun Solaris snoop Nmap COLD Strobe Wireshark Netcat Analyzer DoS Tools Windump 6tunneldos WinPcap 4to6ddos Imps6-tools Packet forgers Scapy6 SendIP Packit Spak6 Complete tool http://www.thc.org/thc-ipv6/ Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 25 IPv4 Vul. IPv6 Vul. Specific IPv6 Issues Issues Applicable only to IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 26 © 2006, Cisco Systems, Inc. All rights reserved. 13 Presentation_ID.scr
14.
The IPsec Myth:
IPsec End-to-End will Save the World Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets. Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 27 IPv4 to IPv6 Transition Challenges 16+ methods, possibly in combination Dual stack Consider security for both protocols Cross v4/v6 abuse Resiliency (shared resources) Tunnels Bypass firewalls (protocol 41 or UDP) Can cause asymmetric traffic (hence breaking stateful firewalls) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 28 © 2006, Cisco Systems, Inc. All rights reserved. 14 Presentation_ID.scr
15.
Dual Stack Host
Considerations IPv4 IPsecVPN with No Split Tunneling Dual Stack Client IPv6 HDR IPv6 Exploit Does the IPsec Client Stop an Inbound IPv6 Exploit? Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 29 Dual Stack with Enabled IPv6 by Default Your host: IPv4 is protected by your favorite personal firewall... IPv6 is enabled by default (Vista, Linux, Mac OS/X, ...) Your network: Does not run IPv6 Your assumption: I’m safe Reality You are not safe Attacker sends Router Advertisements Your host configures silently to IPv6 You are now under IPv6 attack => Probably time to think about IPv6 in your network Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 30 © 2006, Cisco Systems, Inc. All rights reserved. 15 Presentation_ID.scr
16.
L3-L4 Spoofing in
IPv6 When Using IPv6 over IPv4 Tunnels Most IPv4/IPv6 transition mechanisms have no authentication built in => an IPv4 attacker can inject traffic if spoofing on IPv4 and IPv6 addresses IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Is Spoofed Tunnel Termination Forwards the Inner IPv6 Packet IPv4 IPv6 Public IPv4 Internet IPv6 Network IPv6 Network IPv6 in IPv4 Tunnel Tunnel Tunnel Termination Termination Server A Server B Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 31 6to4/ISATAP Tunnels Bypass ACL IPv6 6to4 relay Internet ACL IPv4 tunnel 6to4 6to4 router router Direct tunneled traffic ignores hub ACL Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6to4 router 32 © 2006, Cisco Systems, Inc. All rights reserved. 16 Presentation_ID.scr
17.
TEREDO?
Teredo navalis A shipworm drilling holes in boat hulls Teredo Microsoftis IPv6 in IPv4 punching holes in NAT devices Source: United States Geological Survey Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 33 Teredo Tunnels (1/3) Without Teredo: Controls Are in Place All outbound traffic inspected: e.g., P2P is blocked All inbound traffic blocked by firewall IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 34 © 2006, Cisco Systems, Inc. All rights reserved. 17 Presentation_ID.scr
18.
Teredo Tunnels (2/3)
No More Outbound Control Teredo threats—IPv6 over UDP (port 3544) Internal users wants to get P2P over IPv6 Configure the Teredo tunnel (already enabled by default!) FW just sees IPv4 UDP traffic (may be on port 53) No more outbound control by FW IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 35 Teredo Tunnels (3/3) No More Outbound Control Once Teredo Configured Inbound connections are allowed IPv4 firewall unable to control IPv6 hackers can penetrate Host security needs IPv6 support now IPv6 Internet IPv4 Internet Teredo Relay IPv4 Firewall IPv4 Intranet Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 36 © 2006, Cisco Systems, Inc. All rights reserved. 18 Presentation_ID.scr
19.
Is it real?
May be uTorrrent 1.8 (released Aug 08) Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 37 Can We Block Rogue Tunnels? Rogue tunnels by naïve users: Sure, block IP protocol 41 and UDP/3544 In Windows: netsh interface 6to4 set state state=disabled undoonstop=disabled netsh interface isatap set state state=disabled netsh interface teredo set state type=disabled Really rogue tunnels (covert channels) No easy way... Teredo will run over a different UDP port of course Network devices can be your friend (more to come) Deploying native IPv6 (including IPv6 firewalls and IPS) is probably a better alternative Or disable IPv6 on Windows through GPO or CSA 6.0 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 38 © 2006, Cisco Systems, Inc. All rights reserved. 19 Presentation_ID.scr
20.
SP Transition Mechanism:
6VPE 6VPE: the MPLS-VPN extension to also transport IPv6 traffic over a MPLS cloud and IPv4 BGP sessions v4 only VPN v4 only VPN 10.1.1.0/24 10.1.2.0/24 PE1 PE3 VRF v4 and v6 VPN IPv4 only MPLS VRF v4 and v6 VPN VRF 2001:db8:1:1:/64 Dual-Stack 2001:db8:1:2:/64 Dual-Stack IPv4-IPv6 10.1.1.0/24 IPv4-IPv6 10.1.2.0/24 PE Routers PE Routers VRF v6 VPN VRF v6 VPN PE4 VRF PE2 2001:db8:1:1:/64 2001:db8:1:2:/64 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 39 6VPE Security Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 40 © 2006, Cisco Systems, Inc. All rights reserved. 20 Presentation_ID.scr
21.
IPv6 Security
Best Common Practice Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 41 For Your Candidate Best Practices Reference Train your network operators and security managers on IPv6 Selectively filter ICMP (RFC 4890) Implement RFC 2827-like filtering Block Type 0 Routing Header at the edge Determine what extension headers will be allowed through the access control device Deny IPv6 fragments destined to an internetworking device when possible Use traditional authentication mechanisms on BGP and IS-IS Use IPsec to secure protocols such as OSPFv3 and RIPng Document procedures for last-hop traceback Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 42 © 2006, Cisco Systems, Inc. All rights reserved. 21 Presentation_ID.scr
22.
For Your
Candidate Best Practices (Cont.) Reference Implement privacy extensions carefully Filter internal-use IPv6 addresses & ULA at the border routers Filter unneeded services at the firewall Maintain host and application security Use cryptographic protections where critical Implement ingress filtering of packets with IPv6 multicast source addresses Use static tunneling rather than dynamic tunneling Implement outbound filtering on firewall devices to allow only authorized tunneling endpoints Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 43 Enforcing a Security Policy Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 44 © 2006, Cisco Systems, Inc. All rights reserved. 22 Presentation_ID.scr
23.
Cisco IOS IPv6
Extended Access Control Lists Very much like in IPv4 Filter traffic based on Source and destination addresses Next header presence Layer 4 information Implicit deny all at the end of ACL Empty ACL means traffic allowed Reflexive and time based ACL Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until: Layer 4 header found Unknown extension header is found Side note for 7600 & other switches: No VLAN ACL Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (end 2009), Cat 6K (mid 2010) Long extension headers chain force a software switching Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 45 IOS IPv6 Extended ACL Can match on Upper layers: TCP, UDP, SCTP port numbers TCP flags SYN, ACK, FIN, PUSH, URG, RST ICMPv6 code and type Traffic class (only six bits/8) = DSCP Flow label (0-0xFFFFF) IPv6 extension header routing matches any RH, routing-type matches specific RH mobility matches any MH, mobility-type matches specific MH dest-option matches any, dest-option-type matches specific destination options auth matches AH Can skip AH (but not ESP) since IOS 12.4(20)T fragments keyword matches Non-initial fragments (same as IPv4) And the first fragment if the L4 protocol cannot be determined undetermined-transport keyword matches (only for deny) Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 46 © 2006, Cisco Systems, Inc. All rights reserved. 23 Presentation_ID.scr
24.
Cisco IOS IPv6
ACL A Trivial Example Filtering inbound traffic to one specific destination address 2001:db8:2c80:1000::1 others ipv6 access-list MY_ACL remark basic anti-spoofing IPv6 Internet deny 2001:db8:2c80:1000::/64 any permit any 2001:db8:2c80:1000::1/128 interface Serial 0 ipv6 traffic-filter MY_ACL in Serial 0 Prefix: 2001:db8:2c80:1000::/64 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 47 Example: Rogue RA & DHCP Port ACL ipv6 access-list ACCESS_PORT remark Block all traffic DHCP server -> client deny udp any eq 547 any eq 546 remark Block Router Advertisements deny icmp any any router-advertisement permit any any Interface gigabitethernet 1/0/1 switchport ipv6 traffic-filter ACCESS_PORT in Note: PACL replaces RACL for the interface In May 2009, only on Nexus-7000 and Cat 3750 12.2(46)SE Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 48 © 2006, Cisco Systems, Inc. All rights reserved. 24 Presentation_ID.scr
25.
For Your
IPv6 ACL to Protect VTY Reference ipv6 access-list VTY permit ipv6 2001:db8:0:1::/64 any line vty 0 4 ipv6 access-class VTY in Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 49 Cisco IOS Firewall IPv6 Support Stateful protocol inspection (anomaly detection) of IPv6 fragmented packets, TCP, UDP, ICMP and FTP traffic IOS 12.3(7)T (released 2005) Stateful inspection of IPv4/IPv6 packets IPv6 DoS attack mitigation Recognizes IPv6 extension headers IPv6 Router with IPv4 Cisco IOS Firewall IPv6 Router with Site 3 Cisco IOS Firewall IPv6 IPv6 Router with Cisco IOS Firewall Dual Stack Site 1 Router IPv6 Internet IPv6 Site 2 IPv6 (IPv4) IPv6 Router with Cisco IOS Firewall Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 50 © 2006, Cisco Systems, Inc. All rights reserved. 25 Presentation_ID.scr
26.
ASA Firewall IPv6
Support Since version 7.0 (April 2005) Dual-stack, IPv6 only, IPv4 only Extended IP ACL with stateful inspection Application awareness HTTP, FTP, telnet, SMTP, TCP, SSH, UDP uRPF and v6 Frag guard IPv6 header security checks Management access via IPv6 Telnet, SSH, HTTPS ASDM support (ASA 8.2) Routed & transparent mode (ASA 8.2) Caveat: no fail-over support Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 51 Cisco Security Agent and IPv6 IPv6 support for Windows in CSA 6.0.1 (June 2008) deny – IPv6 ACL (only on Vista) – Disable IPv6 (XP and Vista) to any IPv6 addresses Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 52 © 2006, Cisco Systems, Inc. All rights reserved. 26 Presentation_ID.scr
27.
Cisco IPS 6.2
New IPv6 Engine Rules to block traffic Drop Malware traffic ASA 8.2 transfert IPv6 traffic To Sensor Engine Drop Internet ASA IPv6 malware traffic Safe Traffic Unselected Traffic Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 53 Enterprise Deployment: Secure IPv6 Connectivity How to Secure IPv6 over the WAN Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 54 © 2006, Cisco Systems, Inc. All rights reserved. 27 Presentation_ID.scr
28.
Secure IPv6 over
IPv4/6 Public Internet No traffic sniffing No traffic injection No service theft Public Network Site 2 Site Remote Access 6in4/GRE Tunnels Protected ISATAP Protected by IPv4 by IPsec RA IPsec DMVPN 12.4(20)T SSL VPN Client AnyConnect IPsec VTI 12.4(6)T N/A IPv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 55 Secure Site to Site IPv6 Traffic over IPv4 Public Network with GRE IPsec IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets IPv6 Network IPv6 Network IPv6 in IPv4 tunnelIPsec IPv4 GRE tunnel can be used to transport both IPv4 and IPv6 in the same tunnel See reference slides for more details Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 56 © 2006, Cisco Systems, Inc. All rights reserved. 28 Presentation_ID.scr
29.
Secure Site to
Site IPv6 Traffic over IPv4 Public Network with DMVPN Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 57 Secure Site to Site IPv6 Traffic For Your over IPv6 Public Network Reference Since 12.4(6)T, IPsec also works for IPv6 Using the Virtual Interface interface Tunnel0 no ip address ipv6 address 2001:DB8::2811/64 ipv6 enable tunnel source Serial0/0/1 tunnel destination 2001:DB8:7::2 tunnel mode ipsec ipv6 tunnel protection ipsec profile ipv6 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 58 © 2006, Cisco Systems, Inc. All rights reserved. 29 Presentation_ID.scr
30.
IPv6 for Remote
Devices Solutions Enabling IPv6 traffic inside the Cisco VPN Client tunnel NAT and Firewall traversal support Allow remote host to establish a v6-in-v4 tunnel either automatically or manually ISATAP—Intra Site Automatic Tunnel Addressing Protocol Fixed IPv6 address enables server’s side of any application to be configured on an IPv6 host that could roam over the world Use of ASA 8.0 and SSL VPN Client AnyConnect Can transfer IPv6 traffic over public IPv4 Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 59 Secure RA IPv6 Traffic over IPv4 Public Network: ISATAP in IPSec IPsec protects IPv4 unicast traffic... The encapsulated IPv6 packets IPv6 Network IPsec ISATAP IPv6 PC Enterprise ISATAP IPv4 VPN head-end Tunnel server (ASA, IOS, ...) on dual stack router IPsec with NAT-T can traverse NAT ISATAP encapsulates IPv6 into IPv4 See reference slides for more details Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 60 © 2006, Cisco Systems, Inc. All rights reserved. 30 Presentation_ID.scr
31.
Secure RA IPv6
Traffic over IPv4 Public Network: AnyConnect SSL VPN Client IPv6 Network IPv4 and IPv6 Transport in SSL IPv6 PC ASA 8.0 AnyConnect IPv4 SSL VPN Concentrator Dual Stack Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 61 Conclusion Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 62 © 2006, Cisco Systems, Inc. All rights reserved. 31 Presentation_ID.scr
32.
Key Take Away
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 63 Is IPv6 in My Network? Easy to check! Look inside NetFlow records Protocol 41: IPv6 over IPv4 or 6to4 tunnels IPv4 address: 192.88.99.1 (6to4 anycast server) UDP 3544, the public part of Teredo, yet another tunnel Look into DNS server log for resolution of ISATAP Beware of the IPv6 latent threat: your IPv4-only network may be vulnerable to IPv6 attacks NOW Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 64 © 2006, Cisco Systems, Inc. All rights reserved. 32 Presentation_ID.scr
33.
Q and A
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 65 Recommended Reading Source: Cisco Press Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 66 © 2006, Cisco Systems, Inc. All rights reserved. 33 Presentation_ID.scr
34.
Presentation_ID
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 67 © 2006, Cisco Systems, Inc. All rights reserved. 34 Presentation_ID.scr