Professional Documents
Culture Documents
IPV6 Security Consideration
IPV6 Security Consideration
5/5/12
IPv6 hosts can use the following methods to obtain an address configuration:
5/5/12
1-Neighbor Discovery (ND) with an exchange of Router Solicitation and Router Advertisement messages.
5/5/12
IPv6 in Windows Server 2008 and Windows Vista does not support SEND.
Recommendations
5/5/12
To prevent unauthorized computers from communicating on intranets, the recommendation is that you use IEEE 802.1X authentication to authenticate all computers that are connecting to your network with wired or wireless connections. With IEEE 802.1Xbased authentication at the link layer, computers cannot send any network traffic until they have authenticated themselves to a switch or wireless access point. Only after a successful IEEE 802.1X authentication can an IPv6 host use address autoconfiguration protocols such as ND or DHCPv6 to obtain an automatically assigned IPv6 address configuration.
To help protect IPv6 packets from tampering (data modification) and interpretation (passive capturing) by intermediate or neighboring nodes, IPv6 packets can be protected with Internet Protocol security (IPsec). IPsec uses cryptographic security services to provide tampering protection, spoofing protection, and optional encryption for IP packets.
Address Scanning :
With IPv6, the scanning of a subnet for valid unicast IPv6 addresses is made much more difficult by the large number of possible addresses.
Port Scanning :
To prevent a port scan, hosts should use a host-based stateful firewall. Host-based stateful firewalls silently discard all incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic).
A host-based stateful firewall will not prevent an attacker from determining open ports on a host if those ports are being used for active communication or the ports correspond to a service being offered by the host.
To prevent unwanted traffic from the Internet, organizations typically deploy edge firewalls, proxies, and intrusion detection systems (IDSs).
These security devices attempt to ensure that an attackers traffic from the Internet .cannot penetrate to the intranet
Recommendations
5/5/12
To prevent unwanted and unauthorized IPv6 traffic from the Internet, you can do the following:
v
Upgrade your edge firewall, proxy, and IDS to include IPv6 and tunneled IPv6
functionality.
If your intranet computers must communicate with hosts on the IPv6 Internet,
upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.
Recommendations
5/5/12
configure your IPv4-based edge firewall to drop all IPv4 protocol 41 packets on its Internet interface. An exception is when you are using 6to4. The 6to4 router must be able to receive IPv6- over-IPv4 tunneled traffic from the Internet.
For Teredo traffic from intranet hosts to Internet hosts, configure your
IPv4-based edge firewall to silently discard all IPv4 traffic with the source or
Recommendations
5/5/12
Deploy ISATAP correctly on your intranet so that default route traffic is never forwarded
to the IPv4 Internet. Default route traffic from ISATAP hosts on the IPv4 portion of your network should be forwarded to an ISATAP router, which is connected to both the IPv4 and IPv6-capable portions of your intranet. The default route on the ISATAP router should point to the IPv6-capable portion of your intranet.
If your ISATAP router and edge firewall is the same device, ensure that the devices
default route for IPv6 traffic points to the IPv6-capable portion of your network, not to the IPv4 Internet.
Recommendations
5/5/12
If the ISATAP hosts on your intranet must communicate with hosts on the
IPv6 Internet, upgrade your edge firewall between your intranet and the IPv6 Internet to support stateful IPv6 firewalling.
21/5/5
5/5/12