IPv6 Protection Management and Control Mechanisms · Internal Segmentation Firewall (ISFW) Internal Network (100...
© Copyright Fortinet Inc. All rights reserved.
IPv6 Protection Management and Control Mechanisms
Johnson Lai
Technical Consultant
IPV6 Now!
Internet and TCP/IP
1969 – ARPANET begins
1981 – IPv4 definition (RFC 791)
1983 – ARPANET adopts TCP/IP
1990 – First research about IP exhaustion
1993 – Begins the “commercial internet”
2011 – No more /8 IPv4 available in Asia (APINIC)
Security Report Analysis Trends
• 95% of malware exists for less than one month, and 4/5 of the variants disappear in under a week
• 70–90% of malware samples are unique, designed and developed against a specific enterprise or organization
• In 60% of security incidents, the attacker can launch the attack within minutes and quickly cripple the enterprise or organization
• Nearly 50% of phishing e-mails have their links clicked within the first hour of receipt
• 23% of recipients click the phishing site link, and a further 11% also open the attached file
Let's Talk Security
Security issues related to IPv6
• IPv4 security devices cannot inspect IPv6 traffic
• Some legacy security devices will never support IPv6 and will need to be replaced
• Many security vendors have limited support for IPv6 today, leading to potential gaps in protection
• Address translation: potential vulnerabilities
• IPv6 support is often at much slower performance
IPv6 Security Concerns
ICMPv6 handling
» ICMPv6 has more relevance
» Give you control over ICMPv6 – despite what RFCs suggest
Firewalls to protect Routers and Network
IPv6 specific Features
» Neighbor Discovery
» Router Advertisement
» Multicast handling
IPv6 Extension Header Security
[Figure: the IPv6 base header is a fixed 40 bytes; extension headers are chained after it]
IPv6 Extension Header and Options
» Give you full control over IPv6 Extension
» Validation to conformity
» Lengths Control
» RFC6564 (A Uniform Format for IPv6 Extension Headers)
Application Security
» DNS – Domain Name Services
» All other Applications…
Old App-Attacks remain the same
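An added example (not code from the slides or from FortiOS) of the "validation to conformity" and "lengths control" the slide asks for: it walks the extension header chain of a raw IPv6 packet using the RFC 6564 uniform length encoding, and flags a declared length that overruns the packet, a Hop-by-Hop header that is not first, duplicate headers and over-long chains. The MAX_CHAIN limit and the sample packets are constructed for this example.

```python
import struct

# IANA Next Header values that denote IPv6 extension headers (RFC 8200, RFC 6564)
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Dest Options", 135: "Mobility"}
MAX_CHAIN = 4  # constructed policy limit: longer chains are flagged, not parsed further


def ext_len(kind, hdr_ext_len):
    """Total octets of one extension header, derived from its Hdr Ext Len field."""
    if kind == 44:                      # Fragment header is fixed at 8 octets; the field is reserved
        return 8
    if kind == 51:                      # AH counts 4-octet units minus 2 (RFC 4302)
        return (hdr_ext_len + 2) * 4
    return (hdr_ext_len + 1) * 8        # RFC 6564 uniform format: 8-octet units, first 8 not counted


def validate_chain(pkt):
    """Walk the extension header chain of a raw IPv6 packet (bytes).
    Returns (chain_names, upper_layer_protocol, violations)."""
    errors = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], None, ["not an IPv6 packet"]
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    if payload_len != len(pkt) - 40:
        errors.append("payload length %d != %d octets on the wire" % (payload_len, len(pkt) - 40))
    chain, seen, off = [], [], 40
    while nh in EXT:
        if off + 2 > len(pkt):
            errors.append("%s header truncated" % EXT[nh])
            break
        if nh == 0 and chain:                           # RFC 8200: Hop-by-Hop must come first
            errors.append("Hop-by-Hop not first in chain")
        size = ext_len(nh, pkt[off + 1])
        if off + size > len(pkt):                       # declared length overruns the packet
            errors.append("%s header claims %d octets, only %d remain" % (EXT[nh], size, len(pkt) - off))
            break
        if nh in seen and not (nh == 60 and seen.count(60) == 1):   # Dest Options may appear twice
            errors.append("duplicate %s header" % EXT[nh])
        seen.append(nh)
        chain.append(EXT[nh])
        if len(chain) > MAX_CHAIN:
            errors.append("chain longer than %d headers" % MAX_CHAIN)
            break
        nh, off = pkt[off], off + size
    return chain, nh, errors


def ipv6(next_header, payload):
    """Constructed sample: minimal IPv6 base header with zeroed addresses in front of payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + bytes(32) + payload


# Constructed samples: a well-formed HBH -> DstOpts -> TCP chain, and a chain where Hop-by-Hop
# appears second and declares 1608 octets inside a 16-octet payload.
GOOD = ipv6(0, bytes([60, 0, 1, 4, 0, 0, 0, 0]) + bytes([6, 0, 1, 4, 0, 0, 0, 0]))
BAD = ipv6(60, bytes([0, 0, 1, 4, 0, 0, 0, 0]) + bytes([6, 200, 1, 4, 0, 0, 0, 0]))
```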
IPv6 All Features
• Static / Dynamic routing (RIPng, OSPFv3 and BGP4+)
• DNS
• Network interface addressing
• Routing access lists and prefix lists
• IPv6 tunnel over IPv4, IPv4 tunnel over IPv6
• Security policies
• Authentication
• IPv6 over SCTP
• Packet and network sniffing
• IPsec VPN
• SSL VPNs
• UTM protection
• NAT/Route and Transparent mode
• Logging and reporting
• SNMP
• Virtual IPs and groups
• Ping6
• IPv6 NAT: NAT66, NAT64, DNS64
• IPv6 explicit proxy
• IPv6 MIBs
• IPv6 Per-IP shaper
• IPv6 policy routing
• IPv6 session pickup in HA mode
• NAT64 acceleration (XLR/XLP)
• IPv6 SSL proxy IPS inspection
• DHCP Client / DHCP Relay
• NAT64 High Availability (HA)
Transition of IPv6
Ebony and Ivory
Transition and Co-Existence
Tunnelling / Encapsulation
» DSLite
» 6over4 (SIXXS, Hurricane Electric)
Translation
» NAT64
» NAT46
» NAT444 / NAT446
Dual-Stack (Co-existence)
Tunneling/Encapsulation
[Figure: IPv4 traffic is carried as IPv6[IPv4] across an IPv6 access and transport network, with de-capsulation + CGN at the far end before it reaches the IPv4 side]
[Figure: IPv4 and IPv6 endpoints, with IPv4 encapsulated as IPv6[IPv4] over the IPv6 network]
Dual-Stack/Co-existence
[Figure: IPv4 and IPv6 are both carried natively across an IPv6 and IPv4 access and transport network]
[Figure: dual-stack endpoints, with IPv4 and IPv6 running side by side end to end]
Translation
[Figure: NAT46 lets clients on IPv4 access and transport reach an IPv6 server; NAT64 lets clients on IPv6 access and transport reach an IPv4 server]
[Figure: IPv4 and IPv6 translated between each other at each hop]
Options, Options, Options
• NAT64
• NAT46
• DNS64
• NAT446
• SIXXS
• 4in6
• 6in4
• NAT46+6in6
• CGN
• Logging
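An added example (not code from the slides or from FortiOS) of the address mapping behind the NAT64/DNS64 option: DNS64 synthesizes an AAAA record by embedding the IPv4 address in a /96 prefix, and the NAT64 translator recovers it from the IPv6 destination. It uses the RFC 6052 well-known prefix 64:ff9b::/96 by default and enforces the RFC 6052 rule that the well-known prefix must not represent non-global IPv4 space; the network-specific prefix 2001:db8:64::/96 in the usage is a constructed documentation value.

```python
import ipaddress

# Well-known NAT64 prefix (RFC 6052 section 2.1); deployments may run their own /96 instead
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def dns64_synthesize(ipv4, prefix="64:ff9b::/96"):
    """AAAA record a DNS64 resolver would hand an IPv6-only client for an A record."""
    v4 = ipaddress.IPv4Address(ipv4)
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    if net == WKP and not v4.is_global:
        # RFC 6052 section 3.1: the WKP must not be used to represent non-global IPv4 space
        raise ValueError("%s is not globally routable; use a network-specific prefix" % v4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def nat64_extract(ipv6, prefix="64:ff9b::/96"):
    """Translator side: recover the embedded IPv4 destination, or None if the traffic is native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    net = ipaddress.IPv6Network(prefix)
    if v6 not in net:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed usage: documentation address 192.0.2.1 behind a network-specific prefix
    print(dns64_synthesize("192.0.2.1", "2001:db8:64::/96"))   # 2001:db8:64::c000:201
    print(nat64_extract("64:ff9b::c000:201"))                    # 192.0.2.1
```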
Let's Talk Wire & Wireless
Access everywhere – Unified Access Layer
Wireless Access
Wired Access
Remote Access
DIGITAL ASSET
• Content Inspection
• Attack Mitigation
• User Identification
• Access Control
Threat Landscape & Evolving IT Infrastructure
[Figure: Internal Segmentation Firewalls (ISFW) placed throughout the internal network (100 Gbps+), at the branch office, private cloud and data center, behind an edge gateway that separates External (WAN, Internet, Cloud, Home, Office) from Internal]
ISFW Requirement No. 1 - PERFORMANCE
Border Firewall (NGFW), facing the Internet:
  Port speeds: 1G, 10G
  No. of ports: 2 to 12
  Throughput: Mbps to 1 Gbps
Internal Segmentation Firewall (ISFW):
  Interfaces: 10G, 40G & 100G
  No. of ports: 8 to 48 GE/10GE
  Throughput: 10 Gbps to 1 Tbps
High Performance Scalable Enterprise Firewall with Optimum Path Processing (OPP) Engine
[Figure: one OPP engine scaling from Mbps to Tbps on CPU-based platforms, covering UTM (SMB), UTM (Distributed Enterprise), Virtual Firewall, SDN Firewall, Cloud Firewall, Internal Segmentation Firewall (ISFW), Next Generation Firewall (NGFW) and Data Center Firewall (DCFW)]
ISFW Requirement No. 2 - PROTECTION
Software-enabled security modules:
• Firewall
• VPN
• Application Control
• IPS
• Web Filtering
• Anti-malware
• WAN Acceleration
• Data Leakage Protection
• WiFi Controller
• Advanced Threat Protection
• SaaS Gateway
• Management
A Global Threat Security Service that Updates the Platform in Real Time - FortiGuard
• Intrusion Prevention Service
• Antivirus Service
• Anti-spam Service
• Web Filtering Service
• IP Reputation Service
• Web Security Service
• Database Security Service
• Application Control Service
• Vulnerability Management Service
• Mobile Security
Global Fortinet Device Footprint
The Core of the Platform: FortiOS
[Figure: FortiOS as the security platform across Appliance, Virtual Machine and Cloud form factors (Firewall, NGFW, UTM, ATP), providing Granular Segmentation, Automated Orchestration, Scalable Central Management, and Visibility with Context & one-click to action; layered as Policy & Control, Protection & Intelligence, Operations and Time to Resolution on an End to End Platform]
Internal Segmentation Firewall – How is it different?
Deployment Mode: ISFW
  Purpose: Visibility & protection for internal segments
  Location: Access Layer
  Network Operation Mode: Transparent Mode
  Hardware requirements: Higher port density to protect multiple assets
  Security Components: Firewall, IPS, ATP, Application Control (User-based)
  Other Characteristics: Rapid Deployment – near zero configuration
Deployment Mode: NGFW
  Purpose: Visibility & protection against external threats and internet activities
  Location: Internet Gateway
  Network Operation Mode: NAT/Route Mode
  Hardware requirements: GbE and 10GbE ports
  Security Components: Firewall, VPN, IPS, Application Control
  Other Characteristics: Integration with Advanced Threat Protection (Sandbox)
Deployment Mode: DCFW
  Purpose: High performance, low latency network protection
  Location: Core Layer/DC gateway
  Network Operation Mode: NAT/Route Mode
  Hardware requirements: High speed (GbE/10GbE/40GbE/100GbE) & high port density, hardware acceleration
  Security Components: Firewall, DDoS protection
  Other Characteristics: High Availability
Deployment Mode: UTM
  Purpose: Visibility & protection against external threats and user activities
  Location: Internet Gateway
  Network Operation Mode: NAT/Route Mode
  Hardware requirements: High GbE port density, integrated wireless connectivity and PoE
  Security Components: Comprehensive and extensible, client and device integration
  Other Characteristics: Different WAN connectivity options such as 3G/4G
Some Thoughts Though
• Translation (NAT)
  » Increasing network complexity
  » Increasing costs
  » Law enforcement / logging requirements
  » Service crippling
  » “Service points” where NAT happens on central devices
  » Fragmentation issues
“Thou shalt not trust your Network to translate your Applications”
• Tunneling
  » Fragmentation
  » Unbalanced network core traffic / centralised TEP
  » Multicast handling
Let's Talk Solution
IPv6 – Fortinet Solution
[Figure: Stateful Inspection, Transition Techniques, Performance, Virtualisation, Unified Threat Management, 4G/LTE GTP, Diameter, SIGTRAN, Core Backbone, Management, RFC catch-up]
FortiGate does it all!
FortiGate does it fast!
FortiGate does it secure!