Next Generation IPv6 Network Security – a Practical Approach

Zlata Trhulj Agilent Technologies [email protected] North American IPv6 Summit – Reston, VA 08 Dec 2004 Next Generation IPv6 Network Security – a Practical Approach Is Your Firewall Ready for Voice over IPv6? - and many other vital questions to ask your firewall vendor


Page 1

Zlata Trhulj, Agilent Technologies, [email protected]

North American IPv6 Summit – Reston, VA, 08 Dec 2004

Next Generation IPv6 Network Security – a Practical Approach

Is Your Firewall Ready for Voice over IPv6?

- and many other vital questions to ask your firewall vendor


Page 3

The Facts

• IPv6 deployment is emerging, with the added complexity of supporting dual-stack IPv4/IPv6 networks. “The Internet is no longer simple”.

• Alongside data, Voice over IP (VoIP) is here, driven by strong consumer demand for converged network services.

• Denial of Service (DoS) attacks are rising, disruptive and costly.

• 56% of corporations reported unauthorized network access (FBI report)

• 84% of firewalls required critical patches in the last year!

• Emerging IP networks face the combined complexities of IPv4, IPv6, mixed IPv4/IPv6, data and voice, network attacks (DoS), and legacy issues such as IPv4 network address translation (NAT) – all in one equation.

• What can you do TODAY?

[Chart: CERT Coordination Center reported incidents, 1997–2003; y-axis 0 to 150,000. Source: http://www.cert.org/stats/cert_stats.html]


Page 4

Why focus on Security?

• Along with interoperability and reliability, security is identified as the key prerequisite for adoption of IPv6.

• Functional validation of security devices proves only that they can forward IPv6 packets; it gives no indication of how devices and networks will behave under stress in dual-stack (IPv4 and IPv6) environments.

• No adopted standards for functionality and performance of security devices.

• Interdependency of IPv4 and IPv6 operation – does turning IPv6 on impact IPv4 network security?

• It is the user’s responsibility to verify the security aspects that matter in their specific context.


Page 5

[Diagram: Enterprise Network (HTTP, FTP servers) and the Internet, with labelled flows in both directions: Positive Traffic; Negative Traffic – prohibited; Attack Traffic – DoS attacks; Attack traffic – Trojan attacks from inside]

Example device: What do firewalls do?

• Protect ‘private’ network from public network

• Block incoming connection attempts, except to offered services

• Protect from Denial of Service network attacks

• Allow outgoing connections

• Prevent attacks from within (Trojans and file/print sharing exploits)

• Block prohibited web sites and applications


Page 6

Validating IPv6 network security device performance

• Combine HTTP, FTP, SMTP, POP3 etc. transactions with Voice over IP calls

• Simulate positive traffic & measure performance

• Add DoS attack traffic. Does “good” traffic performance suffer?

• Scalability: How many sessions, clients, or servers can be supported with reasonable performance?

• How does device/network performance vary with combinations of IPv4 and IPv6?

• Performance over the access protocols used for tunneling and security: DHCP, PPPoE, 802.1x and IPsec (especially IPsec encryption and authentication)

[Diagram: Emulated clients (HTTP, FTP) and Emulated servers on either side of the device under test, with labelled flows: Positive Traffic – HTTP, FTP (both directions); Negative Traffic – undesirable HTTP; Negative Traffic – unwanted FTP; Attack Traffic – DoS attacks; Attack traffic – DoS attacks from inside]


Page 7

Voice over IP traffic:

• Concurrent Call Capacity

• Call Connection Latency

• Call Setup, Teardown and Completed Call Rates

Firewall performance: What do I measure?

[Diagram: TCP connection timeline – SYN, SYN ACK, ACK (connection set up time); HTTP GET, HTTP response… (application transfer time); FIN, FIN ACK, ACK (disconnection time)]

• Basic TCP processing rate, IPv4 only, IPv6 only, mixed and tunneled v4/v6 combinations

• Concurrent TCP connections

• Application transfer rate and throughput (Mb/s)

• DoS attack vulnerability - ability to block or limit the impact of attacks, and performance while under attack with existing IPv4 attacks and any new IPv6 DoS attacks

• Performance impact of URL/content filters

[Charts: Max concurrent sessions (TCP sessions vs. time); Session rate / connection set up rate (TCP sessions/sec vs. time); Application transfer rate (transfers/sec: HTTP, FTP)]


Page 8

Performance Challenges for IPv6 Security Devices

• Longer IPv6 addresses: Firewall rule sets and Access Control Lists must work with IPv6 addresses. How will this degrade performance?

• IPv6 variable-length headers make parsing more complex: encryption and authentication header sections must be parsed and filtered, and the device may also need to perform encryption/decryption or calculate message authentication codes in order to filter on application-layer headers and content.

• IPv6 and IPv4 concurrent processing

• Maintain state tables for both IPv4 and IPv6 TCP connections and UDP sessions. Does IPsec run over both stacks? Application security over v4/v6?

• Data applications and Voice over IPv6 concurrent processing

• http, ftp, smtp, combined with SIP, H.323 – how does firewall traversal affect Voice quality?

• IPv6 DoS attacks

• IPv6/v4 and IPv4/v6 tunneling can hide application-layer attacks
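Two of the challenges above, rule sets that must match IPv6 addresses and tunneled traffic that hides the real endpoints from a filter looking only at the outer header, can be shown with a few constructed packets. The following is an added example, not code from the presentation or from Agilent: it builds minimal IPv4, IPv6 and TCP headers with struct (checksums left at zero), applies a small made-up policy, and contrasts an outer-header-only decision with one that first unwraps 6in4 (IPv4 protocol 41) and 4in6 (IPv6 next header 4) encapsulation. It goes slightly beyond the slide by also walking the IPv6 hop-by-hop, routing, fragment and destination-options extension headers so the transport ports are found behind them; AH and ESP are deliberately left undecoded, which is the slide’s point about needing to parse or decrypt them. The subnets, addresses, ports and rule format are all assumptions for illustration.

```python
import ipaddress
import struct

IPPROTO_IPV4 = 4    # IPv4 carried inside IPv6 (4in6)
IPPROTO_TCP = 6
IPPROTO_IPV6 = 41   # IPv6 carried inside IPv4 (6in4)
IPV6_EXT_HEADERS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, destination options
MAX_TUNNEL_DEPTH = 3  # stop unwrapping at some point rather than loop forever


# --- minimal packet builders (constructed for the example; checksums are 0) ---
def build_ipv4(src, dst, proto, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_ipv6(src, dst, next_header, payload):
    header = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed,
                         ipaddress.IPv6Address(dst).packed)
    return header + payload


def build_tcp_syn(sport, dport):
    # data offset 5 words, SYN flag set, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


# --- constructed policy: no telnet into either server subnet (illustrative) ---
RULES = [
    (ipaddress.ip_network("2001:db8:1::/64"), 23, "deny"),
    (ipaddress.ip_network("10.1.0.0/16"), 23, "deny"),
]
DEFAULT_ACTION = "allow"


def parse_ip(packet, decapsulate):
    """Return (src, dst, proto, sport, dport) for an IP packet. With
    decapsulate=True, 6in4 and 4in6 payloads are unwrapped and the innermost
    header is reported; otherwise only the outer header is examined."""
    depth = 0
    while True:
        version = packet[0] >> 4
        if version == 4:
            ihl = (packet[0] & 0x0F) * 4
            proto = packet[9]
            src = ipaddress.IPv4Address(packet[12:16])
            dst = ipaddress.IPv4Address(packet[16:20])
            payload = packet[ihl:]
        elif version == 6:
            proto = packet[6]
            src = ipaddress.IPv6Address(packet[8:24])
            dst = ipaddress.IPv6Address(packet[24:40])
            payload = packet[40:]
            # walk the variable-length extension header chain to the transport
            # header; the fragment header is a fixed 8 bytes, the others carry
            # their length in 8-octet units (excluding the first 8)
            while proto in IPV6_EXT_HEADERS and len(payload) >= 8:
                ext_len = 8 if proto == 44 else (payload[1] + 1) * 8
                proto, payload = payload[0], payload[ext_len:]
        else:
            raise ValueError("not an IPv4 or IPv6 packet")
        if decapsulate and proto in (IPPROTO_IPV4, IPPROTO_IPV6) and depth < MAX_TUNNEL_DEPTH:
            packet, depth = payload, depth + 1
            continue
        sport = dport = None
        if proto == IPPROTO_TCP and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
        return src, dst, proto, sport, dport


def filter_packet(packet, decapsulate):
    """Apply RULES to the header parse_ip reports; first match wins."""
    _src, dst, _proto, _sport, dport = parse_ip(packet, decapsulate)
    for net, port, action in RULES:
        # ipaddress answers False (not an error) when the address family differs
        if dst in net and dport == port:
            return action
    return DEFAULT_ACTION


if __name__ == "__main__":
    inner = build_ipv6("2001:db8:2::1", "2001:db8:1::5", IPPROTO_TCP, build_tcp_syn(40000, 23))
    tunneled = build_ipv4("192.0.2.1", "203.0.113.1", IPPROTO_IPV6, inner)
    print("outer header only:", filter_packet(tunneled, decapsulate=False))
    print("after decapsulation:", filter_packet(tunneled, decapsulate=True))
```

The first decision is what a filter that matches only on the outer IPv4 header produces for the 6in4 packet; the second is what the same policy produces once the inner IPv6 header is exposed. The cost of that extra parsing on every packet is exactly the performance question this slide raises.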


Page 9

Firewall Test Examples

[Bar chart: Application Transfers/sec (0 to 7000) by protocol: Telnet, RTSP, DNS, FTP active, FTP passive, HTTP 1.0, SMTP, POP3, HTTP 1.1]


Page 10

Agilent L2-7 Testing at Moonv6 phase I, II, III (www.moonv6.com)

[Diagram: Moonv6 test topology – Internet2 backbone with OSPF areas 0.0.0.0, 0.0.0.1 and 0.0.0.2 running I-BGP and OSPF; devices under test from Procket, Foundry, NEC, Cisco, Extreme, Hitachi, Fujitsu, CheckPoint, Netscreen, 6Wind and Nokia; Agilent RouterTester 900 and NetworkTester instruments attached throughout]

• OSPFv3 and BGP4+ functional and convergence testing [Agilent N2X]

• Simultaneous IPv4/IPv6 traffic generation, routing and analysis to verify dual-stack routers [Agilent N2X]

• Real-time, per stream throughput, latency and packet loss statistics to measure router performance [Agilent N2X]

• Firewall Testing – security policy and packet filtering, stateful packet inspection, application traffic performance, VoIPv6 [Agilent NetworkTester]


Page 11

Firewall test plan design and tools (1)

• Client and server emulation of a broad range of protocols

• Application-aware firewalls must be tested with stateful application traffic

• Ability to mix protocols on a single port

• Measure the firewall’s ability to cope with realistic, mixed traffic representative of network traffic – a vendor’s specifications won’t reveal this

• Integrated access protocols (DHCP, IPsec, 802.1x, PPPoE) and VLAN support

• Realistic testing requires emulation of both network access and stateful traffic

• Flexibility to create any test scenario rapidly, without scripting

• Firewall test scenarios can be complex.


Page 12

Firewall test plan design and tools (2)

• Layer 4-7 stateful application traffic. Full TCP emulation. Not a packet blaster.

• Firewalls implement real TCP and perform packet inspection…requiring real traffic

• High performance and rapid configuration – single application (versus “wall of PCs”)

• Scalability – The ability to scale the test up easily to reach the limits of the firewall

• Realism – the ability to vary the test

• Randomize and cycle through parameters such as URLs and address ranges

• Change parameters while the test is running


Page 13

Conclusion

• IPv6 adds significant new complexity to L4-7 security devices

• IPv4 and IPv6 packets must be reassembled up to L7 so that the contents of packets can be examined;

• While the industry debate on new security architectures remains open, make sure you cover the basics and validate the performance of your security devices as best you can!

• Firewalls are not all created equal:

• Performance highly dependent on the traffic profiles and configuration

• If you enable all of the firewall capabilities, set up dozens of filter rules, your traffic uses many TCP and UDP sessions, and you are prone to DoS and Trojan attacks, then you can expect your firewall’s performance to be substantially less than advertised

• Consider network design questions based on the performance limits of the new IPv6-capable firewalls: do you need more devices to support the same level of traffic?

It is critical to understand and test the security of your IPv4/IPv6 networks and the performance of your firewalls.


Page 14

Additional Information

For more information about Agilent Network Tester: http://www.agilent.com/comms/NetworkTester

First pilot IPv6 network: “Moonv6” Firewall Test Plans:

http://www.moonv6.com

http://moonv6.sr.unh.edu/


Page 15

Agilent NetworkTester: Firewall performance test capabilities

• Broad range of data and Voice protocols over IPv4 and IPv6

• Web, email, news, file transfer/sharing, instant messaging, streaming

• Voice over IP, both signaling and media transfer emulation

• Mix multiple protocols on a single port to create realistic and complex tests

• Client and Server emulation - one system, one user interface

• Powerful "Test Plan" design and management environment

• Set-up tests in minutes; no need for scripting!

• Scalability – Simulate millions of real users and services to identify firewall limits

• Stateful traffic over integrated IPsec, PPPoE, DHCP and 802.1x

• Integrated access protocols for faster and easier test set-up

• Integrated VLAN support – Rapidly test VLAN-capable devices and virtual firewalls

• Transaction Variability and Real-Time Control

• Randomize and cycle parameters such as address lists, and attach real files