Zlata Trhulj, Agilent, [email protected]
American IPv6 Summit – Reston, VA, 08 Dec 2004
Next Generation IPv6 Network Security – a Practical Approach
Is Your Firewall Ready for Voice over IPv6?
- and many other vital questions to ask your firewall vendor
Page 3
The Facts
• IPv6 deployment is emerging, with the added complexity of supporting dual-stack IPv4/IPv6 networks. “Internet is no longer simple”.
• With data, Voice over IP (VoIP) is here, driven by a strong consumer demand for converged network services.
• Denial of Service (DoS) attacks are rising, disruptive, costly.
• 56% of corporations reported unauthorized network access (FBI report)
• 84% of firewalls required critical patches in the last year!
• Emerging IP networking faces the complexities of IPv4, IPv6, mixed IPv4 and v6, data and voice, network attacks (DoS) and legacy issues such as IPv4 network address translation (NAT) - all in the one equation.
• What can you do TODAY?
[Chart: CERT Coordination Center reported incidents per year, 1997 to 2003 (y-axis 0 to 150,000); source: http://www.cert.org/stats/cert_stats.html]
Page 4
Why focus on Security?
• With interoperability and reliability, security is identified as the key prerequisite for adoption of IPv6.
• Functional validation of security devices proves they can forward IPv6 packets, but gives no indication of how devices/networks will act under stress in dual-stack (IPv4 and IPv6) environments.
• No adopted standards for functionality and performance of security devices.
• Interdependency of IPv4 and IPv6 operation – does turning IPv6 on impact IPv4 network security?
• Responsibility of the User to verify aspects of security in a specific context.
Page 5
Example device: What do firewalls do?
[Diagram: firewall between the Enterprise Network (HTTP, FTP) and the Internet; traffic classes: Negative Traffic – prohibited; Positive Traffic; Attack Traffic – DoS attacks; Attack traffic – Trojan attacks from inside]
• Protect ‘private’ network from public network
• Block incoming connection attempts, except to offered services
• Protect from Denial of Service network attacks
• Allow outgoing connections
• Prevent attacks from within (Trojans and file/print sharing exploits)
• Block prohibited web sites and applications
Page 6
Validating IPv6 network security device performance
• Combine HTTP, FTP, SMTP, POP3 etc. transactions with Voice over IP calls
• Simulate positive traffic & measure performance
• Add DoS attack traffic. Does “good” traffic performance suffer?
• Scalability: How many sessions, clients, or servers can be supported with reasonable performance?
• How does device/network performance vary with combinations of IPv4 and IPv6?
• Performance over access protocols used for tunneling and security: DHCP, PPPoE, 802.1x and IPsec (especially IPsec encryption & authentication)
[Diagram: emulated clients (HTTP, FTP) and emulated servers on either side of the device under test; traffic classes: Negative Traffic – undesirable HTTP; Negative Traffic – unwanted FTP; Positive Traffic – HTTP, FTP; Attack Traffic – DoS attacks; Attack traffic – DoS attacks from inside]
Page 7
Firewall performance: What do I measure?
[Diagram: TCP connection timeline. SYN, SYN ACK, ACK: connection set up time; HTTP GET, HTTP response…: application transfer time; FIN, FIN ACK, ACK: disconnection time]
• Basic TCP processing rate, IPv4 only, IPv6 only, mixed and tunneled v4/v6 combinations
• Concurrent TCP connections
• Application transfer rate and throughput (Mb/s)
• DoS attack vulnerability - ability to block or limit the impact of attacks, and performance while under attack with existing IPv4 attacks and any new IPv6 DoS attacks
• Performance impact of URL/content filters
Voice over IP traffic:
• Concurrent Call Capacity
• Call Connection Latency
• Call Setup, Teardown and Completed Call Rates
[Charts: Max concurrent sessions (TCP sessions vs. time); Session rate / connection set up rate (TCP sessions/sec vs. time); Application transfer rate (transfers/sec: HTTP, FTP)]
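Reducing a trace to the quantities in the timing diagram and charts above, as an added example that is not part of the original slides: a constructed two-connection event list (made up, not a capture from any device) is turned into per-connection set up, application transfer and disconnection times, plus connection set up rate, transfer rate and peak concurrent sessions. The segment names and the shape of the trace are assumptions of this example.

```python
from collections import defaultdict

# Constructed trace, not a capture from a real device: (seconds, connection id, segment).
# Each connection follows the slide's timing diagram and is listed in its own order.
TRACE = [
    (0.000, "c1", "SYN"), (0.002, "c1", "SYN-ACK"), (0.003, "c1", "ACK"), (0.003, "c1", "GET"),
    (0.020, "c1", "RESPONSE"), (0.021, "c1", "FIN"), (0.022, "c1", "FIN-ACK"), (0.023, "c1", "ACK"),
    (0.010, "c2", "SYN"), (0.014, "c2", "SYN-ACK"), (0.015, "c2", "ACK"), (0.015, "c2", "GET"),
    (0.060, "c2", "RESPONSE"), (0.061, "c2", "FIN"), (0.063, "c2", "FIN-ACK"), (0.064, "c2", "ACK"),
]

def parse_trace(events):
    """Group timestamps per connection. The client's first ACK completes the
    handshake, its last ACK completes the teardown."""
    conns = defaultdict(dict)
    for t, cid, seg in events:
        d = conns[cid]
        if seg == "ACK":
            seg = "ACK_HANDSHAKE" if "ACK_HANDSHAKE" not in d else "ACK_TEARDOWN"
        d[seg] = t
    return dict(conns)

def connection_metrics(conns):
    """Connection set up, application transfer and disconnection time per connection."""
    return {cid: {"setup": round(d["ACK_HANDSHAKE"] - d["SYN"], 6),
                  "transfer": round(d["RESPONSE"] - d["GET"], 6),
                  "teardown": round(d["ACK_TEARDOWN"] - d["FIN"], 6)}
            for cid, d in conns.items()}

def aggregate_metrics(conns):
    """Connection set up rate, transfer rate and peak concurrent sessions over the trace."""
    start = min(d["SYN"] for d in conns.values())
    end = max(d["ACK_TEARDOWN"] for d in conns.values())
    # a session is open from its SYN until its teardown ACK; at equal times closes sort first
    events = sorted([(d["SYN"], 1) for d in conns.values()] +
                    [(d["ACK_TEARDOWN"], -1) for d in conns.values()])
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return {"setups_per_sec": round(len(conns) / (end - start), 3),
            "transfers_per_sec": round(sum("RESPONSE" in d for d in conns.values()) / (end - start), 3),
            "max_concurrent": peak}
```

On a real test run the same reduction is applied per time bucket, so that a drop in set up rate or a rise in transfer time can be lined up against the moment attack traffic was added.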
Page 8
Performance Challenges for IPv6 Security Devices
• Longer IPv6 addresses: Firewall rule sets and Access Control Lists must work with IPv6 addresses. How will this degrade performance?
• IPv6 variable-length headers: Parsing is more complex: encryption and authentication header sections must be parsed and filtered; the device may also need to perform encryption/decryption or calculation of message authentication codes to be able to filter on application-layer headers and content.
• IPv6 and IPv4 concurrent processing
• Maintain state tables for both IPv4 and IPv6 TCP connections and UDP sessions; does IPsec run over both stacks? Application security over v4/v6?
• Data applications and Voice over IPv6 concurrent processing
• http, ftp, smtp, combined with SIP, H.323 – how does firewall traversal affect Voice quality?
• IPv6 DoS attacks
• IPv6/v4 and IPv4/v6 tunneling can hide application-layer attacks
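What the variable-length header point means for a filter in practice, as an added example that is not the slides' or any vendor's code: walking the IPv6 extension header chain to reach the transport header that rules are written against, and stopping where the filter cannot decide (a non-first fragment carries no transport header, and a malformed chain should be dropped rather than guessed at). The packets are constructed inline; the ipv6() helper and its addresses are assumptions of this example.

```python
import struct

# IPv6 Next Header values (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, UDP = 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}

def walk_extension_headers(pkt: bytes, max_headers: int = 8):
    """Return (upper_layer_protocol, extension_chain, transport_offset).
    upper_layer_protocol is None for a non-first fragment: the transport header is not
    in this packet, so the device must reassemble before it can filter on it.
    Raises ValueError for chains a filter cannot safely parse and should drop."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain too long")
        if nh == HOP_BY_HOP and chain:
            raise ValueError("Hop-by-Hop Options header must come first (RFC 2460)")
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        chain.append(nh)
        if nh == FRAGMENT:                       # fixed 8 bytes
            hlen = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None, chain, off + 8      # non-first fragment
        elif nh == AH:                           # length in 32-bit words, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                                    # length in 8-octet units, not counting first 8
            hlen = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hlen
    if off > len(pkt):
        raise ValueError("extension header runs past end of packet")
    return nh, chain, off

def ipv6(next_header, payload, src=b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01",
         dst=b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"):
    """Constructed IPv6 header (2001:db8::1 -> 2001:db8::2) in front of payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

PADN6 = b"\x01\x04\x00\x00\x00\x00"                   # one PadN option filling an 8-byte header
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
# constructed: Hop-by-Hop -> Destination Options -> TCP SYN
CHAINED = ipv6(HOP_BY_HOP, bytes([DEST_OPTS, 0]) + PADN6 + bytes([TCP, 0]) + PADN6 + TCP_SYN)
# constructed: second fragment (offset 100 * 8 bytes) of a TCP packet, no transport header visible
FRAGMENT2 = ipv6(FRAGMENT, bytes([TCP, 0]) + struct.pack("!HI", 100 << 3, 0x1234abcd) + b"\x00" * 16)
```

A filter that has to do this walk for every packet, then reassemble fragments before it can apply its rules, is where the per-packet cost the slide asks about comes from.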
Page 9
Firewall Test Examples
[Chart: Application transfers/sec (0 to 7000) by protocol: Telnet, RTSP, DNS, FTP active, FTP passive, HTTP 1.0, SMTP, POP3, HTTP 1.1]
Page 10
Agilent L2-7 Testing at Moonv6 phase I, II, III (www.moonv6.com)
[Diagram: Moonv6 topology with Internet2 and OSPF areas 0.0.0.0, 0.0.0.1 and 0.0.0.2 (I-BGP and OSPF); Agilent RouterTester 900 and NetworkTester systems attached to devices from Procket, Foundry, NEC, Cisco, Extreme, Hitachi, Fujitsu, CheckPoint, Netscreen, 6Wind and Nokia]
• OSPFv3 and BGP4+ functional and convergence testing [Agilent N2X]
• Simultaneous IPv4/IPv6 traffic generation, routing and analysis to verify dual-stack routers [Agilent N2X]
• Real-time, per stream throughput, latency and packet loss statistics to measure router performance [Agilent N2X]
• Firewall Testing – security policy and packet filtering, stateful packet inspection, application traffic performance, VoIPv6 [Agilent NetworkTester]
Page 11
Firewall test plan design and tools (1)
• Client and server emulation of a broad range of protocols
• Application-aware firewalls must be tested with stateful application traffic
• Ability to mix protocols on a single port
• Measure the firewall’s ability to cope with realistic, mixed traffic representative of network traffic – a vendor’s specifications won’t reveal this
• Integrated access protocols (DHCP, IPsec, 802.1x, PPPoE) and VLAN support
• Realistic testing requires emulation of both network access and stateful traffic
• Flexibility to create any test scenario rapidly, without scripting
• Firewall test scenarios can be complex.
Page 12
Firewall test plan design and tools (2)
• Layer 4-7 stateful application traffic. Full TCP emulation. Not a packet blaster.
• Firewalls implement real TCP and perform packet inspection, so they require real traffic
• High performance and rapid configuration – single application (versus “wall of PCs”)
• Scalability – The ability to scale the test up easily to reach the limits of the firewall
• Realism – the ability to vary the test
• Randomize and cycle through parameters such as URLs and address ranges
• Change parameters while the test is running
Page 13
Conclusion
• IPv6 adds significant new complexity to L4-7 security devices
• IPv4 and IPv6 packets must be reassembled up to L7 so that the contents of packets can be examined.
• Whilst the industry debate on new security architectures is out, make sure you cover your basics and validate the performance of your security devices the best you can!
• Firewalls are not all created equal:
• Performance is highly dependent on the traffic profiles and configuration
• If you enable all of the firewall capabilities, set up dozens of filter rules, your traffic uses many TCP and UDP sessions, and you are prone to DoS and Trojan attacks, then you can expect your firewall’s performance to be substantially less than advertised
• Consider network design questions based on the performance limits of the new IPv6-capable firewalls: do you need more devices to support the same level of traffic?
It is critical to understand and test the security of your IPv4/IPv6 networks and the performance of your firewalls
Page 14
Additional Information
For more information about Agilent Network Tester: http://www.agilent.com/comms/NetworkTester
First pilot IPv6 network: “Moonv6” Firewall Test Plans:
http://www.moonv6.com
http://moonv6.sr.unh.edu/
Page 15
Agilent NetworkTester: Firewall performance test capabilities
• Broad range of data and Voice protocols over IPv4 and IPv6
• Web, email, news, file transfer/sharing, instant messaging, streaming
• Voice over IP, both signaling and media transfer emulation
• Mix multiple protocols on a single port to create realistic and complex tests
• Client and Server emulation - one system, one user interface
• Powerful "Test Plan" design and management environment
• Set-up tests in minutes; no need for scripting!
• Scalability – Simulate millions of real users and services to identify firewall limits
• Stateful traffic over integrated IPsec, PPPoE, DHCP and 802.1x
• Integrated access protocols for faster and easier test set-up
• Integrated VLAN support – Rapidly test VLAN-capable devices and virtual firewalls
• Transaction Variability and Real-Time Control
• Randomize and cycle parameters such as address lists, and attach real files