Friday, 16 May 2014

End of internship

This will be my last blog post in this particular blog (for now at least), since my internship ends today. It has been a great 13 weeks of working here, with a lot of learning experiences, not only about IPv6 security but also about IT security in general. As I had never looked at things from the vantage point of security before, I can now say with confidence that this internship had a huge impact on me in that regard, and I even want to pursue a career in IT security now, should I get the chance!

First of all I would like to thank my mentors at the internship, Dieter Vandenbroeck & Roel Vansteenberghe, for giving me the opportunity of doing my internship here.

I would also like to thank the 2 other interns for their support, so Yannick Stevens & Jan "Mr. BigShot" Weyens, thanks for the support and good luck working at EY!

Last but certainly not least I would like to thank all the other colleagues for their help, certainly in the first few weeks, and support on the subject.

Regretting the end of the internship I now close this chapter in my life and the blog post!

-- Kevin Wille

Friday, 9 May 2014

Test Results: Firewall Rules Set

In this last real technical blog post we discuss the test results with the firewall rules in place on the OS. On Windows this is just the standard Windows Firewall; on Linux I used ip6tables and on FreeBSD ipfw. We still want good IPv6 connectivity, so the intention is not to block all "dangerous" traffic and lose autoconfiguration altogether. Instead we deny all traffic by default and whitelist the trusted traffic. The rules we added are discussed in the previous blog post. Keep in mind that variations on these results are always possible if any of the rules used are modified.

UNIX

Scanning
Since ICMPv6 Response & Request messages are blocked by ipfw, none of these scans went through.

DoS
All floods except the DAD attack still got through. Although not all traffic is let through (RAs/NAs are limited to the default router/local traffic), the host still has to inspect each of these packets before dropping them. So when a flood is in effect the load increase is much smaller, but it is still present (about 20-30% per DoS).

MITM

None of the MITM attacks work anymore. This is because we only accept RAs from our default router, and NAs only from local traffic.

LINUX

Scanning
Since ICMPv6 Response & Request messages are blocked by ip6tables, none of these scans went through.

DoS

Because in Linux we can rate-limit the traffic allowed through for specific packet types, we limited RAs and NAs to 10 packets per second. This meant no DoS attack had any real impact.

MITM

All distributions tested blocked all MITM attacks except for Ubuntu. Ubuntu got spoofed with the NA/NS MITM attacks.
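The Linux results above come down to two ip6tables measures: a deny-by-default INPUT policy that only whitelists the NDP traffic a host needs, and a rate limit on RAs and NAs. The script below is an added example of such a rule set and is not the rule set from the previous post. It assumes the interface name `eth0` and the router link-local address `fe80::1` as placeholders, adds the hop-limit 255 check that genuine on-link NDP always carries, and can be dry-run with `IP6T=echo` so the generated rules can be read without touching the firewall.

```shell
#!/bin/sh
# Added example (not the original post's rule set): a whitelist-style
# ip6tables INPUT policy for a host. Default DROP; Router Advertisements
# accepted only from the known default router, Neighbor Advertisements
# only with hop limit 255 (i.e. sent on-link, never forwarded), both
# rate-limited to 10/second (the value used in the post). Echo requests
# are not whitelisted, so ping-based scans are dropped.
# LAN_IF and ROUTER_LL are placeholders: set them for your own host.
# Set IP6T=echo to dry-run (print the rules instead of applying them).

IP6T="${IP6T:-ip6tables}"
LAN_IF="${LAN_IF:-eth0}"          # placeholder interface name
ROUTER_LL="${ROUTER_LL:-fe80::1}" # placeholder: router's link-local address
RA_NA_RATE="${RA_NA_RATE:-10/second}"

apply_rules() {
    # Clean slate and deny-by-default on inbound traffic.
    $IP6T -F INPUT
    $IP6T -P INPUT DROP
    $IP6T -A INPUT -i lo -j ACCEPT
    $IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Router Advertisements (ICMPv6 type 134): only from our default router,
    # only if not forwarded (hop limit 255), and at most RA_NA_RATE.
    $IP6T -A INPUT -i "$LAN_IF" -p icmpv6 --icmpv6-type router-advertisement \
        -s "$ROUTER_LL" -m hl --hl-eq 255 -m limit --limit "$RA_NA_RATE" -j ACCEPT

    # Neighbor Solicitation (135): any on-link source, since DAD uses the
    # unspecified source address "::" and address resolution may use a
    # global source. Neighbor Advertisement (136): on-link only, rate-limited.
    $IP6T -A INPUT -i "$LAN_IF" -p icmpv6 --icmpv6-type neighbour-solicitation \
        -m hl --hl-eq 255 -j ACCEPT
    $IP6T -A INPUT -i "$LAN_IF" -p icmpv6 --icmpv6-type neighbour-advertisement \
        -m hl --hl-eq 255 -m limit --limit "$RA_NA_RATE" -j ACCEPT

    # ICMPv6 error messages IPv6 needs to function (path MTU discovery etc.).
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IP6T -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Explicit drop for echo requests so scan attempts show up in the rule
    # counters instead of disappearing into the default policy. Replies to
    # our own pings are already accepted by the conntrack rule above.
    $IP6T -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IP6T=echo; apply_rules ;;
esac
```

Run it as `sh ip6-host-rules.sh dry-run` to review the rules and `sh ip6-host-rules.sh apply` (as root) to install them. Two caveats worth keeping in mind: the rate limit caps the load an RA/NA flood can cause but the kernel still evaluates every packet, and neither the source check nor the hop-limit check can distinguish a spoofed NA sent by another machine on the same link from a genuine one, which is consistent with the Ubuntu NA/NS result above.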

WINDOWS

Scanning

Since ICMPv6 Response & Request messages are blocked by the Windows Firewall, none of these scans went through.

DoS

All DoS attacks still worked on all Windows versions, because the Windows Firewall cannot rate-limit the number of packets. Because of this, Microsoft OS's are still susceptible to DoS attacks.

MITM

None of the MITM attacks work anymore. This is because we limit RA's to only be accepted from our default router, and NA's only from local traffic.

Conclusion
After implementing some basic firewall rules we can conclude that most malicious traffic can be stopped. For some operating systems, additional software or an additional firewall should still be implemented to try and block all malicious traffic completely. On Linux and Unix enough configuration options exist to limit all incoming traffic, while on Windows they do not.

There are of course many other ways to implement IPv6 security, and it is always best to check the BCPs (best current practices) relevant to the security measures one wishes to implement. E.g. the following link discusses BCPs for ICMPv6 messages in firewalls.