In this last real technical blog post we will discuss the test results with the
firewall rules in place on the OS. On Windows this is just the standard Windows
firewall; on Linux I used ip6tables, and on FreeBSD ipfw. We still want good IPv6
connectivity, so the intention is not to block all "dangerous" traffic and lose
autoconfiguration altogether. Instead we deny all traffic by default and whitelist
the traffic we trust. The rules we added are discussed in the previous blog post.
Keep in mind that variations on these results are always possible if any of the
rules used are modified.
UNIX
Scanning
Since ICMPv6 Request and Response messages are blocked by ipfw, none of these
scans got through.
DoS
All floods except the DAD attack still got through. The reason is that, although
not all traffic is allowed, RAs and NAs are still accepted from the default router
and for local traffic respectively, so the host still has to inspect these packets.
During a flood the load increase is therefore much smaller, but it is still present
(about 20-30%) per DoS attack.
MITM
None of the MITM attacks work anymore, because we only accept RAs from our default
router, and NAs only for local traffic.
LINUX
Scanning
Since ICMPv6 Request and Response messages are blocked by ip6tables, none of these
scans got through.
DoS
Because in Linux we can rate-limit the traffic allowed through for specific packet
types, we limited RAs and NAs to 10 packets per second. This meant none of the DoS
attacks had any real impact.
MITM
All distributions tested blocked all MITM attacks except Ubuntu, which was still
spoofed by the NA/NS MITM attacks.
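The Linux results above (RA/NA rate-limited to 10 packets per second, RAs accepted only from the default router, NAs only for local traffic, everything else denied) can be expressed as an ip6tables rule set. The script below is an added example written for this post and is not the author's original rule set from the previous post. It assumes the interface name `eth0` and the router link-local address `fe80::1` as placeholders, and it goes slightly beyond the page in two defensive ways: it whitelists the ICMPv6 error types that IPv6 needs to keep working (path MTU discovery in particular), and it requires the hop limit of 255 that RFC 4861 mandates for NDP, which is what enforces "local traffic only" for NS/NA here.

```shell
#!/bin/sh
# Added example (not the blog author's rules): a default-deny ip6tables policy that
# whitelists trusted traffic and rate-limits RA/NA as described in the post.
# Run with "dry-run" to print the commands instead of applying them (needs root to apply).

IPT="${IPT:-ip6tables}"
# Link-local address of the legitimate default router (placeholder, replace with yours).
ROUTER_LLA="${ROUTER_LLA:-fe80::1}"
# LAN-facing interface (assumed name).
IFACE="${IFACE:-eth0}"
# The 10 packets/second limit used in the post, with a small burst allowance.
NDP_RATE="${NDP_RATE:-10/second}"
NDP_BURST="${NDP_BURST:-20}"

apply_icmpv6_rules() {
    # Default deny inbound; allow loopback and replies to connections we opened.
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # ICMPv6 error messages that IPv6 needs to function (PMTUD, traceroute, etc.).
    for t in destination-unreachable packet-too-big time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
    done

    # Router advertisements: only from the known default router's link-local address,
    # only with hop limit 255 (RFC 4861; a routed packet can never arrive with 255),
    # and rate limited so an RA flood cannot load the host.
    $IPT -A INPUT -i "$IFACE" -p icmpv6 --icmpv6-type router-advertisement \
        -s "$ROUTER_LLA/128" -m hl --hl-eq 255 \
        -m limit --limit "$NDP_RATE" --limit-burst "$NDP_BURST" -j ACCEPT

    # Neighbor solicitation/advertisement: the hop-limit check restricts them to
    # on-link senders (DAD solicitations from :: still pass), and they are rate limited.
    for t in neighbour-solicitation neighbour-advertisement; do
        $IPT -A INPUT -i "$IFACE" -p icmpv6 --icmpv6-type "$t" \
            -m hl --hl-eq 255 \
            -m limit --limit "$NDP_RATE" --limit-burst "$NDP_BURST" -j ACCEPT
    done

    # Echo request/reply are deliberately not whitelisted, so the scans from the post
    # fall through to the DROP policy, as does everything else not listed above.
}

case "${1:-}" in
    apply)   apply_icmpv6_rules ;;
    dry-run) IPT="echo ip6tables"; apply_icmpv6_rules ;;
esac
```

Packets that exceed the `limit` match simply fall through to the DROP policy, which is why a flood costs the host almost nothing beyond the match itself. If you also want to log what is being dropped, add a rate-limited `-j LOG` rule just before the end of the chain so the log itself cannot be used to amplify the flood.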
WINDOWS
Scanning
Since ICMPv6 Request and Response messages are blocked by the Windows firewall, none
of these scans got through.
DoS
All DoS attacks still worked on all Windows versions, because the Windows firewall
cannot rate-limit packets. Windows systems therefore remain susceptible to these
DoS attacks.
MITM
None of the MITM attacks work anymore, because we only accept RAs from our default
router, and NAs only from local traffic.
Conclusion
After implementing some basic firewall rules we can conclude that most malicious
traffic can be stopped. For some platforms, additional software or an additional
firewall should still be deployed to completely block all malicious traffic. On
Linux and Unix enough can be configured to limit all incoming traffic; on Windows
it cannot.
There are of course many other ways to implement IPv6 security, and it is always
best to check the BCPs relevant to the security measures one wishes to implement.
For example, the following link discusses BCPs for filtering ICMPv6 messages in
firewalls.