This week, I had the opportunity to work together with the ERNW guys at their premises. They had built an IPv6 lab that included several commercial IPv6 security devices (firewalls, IDS/IPS and some high-end switches) and they kindly offered their lab to me to play with (thank you guys :) – I always liked …expensive toys). The goal of this co-operation was to try to find out any IPv6-related security or operational issues on these devices (after all, they all claim that they are “IPv6-Ready”, right?).
First, it was really interesting to check the balance between RFC-compliance and security-orientation (because these two things do not go side-by-side, some times). So, we started using their default configuration and checked what IPv6 features support and if these could be abused. Then, we enabled some of the missing IPv6 features (because some of our toys were …cheating – security vs. functionality) and tested them again. We created several scenarios. How well they protect you from IPv6 attackers. What IPv6 configuration capabilities they offer. How you can configure them to increase your chances in surviving in the IPv6 wild world. And of course, can they be abused? Can they be evaded?
The results? I am not going to give you any detail rights now, but I can tell you that, apart from any operational issues, while many of them appear to have a quite stable and “secure” IPv6 behaviour, under very specific circumstances they appeared to have some security issues too. However, interestingly enough, there were also cases that an attacker could make them completely “blind” (aka, circumvent them) and hence, pass through malicious traffic. Remember: As I use to say, when you break layer-3, you can break everything above it.
You want more on this?OK, see you at the IPv6 Security Summit at Troopers 14, in the beautiful city of Heidelberg!