During the RISC project, a collaborative project with ERNW.de, we had the change to test several IPv6-capable Security and Netwowrking Devices. Specifically, we had the chance to test the following devices:
– Cisco ASA 5505 running firmware 9.1(4)
– Checkpoint Gaia Release 77.10 running on commodity hardware
– Juniper SRX 100H2 running JunOS 12.1X46-DH.2
– Fortinet Fortigate 200B running v5.0,build0252 (GA Patch 5)
– Tipping Point, TOS Package 126.96.36.19936 and digital vaccine 188.8.131.5230.
● Layer-2 switch
– Cisco Catalyst 4948E running Cisco IOS Release 15.2(1)E1.
We performed several tests and the results quite interesting security-wise. Both the IPS and the Cisco Switch could be evaded (although the last case was already known). Especially as far as the IPS is concerned, we could make it completely "blind" and to fly under it's radars no matter what kind of attack we launched. The other devices appeared to have some minor issues too.
We also checked the aforementioned devices regarding their RFC-compliance, as well as how IPv6-Ready really other. Are they going to face any operational issues when deployed?
The full presentation with all the results, as presented during the IPv6 Security Summit @ Troopers 14, can be downloaded from here.