© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v2.07-1 Security Issues in IPv6: Configuring IPv6 ACLs

Transcript:

Security Issues in IPv6: Configuring IPv6 ACLs

Standard ACL

An IPv6 standard ACL examines only the source and destination addresses of the IPv6 header; ports, the extension-header chain and the other header fields are not inspected.

[Figure: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, 128-bit Source Address, 128-bit Destination Address), followed by a Hop-by-Hop Options extension header (Next Header, Header Extension Length, options) and the TCP header with its 16-bit source and destination ports. Only the two address fields are matched by a standard ACL.]

Standard ACL example

  (config) ipv6 access-list my-stnd-list
    permit ipv6 host 2001:db8:3::? 2001:db8:4::/64
    permit ipv6 host 2001:db8:3::200 host 2001:db8:4::500
  (config) int f0/1
    ipv6 traffic-filter my-stnd-list out

(The host identifier of the first entry's source address is not legible in the source; the entry permits one linkA host to reach the whole of linkC.)

Applied outbound on f0/1, the list lets the two named linkA hosts reach linkC (the second entry lets PC2 at 2001:db8:3::200 reach Access1 at 2001:db8:4::500), and everything else leaving f0/1 is dropped by the implicit deny ipv6 any any at the end of every IPv6 access list. Current IOS releases use one syntax for standard and extended entries, so the protocol keyword (ipv6 here, meaning any protocol) is always required.

[Figure: topology used throughout the lesson. One router with f0/0 on linkA 2001:db8:3::/64 (PC1 ::100, PC2 ::200), f0/1 on linkC 2001:db8:4::/64 (WWW2 ::400, Access1 ::500 offering SSH, Telnet and other services) and f0/2 on linkB 2001:db8:5::/64; a server WWW1 ::300 also appears in the diagram.]

Extended ACL example

  (config) ipv6 access-list my-extnd-list
    permit tcp 2001:db8:3::/64 host 2001:db8:4::400 eq 80
  (config) int f0/0
    ipv6 traffic-filter my-extnd-list in

Applied inbound on f0/0, the list admits only TCP from linkA (2001:db8:3::/64) to port 80 on WWW2 (2001:db8:4::400); the animation shows PC1's HTTP request passing and its SSH attempt to Access1 being dropped. Every other packet arriving on f0/0 hits the implicit deny ipv6 any any, with one important exception: IOS also appends implicit permit icmp any any nd-na and permit icmp any any nd-ns entries ahead of that deny so that Neighbor Discovery on the link keeps working. An explicit deny ipv6 any any or deny icmp any any written at the end of the list, a habit carried over from IPv4, overrides those implicit permits and breaks neighbor resolution on the interface.
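The matching rules above, as an added example that is not part of the Cisco course: a small Python model of first-match evaluation with the implicit tail IOS appends to every IPv6 access list. It replays the slide's my-extnd-list against constructed packets and shows the Neighbor Discovery pitfall. The Packet and Entry classes, the sample link-local and solicited-node addresses, and the BROKEN_LIST variant are assumptions made for the example.

```python
"""Added example (not from the Cisco course): a small model of how IOS
evaluates an IPv6 access list. Entries are tested in order and the first
match wins; IOS then appends three implicit entries to every IPv6 ACL:
permit icmp any any nd-na, permit icmp any any nd-ns, deny ipv6 any any."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # IOS keyword, e.g. "nd-ns", "echo-request"


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches every protocol
    src: IPv6Network
    dst: IPv6Network
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.icmp_type is None or self.icmp_type == p.icmp_type


def net(text: str) -> IPv6Network:
    """'2001:db8:3::/64' -> prefix; a bare address behaves like 'host X'."""
    return ip_network(text, strict=False)


ANY = net("::/0")

# The implicit tail IOS adds to every IPv6 ACL, in this order.
IMPLICIT_TAIL = [
    Entry("permit", "icmp", ANY, ANY, icmp_type="nd-na"),
    Entry("permit", "icmp", ANY, ANY, icmp_type="nd-ns"),
    Entry("deny", "ipv6", ANY, ANY),
]


def evaluate(acl: list[Entry], p: Packet) -> str:
    """Return the action of the first matching entry, implicit tail included."""
    for e in acl + IMPLICIT_TAIL:
        if e.matches(p):
            return e.action
    raise RuntimeError("unreachable: the implicit deny matches everything")


# The slide's extended list: permit tcp 2001:db8:3::/64 host 2001:db8:4::400 eq 80
MY_EXTND_LIST = [
    Entry("permit", "tcp", net("2001:db8:3::/64"), net("2001:db8:4::400"), dport=80),
]

# Assumed variant: the same list with an explicit 'deny ipv6 any any' at the end.
# It looks harmless but replaces the implicit ND permits.
BROKEN_LIST = MY_EXTND_LIST + [Entry("deny", "ipv6", ANY, ANY)]

# Constructed sample packets. Hosts are from the slide topology; the ND packet
# uses a link-local source and the solicited-node multicast group for ::400.
WEB_FROM_PC1 = Packet("2001:db8:3::100", "2001:db8:4::400", "tcp", dport=80)
SSH_FROM_PC1 = Packet("2001:db8:3::100", "2001:db8:4::500", "tcp", dport=22)
ND_NS = Packet("fe80::1", "ff02::1:ff00:400", "icmp", icmp_type="nd-ns")

if __name__ == "__main__":
    cases = (("HTTP PC1->WWW2", WEB_FROM_PC1), ("SSH PC1->Access1", SSH_FROM_PC1), ("ND NS", ND_NS))
    for name, acl in (("my-extnd-list", MY_EXTND_LIST), ("with explicit deny", BROKEN_LIST)):
        for label, pkt in cases:
            print(f"{name:20} {label:18} {evaluate(acl, pkt)}")
```

Run it and the last line shows the problem: the list with the explicit deny drops the Neighbor Solicitation that the original list still admits, so hosts on the interface stop resolving each other.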

Reflexive and Time-Based ACL

A reflexive ACL controls traffic based on which side initiated the session:
–The router tracks session state.
–A permitted outbound session automatically creates a temporary mirror entry (addresses and ports swapped) that admits the return packets until the entry times out.

A time-based ACL permits or denies traffic according to a configured time range.

Reflexive and Time-Based ACL (Cont.)

Example (Reflexive ACL)

  (config) ip reflexive-list timeout 120
  (config) ipv6 access-list my-refl-OUT-list
    permit tcp 2001:db8:3::/64 any eq 80 reflect ref-tcp
    permit udp 2001:db8:3::/64 any reflect ref-udp
  (config) ipv6 access-list my-refl-IN-list
    evaluate ref-tcp
    evaluate ref-udp
  (config) int f0/1
    ipv6 traffic-filter my-refl-OUT-list out
    ipv6 traffic-filter my-refl-IN-list in

The animation walks three packets through f0/1:
1. PC1 opens a connection to WWW2 (source port tcp 32154, destination port tcp 80). The packet matches the first entry of my-refl-OUT-list and is permitted; the reflect keyword records a temporary entry in ref-tcp for the reverse flow.
2. The reply (source port tcp 80, destination port tcp 32154) arrives inbound on f0/1; evaluate ref-tcp finds the mirror entry and permits it.
3. A packet arriving with source port tcp 12400 and destination port tcp 32154 matches no reflected entry and falls through to the implicit deny.

A reflected entry disappears after the reflexive-list timeout (120 seconds here) passes without matching traffic, so an attacker cannot reuse a stale session long after the client has gone quiet.

Reflexive and Time-Based ACL (Cont.)

Example (Time-Based ACL)

  (config) time-range NON-CORE
    periodic weekdays 12:00 to 13:00
    periodic saturday 0:00 to sunday 23:59
  (config) ipv6 access-list my-timed-list
    permit tcp 2001:db8:3::/64 any eq 80 time-range NON-CORE
    deny tcp 2001:db8:3::/64 any eq 80
    permit ipv6 any any
  (config) int f0/1
    ipv6 traffic-filter my-timed-list out

The first entry is active only while NON-CORE is in effect (the weekday lunch hour and the whole weekend); outside that window the second entry denies HTTP from linkA while the third still permits all other traffic.
–Wednesday 12:30 pm: NON-CORE active, port 80 (HTTP) permitted.
–Wednesday 1:15 am: NON-CORE inactive, port 80 (HTTP) blocked.

Time ranges are evaluated against the router's clock, so the policy is only as trustworthy as that clock; keep it synchronized with NTP.
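The reflexive and time-based behaviour described above, as an added example that is not part of the Cisco course: a Python model of the mirror-entry table behind reflect/evaluate with the 120-second idle timeout, and of the NON-CORE time range. The Flow and ReflexiveTable classes, the timer-refresh-on-traffic rule, the treatment of 13:00 as still inside the range, and the sample dates are assumptions made for the example.

```python
"""Added example (not from the Cisco course): a model of the slide's reflexive
lists on f0/1 and of the my-timed-list time-range logic."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

INSIDE = ip_network("2001:db8:3::/64")        # linkA


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The mirror flow a reflect keyword records: addresses and ports swapped."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class ReflexiveTable:
    """Temporary entries created by 'reflect' and consulted by 'evaluate'."""
    timeout: float = 120.0                    # ip reflexive-list timeout 120
    entries: dict[Flow, float] = field(default_factory=dict)   # mirror flow -> expiry

    def reflect(self, f: Flow, now: float) -> None:
        self.entries[f.reverse()] = now + self.timeout

    def evaluate(self, f: Flow, now: float) -> bool:
        expiry = self.entries.get(f)
        if expiry is None or now > expiry:
            self.entries.pop(f, None)         # idle too long: entry is gone
            return False
        self.entries[f] = now + self.timeout  # assumption: matching traffic refreshes the timer
        return True


def outbound_f0_1(f: Flow, table: ReflexiveTable, now: float) -> str:
    """my-refl-OUT-list: permit tcp 2001:db8:3::/64 any eq 80 reflect ref-tcp
                          permit udp 2001:db8:3::/64 any reflect ref-udp"""
    from_inside = ip_address(f.src) in INSIDE
    if from_inside and ((f.proto == "tcp" and f.dport == 80) or f.proto == "udp"):
        table.reflect(f, now)
        return "permit"
    return "deny"                             # implicit deny ipv6 any any


def inbound_f0_1(f: Flow, table: ReflexiveTable, now: float) -> str:
    """my-refl-IN-list: evaluate ref-tcp / evaluate ref-udp, then the implicit deny."""
    return "permit" if table.evaluate(f, now) else "deny"


def in_non_core(t: datetime) -> bool:
    """time-range NON-CORE: periodic weekdays 12:00 to 13:00
                            periodic saturday 0:00 to sunday 23:59"""
    minutes = t.hour * 60 + t.minute
    if t.weekday() <= 4:                      # Monday=0 .. Friday=4
        return 12 * 60 <= minutes <= 13 * 60
    return True                               # Saturday and Sunday, all day


def timed_list(f: Flow, t: datetime) -> str:
    """my-timed-list (out on f0/1): HTTP from linkA only during NON-CORE."""
    web_from_inside = f.proto == "tcp" and f.dport == 80 and ip_address(f.src) in INSIDE
    if web_from_inside:
        return "permit" if in_non_core(t) else "deny"
    return "permit"                           # permit ipv6 any any


# Constructed flows and instants (2024-01-10 is a Wednesday, 2024-01-13 a Saturday).
PC1_TO_WWW2 = Flow("tcp", "2001:db8:3::100", 32154, "2001:db8:4::400", 80)
STRAY_REPLY = Flow("tcp", "2001:db8:4::400", 12400, "2001:db8:3::100", 32154)
PC1_SSH = Flow("tcp", "2001:db8:3::100", 5000, "2001:db8:4::500", 22)
WED_LUNCH, WED_NIGHT, SAT_EARLY = (datetime(2024, 1, 10, 12, 30),
                                   datetime(2024, 1, 10, 1, 15),
                                   datetime(2024, 1, 13, 3, 0))

if __name__ == "__main__":
    table = ReflexiveTable()
    print("SYN out   ", outbound_f0_1(PC1_TO_WWW2, table, now=0.0))
    print("reply in  ", inbound_f0_1(PC1_TO_WWW2.reverse(), table, now=10.0))
    print("stray in  ", inbound_f0_1(STRAY_REPLY, table, now=11.0))
    print("late reply", inbound_f0_1(PC1_TO_WWW2.reverse(), table, now=200.0))
    print("HTTP Wed 12:30", timed_list(PC1_TO_WWW2, WED_LUNCH))
    print("HTTP Wed 01:15", timed_list(PC1_TO_WWW2, WED_NIGHT))
```

The stray packet with source port 12400 is the slide's third animation frame: nothing reflected it, so evaluate fails and the implicit deny drops it, which is exactly the protection a reflexive list adds over a static permit of "established" return traffic.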

Cisco IOS IPv6 Header Filtering

Extended ACL entries can also match on fields of the IPv6 header and on the extension-header chain:
–DSCP: value
–Flow label: value
–Fragment header: presence (the fragments keyword; IOS matches non-initial fragments, those with a nonzero fragment offset)
–Routing header: presence (the routing keyword; a specific routing-type can also be matched, which matters because type 0 routing headers were deprecated by RFC 5095)
–Unknown next header: presence (the upper-layer protocol cannot be determined from the packet)

Cisco IOS IPv6 Header Filtering (Cont.)

Example (Extended ACL Filtering on IPv6 Header Values)

  (config) ipv6 access-list my-hdrcheck-list
    deny ipv6 2001:db8:3::/64 any dscp af12 fragments routing
    permit ipv6 any any
  (config) int f0/0
    ipv6 traffic-filter my-hdrcheck-list in

All qualifiers on one entry must hold at once: the deny applies only to packets from linkA that carry DSCP af12, a fragment header and a routing header. The animation shows two packets arriving on f0/0:
–A DSCP af12 packet whose Next Header is routing, whose routing extension header points to a fragment extension header, and whose fragment header points to TCP. It matches every qualifier and is dropped.
–A standard packet with no extension headers matches none of them and is permitted by the second entry.

[Figure: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header = routing, Hop Limit, Source Address, Destination Address) → Routing extension header (Next Header = fragmentation) → Fragment extension header (Next Header = TCP) → TCP header and data.]
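How a filter actually finds those header facts, as an added example that is not part of the Cisco course: a Python parser that walks the Next Header chain of a raw IPv6 packet, reports DSCP, flow label, routing and fragment headers and whether the transport protocol can be determined, then applies the slide's my-hdrcheck-list to constructed packets. The build_packet helper, the packets it constructs, the assumption that the fragments keyword matches only non-initial fragments, and the rule that a transport is "determined" only when its first 8 bytes are present are all assumptions made for the example.

```python
"""Added example (not from the Cisco course): derive the facts behind the
dscp, flow-label, fragments, routing and undetermined-transport ACL keywords
from raw IPv6 bytes, and apply the slide's my-hdrcheck-list to them."""
from __future__ import annotations
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_network
from typing import Optional

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS = 0, 43, 44, 51, 60
TCP, NO_NEXT_HEADER = 6, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}
AF12 = 12                                      # DSCP value behind the af12 keyword
INSIDE = ip_network("2001:db8:3::/64")         # linkA


@dataclass
class HeaderFacts:
    dscp: int
    flow_label: int
    routing: bool = False
    routing_type: Optional[int] = None
    fragment: bool = False
    fragment_offset: Optional[int] = None
    transport: Optional[int] = None            # None = undetermined transport


def parse_ipv6(pkt: bytes) -> HeaderFacts:
    first_word, payload_len, nh, _hop = struct.unpack_from("!IHBB", pkt, 0)
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    traffic_class = (first_word >> 20) & 0xFF
    facts = HeaderFacts(dscp=traffic_class >> 2, flow_label=first_word & 0xFFFFF)
    off, end = 40, min(len(pkt), 40 + payload_len)
    while nh in EXT_HEADERS:
        if off + 8 > end:
            return facts                       # chain runs off the end: transport unknown
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            hdr_len = 8
            facts.fragment = True
            facts.fragment_offset = struct.unpack_from("!H", pkt, off + 2)[0] >> 3
            if facts.fragment_offset:          # non-initial fragment: no L4 header here
                return facts
        elif nh == AH:
            hdr_len = (ext_len + 2) * 4        # AH length is in 32-bit words, minus 2
        else:
            hdr_len = (ext_len + 1) * 8        # other headers: 8-octet units, not counting the first
            if nh == ROUTING:
                facts.routing, facts.routing_type = True, pkt[off + 2]
        off += hdr_len
        nh = next_nh
    if nh != NO_NEXT_HEADER and off + 8 <= end:   # assumption: ports/type bytes must be present
        facts.transport = nh
    return facts


def my_hdrcheck_list(pkt: bytes) -> str:
    """deny ipv6 2001:db8:3::/64 any dscp af12 fragments routing / permit ipv6 any any.
    Every qualifier on the deny must hold; 'fragments' is taken to mean a
    non-initial fragment (nonzero offset)."""
    f = parse_ipv6(pkt)
    src = IPv6Address(pkt[8:24])
    non_initial_fragment = f.fragment and bool(f.fragment_offset)
    if src in INSIDE and f.dscp == AF12 and non_initial_fragment and f.routing:
        return "deny"
    return "permit"


def build_packet(dscp: int, chain: list[int], frag_offset: int = 0,
                 src: str = "2001:db8:3::100", dst: str = "2001:db8:4::400") -> bytes:
    """Constructed packet: IPv6 header, the extension headers in 'chain' order,
    then a minimal TCP SYN (omitted for a non-initial fragment)."""
    next_headers = chain + [TCP]
    body = b""
    for i, hdr in enumerate(chain):
        nxt = next_headers[i + 1]
        if hdr == ROUTING:                     # type 0, 0 segments left, 4 reserved bytes
            body += bytes([nxt, 0, 0, 0]) + b"\x00" * 4
        elif hdr == FRAGMENT:                  # offset<<3 | M flag, then 4-byte identification
            body += bytes([nxt, 0]) + struct.pack("!H", (frag_offset << 3) | 1) + b"\x00\x00\x00\x01"
        elif hdr in (HOP_BY_HOP, DEST_OPTS):   # a single PadN option filling the 8 bytes
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])
        else:
            raise ValueError(f"unsupported header {hdr} in constructed chain")
    if frag_offset == 0:                       # sport 32154, dport 80, SYN
        body += struct.pack("!HHIIBBHHH", 32154, 80, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    first_word = (6 << 28) | (dscp << 22)      # version 6, DSCP in the top 6 bits of traffic class
    hdr = struct.pack("!IHBB", first_word, len(body), next_headers[0], 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + body


if __name__ == "__main__":
    for label, pkt in (("af12 + routing + fragment", build_packet(AF12, [ROUTING, FRAGMENT], frag_offset=1)),
                       ("standard packet", build_packet(0, []))):
        print(f"{label:28} {parse_ipv6(pkt)} -> {my_hdrcheck_list(pkt)}")
```

The first-fragment case is worth checking: a packet whose fragment header has offset 0 still carries the TCP header, so under the non-initial-fragment reading of the keyword it is permitted, which is why filters that must catch the whole fragment train typically add a separate entry matching the routing header alone.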

Cisco IOS New ICMPv6 Types

ICMPv6 carries message types that have no ICMPv4 equivalent, and an ACL that filters ICMP must account for them:
–Error messages
–Information messages
–Multicast (Multicast Listener Discovery) messages
–Router Solicitation/Router Advertisement and Neighbor Solicitation/Neighbor Advertisement messages (Neighbor Discovery)
–Mobility (Mobile IPv6) messages

Because IPv6 routers never fragment packets in transit, the Packet Too Big error message must be allowed through or path MTU discovery, and with it large transfers, will fail.

Cisco IOS New ICMPv6 Types (Cont.)

Example (Extended ACL Filtering on ICMPv6 Types)

  (config) ipv6 access-list my-ICMPv6-list
    deny icmp any any echo-request
    deny icmp any any router-solicitation
    permit ipv6 any any
  (config) int f0/1
    ipv6 traffic-filter my-ICMPv6-list in

A host on linkC sending echo-request packets toward f0/1 is blocked by the first entry, Router Solicitations arriving on f0/1 are blocked by the second, and everything else, Neighbor Solicitation and Neighbor Advertisement included, is permitted by the third.

How to Configure ACLs in an IPv6 Environment

ACL configuration procedure:
1. Design the traffic flows: which sources may reach which destinations and services, and in which direction.
2. Examine the interfaces: decide where each flow is best filtered and whether the filter applies inbound or outbound.
3. Create the ACL.
4. Build and apply ACLs with ipv6 traffic-filter on the chosen interfaces.
5. Test the ACL: generate each designed flow and confirm the expected result; show ipv6 access-list displays the per-entry match counters.

How to Configure ACLs in an IPv6 Environment (Cont.)

Example

[Figure: the lesson topology labelled by zone. The Enterprise DMZ side holds linkA 2001:db8:3::/64 (PC1 ::100, PC2 ::200, WWW1 ::300) and linkB 2001:db8:5::/64; f0/1 leads to the Enterprise Core on linkC 2001:db8:4::/64 (WWW2 ::400, Access1 ::500 offering SSH, Telnet and other services) and on to the Internet.]

  time-range LUNCH
    periodic weekdays 12:00 to 13:00
  !
  ip reflexive-list timeout 120
  !
  ipv6 access-list my-OUTf0/1-list
    permit ipv6 host 2001:db8:3::100 host 2001:db8:4::500 reflect REFLany
    permit tcp host 2001:db8:3::200 host 2001:db8:4::500 eq 22 reflect REFLssh
    permit tcp host 2001:db8:3::100 host 2001:db8:4::400 eq 80 reflect REFLweb
    permit ipv6 any any time-range LUNCH
  !
  ipv6 access-list my-INf0/1-list
    deny ipv6 any any fragments
    deny icmp any 2001:db8:3::/64 echo-request
    evaluate REFLany
    evaluate REFLssh
    evaluate REFLweb
  !
  int f0/1
    ipv6 traffic-filter my-OUTf0/1-list out
    ipv6 traffic-filter my-INf0/1-list in

The design, step by step: outbound on f0/1, PC1 may reach Access1 with any protocol, PC2 may reach Access1 over SSH (tcp/22), PC1 may reach WWW2 over HTTP (tcp/80), and during the LUNCH window anything may leave; the first three entries reflect their sessions. Inbound on f0/1, non-initial fragments and pings into linkA are dropped first, then only the return traffic of reflected sessions is admitted, and everything else falls to the implicit deny. Two points to verify when testing: the LUNCH entry carries no reflect keyword, so a session it permits gets no return entry inbound unless one of the reflected entries also matched it; and because both inbound deny entries are qualified (fragments, echo-request) rather than a bare deny ipv6 any any, the implicit Neighbor Discovery permits remain in effect on f0/1.

Summary

–A standard ACL examines only source and destination addresses; an extended ACL matches on more IPv6 header fields.
–A reflexive ACL controls traffic flow based on the session initiator; a time-based ACL controls it based on time ranges.
–An extended ACL can also examine the new IPv6 header fields (DSCP, flow label, fragment and routing headers, undetermined transport) and the new ICMPv6 types.
–Configuring ACLs involves designing the traffic flows; examining the interfaces; creating, building and applying the ACL; and testing the ACL.
