Easing the Transition to IPv6 with NetFlow
Chris Smithee,
Strategic Solutions Architect
Know Your Network, Run Your Business
Why should we change to IPv6?
Federal mandate if you’re a government agency
– On Sept 28, 2010 a federal mandate (OMB memo) was issued requiring federal agencies to have public-facing web services on IPv6 by the end of 2012 and internal IPv6 by 2014
https://cio.gov/wp-content/uploads/downloads/2012/09/Transition-to-IPv6.pdf
Eventually companies will have to be on IPv6 to do business
Dwindling IPv4 space creates problems
– No address space left for new Internet-facing companies
– Workarounds for exhaustion (layered and carrier-grade NAT, heavy address sharing) hide the per-host visibility that monitoring and mitigation depend on
You may already be using it locally, inadvertently: modern operating systems enable IPv6 by default and bring up link-local, and often tunnelled (6to4, Teredo), connectivity on their own
2 ©2011 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Perception of the problem
Changing to IPv6 exposes me to unknown problems and threats
– Yes, but so does not changing to IPv6. New threats are discovered and created daily; there always has to be a plan to mitigate the next unknown, and an IPv6 stack you never planned for is one of them.
It’s expensive to convert
– Most companies have refresh cycles for equipment; time the IPv6 upgrades to coincide with the network refresh. Dual-stack (mixed-mode) environments avoid a simultaneous global rollout of IPv6 as a service.
I have to plan the upgrade and I don’t have enough time
– Start planning if you haven’t already. Avoiding the problem won’t make it go away; it simply introduces a time crunch later. This isn’t a change you have to make overnight.
I’m not sure I can monitor IPv6 traffic effectively
– Virtually all classes of monitoring tools have caught up to some level of IPv6 support. Work with your vendor to find out what theirs does. If it falls short, there ARE alternatives; let your vendors know that you are aware of that.
How can NetFlow help me?
NetFlow v5* (most common)
* fixed 48-byte record format, cannot be extended to include new fields, and carries only 32-bit IPv4 addresses: a v5 exporter cannot report IPv6 flows at all. NetFlow v9 (RFC 3954) and IPFIX (RFC 7011) describe records with templates, so an exporter can advertise the IPv6 fields below and a template-aware collector picks them up.

NetFlow Version 9: Key Fields
IPv4
– IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination)
– Protocol, Fragmentation Flags, Fragmentation Offset, Identification, Header Length, Total Length, Payload Size
– Packet Section (Header), Packet Section (Payload)
– TTL, Options bitmap, Version, Precedence, DSCP, TOS
IPv6
– IP (Source or Destination), Prefix (Source or Destination), Mask (Source or Destination), Minimum-Mask (Source or Destination)
– Protocol, Traffic Class, Flow Label, Option Header, Header Length, Payload Length, Payload Size
– Packet Section (Header), Packet Section (Payload)
– DSCP, Extension Headers, Hop-Limit, Length, Next-header, Version
Interface
– Input, Output
Flow
– Sampler ID, Direction
Layer 2
– Source MAC address, Destination MAC address, Dot1q VLAN, Source VLAN, Dest VLAN, Dot1q priority
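As an added example (not code from the deck or from Lancope), the following Python builds one NetFlow v9 export packet carrying IPv6 flows under a template and parses it back the way a collector must: the template flowset (ID 0) is read first, data flowsets are decoded only against a template already seen, and a v5 header is rejected because that fixed format has no place for a 16-byte address. The field type numbers are from RFC 3954; the template, the sample flow records and the demo() helper are constructed for the example.

```python
"""NetFlow v9 export, built and parsed end to end, showing why IPv6 needs a
template-based version: v5's fixed record has no field for a 16-byte address.
Added example with constructed records; not Lancope code."""
import ipaddress
import struct

# Field type IDs from RFC 3954 (subset). IPv4 and IPv6 address fields map onto the
# same record keys so downstream code can stay version-agnostic.
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT, L4_DST_PORT = 1, 2, 4, 7, 11
IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV6_SRC_ADDR, IPV6_DST_ADDR = 8, 12, 27, 28
ADDRESS_FIELDS = {IPV4_SRC_ADDR, IPV4_DST_ADDR, IPV6_SRC_ADDR, IPV6_DST_ADDR}
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port", 11: "dst_port",
               8: "src_ip", 12: "dst_ip", 27: "src_ip", 28: "dst_ip"}

# Template the constructed exporter advertises: (field_type, field_length_bytes).
IPV6_TEMPLATE_ID = 256                     # data flowset IDs start at 256
IPV6_TEMPLATE = [(IPV6_SRC_ADDR, 16), (IPV6_DST_ADDR, 16), (L4_SRC_PORT, 2),
                 (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_PKTS, 4), (IN_BYTES, 4)]

# Constructed sample flows (RFC 3849 documentation prefix), not captured traffic.
SAMPLE_FLOWS = [
    {"src_ip": "2001:db8:1::10", "dst_ip": "2001:db8:2::53", "src_port": 50123,
     "dst_port": 53, "protocol": 17, "in_pkts": 1, "in_bytes": 78},
    {"src_ip": "fe80::1", "dst_ip": "ff02::1", "src_port": 0,
     "dst_port": 0, "protocol": 58, "in_pkts": 3, "in_bytes": 240},
]


def _encode_field(ftype, flen, value):
    if ftype in ADDRESS_FIELDS:
        return ipaddress.ip_address(value).packed    # 4 or 16 bytes, network order
    return int(value).to_bytes(flen, "big")


def _decode_field(ftype, raw):
    if ftype in ADDRESS_FIELDS:
        return str(ipaddress.ip_address(raw))
    return int.from_bytes(raw, "big")


def build_v9_packet(template_id, template, records):
    """One export packet: 20-byte header, template flowset (ID 0), data flowset."""
    tmpl_body = struct.pack("!HH", template_id, len(template))
    tmpl_body += b"".join(struct.pack("!HH", t, l) for t, l in template)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    data_body = b"".join(_encode_field(t, l, rec[FIELD_NAMES[t]])
                         for rec in records for t, l in template)
    pad = (-(4 + len(data_body))) % 4                 # flowsets end on a 4-byte boundary
    data_fs = struct.pack("!HH", template_id, 4 + len(data_body) + pad) + data_body + b"\0" * pad
    # version, record count (template + data), sysUptime, unix secs, sequence, source ID
    header = struct.pack("!HHIIII", 9, 1 + len(records), 0, 0, 1, 0)
    return header + tmpl_fs + data_fs


def parse_v9(packet, templates=None):
    """Decode one packet. Templates persist in the dict across calls, as a collector
    must keep them: data arriving before its template cannot be decoded."""
    templates = {} if templates is None else templates
    version, _count = struct.unpack("!HH", packet[:4])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version}); v5 cannot carry IPv6")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                # template flowset
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                templates[tid] = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4])
                                  for i in range(nfields)]
                p += 4 * nfields
        elif fs_id >= 256 and fs_id in templates:    # data flowset with a known template
            tmpl = templates[fs_id]
            rec_len = sum(l for _, l in tmpl)
            p = 0
            while p + rec_len <= len(body):           # trailing bytes < rec_len are padding
                rec, q = {}, p
                for t, l in tmpl:
                    rec[FIELD_NAMES.get(t, f"field_{t}")] = _decode_field(t, body[q:q + l])
                    q += l
                rec["ip_version"] = 6 if any(t in (27, 28) for t, _ in tmpl) else 4
                records.append(rec)
                p += rec_len
        off += fs_len
    return records, templates


def demo():
    """Round-trip the constructed flows and return the decoded records."""
    return parse_v9(build_v9_packet(IPV6_TEMPLATE_ID, IPV6_TEMPLATE, SAMPLE_FLOWS))[0]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The practical check this illustrates: a collector that drops or never receives the template flowset silently decodes nothing from the data flowsets, which on a freshly enabled IPv6 exporter looks exactly like "no IPv6 traffic". Confirm template refresh is on at the exporter and that the collector reports templates received, not just packets.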
Track Rate of Adoption
– (chart not reproduced in the transcript) the share of flows and bytes carried over IPv6, trended over time from the flow records
Inventory Reporting
– (chart not reproduced in the transcript) which hosts have been observed speaking IPv6, collected passively from the flows rather than by scanning
Significant implications for vulnerability scans
IPv6 has a LOT of addresses
– Leading practice for ISPs is to assign a site a /48. That leaves 80 bits of host space: 2^80 addresses, about 1.2 × 10^24
– Unfiltered (brute-force) scans of such a range are infeasible; scope scanners to the addresses that flow records show are actually in use, and expect attackers to do the same with DNS, neighbor tables and traffic observation rather than sweeping
Helpful subnetting link:
https://supportforums.cisco.com/docs/DOC-17232
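An added example (not Lancope code) covering the adoption-tracking and inventory slides above and the scan-scoping point just made: it classifies each address seen in flow records (native, link-local, ULA, Teredo, 6to4), counts adoption per family with tunnelled IPv6 split out because it is the "inadvertent" kind, builds a host inventory that resolves Teredo and 6to4 addresses back to the IPv4 host behind them, and derives a scan list from the hosts actually observed inside a prefix instead of sweeping it. It assumes flow records reduced to (src, dst, bytes) tuples and RFC 1918 as the internal IPv4 range; the sample flows are constructed on documentation prefixes plus the RFC 4380 Teredo example address.

```python
"""Passive IPv6 inventory and adoption metrics from flow records, and a scan list
built from observed hosts instead of a /48 sweep. Added example with constructed
flows on documentation and transition prefixes; not Lancope code."""
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, bytes). Addresses use RFC 5737 / RFC 3849
# documentation ranges plus RFC 4380 (Teredo) and RFC 3056 (6to4) forms.
FLOWS = [
    ("10.1.2.10", "203.0.113.7", 12000),
    ("10.1.2.11", "10.1.2.53", 300),
    ("2001:db8:1::10", "2001:db8:9::1", 9000),
    ("2001:db8:1::10", "2001:db8:1::53", 200),
    ("fe80::5054:ff:fe12:3456", "ff02::1", 120),                     # link-local to all-nodes
    ("2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8:9::1", 800),  # Teredo client (RFC 4380 example)
    ("2002:c000:201::1", "2001:db8:9::2", 500),                      # 6to4 derived from 192.0.2.1
    ("fd00:1234::20", "fd00:1234::21", 4000),                        # ULA, internal only
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ULA, TEREDO, SIX_TO_FOUR = (ipaddress.ip_network(n) for n in ("fc00::/7", "2001::/32", "2002::/16"))
TUNNELLED = {"v6-teredo", "v6-6to4"}     # IPv6 encapsulated in IPv4: invisible to v4-only policy


def classify(addr):
    """Bucket an address so inadvertent and tunnelled IPv6 stand out from native use."""
    a = ipaddress.ip_address(addr)
    if a.version == 4:
        return "v4-internal" if any(a in n for n in RFC1918) else "v4-external"
    if a.is_link_local:
        return "v6-link-local"
    if a.is_multicast:
        return "v6-multicast"
    if a in ULA:
        return "v6-ula"
    if a in TEREDO:
        return "v6-teredo"
    if a in SIX_TO_FOUR:
        return "v6-6to4"
    return "v6-global"


def embedded_ipv4(addr):
    """IPv4 host behind a Teredo or 6to4 address: the asset that belongs on the inventory."""
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a.teredo:
        return str(a.teredo[1])                      # (server, client); client is the host
    if a.version == 6 and a.sixtofour:
        return str(a.sixtofour)
    return None


def adoption(flows):
    """Flow and byte totals per family. Tunnelled IPv6 is counted separately because
    it rides over IPv4 and is usually the IPv6 an organisation does not know it runs."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, nbytes in flows:
        key = f"v{ipaddress.ip_address(src).version}"
        if classify(src) in TUNNELLED or classify(dst) in TUNNELLED:
            key = "v6-tunnelled"
        stats[key]["flows"] += 1
        stats[key]["bytes"] += nbytes
    total = sum(s["flows"] for s in stats.values())
    return {k: dict(v, flow_share=round(v["flows"] / total, 3)) for k, v in stats.items()}


def inventory(flows):
    """Hosts seen on the wire, with the address classes each one used."""
    seen = defaultdict(set)
    for src, dst, _ in flows:
        for addr in (src, dst):
            cls = classify(addr)
            if cls == "v6-multicast":
                continue
            seen[embedded_ipv4(addr) or addr].add(cls)
    return {h: sorted(c) for h, c in seen.items()}


def scan_targets(flows, my_prefix):
    """Addresses actually observed inside your prefix: the scan scope for a /48 you cannot sweep."""
    net = ipaddress.ip_network(my_prefix)
    seen = {ipaddress.ip_address(a) for src, dst, _ in flows for a in (src, dst)}
    hits = sorted(a for a in seen if a.version == net.version and a in net and not a.is_multicast)
    return [str(a) for a in hits]


def sweep_size(prefix):
    """How many addresses a brute-force sweep of the prefix would have to probe."""
    return ipaddress.ip_network(prefix).num_addresses


if __name__ == "__main__":
    print(adoption(FLOWS))
    print(inventory(FLOWS))
    print(scan_targets(FLOWS, "2001:db8:1::/48"), "of", sweep_size("2001:db8:1::/48"))
```

The classification deliberately avoids the ipaddress module's is_private/is_global properties for IPv6, which treat the documentation and Teredo ranges as private and would fold the transition traffic into the wrong bucket; explicit prefix membership is what you want in a report that is meant to surface exactly that traffic.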
See the unseen
There will always be something that slides through the cracks of your best detection technologies. At a minimum, NetFlow is the network accounting record that shows you how it happened.
Flow-based Anomaly Detection
Behavior-based Analysis
NetFlow security use cases
• Identifying BotNet Command & Control Activity. Bots implanted in the enterprise take commands from their bot herders to send spam, launch denial-of-service attacks, or perform other malicious acts; the regular check-ins to the controller are visible in flow records even when the payload is encrypted.
• Revealing Data Loss. Code hidden in the enterprise can export sensitive information back to the attacker. This data leakage may occur rapidly or slowly over time, so outbound byte totals per host and destination have to be accumulated, not just inspected per flow.
• Detecting Sophisticated and Persistent Threats. Malware that makes it past perimeter security can remain in the enterprise as a lurking threat, waiting to strike. These may be zero-day threats that do not yet have an antivirus signature, or may be hard to detect for other reasons.
• Finding Internally Spread Malware. Malware can proliferate across interior hosts for the purpose of gathering reconnaissance data, exfiltrating data, or planting network backdoors; the resulting host-to-host traffic never crosses a perimeter sensor.
• Uncovering Network Reconnaissance. Some attacks first probe the network looking for attack vectors to be used by custom-crafted threats; the fan-out of one host to many addresses and ports is a flow-level signature.
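An added example (not Lancope's StealthWatch logic) that runs three of the use cases above as flow-level detections over constructed records: beaconing to a command-and-control host (inter-flow gaps too regular to be a person), bulk outbound transfer accumulated per internal host and external destination (so a slow leak trips it as well as one big push), and internal reconnaissance (one host fanning out to many internal destinations with tiny flows). It assumes 10.0.0.0/8 as the enterprise range and records reduced to (start time, src, dst, dst port, bytes sent, bytes received); the thresholds and the sample flows are constructed and illustrative.

```python
"""Three flow-based detections over constructed records: C2 beaconing, bulk outbound
transfer, and internal reconnaissance. Added example, not Lancope's StealthWatch logic;
thresholds are illustrative and would be tuned per network."""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed enterprise range (constructed)

# Constructed records: (start_seconds, src, dst, dst_port, bytes_sent, bytes_received)
FLOWS = []
FLOWS += [(t, "10.1.2.10", "203.0.113.7", 443, 800, 15000) for t in (100, 340, 905, 1650)]   # browsing
FLOWS += [(t, "10.1.2.20", "198.51.100.9", 443, 420, 180) for t in range(0, 3600, 300)]      # beacon every 300 s
FLOWS += [(2000, "10.1.2.30", "198.51.100.45", 443, 300_000_000, 9000)]                      # 300 MB out
FLOWS += [(2500 + i, "10.1.2.40", f"10.1.2.{100 + i}", 445, 120, 0) for i in range(40)]       # SMB sweep


def internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def beacons(flows, min_flows=6, max_cv=0.15):
    """(src, dst, port) pairs to outside hosts whose inter-flow gaps are suspiciously regular.
    Coefficient of variation of the gaps near zero means a timer, not a person."""
    times = defaultdict(list)
    for t, src, dst, port, *_ in flows:
        if internal(src) and not internal(dst):
            times[(src, dst, port)].append(t)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if cv <= max_cv:
            hits.append({"pair": pair, "flows": len(ts), "period_s": round(mean(gaps)), "cv": round(cv, 3)})
    return hits


def bulk_uploads(flows, min_bytes=50_000_000, min_ratio=10.0):
    """Internal hosts that sent far more to an outside address than they got back.
    Totals accumulate across flows, so slow leaks trip it as well as one big push."""
    totals = defaultdict(lambda: [0, 0])
    for _, src, dst, _, out, inc in flows:
        if internal(src) and not internal(dst):
            totals[(src, dst)][0] += out
            totals[(src, dst)][1] += inc
    return [{"pair": p, "bytes_out": o, "bytes_in": i}
            for p, (o, i) in totals.items() if o >= min_bytes and o >= min_ratio * max(i, 1)]


def recon(flows, min_targets=20, max_bytes=500):
    """Internal hosts fanning out to many internal (dst, port) pairs with tiny flows."""
    targets = defaultdict(set)
    for _, src, dst, port, out, inc in flows:
        if internal(src) and internal(dst) and out + inc <= max_bytes:
            targets[src].add((dst, port))
    return [{"src": s, "targets": len(t)} for s, t in targets.items() if len(t) >= min_targets]


def run(flows=FLOWS):
    return {"beacons": beacons(flows), "bulk_uploads": bulk_uploads(flows), "recon": recon(flows)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

None of the three look at packet contents, which is the point of the slide: they work the same on IPv4 and IPv6 flows, and on encrypted traffic, as long as the exporter reports the flows at all. Real beacons add jitter, so in production the coefficient-of-variation threshold is loosened and combined with a long observation window and a destination reputation check rather than used alone.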