Thursday, May 22, 2008

May NoVA Sec Meeting on IPv6 Security

Quick post on tonight's NoVA Sec meeting. It was on IPv6 security. I went thinking it would be the standard blah blah IPv6 talk I have seen 10 other times, but it wasn't. Joe Klein of Command Information gave a really, really good talk on IPv6 security issues. He gave just a taste of the fun network hacking things to come and I'm pretty excited about it.

He covered a lot, but the big stuff was IPv6 addressing schemes (basically how the addresses are being, and are going to be, assigned), how well current FW/router/OS vendors are doing with IPv6 integration and support, how well security scanners are doing with IPv6, and some talk about all the broken stuff in IPv6.

Things I took away from the talk:
- Snort 2.8.whatever and Snort 3 (which natively supports IPv6) have a whopping 6 alerts for IPv6. So it looks like if you can identify some IPv6 boxes you can scan them all day and probably not generate an alert.
- Most FW admins aren't blocking things on IPv6 addresses, so your IPv4 address space/ports might be locked up tight but IPv6 is open to the world.
- Applications can bind to one, several or all IPv6 addresses, so we'll probably start seeing malware binding to some random globally addressable IPv6 address and pretty much being hidden.
- Also a bit on discovery of IPv6 devices on the network: at this point you mostly need to do passive scanning to see if anyone is talking in IPv6 protocols on the network and go from there, or query DNS.

There was tons more but that's about all I can think of right now. Oh and they offer training on IPv6 Security, so maybe something worth looking into.
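A defender-side check for the point above about applications binding to a single IPv6 address, added here as an example and not taken from the talk or the original post: it decodes Linux `/proc/net/tcp6` and lists listeners by the scope of the address they are bound to. The sample rows are constructed, a little-endian host is assumed, and `2001:db8::/32` (the documentation prefix) stands in for a globally routable address.

```python
import ipaddress

# Constructed sample in the layout of Linux /proc/net/tcp6 (little-endian host).
SAMPLE = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20101 1 0000000000000000 100 0 0 10 0
   1: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20102 1 0000000000000000 100 0 0 10 0
   2: B80D0120000000000000000034120000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20103 1 0000000000000000 100 0 0 10 0
   3: B80D0120000000000000000034120000:C350 B80D0120000000000000000099990000:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20104 1 0000000000000000 100 0 0 10 0
"""
TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp*

def decode_addr(hex_addr, byteorder="little"):
    """The kernel prints the address as four 32-bit words in host byte order."""
    words = [hex_addr[i:i + 8] for i in range(0, 32, 8)]
    raw = b"".join(int(w, 16).to_bytes(4, byteorder) for w in words)
    return ipaddress.IPv6Address(raw)

def scope(addr):
    """Coarse label for what a listener is bound to."""
    if addr.is_unspecified:
        return "all-addresses"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.ipv4_mapped is not None:
        return "ipv4-mapped"
    return "specific-address"

def listeners(text):
    """Return (address, port, scope, uid) for every socket in LISTEN state."""
    found = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:    # ignore non-listening sockets
            continue
        host, port = f[1].split(":")
        addr = decode_addr(host)
        found.append((str(addr), int(port, 16), scope(addr), int(f[7])))
    return found

def review(text):
    """Listeners bound to one specific non-local IPv6 address: worth a look."""
    return [l for l in listeners(text) if l[2] == "specific-address"]

if __name__ == "__main__":
    for entry in review(SAMPLE):
        print("review:", entry)
```

On a live host, pass the contents of `/proc/net/tcp6` instead of `SAMPLE` and compare the result against what the IPv6 firewall policy is supposed to allow.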
