Category: Security

ISC’s “IPv6 Security Focus Month” Begins


As we mentioned previously, the handlers at the SANS Institute’s “Internet Storm Center (ISC)” have indicated that March will be their “IPv6 Focus Month”. To that end, they’ve started off the month with a list of IPv6 resources they have previously published at the ISC and their list does include some great content (some of which we’ll probably add links to as “resources” here on the site):

It’s great to see this information coming out of SANS – and we look forward to seeing what other IPv6 security stories and tools they write about during this month.

SANS Seeking IPv6 Security Stories/Tools For “IPv6 Focus Month” In March

Got an IPv6 security problem you’d like to share? A solution to an IPv6 security problem that you want to tell others about? If so, the team behind the Internet Storm Center (ISC) would love to share your stories as part of their IPv6 Focus Month they are planning for March 2013. Johannes Ullrich of the SANS Technology Institute (the organization behind the ISC) wrote that they are seeking articles about:

  • a security problem you ran into with IPv6
  • a solution to a security problem (even better)
  • a tool that works really well (or not at all) with IPv6
  • a way to solve an IPv4 security problem by switching to IPv6

Articles – or just ideas – can be submitted via the ISC contact form or to handlers@sans.edu.

We applaud this initiative from SANS and we look forward to seeing what IPv6 security stories they highlight in March – and we may do what we can to further help spread the news about tools and services they promote.

If you’ve got an idea, please do send it in to the ISC team – it’s great to get more info about IPv6 security out there!

Oracle Buys Acme Packet For $2 Billion To Gain SIP Session Border Controllers (SBCs) And More

Fascinating news today out of Oracle that they have purchased Acme Packet in a transaction estimated to be around $2 billion US. For those of you not really tracking the VoIP security space, Acme Packet is probably the world's largest vendor of "session border controllers (SBCs)", devices that are used to securely and reliably interconnect VoIP networks. SBCs also play a very important role in helping with interoperability of Session Initiation Protocol (SIP) signaling between the SIP products and networks of different vendors.

As Andy Abramson writes, the fascinating aspect of this acquisition is this:

This is an interesting grab by one of the tech world's true giants because it squarely puts Oracle into a game where they begin to compete with the giants of telecom, many of whom run Oracle software to drive things including SBC's, media gateways and firewall technology that's sold.

This acquisition does put Oracle VERY firmly into the telecom sector at a carrier / large enterprise level, as Acme Packet's products are widely used within that tier of companies. As the news release notes:

"The company's solutions are deployed by more than 1,900 service providers and enterprises globally, including 89 of world's top 100 communications companies."

Acme Packet has also long been recognized as a leader by analyst firms such as Gartner. People from Acme Packet, in particular Hadriel Kaplan, have also been extremely involved with industry efforts such as the SIP Forum and standards activity in the IETF.

As far as integration, Oracle already has a wide array of "communications" products, including several unified communications (UC) products that could potentially interact with Acme Packet products extremely well. Beyond all of that, though, this acquisition will have Oracle being a strong player in providing telecom infrastructure as we continue to collectively move to basing all our communications on top of IP.

Congratulations to my friends at Acme Packet and Oracle... and I wish them the best as they proceed down the path to completing this acquisition.



New Internet-Draft: Balanced IPv6 Security for Residential CPE

What should the appropriate IPv6 security policy be for residential customers?  How can they get the benefits of IPv6 while still ensuring that their home networks are secure?  These are the questions pursued in a new Internet-Draft available today:

http://tools.ietf.org/html/draft-v6ops-vyncke-balanced-ipv6-security

The abstract and introduction explain quite well how this applies to “customer premise equipment (CPE)”:

Internet access in residential IPv4 deployments generally consist of a single IPv4 address provided by the service provider for each home. Residential CPE then translates the single address into multiple private IPv4 addresses allowing more than one device in the home, but at the cost of losing end-to-end reachability.  IPv6 allows all devices to have a unique, global, IP address, restoring end-to-end reachability directly between any device.  Such reachability is very powerful for ubiquitous global connectivity, and is often heralded as one of the significant advantages to IPv6 over IPv4.  Despite this, concern about exposure to inbound packets from the IPv6 Internet (which would otherwise be dropped by the address translation function if they had been sent from the IPv4 Internet) remain.  This document describes firewall functionality for an IPv6 CPE which departs from the “simple security” model described in [RFC6092] .  The intention is to provide an example of a security model which allows most traffic, including incoming unsolicited packets and connections, to traverse the CPE unless the CPE identifies the traffic as potentially harmful based on a set of rules.  This model has been deployed successfully in Switzerland by Swisscom without any known security incident.

This document is applicable to off-the-shelves CPE as well to managed Service Provider CPE.

The authors welcome comments to the draft and their email addresses can be found at the end of the document. It’s definitely a worthwhile contribution to the IPv6 security discussion and could provide useful guidance to operators seeking to understand how they should configure customer equipment to allow IPv6 yet still remain secure.

Last Day To Submit Speaking Proposals for SIPNOC2013

Got a great idea for a talk to give to an excellent gathering of SIP/VoIP network operators? Have a new way of handling security? Have a case study you'd like to present for how you solved an operational issue?

The SIP Network Operators Conference (SIPNOC) is an outstanding event happening in Herndon, Virginia, USA, from April 22-25. It brings together network operators working with SIP / VoIP networks for several days of talks, networking (of the human kind) and education. I've gone the past two years, speaking about IPv6, and they are truly excellent conferences. Not too big, not too small... and with an extremely high quality of people both attending and speaking.

If you think you'd like to present, TODAY, January 25, 2013, is the end of the call for presentations for SIPNOC 2013. They are seeking presentations on topics such as (see the CFP for more detail):

  • Peering
  • SIP Trunking
  • Congestion Control
  • Applications/content Development
  • Interoperability
  • Call Routing
  • Security
  • Monitoring/Troubleshooting and Operational Issues
  • Testing Considerations and Tools
  • Availability/Disaster-Recovery
  • WebRTC and SIP
  • SIP-Network Operations Center Best Practices
  • Standardization Issues and Progress
  • FoIP/T.38 Deployment
  • User-Agent Configuration
  • IPv6 Deployment Challenges
  • Emergency Services
  • Scaling and Capacity Issues
  • HD-Voice Deployment Challenges
  • Video Interop Issues

They are seeking individual talks, panel sessions, research sessions and BOFs.

Even if you just have an idea for a session, I'd encourage you to submit a proposal so that the SIPNOC 2013 Program Committee will know of your interest and can reach out to you for more details. More info about the process can be found on the CFP page.

If you aren't interested in speaking, but are now intrigued by SIPNOC and would like to be learning from all the excellent sessions, you can go to the SIPNOC 2013 main page and find out information about how to register and attend.

If you work at or for a telecom/network operator who is involved with SIP and VoIP, I highly recommend SIPNOC as a conference you should attend - you'll learn a huge amount and make great connections.

P.S. I have no affiliation with SIPNOC other than being a speaker there in the past. SIPNOC is a production of the SIP Forum, a great group of people focused on advancing the deployment and interoperability of communications products and services based on SIP.




10 Updated Internet-Drafts Related to IPv6 Security

Fernando Gont of SI6 Networks has been a VERY busy man lately!  He and his colleagues and co-authors have recently updated a whole host of Internet-Drafts related to IPv6 security.  In a post to the full-disclosure mailing list, Fernando provided his list that includes:

  • Network Reconnaissance in IPv6 Networks
  • Security Implications of IPv6 on IPv4 Networks
  • Virtual Private Network (VPN) traffic leakages in dual-stack hosts/networks
  • Security Assessment of Neighbor Discovery (ND) for IPv6
  • DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
  • Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery
  • Security Implications of IPv6 options of Type 10xxxxxx
  • Security Implications of Predictable Fragment
  • Processing of IPv6 “atomic” fragments
  • Recommendations on filtering of IPv4 packets containing IPv4 options

Some of these are broader documents while some dive deep into specific issues or solutions.  Altogether they do represent a great amount of work on IPv6 security issues, which is excellent and definitely needed as we continue to move to using more and more IPv6 in our networks.

Thanks to Fernando and the others involved in the work for getting these updated drafts out.  If you have any comments on these drafts, I know that Fernando is always looking for feedback – his email address and contact info in Argentina can be found at the end of any of the drafts.

Introducing a New Deploy360 Topic: Routing Resiliency / Routing Security


How reliable and secure is the Internet’s underlying routing infrastructure? How well does it hold up in the face of a major event such as the recent Hurricane Sandy that hit the US? How well can it withstand attacks and misconfiguration errors?  As we continue to move more and more of our communication into the “cloud” of the Internet, how secure and reliable is the underlying routing fabric that holds it all together?

Over the past year here at Deploy360, we have been talking a great deal about how we need to get IPv6 deployed to enable more connections to the Internet… more networks, more devices, more “Internet of Things” and more people as there are still 5 billion people yet to get online.  We’ve also been talking about how we need to get DNSSEC more widely deployed to create a more secure Internet and to enable a whole new realm of innovations such as the DANE protocol that can create a stronger security layer.

But it’s become increasingly clear to us that as we get more people connected to the Internet and even as we add security layers like DNSSEC, there is another area where we need to greatly increase the conversation.

The truth is… the Internet today IS highly reliable, even in the cases of events like Hurricane Sandy. The Internet, as we like to say, “routes around damage.”  Even in the face of malicious attacks to sections of the Internet, the overall network has continued to function.

But…

… as the Internet continues to evolve and the number of network operators expands… as we bring the next billion people online… as we interconnect even more devices and things… we need to ensure that the Internet’s underlying routing infrastructure is both reliable and secure.  There is room today for improvement.

A New Topic: Routing

And so we are launching a new area on our site that we are calling simply “Routing”, where we will focus on providing real-world deployment information to the global operator community related to “routing security” and “routing resiliency.”

The term “resiliency” is an important one, and a common definition for a network is:

the ability of the network to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation.

Ultimately that is our goal – doing what we can to work with the operator community to ensure the resilience of the Internet’s routing infrastructure.  A part of that is “routing security,” but the topic is really much larger and dives into operational practices, policies and other areas.

As we have with IPv6 and DNSSEC (and will be continuing to do as we build out our roadmaps for those topics), we’ll start with a foundation of information including:

  • Reports and studies on best current operational practices (BCOPs) for routing resiliency and security
  • Case studies of how BCOPs are deployed and effectively used – as well as case studies of recent routing incidents
  • Tools that can be used to help better understand how resilient and secure your routing infrastructure is
  • Sites with statistics and data to help you understand the overall situation

We’ll focus on finding or creating the best tutorials, whitepapers, reports, videos, statistics, sites and tools, just as we’ve done with IPv6 and DNSSEC. As in the other topics, we’ll be looking to promote resources created by many of you who are reading this message.  And where we can’t find resources others have created, we’ll go ahead and create them either ourselves or through partners. We’ll also naturally be adding in routing-related posts to our constant stream of more news-related blog posts.

Note that this “routing resiliency/security” topic will be a bit different than our other areas in that we are not focusing on a specific protocol but rather on a broader topic.

Certainly over the next few months after we’ve built the foundation we will explore some of the protocols that are being discussed now within the IETF such as Secure BGP (BGPSEC) and the Resource Public Key Infrastructure (RPKI) – but they will again be discussed within this broader context of how they are part of the puzzle – “building blocks,” really – of making the Internet more resilient and secure.  We’ll also be integrating and promoting some of the routing security work we’ve been doing for some time now, such as the routing security “operator roundtables” we’ve held.

It’s an ambitious topic … and more than one person has said to us something like “Wow! Making DNSSEC and IPv6 interesting was hard enough… now you are going to dive down into BGP and the guts of routing? Are you crazy?” And yes, we’re aware that the community of people who even know about all this stuff is tiny, let alone those who really understand it.

But that’s what we want to change!  We want more people to understand how the Internet really works down underneath, so that they, too, can understand what we need to do to ensure it continues to be the vibrant Internet we’ve come to expect.

It’s important, too, for the future of the open Internet… and for the billions of people and devices yet to connect.  As a report from ENISA so nicely puts it:

There may well not be an immediate cause for concern about the resilience of the Internet interconnection ecosystem, but there is cause for concern about the lack of good information about how it works and how well it might work if something went very badly wrong.

We aim to help change that!

How You Can Help

Want to join us in this quest to improve routing resiliency and security?  While we’re starting to add resources and pages to the site, there are a couple of ways you can help us out:

1. Read the reports we’ve listed. You may want to start with the excellent report, “Inter-X: Resilience of the Internet Interconnection Ecosystem,” that summarizes the situation and offers suggestions for how to move forward.  The 31-page summary document is enough to get started … although the truly hard-core may enjoy the 239-page “full” report. From there you can move on to the other documents for a deeper understanding.

2. Send us suggestions – if you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – if you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you plugged in when we get the volunteer effort going in the next few months.

4. Help us spread the word – As we publish resources and blog posts relating to routing resiliency / security, please help us spread those links through social networks so that more people can learn about the topic.

With your help, we can build out this Routing area of Deploy360 to be an outstanding resource for the Internet community and to help make the Internet more resilient and secure!

 

NIST’s Excellent Guidelines On How To Securely Deploy IPv6

Looking to understand how to securely deploy IPv6? Want a document you can provide to your security team or others concerned about IPv6?

If so, we’ve recently added to our list of resources an excellent “Special Publication” from the U.S. National Institute of Standards and Technology (NIST):

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial and then walks through a number of IPv6 security issues in great depth. It’s a very thorough document and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms as well as detailed appendices.

While the document naturally includes sections providing guidance for US federal agencies, the majority of the document is very applicable for anyone looking to understand issues of IPv6 security.  Well worth a read… and worth passing along to others who may be asking you questions about IPv6 security.

 

SC Magazine: Security practitioners need to learn the basics of IPv6

What are the security issues of IPv6? With World IPv6 Launch now underway, what should security practitioners care about?

The Australian edition of SC Magazine ran a piece last Friday called “IPv6 co-founder talks protocol security” where Robert Hinden lays out some of the main issues security professionals need to be concerned about, including:

  • Unauthorized IPv6 tunnels can provide hidden gateways in and out of a network;
  • Security devices may not have IPv6 turned on and are therefore not monitoring/scanning any IPv6 traffic;
  • Operating systems may have IPv6 enabled by default and without IT’s knowledge; and
  • These IPv6 tunnels may completely bypass firewalls, intrusion prevention systems, etc.
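
The tunnel and "IPv6 on by default" concerns in this list can be checked against flow data a network already collects. The sketch below is an added example, not code from the SC Magazine article or from this site: it flags IPv6-in-IPv4 encapsulation (IP protocol 41, Teredo over UDP port 3544) and native IPv6 flows on a network that has not deployed IPv6. The flow tuple layout, the `SANCTIONED_ENDPOINTS` allow-list and every address are constructed assumptions.

```python
import ipaddress

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # 6in4, 6to4 and ISATAP carry IPv6 as IP protocol 41
TEREDO_PORT = 3544        # Teredo carries IPv6 inside UDP; servers listen here

# Assumption: tunnel endpoints the network team has approved (constructed value).
SANCTIONED_ENDPOINTS = {ipaddress.ip_address("198.51.100.10")}

# Constructed flow records: (src, dst, ip_protocol, dst_port)
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6, 443),                   # ordinary HTTPS
    ("10.0.0.8", "203.0.113.20", 41, 0),                   # proto 41, unknown endpoint
    ("10.0.0.9", "198.51.100.10", 41, 0),                  # proto 41, approved endpoint
    ("10.0.0.12", "203.0.113.30", 17, 3544),               # Teredo client to server
    ("10.0.0.12", "203.0.113.31", 17, 53),                 # ordinary DNS
    ("fe80::1c2d:3eff:fe4f:5a6b", "ff02::1:2", 17, 547),   # host soliciting DHCPv6
    ("2001:db8:1::25", "2001:db8:ffff::80", 6, 443),       # native IPv6 session
]


def classify_flow(src, dst, proto, dport, ipv6_deployed=False):
    """Return a finding label for one flow, or None if it is unremarkable."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # Native IPv6 on a network believed to be IPv4-only means hosts have
    # IPv6 enabled (often by OS default) without the security team knowing.
    if src_ip.version == 6:
        return None if ipv6_deployed else "native-ipv6-unexpected"

    # IPv6 carried directly in IPv4: only approved tunnel endpoints pass.
    if proto == PROTO_IPV6_IN_IPV4:
        if src_ip in SANCTIONED_ENDPOINTS or dst_ip in SANCTIONED_ENDPOINTS:
            return None
        return "unsanctioned-proto41-tunnel"

    # Teredo hides IPv6 in UDP, so it passes firewalls that only drop proto 41.
    if proto == PROTO_UDP and dport == TEREDO_PORT:
        return "teredo-tunnel"

    return None


def audit(flows, ipv6_deployed=False):
    """Return (label, src, dst) for every flow that needs review."""
    findings = []
    for src, dst, proto, dport in flows:
        label = classify_flow(src, dst, proto, dport, ipv6_deployed)
        if label:
            findings.append((label, src, dst))
    return findings


if __name__ == "__main__":
    for label, src, dst in audit(SAMPLE_FLOWS):
        print(f"{label:30} {src} -> {dst}")
```

Matching on the Teredo server port catches only the client-to-server leg of a Teredo session, so treat a hit as a prompt to inspect that host rather than as complete coverage.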

The article recommends – but unfortunately doesn’t link to – the excellent guidelines from NIST about how to securely deploy IPv6.

We definitely agree with the thrust of the article – security professionals definitely do need to understand the basics of IPv6 because the reality is that IPv6 will be on most networks purely through operating system defaults.  Plus, as World IPv6 Launch has shown, more and more networks are starting to move to IPv6.  The time to learn how to securely implement IPv6 is now!

NIST Guidelines for the Secure Deployment of IPv6

The United States National Institute of Standards and Technology (NIST) created an excellent “Special Publication” related to IPv6 security called:

Guidelines for the Secure Deployment of IPv6

Like most of NIST’s special publications, including their excellent guide to DNSSEC, the document begins with a lengthy tutorial about IPv6 and how it compares to IPv4.   The document then walks through a number of IPv6 security issues in great detail.  As the title implies, a large part of the document is focused on how to deploy IPv6 securely, and includes detailed sections on the many different IPv4-to-IPv6 transition mechanisms.

It concludes on the very positive note:

Security risks are inherent during the initial deployment of a new protocol such as IPv6, but mitigation strategies exist and many of the residual risks are no different from those that challenge existing IPv4 networks.

And then goes on to provide lengthy appendices full of definitions, references and links to learn more.

While written for the audience of US federal agencies, this document is an outstanding reference for anyone seeking to understand how to securely deploy IPv6 within their networks.