IPv6 security

Page 1

IPv6 Security by Eric Vyncke

The Ipv6 Security Book The World Needs

IPv6 Security

Protection measures for the next Internet Protocol

As the world’s networks migrate to the IPv6 protocol, networking professionals need a clearer understanding of the security risks, threats, and challenges this transition presents. In IPv6 Security, two of the world’s leading Internet security practitioners review each potential security issue introduced by IPv6 networking and present today’s best solutions.


IPv6 Security offers guidance for avoiding security problems prior to widespread IPv6 deployment. The book covers every component of today’s networks, identifying specific security deficiencies that occur within IPv6 environments and demonstrating how to combat them.

The authors describe best practices for identifying and resolving weaknesses as you maintain a dual stack network. Then they describe the security mechanisms you need to implement as you migrate to an IPv6only network. The authors survey the techniques hackers might use to try to breach your network, such as IPv6 network reconnaissance, address spoofing, traffic interception, denial of service, and tunnel injection.

The authors also turn to Cisco® products and protection mechanisms. You learn how to use Cisco IOS® and ASA firewalls and ACLs to selectively filter IPv6 traffic. You also learn about securing hosts wi th Cisco Security Agent 6.0 and about securing a network with IOS routers and switches. Multiple examples are explained for Windows, Linux, FreeBSD, and Solaris hosts. The authors offer detailed examples that are consistent with today’s best practices and easy to adapt to virtually any IPv6 environment.

Scott Hogg, CCIE® No. 5133, is Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI). He is responsible for setting the company’s technical direction and helping it cr eate service offerings for emerging technologies such as IPv6. He is the Chair of the Rocky Mountain IPv6 Task Force.

Eric Vyncke, Cisco Distinguished System Engineer, consults on security issues throughout Europe. He has 20 years’ experience in security and teaches security seminars as a guest professor at universities throughout Belgium. He also participates in the Internet Engineering Task Force (IETF) and has helped several organizations deploy IPv6 securely.

Understand why IPv6 is already a latent threat in your IPv4-only network Plan ahead to avoid IPv6 security problems before widespread deployment Identify known areas of weakness in IPv6 security and the current state of attack tools and hacker skills Understand each high-level approach to securing IPv6 and learn when to use each Protect service provider networks, perimeters, LANs, and host/server connections Harden IPv6


network devices against attack Utilize IPsec in IPv6 environments Secure mobile IPv6 networks Secure transition mechanisms in use during the migration from IPv4 to IPv6 Monitor IPv6 security Understand the security implications of the IPv6 protocol, including issues related to ICMPv6 and the IPv6 header structure Protect your network against largescale threats by using perimeter filtering techniques and service provider – focused security practices Understand the vulnerabilities that exist on IPv6 access networks and learn solutions for mitigating each

This security book is part of the Cisco PressÂŽ Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Category: Networking: Security Covers: IPv6 Security

Personal Review: IPv6 Security by Eric Vyncke I've read and reviewed three other books on IPv6 in the last four years: "IPv6 Essentials, 2nd Ed" (IE2E) in September 2006, "Running IPv6" (RI) in January 2006, and "IPv6 Network Administration" (INA) in August 2005. All three were five-star books, but they lacked the sort of attention to security that I hoped would be covered one day. IPv6 Security by Scott Hogg and Eric Vyncke is the book for which we have been waiting. Although some of the early "philosophical" security discussions (what's a threat, where are they) are lacking, the overwhelming amount of thorough and actionable content makes this book a winner. IPv6 Security reminded me of Cisco Router Firewall Security (CRFS) by Richard Deal, which I also liked a lot. CRFS was Cisco-specific and helped readers squeeze all the network-level security features they could from their routers. IPv6 Security is similar, but even better because readers receive guidance for Windows, FreeBSD, Fedora, and even Solaris, in addition to Cisco gear. One note on FreeBSD, however: p 42 says "FreeBSD systems are susceptible to RH0 attacks," although FreeBSD issued a fix in April 2007 with Security Advisory FreeBSD-SA07:03.ipv6.


In addition to offering configuration guidance for a variety of products, IPv6 Security used Scapy6 to demonstrate various IPv6 traffic types. I liked this approach, although a brief appendix explaining Scapy usage would have been appreciated. The book also covered material I had not seen elsewhere, like shim6 for multihoming. I would have liked some examples of IPv6 NetFlow output, as hinted at in Ch 11. Using SCTP with IPv6, also mentioned in the book, would have been helpful and innovative too. My main issue with IPv6 Security (and it is minor, given this is a five star review) is the inappropriate use of the word "threat" early in the book, and the unnecessary focus on "insider abuse." On p xix the authors say IPv6 is a "threat," and they say threats "exist" in IPv6. IPv6 implementations may introduce vulnerabilities and exposures, but not "threats." On p 8 the authors cite the 2007 CSI/FBI study by saying "59% of all survey respondents suffered from insider abuse of network access." They use that "statistic" to justify saying "the percentage of internal attack sources is likely to be even higher today... The key issue is that most organizations do not spend 50 percent of their security budget on mitigating inside threats." This has nothing to do with IPv6. If it is related to IPv6, reading page 2 of the 2007 CSI/FBI shows that 59% figure means "Insider abuse of network access or e-mail (such as trafficking in pornography or pirated software)". That's hardly the "attack source" the reader should associate with security for IPv4 or IPv6 networks. Overall, I strongly recommend reading IPv6 Security. There's no other book on the market with the depth of actionable defensive information available.

For More 5 Star Customer Reviews and Lowest Price: IPv6 Security by Eric Vyncke 5 Star Customer Reviews and Lowest Price!


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.