IPv6 Security:
Gespeichert in:
| Hauptverfasser: | , |
|---|---|
| Format: | Buch |
| Sprache: | English |
| Veröffentlicht: |
Indianapolis, IN
Cisco Press
2009
|
| Schlagworte: | |
| Online-Zugang: | Inhaltsverzeichnis |
| Beschreibung: | XXI, 540 S. graph. Darst. |
| ISBN: | 9781587055942 1587055945 |
Internformat
MARC
| LEADER | 00000nam a2200000 c 4500 | ||
|---|---|---|---|
| 001 | BV035874822 | ||
| 003 | DE-604 | ||
| 005 | 00000000000000.0 | ||
| 007 | t | ||
| 008 | 091209s2009 d||| |||| 00||| eng d | ||
| 020 | |a 9781587055942 |9 978-1-58705-594-2 | ||
| 020 | |a 1587055945 |9 1-58705-594-5 | ||
| 035 | |a (OCoLC)234444830 | ||
| 035 | |a (DE-599)BVBBV035874822 | ||
| 040 | |a DE-604 |b ger |e rakwb | ||
| 041 | 0 | |a eng | |
| 049 | |a DE-M347 |a DE-Aug4 |a DE-739 | ||
| 050 | 0 | |a TK5105.59 | |
| 082 | 0 | |a 005.8 |2 22 | |
| 084 | |a ST 206 |0 (DE-625)143614: |2 rvk | ||
| 100 | 1 | |a Hogg, Scott |e Verfasser |4 aut | |
| 245 | 1 | 0 | |a IPv6 Security |c Scott Hogg ; Eric Vyncke |
| 264 | 1 | |a Indianapolis, IN |b Cisco Press |c 2009 | |
| 300 | |a XXI, 540 S. |b graph. Darst. | ||
| 336 | |b txt |2 rdacontent | ||
| 337 | |b n |2 rdamedia | ||
| 338 | |b nc |2 rdacarrier | ||
| 650 | 7 | |a Coupe-feu (sécurité informatique) |2 ram | |
| 650 | 7 | |a Ordinateurs - Accès - Contrôle |2 ram | |
| 650 | 7 | |a Protection de l'information (informatique) |2 ram | |
| 650 | 7 | |a Réseaux d'ordinateurs - Mesures de sûreté |2 ram | |
| 650 | 7 | |a Systèmes informatiques - Mesures de sûreté |2 ram | |
| 650 | 7 | |a Échange électronique d'information - Mesures de sûreté |2 ram | |
| 650 | 4 | |a Computer networks |x Security measures | |
| 650 | 4 | |a TCP/IP (Computer network protocol) | |
| 700 | 1 | |a Vyncke, Eric |e Verfasser |4 aut | |
| 856 | 4 | 2 | |m Digitalisierung UB Passau |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=018732531&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
| 999 | |a oai:aleph.bib-bvb.de:BVB01-018732531 | ||
Datensatz im Suchindex
| _version_ | 1804140851096453120 |
|---|---|
| adam_text | Contents
Introduction
xix
Chapter
1
Introduction to
IPv6
Security
3
Reintroduction
to
IPv6 3
IPv6
Update
6
IPv6
Vulnerabilities
7
Hacker Experience
8
IPv6
Security Mitigation Techniques
9
Summary
12
Recommended Readings and Resources
13
Chapter
2 IPv6
Protocol Security Vulnerabilities
15
The
IPv6
Protocol Header
16
ICMPv6
17
ICMPv6 Functions and Message Types
18
ICMPv6 Attacks and Mitigation Techniques
20
Multicast Security
22
Extension Header Threats
24
Extension Header Overview
24
Extension Header Vulnerabilities
28
Hop-by-Hop Options Header and Destination Options Header
29
IPv6
Extension Header Fuzzing
33
Router Alert Attack
33
Routing Headers
36
RHO
Attack
36
Preventing
RHO
Attacks
40
Additional Router Header Attack Mitigation Techniques
42
Fragmentation Header
43
Overview of Packet Fragmentation Issues
43
Fragmentation Attacks
45
Preventing Fragmentation Attacks
47
Virtual Fragment Reassembly
49
Unknown Option Headers
52
Upper-Layer Headers
55
Reconnaissance on
IPv6
Networks
55
Scanning and Assessing the Target
56
Registry Checking
56
Automated Reconnaissance
56
Speeding Up the Scanning Process
58
Leveraging Multicast for Reconnaissance
59
Automated Reconnaissance Tools
61
Sniffing to Find Nodes
61
Neighbor Cache
62
Node Information Queries
62
Protecting Against Reconnaissance Attacks
63
Layer
3
and Layer
4
Spoofing
65
Summary
69
References
70
Chapter
3 IPv6
Internet Security
73
Large-Scale Internet Threats
74
Packet Flooding
74
Internet Worms
77
Worm Propagation
78
Speeding Worm Propagation in
IPv6 78
Current
IPv6
Worms
79
Preventing
IPv6
Worms
80
Distributed Denial of Service and Botnets
80
DDoS on
IPv6
Networks
81
Attack Filtering
81
Attacker Traceback
82
Black Holes and Dark Nets
84
Ingress/Egress Filtering
85
Filtering
IPv6
Traffic
85
Filtering on Allocated Addresses
85
Bogon
Filtering
87
Bogon
Filtering Challenges and Automation
90
Securing BGP Sessions
90
Explicitly Configured BGP Peers
92
Using BGP Session Shared Secrets
92
Leveraging an
IPsec
Tunnel
93
Using Loopback Addresses on BGP Peers
93
Controlling the Time-to-Live
(TTL)
on BGP Packets
94
Filtering on the Peering Interface
97
Using Link-Local Peering
97
Link-Local Addresses and the BGP Next-Hop Address
99
Drawbacks of Using Link-Local Addresses
101
Preventing Long AS Paths
102
Limiting the Number of Prefixes Received
103
Preventing BGP Updates Containing Private AS Numbers
103
xi
Maximizing BGP Peer Availability
103
Disabling Route-Flap Dampening
104
Disabling Fast External Fallover
104
Enabling Graceful Restart and Route Refresh or Soft Reconfiguration
104
BGP Connection Resets
105
Logging BGP Neighbor Activity
106
Securing IGP
106
Extreme Measures for Securing Communications Between BGP Peers
106
IPv6
over MPLS Security
107
Using Static
IPv6
over
IPv4
Tunnels Between PE Routers
108
Using 6PE
109
Using 6VPE to Create
IPvô-Aware
VRFs
109
Customer Premises Equipment
110
Prefix Delegation Threats
113
SLAAC
114
DHCPv6
114
Multihoming Issues
119
Summary
122
References
122
Chapter
4 IPv6
Perimeter Security
127
IPv6
Firewalls
128
Filtering
IPv6
Unallocated Addresses
128
Additional Filtering Considerations
133
Firewalls and
IPv6
Headers
133
Inspecting Tunneled Traffic
134
Layer
2
Firewalls
135
Firewalls Generate ICMP Unreachables
136
Logging and Performance
136
Firewalls and NAT
136
Cisco
IOS
Router ACLs
138
Implicit
IPv6
ACL Rules
142
Internet ACL Example
143
IPv6
Reflexive ACLs
147
Cisco
IOS
Firewall
149
Configuring
IOS
Firewall
150
IOS
Firewall Example
153
IOS
Firewall Port-to-Application Mapping for
IPv6 157
Cisco PIX/ASA/FWSM Firewalls
158
Configuring
Firewall
Interfaces
159
Management Access
161
Configuring
Routes
162
Security Policy Configuration
164
Object Group
Policy Configuration
168
Fragmentation Protection
172
Checking Traffic Statistics
173
Neighbor Discovery Protocol Protections
174
Summary
177
References
177
Chapter
5
Local Network Security
181
Why Layer
2
Is Important
181
ICMPv6 Layer
2
Vulnerabilities for
IPv6 182
Stateless Address
Autoconfiguration
Issues
183
Neighbor Discovery Issues
187
Duplicate Address Detection Issues
190
Redirect Issues
193
ICMPv6 Protocol Protection
195
Secure Neighbor Discovery
196
Implementing
CGA
Addresses in Cisco
IOS
198
Understanding the Challenges with SEND
199
Network Detection of ICMPv6 Attacks
199
Detecting Rogue RA Messages
199
Detecting NDP Attacks
201
Network Mitigation Against ICMPv6 Attacks
201
Rafixd
202
Reducing the Target Scope
203
IETF Work
203
Extending
IPv4
Switch Security to
IPv6 204
Privacy Extension Addresses for the Better and the Worse
205
DHCPv6 Threats and Mitigation
208
Threats Against DHCPv6
210
Mitigating DHCPv6 Attacks
211
Mitigating the Starvation Attack
211
Mitigating the DoS Attack
211
Mitigating the Scanning
213
Mitigating the Rogue DHCPv6 Server
213
Point-to-Point Link
213
Endpoint
Security
215
Summary
215
References
216
Chapter
6
Hardening
IPv6
Network Devices
219
Threats Against Network Devices
220
Cisco
IOS
Versions
220
Disabling Unnecessary Network Services
222
Interface Hardening
223
Limiting Router Access
224
Physical Access Security
224
Securing Console Access
225
Securing Passwords
225
VTY Port Access Controls
226
AAA for Routers
229
HTTP Access
230
IPv6
Device Management
233
Loopback and Null Interfaces
233
Management Interfaces
234
Securing
SNMP
Communications
235
Threats Against Interior Routing Protocol
239
RIPng Security
241
EIGRPv6 Security
242
IS-IS Security
244
OSPF Version
3
Security
247
First-Hop Redundancy Protocol Security
255
Neighbor Unreachability Detection
255
HSRPv6
257
GLBPv6
260
Controlling Resources
262
Infrastructure ACLs
263
Receive ACLs
265
Control Plane Policing
265
QoS Threats
269
Summary
277
References
277
Chapter
7
Server and Host Security
281
IPv6
Host Security
281
Host Processing of ICMPv6
282
xiv
Services
Listening on Ports
284
Microsoft Windows
284
Linux
284
BSD
285
Sun Solaris
285
Checking the Neighbor Cache
285
Microsoft Windows
286
Linux
286
BSD
287
Sun Solaris
287
Detecting Unwanted Tunnels
287
Microsoft Windows
287
Linux
290
BSD
291
Sun Solaris
292
IPv6
Forwarding
292
Microsoft Windows
293
Linux
293
BSD
294
Sun Solaris
294
Address Selection Issues
295
Microsoft Windows
296
Linux
297
BSD
297
Sun Solaris
297
Host Firewalls
297
Microsoft Windows Firewall
298
Linux Firewalls
301
BSD Firewalls
303
OpenBSD Packet Filter
304
ipfirewall
306
IPFilter
310
Sun Solaris
312
Securing Hosts with Cisco Security Agent
6.0 313
Summary
316
References
317
Chapter
8
IPsec
and SSL Virtual Private Networks
319
IP Security with
IPv6 320
IPsec
Extension Headers
320
IPsec
Modes of Operation
322
Internet
Key
Exchange
(IKE)
322
IKE Version
2 324
IPsec
with Network Address Translation
324
IPv6
and
IPsec
325
Host-to-Host
IPsec
326
Site-to-Site
IPsec
Configuration
328
IPv6
IPsec
over
IPv4
Example
329
Configuring
IPv6
IPsec
over
IPv4 329
Verifying the
IPsec
State
332
Adding Some Extra Security
337
Dynamic Crypto Maps for Multiple Sites
338
IPv6
IPsec
Example
339
Configuring
IPsec
over
IPv6 340
Checking the
IPsec
Status
343
Dynamic Multipoint VPN
349
Configuring DMVPN for
IPv6 351
Verifying the DMVPN at the Hub
353
Verifying the DMVPN at the Spoke
359
Remote Access with
IPsec
361
SSL VPNs
368
Summary
373
References
374
Chapter
9
Security for
IPv6
Mobility
377
Mobile
IPv6
Operation
378
MIPv6 Messages
379
Indirect Mode
381
Home Agent Address Determination
381
Direct Mode
382
Threats Linked to MIPv6
385
Protecting the Mobile Device Software
386
Rogue Home Agent
386
Mobile Media Security
386
Man-in-the-Middle Threats
387
Connection Interception
388
Spoofing MN-to-CN Bindings
389
DoS Attacks
390
Using
IPsec
with MIPv6
390
xvi
Filtering for MIPv6
392
Filters at the CN
395
Filters at the MN/Foreign Link
398
Filters at the HA
402
Other
IPv6
Mobility Protocols
406
Additional IETF Mobile
IPv6
Protocols
407
Network Mobility (NEMO)
409
IEEE
802.16e
411
Mobile Ad-hoc Networks
411
Summary
413
References
413
Chapter
10
Securing the Transition Mechanisms
417
Understanding
HVt-to-IPvó
Transition Techniques
417
Dual-Stack
417
Tunnels
419
Configured Tunnels
420
6to4 Tunnels
423
ISATAP Tunnels
428
Teredo Tunnels
430
6VPE
434
Protocol Translation
437
Implementing Dual-Stack Security
439
Exploiting Dual-Stack Environment
440
Protecting Dual-Stack Hosts
443
Hacking the Tunnels
444
Securing Static Tunnels
447
Securing Dynamic Tunnels
449
6to4
450
ISATAP
453
Teredo
455
Securing 6VPE
459
Attacking NAT-PT
459
IPv6
Latent Threats Against
IPv4
Networks
460
Summary
462
References
463
Chapter
11
Security Monitoring
467
Managing and Monitoring
IPv6
Networks
467
Router Interface Performance
468
xvii
Device Performance Monitoring 469
SNMP
MIBs for Managing
IPv6 Networks 469
IPvó-Capable
SNMP
Management Tools 471
NetFlow
Analysis
472
Router Syslog Messages 478
Benefits of Accurate Time
481
Managing
IPv6
Tunnels
482
Using Forensics
483
Using Intrusion Detection and Prevention Systems
485
Cisco IPS Version
6.1 486
Testing the IPS Signatures
487
Managing Security Information with CS-MARS
489
Managing the Security Configuration
493
Summary
495
References
496
Chapter^
IPv6
Security Conclusions
499
Comparing
IPv4
and
IPv6
Security
499
Similarities Between
IPv4
and
IPv6 499
Differences Between
IPv4
and
IPv6 501
Changing Security Perimeter
501
Creating an
IPv6
Security Policy
503
Network Perimeter
504
Extension Headers
504
LAN Threats
505
Host and Device Hardening
505
Transition Mechanisms
506
IPsec
506
Security Management
506
On the Horizon
506
Consolidated List of Recommendations
508
Summary
511
References
511
Index
512
|
| any_adam_object | 1 |
| author | Hogg, Scott Vyncke, Eric |
| author_facet | Hogg, Scott Vyncke, Eric |
| author_role | aut aut |
| author_sort | Hogg, Scott |
| author_variant | s h sh e v ev |
| building | Verbundindex |
| bvnumber | BV035874822 |
| callnumber-first | T - Technology |
| callnumber-label | TK5105 |
| callnumber-raw | TK5105.59 |
| callnumber-search | TK5105.59 |
| callnumber-sort | TK 45105.59 |
| callnumber-subject | TK - Electrical and Nuclear Engineering |
| classification_rvk | ST 206 |
| ctrlnum | (OCoLC)234444830 (DE-599)BVBBV035874822 |
| dewey-full | 005.8 |
| dewey-hundreds | 000 - Computer science, information, general works |
| dewey-ones | 005 - Computer programming, programs, data, security |
| dewey-raw | 005.8 |
| dewey-search | 005.8 |
| dewey-sort | 15.8 |
| dewey-tens | 000 - Computer science, information, general works |
| discipline | Informatik |
| format | Book |
| fullrecord | <?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01649nam a2200421 c 4500</leader><controlfield tag="001">BV035874822</controlfield><controlfield tag="003">DE-604</controlfield><controlfield tag="005">00000000000000.0</controlfield><controlfield tag="007">t</controlfield><controlfield tag="008">091209s2009 d||| |||| 00||| eng d</controlfield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">9781587055942</subfield><subfield code="9">978-1-58705-594-2</subfield></datafield><datafield tag="020" ind1=" " ind2=" "><subfield code="a">1587055945</subfield><subfield code="9">1-58705-594-5</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(OCoLC)234444830</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-599)BVBBV035874822</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-604</subfield><subfield code="b">ger</subfield><subfield code="e">rakwb</subfield></datafield><datafield tag="041" ind1="0" ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="049" ind1=" " ind2=" "><subfield code="a">DE-M347</subfield><subfield code="a">DE-Aug4</subfield><subfield code="a">DE-739</subfield></datafield><datafield tag="050" ind1=" " ind2="0"><subfield code="a">TK5105.59</subfield></datafield><datafield tag="082" ind1="0" ind2=" "><subfield code="a">005.8</subfield><subfield code="2">22</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">ST 206</subfield><subfield code="0">(DE-625)143614:</subfield><subfield code="2">rvk</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Hogg, Scott</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">IPv6 Security</subfield><subfield code="c">Scott Hogg ; Eric Vyncke</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="a">Indianapolis, IN</subfield><subfield code="b">Cisco Press</subfield><subfield code="c">2009</subfield></datafield><datafield tag="300" ind1=" " ind2=" "><subfield code="a">XXI, 540 S.</subfield><subfield code="b">graph. Darst.</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="b">txt</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="b">n</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="b">nc</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Coupe-feu (sécurité informatique)</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Ordinateurs - Accès - Contrôle</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Protection de l'information (informatique)</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Réseaux d'ordinateurs - Mesures de sûreté</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Systèmes informatiques - Mesures de sûreté</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="7"><subfield code="a">Échange électronique d'information - Mesures de sûreté</subfield><subfield code="2">ram</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Computer networks</subfield><subfield code="x">Security measures</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">TCP/IP (Computer network protocol)</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Vyncke, Eric</subfield><subfield code="e">Verfasser</subfield><subfield code="4">aut</subfield></datafield><datafield tag="856" ind1="4" ind2="2"><subfield code="m">Digitalisierung UB Passau</subfield><subfield code="q">application/pdf</subfield><subfield code="u">http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=018732531&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA</subfield><subfield code="3">Inhaltsverzeichnis</subfield></datafield><datafield tag="999" ind1=" " ind2=" "><subfield code="a">oai:aleph.bib-bvb.de:BVB01-018732531</subfield></datafield></record></collection> |
| id | DE-604.BV035874822 |
| illustrated | Illustrated |
| indexdate | 2024-07-09T22:06:32Z |
| institution | BVB |
| isbn | 9781587055942 1587055945 |
| language | English |
| oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-018732531 |
| oclc_num | 234444830 |
| open_access_boolean | |
| owner | DE-M347 DE-Aug4 DE-739 |
| owner_facet | DE-M347 DE-Aug4 DE-739 |
| physical | XXI, 540 S. graph. Darst. |
| publishDate | 2009 |
| publishDateSearch | 2009 |
| publishDateSort | 2009 |
| publisher | Cisco Press |
| record_format | marc |
| spelling | Hogg, Scott Verfasser aut IPv6 Security Scott Hogg ; Eric Vyncke Indianapolis, IN Cisco Press 2009 XXI, 540 S. graph. Darst. txt rdacontent n rdamedia nc rdacarrier Coupe-feu (sécurité informatique) ram Ordinateurs - Accès - Contrôle ram Protection de l'information (informatique) ram Réseaux d'ordinateurs - Mesures de sûreté ram Systèmes informatiques - Mesures de sûreté ram Échange électronique d'information - Mesures de sûreté ram Computer networks Security measures TCP/IP (Computer network protocol) Vyncke, Eric Verfasser aut Digitalisierung UB Passau application/pdf http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=018732531&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA Inhaltsverzeichnis |
| spellingShingle | Hogg, Scott Vyncke, Eric IPv6 Security Coupe-feu (sécurité informatique) ram Ordinateurs - Accès - Contrôle ram Protection de l'information (informatique) ram Réseaux d'ordinateurs - Mesures de sûreté ram Systèmes informatiques - Mesures de sûreté ram Échange électronique d'information - Mesures de sûreté ram Computer networks Security measures TCP/IP (Computer network protocol) |
| title | IPv6 Security |
| title_auth | IPv6 Security |
| title_exact_search | IPv6 Security |
| title_full | IPv6 Security Scott Hogg ; Eric Vyncke |
| title_fullStr | IPv6 Security Scott Hogg ; Eric Vyncke |
| title_full_unstemmed | IPv6 Security Scott Hogg ; Eric Vyncke |
| title_short | IPv6 Security |
| title_sort | ipv6 security |
| topic | Coupe-feu (sécurité informatique) ram Ordinateurs - Accès - Contrôle ram Protection de l'information (informatique) ram Réseaux d'ordinateurs - Mesures de sûreté ram Systèmes informatiques - Mesures de sûreté ram Échange électronique d'information - Mesures de sûreté ram Computer networks Security measures TCP/IP (Computer network protocol) |
| topic_facet | Coupe-feu (sécurité informatique) Ordinateurs - Accès - Contrôle Protection de l'information (informatique) Réseaux d'ordinateurs - Mesures de sûreté Systèmes informatiques - Mesures de sûreté Échange électronique d'information - Mesures de sûreté Computer networks Security measures TCP/IP (Computer network protocol) |
| url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=018732531&sequence=000002&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
| work_keys_str_mv | AT hoggscott ipv6security AT vynckeeric ipv6security |