IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.


Issues for Sites

22 Jan 2016, IPv6 Security (Kelsey)

NIST quote

The deployment of IPv6 reinforces the basic security lessons learned with IPv4. These security practices include defense in depth, diversity, patching, configuration management, access control, and system and network administrator best practices. Good security practices remain unchanged with the deployment of IPv6. Good security practices will reduce exposure and recovery time in case of a security event.

Critical Security Controls for Effective Cyber Defense (© SANS, CC-BY-ND)
Top 20 Critical Security Controls (Version 5)

1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises

ISSeG: Top 12 Recommendations
EU FP6 Project – partners: CERN, FZK (now KIT), STFC (Integrated Site Security for Grids)

R0: Perform a site security risk assessment
R1: Create and review your information security policy
R8: Encourage information security awareness, education and training
R14: Separate your development, test, and operational facilities
R16: Install and regularly update malicious code detection and repair software, for example anti-virus
R18: Establish backup and restore policies and procedures
R23: Enable audit logging of user activities, exceptions and security events
R26: Restrict and control the allocation of privileges
R28: Enforce good practices in the selection and use of passwords
R29: Ensure that unattended equipment is appropriately protected
R36: Establish a CSIRT and incident response procedures
R39: Protect your confidential and sensitive data

Copyright (c) Members of the ISSeG Collaboration

UK Jisc advice

- Technical Security for e-Infrastructures (Nov 2014)
- Considers the Cyber-Security Council’s Top 20 controls
- General, not IPv6
- infrastructure-security-access-management-wg/

Things to add

- Refer to IETF OPSEC documents
- IPv6 penetration testing tools
  - E.g. THC

IPv6 issues for security/network teams

- Control IPv6 if not using it
- Use Dual-stack and avoid use of tunnels wherever possible
- Drop packets containing RH Type 0 and unknown option headers
- Deny packets that do not follow rules for extension headers
- Filter IPv6 packets that enter and leave your network
- Restrict who can send messages to multicast group addresses
- Create an Address management plan
- Create a Security Policy for IPv6 (same as IPv4)
- Block unnecessary ICMPv6
- Protect against LAN RA, ND and DHCP attacks
  - NDPMON and RAFIXD on critical segments
- Check/modify all security monitoring, logging and parsing tools

Issues for Sys Admins

IPv6 issues for sys admins

- Follow best practice security guidance
  - System hardening as in IPv4, see for example
    US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf
  - Specific advice on IPv6 hardening, see for example
    Servers_For_IPv6_v1_0.pdf
- Check for processes listening on open ports
  - # netstat, lsof
- Review neighbour cache for unauthorised systems
  - # ip -6 neigh show
- Check for undesired tunnel interfaces
  - # ip -6 tunnel show, # route -A inet6
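The neighbour cache review above can be scripted. This is an added example, not part of the original slides: a shell function that reads `ip -6 neigh show` output and reports neighbours whose link-layer address is not on a site allowlist. The allowlist file format and all sample addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag IPv6 neighbours with an unknown link-layer address.
# Usage on a live host:  ip -6 neigh show | audit_neigh ALLOWLIST_FILE

# audit_neigh ALLOWLIST_FILE
#   ALLOWLIST_FILE: one MAC per line, '#' starts a comment (assumed format).
#   Prints "UNAUTHORISED <ipv6> <dev> <mac>" for each unlisted neighbour.
audit_neigh() {
    awk -v allow="$1" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
        }
        {
            mac = ""; dev = ""
            for (i = 2; i < NF; i++) {
                if ($i == "lladdr") mac = tolower($(i + 1))
                if ($i == "dev")    dev = $(i + 1)
            }
            # FAILED/INCOMPLETE entries carry no lladdr: nothing to compare.
            if (mac != "" && !(mac in ok))
                print "UNAUTHORISED", $1, dev, mac
        }'
}

# Constructed sample cache contents (documentation prefix, not a real network).
sample_neigh() {
    cat <<'EOF'
fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
2001:db8::10 dev eth0 lladdr 52:54:00:aa:bb:cc STALE
2001:db8::66 dev eth0 lladdr 02:de:ad:be:ef:01 REACHABLE
2001:db8::77 dev eth0  FAILED
EOF
}

# Constructed sample allowlist.
sample_allowlist() {
    cat <<'EOF'
# gateway
00:11:22:33:44:55
52:54:00:AA:BB:CC   # worker node
EOF
}
```

A link-layer address can be spoofed, so a clean result shows only that no unexpected address has been seen, not that every neighbour is legitimate.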

Sys admins (2)

- Ensure not unintentionally forwarding IPv6 packets
  - /proc/sys/net/ipv6/conf/*/forwarding files
  - Or net.ipv6.conf.*.forwarding sysctl
- Use OS embedded IPv6 capable stateful firewall
  - filter based on EH and ICMPv6 message type
- ip6tables (can we give examples, provide advice?)
- IPv6 aware intrusion detection
  - E.g. Snort, Suricata, Bro
  - open-source-ids
- Use IPsec between critical servers to secure communications?
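One possible host ruleset for the firewall item above, as an added example that is not part of the original slides: a shell function that prints ip6tables-restore input which drops Routing Header type 0 and accepts ICMPv6 by message type. The ICMPv6 selection follows RFC 4890; the default-drop policy, the rate limit and the TCP ports passed in are assumptions to adapt per site.

```shell
#!/bin/sh
# Added example: print a host ruleset in ip6tables-restore format.
# Check it first:  gen_ip6_rules 22 443 | ip6tables-restore --test

# gen_ip6_rules PORT...  (PORTs: inbound TCP services to allow; a site choice)
gen_ip6_rules() {
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "gen_ip6_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Extension header filter: Routing Header type 0 (deprecated by RFC 5095)
    # is dropped before any accept rule can match.
    printf '%s\n' '-A INPUT -m rt --rt-type 0 -j DROP' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # ICMPv6 errors: 1 unreachable, 2 packet too big (path MTU discovery),
    # 3 time exceeded, 4 parameter problem.
    for t in 1 2 3 4; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Echo request, rate limited.
    printf '%s\n' '-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT'
    # MLD (130-132, 143): link-local sources only.
    for t in 130 131 132 143; do
        printf '%s\n' "-A INPUT -s fe80::/10 -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbour Discovery (RA 134, NS 135, NA 136): hop limit 255 proves the
    # packet was not forwarded by a router, so it came from the local link.
    for t in 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}
```

Hosts configured by DHCPv6 also need inbound UDP port 546 from fe80::/10, which this ruleset does not open.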