Presentation is loading. Please wait.

Presentation is loading. Please wait.

Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley

Published byAbner Gaines Modified over 8 years ago

Similar presentations

Presentation on theme: "Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley"— Presentation transcript:

1 Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke ev@cisco.comev@cisco.com Mark Townsley townsley@cisco.comtownsley@cisco.com Andrew Yourtchenko ay@cisco.comay@cisco.com November 2011

2 Advanced Security User Feedback IPS Dynamic Policy & Signatures Update On-line Access to IP Address Reputation In short: traffic is allowed until proven guilty CPE or internal router

3 Overview 7 policies are identified in the -03. These are largely based on features which are commonly available in “advanced” security gears (UTM) for enterprises for several years Home edge/internal router is not something that is purchased and thrown away when obsolete. Instead, it is actively updated like many other consumer devices are today (PCs, iPods and iPhones, etc.) Business model may include a paid subscription service from the manufacturer, a participating service or content provider, consortium, etc.

4 Why is this important to IPv6 & HOMENET?

5 Opening THE Can of Worms NAT is Useless for Security Most botnet members are behind a NAT Malware are downloaded nowadays… Allowing PCP or UPnP to open NAT pin- holes puts a huge trust in the host integrity There is a need to apply security between guest and home security domains

6 Default Security Policy 1. RejectBogon: including uRPF checks 2. BlockBadReputation: for in/outbound traffic 3. AllowReturn: and apply IPS on in/outbound traffic 4. AllowToPublicDnsHost Allow inbound traffic to inside host with a AAAA & reverse-DNS 5. ProtectLocalOnly: Block all inbound traffic to inside which never transmitted to the outside (à la full-cone) 6. CrypoIntercept: Intercept all inbound SSL/TLS connection, present (self-signed) cert, decrypt and re-encrypt Goal is to apply IPS 7. ParanoidOpeness: Allow ALL inbound traffic by default See more next slide

7 More on Paranoid Openness Rate limit (SYN & plain data) To protect low-bandwidth residential links Basic protection against host scan If authenticated flow (e.g. HTTP) Perform dictionary attack on credential and reject too obvious ones (or default ones) Goal is to force user to select good credentials IPS must be applied If protocol unknown, then flow MAY be permitted If attack is detected, then flow MUST be denied

8 -00 at IETF 76 -00 presented at V6OPS & SAAG Globally positive reaction The crypto part could be improved/better presented Paranoid Openness is very much needed for IPv6 Already known as Universal Threat Mitigation for large enterprises Could/should cross pollination with simple- security ID

9 Between IETF76 & 82 But, little progress done (Eric’s & Mark’s fault) -03 delta Some cosmetics More reference to UTM Reference to previous I-D & RFC 6092 More consistent with HOMENET

Download ppt "Advanced IPv6 Residential Security draft-vyncke-advanced-ipv6- security-03 Eric Vyncke Mark Townsley"

Similar presentations

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 9 – Firewalls and.
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
Internet Gateway Device (IGD)

Internet Gateway Device (IGD)
Lecture 14 Firewalls modified from slides of Lawrie Brown.

Lecture 14 Firewalls modified from slides of Lawrie Brown.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.

1 Cost-Effective Strategies for Countering Security Threats: IPSEC, SSLi and DDoS Mitigation Bruce Hembree, Senior Systems Engineer A10 Networks.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.

Chapter 8 PIX Firewall. Adaptive Security Algorithm (ASA)  Used by Cisco PIX Firewall  Keeps track of connections originating from the protected inside.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

Similar presentations

Ads by Google