Full Product Details

Author: Scott Hogg, Eric Vyncke
Publisher: Pearson Education (US)
Imprint: Cisco Press
Dimensions: Width: 19.00cm, Height: 3.50cm, Length: 23.00cm
Weight: 0.977kg
ISBN: 9781587055942
ISBN 10: 1587055945
Pages: 576
Publication Date: 22 December 2008
Audience: Professional and scholarly, Professional & Vocational
Format: Paperback
Publisher's Status: Active
Availability: In Print

This item will be ordered in for you from one of our suppliers. Upon receipt, we will promptly dispatch it out to you. For in store availability, please contact us.

Table of Contents

Introduction

Chapter 1 Introduction to IPv6 Security
Reintroduction to IPv6; IPv6 Update; IPv6 Vulnerabilities; Hacker Experience; IPv6 Security Mitigation Techniques; Summary; Recommended Readings and Resources

Chapter 2 IPv6 Protocol Security Vulnerabilities
The IPv6 Protocol Header; ICMPv6; ICMPv6 Functions and Message Types; ICMPv6 Attacks and Mitigation Techniques; Multicast Security; Extension Header Threats; Extension Header Overview; Extension Header Vulnerabilities; Hop-by-Hop Options Header and Destination Options Header; IPv6 Extension Header Fuzzing; Router Alert Attack; Routing Headers; RH0 Attack; Preventing RH0 Attacks; Additional Router Header Attack Mitigation Techniques; Fragmentation Header; Overview of Packet Fragmentation Issues; Fragmentation Attacks; Preventing Fragmentation Attacks; Virtual Fragment Reassembly; Unknown Option Headers; Upper-Layer Headers; Reconnaissance on IPv6 Networks; Scanning and Assessing the Target; Registry Checking; Automated Reconnaissance; Speeding Up the Scanning Process; Leveraging Multicast for Reconnaissance; Automated Reconnaissance Tools; Sniffing to Find Nodes; Neighbor Cache; Node Information Queries; Protecting Against Reconnaissance Attacks; Layer 3 and Layer 4 Spoofing; Summary; References

Chapter 3 IPv6 Internet Security
Large-Scale Internet Threats; Packet Flooding; Internet Worms; Worm Propagation; Speeding Worm Propagation in IPv6; Current IPv6 Worms; Preventing IPv6 Worms; Distributed Denial of Service and Botnets; DDoS on IPv6 Networks; Attack Filtering; Attacker Traceback; Black Holes and Dark Nets; Ingress/Egress Filtering; Filtering IPv6 Traffic; Filtering on Allocated Addresses; Bogon Filtering; Bogon Filtering Challenges and Automation; Securing BGP Sessions; Explicitly Configured BGP Peers; Using BGP Session Shared Secrets; Leveraging an IPsec Tunnel; Using Loopback Addresses on BGP Peers; Controlling the Time-to-Live (TTL) on BGP Packets; Filtering on the Peering Interface; Using Link-Local Peering; Link-Local Addresses and the BGP Next-Hop Address; Drawbacks of Using Link-Local Addresses; Preventing Long AS Paths; Limiting the Number of Prefixes Received; Preventing BGP Updates Containing Private AS Numbers; Maximizing BGP Peer Availability; Disabling Route-Flap Dampening; Disabling Fast External Fallover; Enabling Graceful Restart and Route Refresh or Soft Reconfiguration; BGP Connection Resets; Logging BGP Neighbor Activity; Securing IGP; Extreme Measures for Securing Communications Between BGP Peers; IPv6 over MPLS Security; Using Static IPv6 over IPv4 Tunnels Between PE Routers; Using 6PE; Using 6VPE to Create IPv6-Aware VRFs; Customer Premises Equipment; Prefix Delegation Threats; SLAAC; DHCPv6; Multihoming Issues; Summary; References

Chapter 4 IPv6 Perimeter Security
IPv6 Firewalls; Filtering IPv6 Unallocated Addresses; Additional Filtering Considerations; Firewalls and IPv6 Headers; Inspecting Tunneled Traffic; Layer 2 Firewalls; Firewalls Generate ICMP Unreachables; Logging and Performance; Firewalls and NAT; Cisco IOS Router ACLs; Implicit IPv6 ACL Rules; Internet ACL Example; IPv6 Reflexive ACLs; Cisco IOS Firewall; Configuring IOS Firewall; IOS Firewall Example; IOS Firewall Port-to-Application Mapping for IPv6; Cisco PIX/ASA/FWSM Firewalls; Configuring Firewall Interfaces; Management Access; Configuring Routes; Security Policy Configuration; Object Group Policy Configuration; Fragmentation Protection; Checking Traffic Statistics; Neighbor Discovery Protocol Protections; Summary; References

Chapter 5 Local Network Security
Why Layer 2 Is Important; ICMPv6 Layer 2 Vulnerabilities for IPv6; Stateless Address Autoconfiguration Issues; Neighbor Discovery Issues; Duplicate Address Detection Issues; Redirect Issues; ICMPv6 Protocol Protection; Secure Neighbor Discovery; Implementing CGA Addresses in Cisco IOS; Understanding the Challenges with SEND; Network Detection of ICMPv6 Attacks; Detecting Rogue RA Messages; Detecting NDP Attacks; Network Mitigation Against ICMPv6 Attacks; Rafixd; Reducing the Target Scope; IETF Work; Extending IPv4 Switch Security to IPv6; Privacy Extension Addresses for the Better and the Worse; DHCPv6 Threats and Mitigation; Threats Against DHCPv6; Mitigating DHCPv6 Attacks; Mitigating the Starvation Attack; Mitigating the DoS Attack; Mitigating the Scanning; Mitigating the Rogue DHCPv6 Server; Point-to-Point Link; Endpoint Security; Summary; References

Chapter 6 Hardening IPv6 Network Devices
Threats Against Network Devices; Cisco IOS Versions; Disabling Unnecessary Network Services; Interface Hardening; Limiting Router Access; Physical Access Security; Securing Console Access; Securing Passwords; VTY Port Access Controls; AAA for Routers; HTTP Access; IPv6 Device Management; Loopback and Null Interfaces; Management Interfaces; Securing SNMP Communications; Threats Against Interior Routing Protocol; RIPng Security; EIGRPv6 Security; IS-IS Security; OSPF Version 3 Security; First-Hop Redundancy Protocol Security; Neighbor Unreachability Detection; HSRPv6; GLBPv6; Controlling Resources; Infrastructure ACLs; Receive ACLs; Control Plane Policing; QoS Threats; Summary; References

Chapter 7 Server and Host Security
IPv6 Host Security; Host Processing of ICMPv6; Services Listening on Ports; Microsoft Windows; Linux; BSD; Sun Solaris; Checking the Neighbor Cache; Microsoft Windows; Linux; BSD; Sun Solaris; Detecting Unwanted Tunnels; Microsoft Windows; Linux; BSD; Sun Solaris; IPv6 Forwarding; Microsoft Windows; Linux; BSD; Sun Solaris; Address Selection Issues; Microsoft Windows; Linux; BSD; Sun Solaris; Host Firewalls; Microsoft Windows Firewall; Linux Firewalls; BSD Firewalls; OpenBSD Packet Filter; ipfirewall; IPFilter; Sun Solaris; Securing Hosts with Cisco Security Agent 6.0; Summary; References

Chapter 8 IPsec and SSL Virtual Private Networks
IP Security with IPv6; IPsec Extension Headers; IPsec Modes of Operation; Internet Key Exchange (IKE); IKE Version 2; IPsec with Network Address Translation; IPv6 and IPsec; Host-to-Host IPsec; Site-to-Site IPsec Configuration; IPv6 IPsec over IPv4 Example; Configuring IPv6 IPsec over IPv4; Verifying the IPsec State; Adding Some Extra Security; Dynamic Crypto Maps for Multiple Sites; IPv6 IPsec Example; Configuring IPsec over IPv6; Checking the IPsec Status; Dynamic Multipoint VPN; Configuring DMVPN for IPv6; Verifying the DMVPN at the Hub; Verifying the DMVPN at the Spoke; Remote Access with IPsec; SSL VPNs; Summary; References

Chapter 9 Security for IPv6 Mobility
Mobile IPv6 Operation; MIPv6 Messages; Indirect Mode; Home Agent Address Determination; Direct Mode; Threats Linked to MIPv6; Protecting the Mobile Device Software; Rogue Home Agent; Mobile Media Security; Man-in-the-Middle Threats; Connection Interception; Spoofing MN-to-CN Bindings; DoS Attacks; Using IPsec with MIPv6; Filtering for MIPv6; Filters at the CN; Filters at the MN/Foreign Link; Filters at the HA; Other IPv6 Mobility Protocols; Additional IETF Mobile IPv6 Protocols; Network Mobility (NEMO); IEEE .16e; Mobile Ad-hoc Networks; Summary; References

Chapter 10 Securing the Transition Mechanisms
Understanding IPv4-to-IPv6 Transition Techniques; Dual-Stack; Tunnels; Configured Tunnels; 6to4 Tunnels; ISATAP Tunnels; Teredo Tunnels; 6VPE; Protocol Translation; Implementing Dual-Stack Security; Exploiting Dual-Stack Environment; Protecting Dual-Stack Hosts; Hacking the Tunnels; Securing Static Tunnels; Securing Dynamic Tunnels; 6to4; ISATAP; Teredo; Securing 6VPE; Attacking NAT-PT; IPv6 Latent Threats Against IPv4 Networks; Summary; References

Chapter 11 Security Monitoring
Managing and Monitoring IPv6 Networks; Router Interface Performance; Device Performance Monitoring; SNMP MIBs for Managing IPv6 Networks; IPv6-Capable SNMP Management Tools; NetFlow Analysis; Router Syslog Messages; Benefits of Accurate Time; Managing IPv6 Tunnels; Using Forensics; Using Intrusion Detection and Prevention Systems; Cisco IPS Version 6.1; Testing the IPS Signatures; Managing Security Information with CS-MARS; Managing the Security Configuration; Summary; References

Chapter 12 IPv6 Security Conclusions
Comparing IPv4 and IPv6 Security; Similarities Between IPv4 and IPv6; Differences Between IPv4 and IPv6; Changing Security Perimeter; Creating an IPv6 Security Policy; Network Perimeter; Extension Headers; LAN Threats; Host and Device Hardening; Transition Mechanisms; IPsec; Security Management; On the Horizon; Consolidated List of Recommendations; Summary; References

Author Information

Scott Hogg, CCIE No. 5133, has been a network computing consultant for more than 17 years. Scott provides network engineering, security consulting, and training services, focusing on creating reliable, high-performance, secure, manageable, and cost-effective network solutions. He has a bachelor’s degree in computer science from Colorado State University and a master’s degree in telecommunications from the University of Colorado. In addition to his CCIE, he has his CISSP (No. 4610) and many other vendor and industry certifications. Scott has designed, implemented, and troubleshot networks for many large enterprises, service providers, and government organizations. For the past eight years, Scott has been researching IPv6 technologies. Scott has written several white papers on IPv6 and has given numerous presentations and demonstrations of IPv6 technologies. He is also currently the chair of the Rocky Mountain IPv6 Task Force and the Director of Advanced Technology Services at Global Technology Resources, Inc. (GTRI), a Cisco Gold partner headquartered in Denver, Colorado.

Eric Vyncke is a Distinguished System Engineer for Cisco working as a technical consultant for security covering Europe. His main area of expertise for 20 years has been security from Layer 2 to applications. He has helped several organizations deploy IPv6 securely. For the past eight years, Eric has participated in the Internet Engineering Task Force (IETF) (he is the author of RFC 3585). Eric is a frequent speaker at security events (notably Cisco Live [formerly Networkers]) and is also a guest professor at Belgian universities for security seminars. He has a master’s degree in computer science engineering from the University of Liège in Belgium. He worked as a research assistant in the same university before joining Network Research Belgium, where he was the head of R&D; he then joined Siemens as a project manager for security projects including a proxy firewall. He coauthored the Cisco Press book LAN Switch Security: What Hackers Know About Your Switches. He is CISSP No. 75165.

Countries Available: All regions