Analytics // Security Monitoring
6/22/2012 03:18 PM

Broader Digital Landscape Means More Places To Hide

With IPv6, a deluge of new top-level domains, and DNSSEC all coming, the Internet will become a much bigger place. Defenses that worked in the past won't work in the future.

With the slow transition to a trio of technologies -- IPv6, the domain name system security extensions (DNSSEC), and the coming sale of hundreds of global top-level domains -- the Internet is undergoing more changes than it has in three decades.


Some security experts are wary of what the changes could mean for security technologies that are based on today's communication standard, IPv4, and the far more limited number of top-level domains. The move from the relatively scarce resources of the current Internet to the nearly unlimited IPv6 address space will cause fundamental problems for security technologies, a pair of security researchers plan to argue at the Black Hat USA conference next month.

"The existing scarcity of IPv4 is something that is built into the attacker's and defender's mindset," says Alex Stamos, chief technology officer at security technology firm Artemis. "Finding vulnerable servers is easy. Scanning and attacking every addressable machine on the Internet is totally doable."

Yet a move to IPv6 may mean that attackers can no longer build databases of vulnerable servers because the address space is too big to scan. To put it in perspective, when a system is assigned a dynamic IP address under IPv6, it gets to choose from two to the 40th power (2^40) different options -- a larger set of addresses than the entire current IPv4 address space.

For systems that attempt to detect malicious traffic by assigning IP addresses a certain reputation, the move to IPv6 could spell trouble, Stamos argues. Because attackers can quickly change their IP addresses, the reputation model breaks down.

"Because IP addresses are rare and valuable [today], someone owns it and someone is responsible for the IP address," he says. "That model is going to completely go away."

In a similar way, the expansion of the top-level domain system may make it harder for people to recognize bad sites and easier for attackers to hide in a larger ocean of domain names, he says.

[ The spotty support of the next-generation Internet routing protocol, IPv6, has left companies with a network security problem that has largely passed unnoticed. See Monitoring, Policies Needed To Catch Rogue IPv6 Traffic. ]

That's true for systems that only track negative reputation, but not if the concept of reputation is more malleable, responds Matthew Prince, CEO of Web security firm CloudFlare. Good reputation should be unaffected by the move to IPv6 because good websites will rarely change their IP addresses. In addition, by focusing on different granular levels of the network, security companies will be able to assign a reputation to certain neighborhoods of the IPv6 Internet.

"You are taking whatever information you have," he says. "It's not binary. It is not good or bad. Every visitor has a whole series of data points which give us a reputation, and it's that reputation that helps us make a decision."
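Prince's point about assigning reputation to "neighborhoods" of the IPv6 Internet can be made concrete. The block below is an added example, not CloudFlare's code or anything from the article: it aggregates constructed observations by /64 (or /48) prefix instead of by individual address, so a source that hops through the addresses of one block still accumulates a shared score, while a prefix with too few observations stays "unknown" rather than being blocked on thin evidence. The sample events, the thresholds and the prefix sizes are assumptions chosen for illustration.

```python
"""Neighborhood-level reputation for IPv6 (and IPv4) sources.

Added example, not code from CloudFlare or the article. Per-address
reputation is fragile when one host can rotate through a huge range, but
the /64 or /48 it lives in is much harder to leave, so observations are
keyed by prefix. All events below are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (source address, whether the request was malicious)
SAMPLE_EVENTS = [
    ("2001:db8:1:2::a1", True),
    ("2001:db8:1:2::b7", True),
    ("2001:db8:1:2:1234:5678:9abc:def0", True),
    ("2001:db8:1:2::c3", False),
    ("2001:db8:1:3::1", False),
    ("2001:db8:1:3::2", False),
    ("2001:db8:99::5", True),
    ("203.0.113.10", True),
    ("203.0.113.10", True),
    ("203.0.113.11", False),
]


def neighborhood(addr, v6_prefixlen=64, v4_prefixlen=24):
    """Return the prefix (as a string) an address is scored under.

    /64 is the usual size of one IPv6 subnet, so every address a host can
    pick within it maps to the same key; /24 plays that role for IPv4.
    Both sizes are assumptions and can be widened (e.g. /48) by the caller.
    """
    ip = ipaddress.ip_address(addr)
    plen = v6_prefixlen if ip.version == 6 else v4_prefixlen
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def build_reputation(events, v6_prefixlen=64, v4_prefixlen=24):
    """Aggregate events into per-neighborhood counters.

    Returns {prefix: {"bad": n, "total": n, "distinct": n}}. "distinct" is
    the number of different addresses seen in the prefix; it climbs quickly
    when a single actor hops through its block.
    """
    acc = defaultdict(lambda: {"bad": 0, "total": 0, "addrs": set()})
    for addr, malicious in events:
        entry = acc[neighborhood(addr, v6_prefixlen, v4_prefixlen)]
        entry["total"] += 1
        entry["bad"] += int(malicious)
        entry["addrs"].add(addr)
    return {
        net: {"bad": e["bad"], "total": e["total"], "distinct": len(e["addrs"])}
        for net, e in acc.items()
    }


def score(addr, reputation, v6_prefixlen=64, v4_prefixlen=24, min_obs=3):
    """Malicious fraction for the address's neighborhood.

    Returns None when the prefix is unseen or has fewer than min_obs
    observations, so a decision is not made on too little data.
    """
    entry = reputation.get(neighborhood(addr, v6_prefixlen, v4_prefixlen))
    if entry is None or entry["total"] < min_obs:
        return None
    return entry["bad"] / entry["total"]


def verdict(addr, reputation, block_threshold=0.6, **kwargs):
    """Turn the score into a decision; unknown neighborhoods are not blocked."""
    s = score(addr, reputation, **kwargs)
    if s is None:
        return "unknown"
    return "block" if s >= block_threshold else "allow"


if __name__ == "__main__":
    rep = build_reputation(SAMPLE_EVENTS)
    for net, e in sorted(rep.items()):
        print(f"{net:28} bad={e['bad']} total={e['total']} distinct={e['distinct']}")
    for probe in ("2001:db8:1:2::ffff", "2001:db8:1:3::9", "203.0.113.200", "2001:db8:5::1"):
        print(probe, "->", verdict(probe, rep))
```

Note that an address never seen before (2001:db8:1:2::ffff) still gets the verdict of its /64, because three of its neighbors were already caught misbehaving; that is the property a per-address list loses once a host can change address at will. Good reputation composes the same way: a prefix that only ever produces clean traffic stays "allow" even as individual addresses within it come and go.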

While IPv6 may theoretically cause issues for future technology, on a practical level the move is already causing issues with enterprise hardware today, Stamos says. The researchers have tested many security appliances in the lab and found that they generally do not support IPv6 very well.

"These products have been deployed in IPv4 networks for decades," Stamos says. "It will take IPv6 a similar period of time to get to the same level."

That's a problem for companies, many of which already have IPv6 running in their networks, even if they do not know it. The latest versions of Windows, Linux, and the Mac OS all try to create IPv6 networks, as do many routers. This means companies likely have IPv6 traffic that could create a vulnerability.

The lesson for companies is that they should create an IPv6 security team, even if they do not plan to transition in the near future, says Bob Hinden, co-inventor of IPv6 and a fellow at firewall maker Check Point Software.

"I think enterprises need to be upgrading and running the IPv6 side of their operations now, even though they might not be actively running anything on IPv6," he says. "The warning for companies is, 'You can't stop what you can't see.'"

Comments

Bprince (User Rank: Ninja), 6/25/2012 12:06:44 AM
re: Broader Digital Landscape Means More Places To Hide

Unknown tunnels can create a security blind spot. Organizations should make sure the security products (firewalls, etc.) have the capability to deal with IPv6 traffic.

Brian Prince, InformationWeek/Dark Reading Comment Moderator
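Hinden's warning that "you can't stop what you can't see" and the comment above about unknown tunnels come down to the same check: find the IPv6 that is already on the network without anyone having planned for it. The block below is an added example, not code from the article, from Check Point, or from any product mentioned here. It runs over constructed flow records in a simple key=value form and flags native IPv6 outside a sanctioned prefix list, link-local and multicast IPv6 chatter from auto-configuring hosts, and the two common ways IPv6 rides over an IPv4-only network: protocol 41 encapsulation (6in4/6to4) and Teredo on UDP 3544. The record format, the sample flows and the sanctioned-prefix policy are assumptions; the prefixes and port numbers are the standard ones.

```python
"""Spot IPv6 a network may not know it carries.

Added example operating on constructed flow records; not code from the
article or any vendor it mentions. Standard constants: IP protocol 41 is
IPv6-in-IPv4 encapsulation (6in4/6to4), Teredo uses UDP port 3544,
2002::/16 holds 6to4-derived addresses and 2001::/32 Teredo-derived ones.
"""
import ipaddress

SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
TEREDO_UDP_PORT = 3544
IPV6_IN_IPV4_PROTOCOL = "41"

# Constructed sample flows (assumed key=value export format, one flow per line).
# 192.88.99.1 is the 6to4 relay anycast address; 2002:c000:20a::1 is the 6to4
# address a host at 192.0.2.10 would derive for itself.
SAMPLE_FLOWS = """\
2012-06-22T10:00:01 proto=tcp src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443
2012-06-22T10:00:02 proto=tcp src=2001:db8:1::10 dst=2001:db8:2::20 sport=51235 dport=80
2012-06-22T10:00:03 proto=41 src=192.0.2.11 dst=192.88.99.1 sport=0 dport=0
2012-06-22T10:00:04 proto=udp src=192.0.2.12 dst=198.51.100.7 sport=60123 dport=3544
2012-06-22T10:00:05 proto=tcp src=2002:c000:20a::1 dst=2001:db8:2::20 sport=40000 dport=22
2012-06-22T10:00:06 proto=udp src=fe80::1 dst=ff02::1 sport=546 dport=547
"""


def parse_flow(line):
    """Turn 'timestamp k=v k=v ...' into a dict (assumed export format)."""
    ts, *fields = line.split()
    flow = dict(field.split("=", 1) for field in fields)
    flow["ts"] = ts
    return flow


def address_tags(addr, sanctioned):
    """Tags for one endpoint address; IPv4 endpoints contribute nothing."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return set()
    if ip in SIXTO4_PREFIX:
        return {"addr-6to4"}
    if ip in TEREDO_PREFIX:
        return {"addr-teredo"}
    # Link-local / multicast traffic means hosts are auto-configuring IPv6
    # on the segment even if nobody assigned them global addresses.
    if ip.is_link_local or ip.is_multicast or ip.is_loopback:
        return {"ipv6-linklocal-or-multicast"}
    # is_global is deliberately not used: it treats documentation prefixes
    # such as 2001:db8::/32 as non-global, which would hide our sample data.
    if any(ip in net for net in sanctioned):
        return set()
    return {"ipv6-native-unsanctioned"}


def classify(flow, sanctioned):
    """Return the set of reasons a flow deserves a look (empty if none)."""
    tags = set()
    if flow["proto"] == IPV6_IN_IPV4_PROTOCOL:
        tags.add("tunnel-proto41")
    if flow["proto"] == "udp" and TEREDO_UDP_PORT in (int(flow["sport"]), int(flow["dport"])):
        tags.add("tunnel-teredo-port")
    for key in ("src", "dst"):
        tags |= address_tags(flow[key], sanctioned)
    return tags


def audit(text, sanctioned_prefixes=()):
    """Scan flow text; return [(line_number, sorted_tags)] for flagged lines.

    sanctioned_prefixes lists IPv6 prefixes the organisation has actually
    deployed; an empty list means no native IPv6 is expected at all.
    """
    sanctioned = [ipaddress.ip_network(p) for p in sanctioned_prefixes]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        tags = classify(parse_flow(line), sanctioned)
        if tags:
            findings.append((lineno, sorted(tags)))
    return findings


if __name__ == "__main__":
    for lineno, tags in audit(SAMPLE_FLOWS):
        print(f"line {lineno}: {', '.join(tags)}")
```

With an empty sanctioned list every IPv6 flow is reported; once the prefixes the organisation really deployed are listed (for example `audit(SAMPLE_FLOWS, ["2001:db8::/32"])`), the native flows inside them drop out and only the tunnels and the 6to4-derived source remain, which is the short list a firewall or IDS that is not yet IPv6-aware would otherwise never show.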