6/22/2012
03:18 PM
Broader Digital Landscape Means More Places To Hide

With IPv6, a deluge of new top-level domains, and DNSSEC all coming, the Internet will become a much bigger place. Defenses that worked in the past won't work in the future.

With the slow transition to a trio of technologies -- IPv6, the domain name system security extensions (DNSSEC), and the coming sale of hundreds of global top-level domains -- the Internet is undergoing more changes than it has in three decades.


Some security experts are wary of what the changes could mean for security technologies that are based on today's communication standard, IPv4, and the far more limited number of top-level domains. The move from the relatively scarce resources of the current Internet to the nearly unlimited IPv6 address space will cause fundamental problems for security technologies, a pair of security researchers plan to argue at the Black Hat USA conference next month.

"The existing scarcity of IPv4 is something that is built into the attacker's and defender's mindset," says Alex Stamos, chief technology officer at security technology firm Artemis. "Finding vulnerable servers is easy. Scanning and attacking every addressable machine on the Internet is totally doable."

Yet a move to IPv6 may mean that attackers can no longer build databases of vulnerable servers because the address space is too big to scan. To put it in perspective, when a system is assigned a dynamic IP address under IPv6, it gets to choose from 2^40 different options -- a larger set of addresses than the entire current IPv4 address space.

For systems that attempt to detect malicious traffic by assigning IP addresses a certain reputation, the move to IPv6 could spell trouble, Stamos argues. Because attackers can quickly change their IP addresses, the reputation model breaks down.

"Because IP addresses are rare and valuable [today], someone owns it and someone is responsible for the IP address," he says. "That model is going to completely go away."

In a similar way, the expansion of the top-level domain system may make it harder for people to recognize bad sites and easier for attackers to hide in a larger ocean of domain names, he says.

[ The spotty support of the next-generation Internet routing protocol, IPv6, has left companies with a network security problem that has largely passed unnoticed. See Monitoring, Policies Needed To Catch Rogue IPv6 Traffic. ]

That's true for systems that only track negative reputation, but not if the concept of reputation is more malleable, responds Matthew Prince, CEO of Web security firm CloudFlare. Good reputation should be unaffected by the move to IPv6 because good websites will rarely change their IP addresses. In addition, by focusing on different granular levels of the network, security companies will be able to assign a reputation to certain neighborhoods of the IPv6 Internet.

"You are taking whatever information you have," he says. "It's not binary. It is not good or bad. Every visitor has a whole series of data points which give us a reputation, and it's that reputation that helps us make a decision."
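The prefix-level reputation Prince describes, as an added example that is not CloudFlare's code or the article's: verdicts are counted at host (/128), LAN (/64) and site (/48) granularity, so a sender that rotates addresses inside its /64 still inherits that prefix's record, while a stable host keeps its own. The sample events and the thresholds are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample verdicts (address, detector verdict). The 2001:db8::/32
# documentation range is used, so none of these are real hosts.
EVENTS = [
    ("2001:db8:1:2::10", "bad"), ("2001:db8:1:2::11", "bad"),
    ("2001:db8:1:2::12", "bad"), ("2001:db8:1:2::13", "bad"),
    ("2001:db8:1:3::1", "good"),
    ("2001:db8:9::1", "good"), ("2001:db8:9::1", "good"), ("2001:db8:9::1", "good"),
]

# Prefix lengths from most to least specific: a single host, a typical LAN
# (/64, inside which a host can pick any of 2^64 addresses), a typical site (/48).
GRANULARITIES = (128, 64, 48)


def aggregate(events, granularities=GRANULARITIES):
    """Count bad/good verdicts per prefix at every granularity.
    Returns {prefix_len: {network: [bad, good]}}; IPv4 prefixes are clamped to /32."""
    counts = {g: defaultdict(lambda: [0, 0]) for g in granularities}
    for addr, verdict in events:
        ip = ipaddress.ip_address(addr)
        for g in granularities:
            net = ipaddress.ip_network(f"{ip}/{min(g, ip.max_prefixlen)}", strict=False)
            counts[g][net][0 if verdict == "bad" else 1] += 1
    return counts


def score(addr, counts, min_obs=3, granularities=GRANULARITIES):
    """Reputation for addr: the verdict at the most specific prefix with at least
    min_obs observations, returned as (verdict, prefix_len); ('unknown', None) if
    no level has enough data. Coarser levels trade precision for coverage: a good
    host in a bad /48 can be marked bad when only the /48 has enough observations."""
    ip = ipaddress.ip_address(addr)
    for g in granularities:
        net = ipaddress.ip_network(f"{ip}/{min(g, ip.max_prefixlen)}", strict=False)
        bad, good = counts[g].get(net, (0, 0))
        if bad + good >= min_obs:
            return ("bad" if bad > good else "good"), net.prefixlen
    return "unknown", None


if __name__ == "__main__":
    table = aggregate(EVENTS)
    for probe in ("2001:db8:1:2::ffff", "2001:db8:9::1", "2001:db8:1:3::1"):
        print(probe, score(probe, table))
```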

While IPv6 may theoretically cause issues for future technology, on a practical level the move is already causing issues with enterprise hardware today, Stamos says. The researchers have tested many security appliances in the lab and found that they generally do not support IPv6 very well.

"These products have been deployed in IPv4 networks for decades," Stamos says. "It will take IPv6 a similar period of time to get to the same level."

That's a problem for companies, many of which already have IPv6 running in their networks, even if they do not know it. The latest versions of Windows, Linux, and the Mac OS all try to create IPv6 networks, as do many routers. This means companies likely have IPv6 traffic that could create a vulnerability.

The lesson for companies is that they should create an IPv6 security team, even if they do not plan to transition in the near future, says Bob Hinden, co-inventor of IPv6 and a fellow at firewall maker Check Point Software.

"I think enterprises need to be upgrading and running the IPv6 side of their operations now, even though they might not be actively running anything on IPv6," he says. "The warning for companies is, 'You can't stop what you can't see.'"
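A small audit of the kind of IPv6 presence Hinden warns about, as an added example that is not Check Point's code or the article's: it classifies constructed flow records into plain IPv4, IPv6-in-IPv4 encapsulation (IP protocol 41), 6to4 (2002::/16) and Teredo (2001::/32) tunnel traffic, link-local IPv6 and native global IPv6, and flags what a network that believes it runs only IPv4 should look at. The flow records and the policy switch are assumptions for illustration.

```python
import ipaddress

# Constructed flow records (src, dst, ip_protocol); not taken from any real network.
# Addresses use documentation ranges or well-known transition prefixes.
FLOWS = [
    ("192.0.2.10", "198.51.100.20", 6),      # ordinary IPv4 TCP
    ("192.0.2.11", "203.0.113.1", 41),       # IPv6 encapsulated in IPv4 (protocol 41)
    ("2002:c000:20b::1", "2001:db8::5", 6),  # 6to4 source address
    ("2001:0:1::1", "2001:db8::5", 17),      # Teredo source address
    ("fe80::1", "ff02::1", 58),              # link-local ICMPv6, stays on the LAN
    ("2001:db8:1::7", "2001:db8:2::9", 6),   # native global IPv6
]

TUNNEL_PREFIXES = {
    "6to4": ipaddress.ip_network("2002::/16"),
    "teredo": ipaddress.ip_network("2001::/32"),
}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


def classify(src, dst, proto):
    """Label the kind of IPv6 (if any) a single flow carries."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4 and d.version == 4:
        return "ipv6-in-ipv4-tunnel" if proto == 41 else "ipv4"
    for name, net in TUNNEL_PREFIXES.items():
        if s in net or d in net:
            return name
    if s in LINK_LOCAL:
        return "ipv6-link-local"
    return "ipv6-native"


def audit(flows, ipv6_expected=False):
    """Return (label, src, dst) for flows that deserve attention.
    Tunnelled IPv6 is always flagged because it slips past controls that only
    inspect IPv4; native global IPv6 is flagged only where the network does not
    expect to carry IPv6 at all. Link-local traffic is normal OS autoconfiguration."""
    findings = []
    for src, dst, proto in flows:
        label = classify(src, dst, proto)
        if label in ("6to4", "teredo", "ipv6-in-ipv4-tunnel"):
            findings.append((label, src, dst))
        elif label == "ipv6-native" and not ipv6_expected:
            findings.append((label, src, dst))
    return findings


if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(*finding)
```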

Comments
Bprince
User Rank: Ninja
6/25/2012 | 12:06:44 AM
re: Broader Digital Landscape Means More Places To Hide
Unknown tunnels can create a security blind spot. Organizations should make sure the security products (firewalls, etc.) have the capability to deal with IPv6 traffic.
Brian Prince, InformationWeek/Dark Reading Comment Moderator