[AusNOG] My Predictions for the ISP Industry
Eric Pinkerton
Eric.Pinkerton at stratsec.net
Thu Mar 15 15:16:24 EST 2012
>Your attack surface is probably already increased, because autotunnelling protocols mean your users are quite probably already running IPv6 behind your back without even realizing it.
That's not so much increasing your attack surface with V6, as an example of poor egress filtering in V4. Regardless, that's a bit like saying you don't need a helmet because your seat belt is already broken.
>> of course because many of the current defensive measures are behind the curve here.
>At a network level, why would the defensive measures be any different?
>Mirror your IPv4 ACLs with IPv6 ACLs; your dual-stack firewall appliance is probably already controlling both protocols.
Easier said than done if you have say a legacy Checkpoint deployment with 2500 rules and a SIEM that can't understand IPV6 addresses in log files.
>> Also you can draw your own conclusions about the efficacy of current LI solutions where IPV6 is concerned.
>Again: Why would they change?
Because LI solutions tend to be complex and heavily customised to specific environments, and so "may" require some "tweaks" before they work for IPV6 traffic.
>I don't think anyone ever seriously believed that IPv6 was or could be inherently more secure than its predecessor. I mean, sure, there've been a lot of years featuring a lot of people who don't know what they're talking about saying a lot of things, but nobody has actually listened to them, right?
I have heard from people working in law enforcement who think that hacking will stop once we roll out IPV6 because hackers can't disguise their MAC address! ......I shit you not!
>> Add to this an increase in the opportunity for configuration mistakes and you start to appreciate why many organisations are in 'wait and see what everyone else does' mode.
>Ah, right -- so that's how professionals in this industry deal with things they don't know how to do these days, is it?
Nah, it's how professionals in every industry have dealt with things they don't know how to do for time immemorial.
Just sayin!