
Your precious firewall can't save you now!

Weak or nonexistent IPv6 handling in computer security software can leave otherwise secure computers wide open to attack – so open, in fact, that in some cases it is as if no firewall were running at all.

Speaking at the annual HOPE (Hackers on Planet Earth) conference in New York, security researcher Joe Klein of Command Information said that the internet is full of computers surreptitiously running IPv6, unbeknownst to their owners. Compounding the problem is the number of operating systems shipped with IPv6 enabled by default, which includes Windows Vista, the Linux 2.6 kernel, Sun’s Solaris, Mac OS X, and a variety of cell phone operating systems, including Windows Mobile 5 and 6.

Computers with a lackluster IPv6 setup – even if they have a strong IPv4 firewall or Intrusion Detection System (IDS) in place – are just as exposed in IPv6 space as they would be in IPv4 space without a firewall: any program that listens for connections is allowed to accept them. Most operating systems, by default, run a handful of “listeners” for networking and internal processes, and it is these listeners that are frequently the first to be targeted in an attack.

A number of computer worms, including Blaster and its follow-up Welchia, worked by exploiting a buffer overflow in Windows’ internal RPC infrastructure, which listens on port 135 and is ordinarily shielded by a firewall.

Network administrators who don’t keep tabs on their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don’t secure their IPv6 implementations – whether they realize they have one or not.

“Essentially, we have systems that are wide open to a network,” said Klein. “It's like having wireless on your network without knowing it.”

Security researchers have for some time found hackers exploiting IPv6. A 2002 post from Lance Spitzner of the Honeynet Project described an attacker who broke into a Solaris-based honeypot by ordinary means, enabled IPv6 connectivity in the OS, and then set up a tunnel out of the network to another country. The break-in was discovered only through network packet sniffing, and even then Spitzner says he was unable to decode the data being sent out.

One of the biggest threats is the variety of backwards-compatibility schemes designed to tunnel IPv6 traffic over an IPv4 network, such as Teredo or 6to4: the very act of tunneling often bypasses firewalls by its nature.
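Klein’s point about tunnels suggests a simple defender-side check. The following is an added example, not code from the article or from Command Information: it labels raw IPv4 packets as possible IPv6-in-IPv4 encapsulation (IP protocol 41, used by 6to4 and ISATAP) or Teredo (UDP port 3544), and decodes the IPv4 endpoints embedded in 6to4 and Teredo addresses so an analyst can see which hosts are tunneling. The packet headers are constructed samples; the Teredo address is the example from RFC 4380.

```python
import ipaddress
import struct
IPPROTO_IPV6 = 41       # IPv6-in-IPv4 encapsulation: 6to4, ISATAP, manually configured tunnels
TEREDO_UDP_PORT = 3544  # Teredo servers and relays listen here (RFC 4380)

def classify_ipv4_packet(pkt: bytes) -> str:
    """Label a raw IPv4 packet 'proto41', 'teredo' or 'other'."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]   # header length in bytes, protocol field
    if proto == IPPROTO_IPV6:
        return "proto41"
    if proto == 17 and len(pkt) >= ihl + 4:      # UDP: inspect source/destination ports
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_UDP_PORT in (sport, dport):
            return "teredo"
    return "other"

def decode_6to4(addr: str):
    """2002:WWXX:YYZZ::/48 embeds the tunnel endpoint's public IPv4 address (RFC 3056)."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))

def decode_teredo(addr: str):
    """2001:0:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF> (RFC 4380)."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2001::/32"):
        return None
    b = a.packed
    server = str(ipaddress.IPv4Address(b[4:8]))
    port = struct.unpack("!H", b[10:12])[0] ^ 0xFFFF
    client = str(ipaddress.IPv4Address(bytes(x ^ 0xFF for x in b[12:16])))
    return server, client, port

def ipv4_packet(proto: int, payload: bytes) -> bytes:
    """Constructed minimal IPv4 header; checksum left zero, which classification does not need."""
    src, dst = ipaddress.IPv4Address("192.0.2.10").packed, ipaddress.IPv4Address("198.51.100.1").packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

# Constructed samples: an encapsulated IPv6 packet, a Teredo datagram to UDP/3544, a plain TCP segment.
SAMPLES = {
    "6to4": ipv4_packet(IPPROTO_IPV6, b"\x60" + b"\x00" * 39),
    "teredo": ipv4_packet(17, struct.pack("!HHHH", 54321, TEREDO_UDP_PORT, 8, 0)),
    "tcp": ipv4_packet(6, b"\x00" * 20),
}

if __name__ == "__main__":
    print({name: classify_ipv4_packet(pkt) for name, pkt in SAMPLES.items()})
    print(decode_6to4("2002:c000:022a::1"), decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
```

Protocol-41 and UDP/3544 hits are only an indicator: a tunnel endpoint on the inside of the network is what turns the hit into something worth investigating.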

“Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments,” said an unnamed DoD security specialist, in an interview with Wired’s Threat Level.

With internet progressives trying to switch the internet to IPv6 as fast as they can – a widget on Command Information’s web site estimates that the internet will run out of IPv4 addresses in about two and a half years – some fear that technological progress may be outpacing the security that keeps it safe.


RE: Sensationalist
By trejrco on 7/22/2008 1:05:38 PM , Rating: 2
Some snips:

As touched on in another post here, this article is journalistic fear-mongering at its best.

For the most part, I humbly disagree.

No system on the Internet behind a NAT/PAT or any hardware firewall is at any greater risk than before.

For the most part, I humbly disagree.

So if a software firewall protecting such vulnerabilities for some reason wasn't blocking IPv6 access, then yes, IPv6 would be a big security risk at this point. Of course, if host-based software firewalls are really your last line of defense, your security schema has bigger problems than IPv6.

Here is the problem - automatic tunnels exist, MOST tunneled packets are NOT inspected by MOST current FW appliances, and the SW FWs are largely also NOT stopping this traffic. Blocking Protocol 41 and UDP/3544 is a huge step in the right direction, if you want this traffic to be blocked (not a perfect solution, of course ... but that conversation would take a lot longer ...)

One of the problems with IPv6 described by the researcher in the article is the ability to create tunnels using IPv6 that can evade packet inspection by firewalls that might catch IPv4 tunnels. This is not a major vulnerability for the vast majority of organizations, and such vulnerabilities will probably always exist in some form.

How is this not "not a major vulnerability for the vast majority of organizations" ... ? Traffic traversing your network, outside of your control & inspection, is not a major problem for "the vast majority of organizations"? I think any moderate-or-larger organization, or any organization with any sort of intellectual property / proprietary data / restricted-access information would probably disagree.

I am not trying to downplay or deny the fact that the very presence of IPv6 on many computers is inherently a security risk, but it's not nearly as big as the article is implying or the quoted security researcher seems to be saying.

It is not the presence of IPv6 that is the risk; it is the lack of support & knowledge in securing it that is the problem.


RE: Sensationalist
By drebo on 7/22/2008 6:33:44 PM , Rating: 2
Outside of Cisco's DMVPN and other such technologies, there's no such thing as an "automatic tunnel". A tunnel must have an explicitly supplied source and destination. Those are not things that can be learned (again, with the notable exception of DMVPN). Further, as far as I know, every single tunneling protocol must be enabled at both ends in order for the tunnel to be active. There is no automatic about it.

RE: Sensationalist
By trejrco on 7/23/2008 12:12:47 PM , Rating: 2
Read up on 6to4, ISATAP and Teredo.
Think relays that use anycast addresses, or automatic DNS lookups.
In Teredo's case you may need to configure a Teredo server (one time) to reach the "entire IPv6 Internet".

There are others, but these are the "current drop of favorites".
