
AIX Security Tips for an IPv6 World

IBM's AIX has long enjoyed a reputation for security a cut above other Unix platforms. For example, the AIX Security Expert (aixpert) streamlines security hardening, and features such as Role Based Access Control (RBAC), Trusted AIX (multilevel security), and Trusted Execution (signed, integrity-checked files and executables) provide built-in bulwarks that let you seriously lock down any AIX box.

Alas, one security milieu has gotten short shrift in the AIX world. The Internet's successor to IPv4 addressing, the IPv6 protocol, presents major security exposures to AIX installations (as well as those of other OSes). These exposures have stayed below the radar of many security managers because they haven't explicitly implemented IPv6 yet. Some may even have explicitly disabled IPv6 on AIX, following the security dictum of least privilege, which leads to a false sense of safety.

Unfortunately, IPv6 security issues exist whether you have officially implemented IPv6 or not, because the most popular desktop OSes -- Windows, Mac OS X, and Linux -- currently ship with IPv6 enabled by default. Attackers know this and can use IPv6 right under your nose to open a back door into your core enterprise network. The best defense against such exposures is carefully and thoughtfully deploying IPv6 in your network in a secure fashion. That's possible today, but it requires attention to detail, which translates into labor and time, which equals money, which is in short supply.

IPv6 security exposures in "IPv4-only" networks are bad enough, but IPv6 security problems are about to become more acute. With the last few million addresses dribbling out of the Internet's pot of available IPv4 IPs, IT administrators are finally turning their gaze to the looming IPv6 deployment problem. It's quite possible that the Internet Assigned Numbers Authority (IANA) IPv4 pool will be depleted by Christmas, at which point the remaining IPv4 addresses at the five Regional Internet Registries will be a hot commodity, and may begin commanding a high price. The new high cost of IPv4 likely will cause a rush to implement IPv6 without the necessary attention to security, creating millions of new, insecure IPv6 networks for attackers to exploit.

The Four-Step Program

Here are four tips to keep you ahead of IPv6 hacks and loopholes. The effort required to implement these measures isn't trivial; we IT technologists collectively squandered the chance to make it easy by eschewing IPv6 for the last decade. But these protections are worthwhile, and perfectly doable.

1. Assess current IPv6 status
In security matters, it's better to know than not know about vulnerabilities, and IPv6 vulnerabilities begin with systems that have IPv6 turned on. On the desktop, you can assume that Windows Vista and Windows 7 have IPv6 enabled, as does Mac OS X. These use IPv6 for local service discovery and transport, so simply turning off IPv6 on them will likely break some important networking features, ruling that out as a quick fix.

For AIX systems, you can determine if IPv6 is enabled by running the "lsattr -EH -l en0" command (substitute your interface identifier for "en0" if necessary). Look for any of the following three lines:
[Figure 1 (Fig01-Beckman12-14-10.png): lsattr output showing the IPv6 attributes of the interface]

These don't necessarily mean IPv6 is running, only that it is enabled. If your machine is actually running IPv6 it will have an IPv6 address on one or more interfaces, which you can determine with the "ifconfig -a" command. Look for "inet6" lines similar to the following in the command's output:

[Figure 2 (Fig02-Beckman12-14-10.png): ifconfig -a output showing a link-local and a global IPv6 address]


The first line shows a link-local address (one beginning with "fe80:"), which IPv6 hosts assign to themselves for communication on the local LAN segment. That's enough IPv6 connectivity for an attacker on the same segment to do some serious mischief. The second is more serious, showing a globally routable address that can be used to communicate with other IPv6 devices anywhere on the Internet.


When ferreting out IPv6 capabilities, don't neglect Linux and its ilk, which can be found not just in computers, but in all manner of IP-enabled devices, such as printers, routers, and switches. There is no simple, common way to detect IPv6 in these devices. You'll have to muddle through their management interfaces to locate IPv6 controls and status information.
 
Once you've assessed IPv6 status for all network devices, you're ready to start locking down IPv6 at your borders, where it's most likely to cause problems.
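The ifconfig check above is easy to eyeball on one box and tedious across a fleet. The script below is an added example, not part of the original article, that classifies every inet6 address in ifconfig output by its prefix (link-local, unique-local, 6to4, Teredo, global) and reduces the result to a one-word exposure level for an inventory. The ifconfig transcript in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): classify the IPv6 addresses that
# `ifconfig -a` reports on an AIX host, so step 1 can be scripted across
# many LPARs. The sample below is a constructed ifconfig transcript, not
# output captured from a real machine.

SAMPLE_IFCONFIG='en0: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 192.168.10.25 netmask 0xffffff00 broadcast 192.168.10.255
        inet6 fe80::214:5eff:fe12:3456/64
        inet6 2001:db8:10:1:214:5eff:fe12:3456/64
         tcp_sendspace 131072 tcp_recvspace 65536 rfc1323 0
en1: flags=1e084863,480<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.10.5.25 netmask 0xffffff00 broadcast 10.10.5.255
        inet6 fd12:3456:789a:1::25/64
lo0: flags=e08084b,c0<UP,BROADCAST,LOOPBACK,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,LARGESEND,CHAIN>
        inet 127.0.0.1 netmask 0xff000000 broadcast 127.255.255.255
        inet6 ::1%1/128'

# classify_ipv6: reads ifconfig output on stdin, prints "<iface> <addr> <class>"
# for every inet6 line. Classes follow the IPv6 address-space prefixes:
#   ::1 loopback, fe80::/10 link-local, fc00::/7 unique-local, ff00::/8 multicast,
#   2002::/16 6to4 and 2001:0::/32 Teredo (both carried over IPv4), else global.
classify_ipv6() {
    awk '
    /^[a-z][a-z0-9]*:/ { iface = $1; sub(/:$/, "", iface); next }
    $1 == "inet6" {
        addr = $2
        sub(/\/.*$/, "", addr)          # drop the /prefixlen
        sub(/%.*$/, "", addr)           # drop the AIX scope id (::1%1)
        low = tolower(addr)
        if (low == "::1")            cls = "loopback"
        else if (low ~ /^fe[89ab]/)  cls = "link-local"
        else if (low ~ /^f[cd]/)     cls = "unique-local"
        else if (low ~ /^ff/)        cls = "multicast"
        else if (low ~ /^2002:/)     cls = "6to4-global"
        else if (low ~ /^2001:0*:/)  cls = "teredo-global"
        else                         cls = "global"
        print iface, addr, cls
    }'
}

# exposure_level: reduces the classification to one word for an inventory:
#   internet-routable  a global (or 6to4/Teredo) address is present
#   lan-only           only link-local or unique-local addresses
#   none               no IPv6 beyond loopback
exposure_level() {
    classify_ipv6 | awk '
    $3 ~ /global/ { lvl = 2 }
    $3 == "link-local" || $3 == "unique-local" { if (lvl < 1) lvl = 1 }
    END { print (lvl == 2 ? "internet-routable" : (lvl == 1 ? "lan-only" : "none")) }'
}

# Demonstration on the constructed sample; on a real host run:
#   ifconfig -a | classify_ipv6
printf '%s\n' "$SAMPLE_IFCONFIG" | classify_ipv6
printf 'exposure: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | exposure_level)"
```

On a real AIX host pipe `ifconfig -a` into classify_ipv6; a host that shows "lan-only" is still reachable over IPv6 by anything on its segment, which is the case the article warns about. Pair it with the lsattr check (the interface attributes netaddr6 and prefixlen show whether an address is configured persistently rather than merely autoconfigured).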

2. Filter unauthorized IPv6 traffic in border devices: firewalls, routers, and application gateways
The most common IPv6 exploit is a 6in4 tunnel (IPv6 encapsulated in IPv4 packets) punched through your border security to the wider IPv6 Internet. An attacker who gains control of a desktop machine via a virus or other malware can readily create such a tunnel, and if you aren't looking for it, it will be completely invisible to your network security infrastructure.

Unfortunately, IPv6 can be carried over IPv4 in myriad ways: directly in IP protocol 41 (6in4, 6to4, ISATAP), inside UDP (Teredo), inside Generic Routing Encapsulation (GRE), and inside IPsec. The common "allow all outbound traffic" policy of many enterprise networks isn't going to block IPv6 tunneling unless you explicitly block every potential tunneling protocol, which turns out to be impractical. A better approach is to implicitly block all traffic and only permit known, needed protocols to reach the Internet. That's perfectly doable, but you have to know which protocols your users are using to properly configure egress rules. At a minimum you need to permit HTTP, HTTPS and DNS. SMTP should be permitted only from your outbound mail server, and other email protocols should be limited to authorized inbound mail servers. IPsec should be controlled on a case-by-case basis: permissive IPsec tunneling lets an interloper compromise your network with nothing more than basic IPv4 connectivity.

Even these tightened outbound security measures are no guarantee against IPv6 intrusion. A clever hacker could tunnel IPv6 through HTTP or HTTPS connections. You can block that avenue by employing an HTTP proxy server for outbound web access.

Don't neglect internal routers and switches (which often have routing capabilities): if compromised they can be turned into IPv6 tunnel endpoints. Review their configurations to ensure IPv6 isn't already being exploited, then lock down these devices by limiting management access, disabling services they don't need (a DNS forwarder, for instance), and disabling insecure management protocols such as Telnet.
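The egress policy described above is easiest to reason about as a decision function: name the few things that are allowed and let everything else fall to the default deny. The script below is an added example, not part of the original article, that encodes such a policy and runs it over constructed flow records, showing which tunnel carriers the default deny catches (protocol 41, Teredo on UDP 3544, GRE, IPsec) and why routing web traffic through a proxy closes the HTTP/HTTPS avenue. The proxy, mail relay and resolver addresses are assumed values.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny egress policy as a
# decision function, exercised against constructed flow records. The proxy,
# relay and resolver addresses are assumed values for the example.

WEB_PROXY=10.10.0.5                     # only this host may talk to TCP 80/443
MAIL_RELAY=10.10.0.25                   # only this host may talk to TCP 25
DNS_RESOLVERS="10.10.0.53 10.10.1.53"   # only these may talk to port 53

in_list() {                             # in_list <item> "<space-separated list>"
    for _x in $2; do [ "$_x" = "$1" ] && return 0; done
    return 1
}

# egress_decision <src-ip> <ip-proto> <dst-port>
# <ip-proto> is "tcp", "udp" or the raw IP protocol number; prints "permit ..."
# or "deny ...". Every IPv6-over-IPv4 carrier the article lists is denied
# unless a narrower rule allows it: protocol 41 (6in4, 6to4, ISATAP),
# UDP 3544 (Teredo), GRE (47) and IPsec (50/51, IKE on UDP 500/4500).
egress_decision() {
    case "$2" in
        41)    echo "deny IPv6-in-IPv4 (IP protocol 41)"; return 0 ;;
        47)    echo "deny GRE (IP protocol 47)"; return 0 ;;
        50|51) echo "deny IPsec ESP/AH (IP protocol $2) without a case-by-case rule"; return 0 ;;
    esac
    case "$2/$3" in
        tcp/80|tcp/443)
            if [ "$1" = "$WEB_PROXY" ]; then echo "permit web via proxy"
            else echo "deny web not via proxy $WEB_PROXY"; fi ;;
        tcp/53|udp/53)
            if in_list "$1" "$DNS_RESOLVERS"; then echo "permit dns from resolver"
            else echo "deny dns from non-resolver"; fi ;;
        tcp/25)
            if [ "$1" = "$MAIL_RELAY" ]; then echo "permit smtp from relay"
            else echo "deny smtp not from relay"; fi ;;
        udp/3544)         echo "deny Teredo (UDP 3544)" ;;
        udp/500|udp/4500) echo "deny IKE/NAT-T (UDP $3) without a case-by-case rule" ;;
        *)                echo "deny default" ;;
    esac
}

# Constructed flow records: "<src-ip> <ip-proto> <dst-port>" (port 0 when the
# protocol has no ports).
SAMPLE_FLOWS='10.10.0.5 tcp 443
10.10.5.77 41 0
10.10.5.77 udp 3544
10.10.0.53 udp 53
10.10.5.78 tcp 80
10.10.0.25 tcp 25
10.10.5.79 47 0'

# audit_flows: reads flow records on stdin, prints one decision per line
audit_flows() {
    while read -r src proto dport; do
        [ -n "$src" ] || continue
        printf '%-12s %-4s %-5s %s\n' "$src" "$proto" "$dport" \
            "$(egress_decision "$src" "$proto" "$dport")"
    done
}

# count_denied: number of flows the policy would drop
count_denied() { audit_flows | grep -c ' deny ' ; }

printf '%s\n' "$SAMPLE_FLOWS" | audit_flows
```

Note that the desktop at 10.10.5.78 is denied port 80 even though HTTP is "allowed": with a proxy in place the only host that needs direct web egress is the proxy itself, which is what makes IPv6-over-HTTP tunnels from workstations visible and blockable.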

3. Disable IPv6 where it isn't needed
As noted earlier, you can't readily disable IPv6 on Windows and Mac OS X desktops without impacting local communications features that users may depend upon. However, you can safely turn off IPv6 on AIX servers that don't need it yet, as well as on printers and other network devices, such as internal routers and switches. Once you're ready to deploy IPv6 officially you can re-enable it securely.

To turn off IPv6 in AIX, edit /etc/rc.tcpip and comment-out the lines for IPv6 services, as shown below: 
[Figure 3 (Fig03-Beckmnan12-14-10.png): /etc/rc.tcpip with the IPv6 service lines commented out]

Next, verify that the resolver order configured in /etc/netsvc.conf specifies hosts = local, bind4 (not just hosts = local, nor hosts = local, bind, nor hosts = bind6). Restricting Berkeley Internet Name Daemon (BIND) lookups to IPv4 with bind4 means the resolver asks DNS only for IPv4 addresses, so no AAAA queries leave the box and applications never learn IPv6 addresses for their peers.
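Both halves of this step are easy to get subtly wrong by hand (a stray space before "start", or a hosts line that says "bind" rather than "bind4"). The script below is an added example, not part of the original article, that performs the rc.tcpip edit and the netsvc.conf check against constructed copies of the files so it can be dry-run anywhere. The daemon names autoconf6, ndpd-host and ndpd-router are the IPv6 start entries in AIX's /etc/rc.tcpip; the file contents shown are constructed fragments, not a real system's files.

```shell
#!/bin/sh
# Added example (not from the article): script the two checks in step 3
# against copies of /etc/rc.tcpip and /etc/netsvc.conf. The files below are
# constructed fragments; the daemon names autoconf6, ndpd-host and
# ndpd-router are the IPv6 start entries found in AIX's rc.tcpip.

WORK=${TMPDIR:-/tmp}/ipv6-disable.$$
mkdir -p "$WORK"

# Constructed rc.tcpip fragment with IPv6 autoconfiguration switched on
cat > "$WORK/rc.tcpip" <<'EOF'
# Start up the inetd daemon
start /usr/sbin/inetd "$src_running"

# Start up autoconf6 process
start /usr/sbin/autoconf6 ""

# Start up ndpd-host daemon
start /usr/sbin/ndpd-host "$src_running"

# Start up ndpd-router daemon
#start /usr/sbin/ndpd-router "$src_running"
EOF

# ipv6_startup_count <rc.tcpip>: number of IPv6 start lines that are live
# (not commented out); 0 means IPv6 will not be configured at boot.
ipv6_startup_count() {
    awk '/^[[:space:]]*start[[:space:]]+\/usr\/sbin\/(autoconf6|ndpd-host|ndpd-router)([[:space:]]|$)/ { n++ }
         END { print n + 0 }' "$1"
}

# disable_ipv6_startup <rc.tcpip>: comment out those lines, keeping a backup
# copy of the original beside the file.
disable_ipv6_startup() {
    cp "$1" "$1.before-ipv6-disable" &&
    awk '/^[[:space:]]*start[[:space:]]+\/usr\/sbin\/(autoconf6|ndpd-host|ndpd-router)([[:space:]]|$)/ { print "#" $0; next }
         { print }' "$1.before-ipv6-disable" > "$1"
}

# resolver_order_status <netsvc.conf>: "ok" when the hosts line is exactly
# "local, bind4", otherwise "fix: ..." naming what was found. Comments and
# whitespace are ignored.
resolver_order_status() {
    awk -F= '
    /^[[:space:]]*#/ { next }
    $1 ~ /^[[:space:]]*hosts[[:space:]]*$/ {
        v = tolower($2); sub(/#.*$/, "", v); gsub(/[[:space:]]/, "", v); found = v
    }
    END {
        if (found == "local,bind4") print "ok"
        else print "fix: set hosts = local, bind4 (found: " (found == "" ? "no hosts line" : found) ")"
    }' "$1"
}

# Constructed netsvc.conf that still allows AAAA lookups
printf 'hosts = local, bind\n' > "$WORK/netsvc.conf"

printf 'IPv6 start lines before: %s\n' "$(ipv6_startup_count "$WORK/rc.tcpip")"
disable_ipv6_startup "$WORK/rc.tcpip"
printf 'IPv6 start lines after:  %s\n' "$(ipv6_startup_count "$WORK/rc.tcpip")"
printf 'netsvc.conf: %s\n' "$(resolver_order_status "$WORK/netsvc.conf")"
```

Pointed at the real /etc/rc.tcpip the edit only takes effect at the next boot; the ndpd-host daemon already running under the System Resource Controller has to be stopped separately (check with lssrc -s ndpd-host), and the interface's existing inet6 addresses remain until they are removed or the system reboots, so re-run the step 1 check afterwards rather than trusting the file edit alone.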

4. Monitor for unauthorized IPv6 activity on your LAN
You've assessed your network's IPv6 status, locked down IPv6 at the border, and disabled IPv6 where it isn't needed. Is it safe yet? You don't know, and won't know until you actively measure IPv6 activity on your internal network. That's not trivial, because IPv6 "chatter" is common today even on so-called IPv4-only networks, owing to the automatic enablement on newer OSes and network elements. The trick is differentiating between good and evil IPv6. 

Newer firewalls that include built-in intrusion detection and prevention (IDS/IPS) features are beginning to add IPv6 monitoring that can help you detect evil IPv6. An IPv6-capable firewall can watch for attempts to send IPv6 to the outside world, tunneled or not. It can also detect rogue IPv6 Neighbor Discovery Protocol (NDP) Router Advertisements, which attackers send to trick hosts into joining a hidden IPv6 network that the interloper operates.

If your firewall doesn't have IPv6 IDS/IPS, you can add it to your network in the form of a dedicated IPS appliance, such as those running the open source Snort IDS tool set. Snort version 2.8 includes IPv6 capabilities and attack signatures, and the just-released version 2.9 adds more sophisticated IPv6 packet decoders. Proprietary IDS systems also sport IPv6 monitoring. Both Snort and proprietary systems can alert you to out-of-policy IPv6 activity and, once tuned to your authorized routers and prefixes, do so without drowning you in false positives on routine local IPv6 traffic.
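The rogue Router Advertisement check is the one piece of step 4 you can do without any IDS, because a legitimate LAN segment has a short, known list of routers that should ever send RAs. The script below is an added example, not part of the original article, that reads tcpdump output and reports every RA sender not on that list. The capture lines are constructed, and the authorized router address is an assumed value.

```shell
#!/bin/sh
# Added example (not from the article): flag Router Advertisements from
# unauthorised sources in tcpdump output, which is the rogue-RA check
# described in step 4 done without an IDS. The capture lines are
# constructed; the authorised router address is an assumed value.

# Link-local addresses of the routers that are supposed to send RAs
AUTHORIZED_RA_SOURCES="fe80::219:e2ff:fe50:1"

# Constructed tcpdump -n output: one legitimate RA, a neighbour solicitation
# that must be ignored, and two RAs from an unexpected host.
SAMPLE_CAPTURE='10:15:01.000001 IP6 fe80::219:e2ff:fe50:1 > ff02::1: ICMP6, router advertisement, length 64
10:15:02.000002 IP6 fe80::214:5eff:fe12:3456 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:10:1::1, length 32
10:15:03.000003 IP6 fe80::bad:c0de:1 > ff02::1: ICMP6, router advertisement, length 88
10:15:04.000004 IP6 fe80::bad:c0de:1 > ff02::1: ICMP6, router advertisement, length 88'

# rogue_ras: reads tcpdump lines on stdin, prints "<source> <count>" for every
# RA sender that is not in AUTHORIZED_RA_SOURCES. With tcpdump -n the third
# field is the source address.
rogue_ras() {
    awk -v allowed="$AUTHORIZED_RA_SOURCES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
    /ICMP6, router advertisement/ {
        src = tolower($3)
        if (!(src in ok)) seen[src]++
    }
    END { for (s in seen) print s, seen[s] }'
}

# rogue_ra_count: total number of unauthorised RAs (0 when the segment is clean)
rogue_ra_count() { rogue_ras | awk '{ t += $2 } END { print t + 0 }'; }

printf '%s\n' "$SAMPLE_CAPTURE" | rogue_ras
```

On a live segment feed it from `tcpdump -n -i en0 'icmp6 and ip6[40] == 134'` (ICMPv6 type 134 is Router Advertisement; the byte offset assumes no IPv6 extension headers, which is the normal case for RAs). The -n flag matters: without it tcpdump may print hostnames in the source field and the allow-list comparison will not match.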

The Real Cure Is The Real Deal

The most effective guard against IPv6 security exposures is a properly-deployed, fully operational IPv6 network. It's much easier to control IPv6 when your entire network supports it, because your entire IP infrastructure becomes IPv6-aware, curtailing the dark backwaters where IPv6 interlopers can lurk. And with IPv4 addresses virtually exhausted, now is the time to start your IPv6 deployment planning in earnest.
    © Penton Media, Inc.