Computer and Network Administration
IPv6 Security and Practices
The IPv6 Security and Practices class will provide a foundational knowledge of the underlying security risks, threats and best practices for an IPv6 enabled network. This course will review the security fundamentals required to plan for, design, integrate and even audit IPv6 integration in their current infrastructure. The student will be exposed to various security capabilities as well as interoperability mechanisms that will enable the student to ensure a smooth introduction of IPv6 into their environment.
Prerequisites
It is assumed that participants attending this course:
- Students have a novice-to-intermediate level understanding of computer networking and security to include:
- IPv4
- Routing / Switching / Firewalls / Mobile Devices
- Host based configurations including Windows / Mac / *NIX / Mobile
- Students should have fluency in basic computer functions such as web-browsing, network configuration and configuration tuning.
Upon completion of this course, the student will be able to:
- Understand basic security concepts as it pertains to IPv6 • Understand the structure of the IPv6 Protocol
- Understand Port Probing and Operating System Security
- Understand unique IPv6 threats: ICMPv6 Protocol Threats, Denial of Services, Extension Header Threats
- Understand how “dual-stack” networks introduce additional risks into an enterprise environment
- Understand Firewalls, tunneling, and IPSEC as they related to transition technologies within IPv6 environments
- Concepts, risks and threat within the Mobile IPv6 environments
1. IPv6 Overview
a. History
b. Impacts of IPv6
c. Security Overview
d. General Risks/Threats
e. Security Triads: CIA/AAA
2. Security and Cryptography
a. Symmetric Key Encryption
b. Asymmetric/Public Key Encryption
c. Checksum and HASH Functions
3. IPSEC
a. IPSEC Implementation
b. Authentication Header (AH)
c. Encapsulating Security Payload (ESP)
d. Extended Sequence Number (ESN)
e. AH and ESP
f. IPSEC, IPv6, and Tunneling
4. Network Security in IPv6 Environments
a. IPv4 Device Visibility
b. IPv4/IPv6 Stacks
c. Countermeasure in Dual-Stack Environments
d. Firewalls and Intrusion Detection
e. IPv6 and DNS
5. IPv6 Implementation Headaches
a. Immature solutions
b. Untested Code
6. Neighbor Discovery Protocol Issues
a. DoS
b. ICMPv6
c. Solicitation Types
d. Additional Attacks
7. First Hop Security
a. Router Advertisement spoofing
b. DNS and SEND attacks
c. RA Guard
d. RA & NDP
e. Atomic Fragments & ICMPv6
f. SEND & NDP
g. IGMP Snooping
h. DHCPv6 Guard
i. IPv6 Destination Guard
8. IPv6 Esoteric Vulnerabilities
a. Extension Headers
b. Commonly used Extension Headers
c. Risks and Threats: ACLS, Hop by Hop, DoS
d. Fragmentation … is still an issue
e. NDP /SEND
f. Fragmentation …. Is STILL a problem
9. Address & Port Scanning
a. Protocol specifications & RFC4846
b. Defenses against scanning
c. NetFlow & NDP cache to track Address scanning
d. Port scanning in IPv6
e. IDS/IPS able to see this type of scanning?
10. IPv6 & Multicast
a. Directed attacks from flooding to resource starvation
b. Define site boundaries
c. Management of Nodes in multicast groups
11. 6to4 DOS
a. Routers must accept and decapsulate IPv4
b. No guarantee of symmetric routing
c. Go Native!
12. Transition and Tunneling issues
a. IPv4 is here for the long term
b. Tunneling tech necessary for flow between v4 and v6
c. Transition zones used as backdoors since at LEAST 2002
d. Automatic Tunnels & Filtering
e. Transition and 6to4 – NO PROD!
f. 6to4 DDoS
13. Access Control Lists
a. What is it? IPv4/v6
b. Filtering in IPv6
c. IPv6 Extended ACLs
d. RACLs (Reflexive ACLs)
14. IPv6 Firewall Filter Rules
a. Dual Stack makes things complicated
b. ICMP in dual-stack
c. Filtering at perimeter
d. Host based firewalls
e. Mobile operations
f. RE0
g. Layer3 and link-local forwarding
15. Host Based Security Controls
a. Dual Stack
b. Malware targeting IPv6 enabled host
c. Patching and filtering
d. Spurious tunnels, rogue neighbors, forwarding of IPv6 packets
e. Processing of ICMPv6
f. Host based firewalls are more complicated on v6 enabled systems
g. Windows, Linux, BSD and other
16. Mobile IPv6 AKA MIPv6
a. Always on is a challenge
b. Threats against devices, connection/network, MITM, Protocol level attacks
c. Devices require host-based agent
d. Connection Interception
e. Mobile Media Security
f. Man in the Middle
g. Connection Interception and RFC 3775
h. MIPv6 Signaling & Communication
i. Spoofing
j. DoS
k. IPSEC with MIPv6
l. Filtering: Active & ACLs
m. MIPv6 Summary
17. IPv6 Security Summary
a. Philosophy: v4 vs v6
b. IPv6 Specific issues
c. Short term and long term risks
Is there a discount available for current students?
UMBC students and alumni, as well as students who have previously taken a public training course with UMBC Training Centers are eligible for a 10% discount, capped at $250. Please provide a copy of your UMBC student ID or an unofficial transcript or the name of the UMBC Training Centers course you have completed. Asynchronous courses are excluded from this offer.
What is the cancellation and refund policy?
Student will receive a refund of paid registration fees only if UMBC Training Centers receives a notice of cancellation at least 10 business days prior to the class start date for classes or the exam date for exams.