WindowSecurity.com - Monthly Newsletter - February 2014

Welcome to the WindowSecurity.com newsletter by Richard Hicks (MCSE, MCITP:EA, MVP), Sales Engineering Director for Iron Networks. Each month we will bring you interesting and helpful information pertaining to Windows Security. We want to know what all of *you* are interested in hearing about, so please send your questions and suggestions for future newsletter content to winsec@richardhicks.com.

Editor's Corner

The rapid depletion and impending exhaustion of the global IPv4 address space should not be news to anyone in the information technology field. With the certainty that IPv4 addresses will no longer be available in the future, it is time to start thinking now about how to address this. That doesn't mean you should run out and deploy IPv6 immediately, but it is a good idea to start becoming familiar with this new technology as soon as possible. IPv6 is now included with every major operating system, and that includes Microsoft Windows. In fact, IPv6 is enabled by default and preferred beginning with Windows Vista. That means if you have Windows Vista or later clients operating on your network today, you are running IPv6 and you probably don't even know it. Sadly, a knee-jerk reaction to this information is to unilaterally disable IPv6 on corporate-managed systems. Not only is this ill-advised, it is actually not supported! That's right. Microsoft does not test their products in IPv4-only configurations. Instead of burying your head in the sand and disabling the use of IPv6, a better and more productive alternative is to embrace IPv6. Begin by learning the fundamentals and start managing IPv6 on your network. Again, that's different than deploying IPv6. Start today by building out a test lab to understand the protocol and how it operates on your network, and build the foundational knowledge and operational skills to control IPv6 today and fully implement it in the future. Do it now…don't get left behind!

--Rich

IPv6 Security Considerations

Just like IPv4, IPv6 comes with a number of important security considerations that must be addressed when it is deployed. Many of the security concerns with IPv6 exist today with IPv4; some, however, are unique challenges introduced by IPv6. Let's take a look at some of the common security concerns associated with IPv6.

Network Reconnaissance – By virtue of an enormous 128-bit address space that yields 340 undecillion (yes, that's a real word!) unique IPv6 addresses, and a recommended default subnet size of 64 bits that yields 18 quintillion IPv6 addresses, network address scanning will be impossible, assuming that network interface identifiers are randomized. The advantage from a security perspective is that it is difficult to attack a host if you can't find it. However, security by obscurity is not really security at all, so the benefit here is trivial. In addition, there are various other ways in which to identify hosts on an IPv6 subnet without resorting to wholesale scanning. Also, many organizations use proactive network scanning as a means of monitoring for rogue hosts. Here the large address space will render that practice useless.

Firewall Policies – Firewall access control lists (ACLs) used to control traffic on IPv4 networks don't necessarily apply to IPv6 traffic. One important difference here is that ICMP is required for the proper operation of IPv6. It is common on IPv4 networks to block all ICMP traffic. Applying those same policies on an IPv6 network would be disastrous. In addition, bogon filtering on IPv4 networks is manageable due to the stability and relatively small size of the list. By contrast, the bogon list for IPv6 is much larger and changing frequently as IPv6 is being deployed.
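Copying an IPv4 "block all ICMP" rule set onto IPv6 is the failure mode this paragraph warns about. The following is an added PowerShell example, not from the newsletter, that audits a Windows host for enabled rules blocking ICMPv6 and adds Allow rules for the message types IPv6 depends on. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated session; the rule names are constructed, and the type list follows the filtering recommendations in RFC 4890.

```powershell
# Added example (not from the newsletter): instead of an IPv4-era "block all ICMP" policy,
# (1) find enabled Block rules that cover ICMPv6 and (2) create inbound Allow rules for the
# ICMPv6 message types IPv6 cannot operate without. Assumes the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated session. The type list follows the
# "must not drop" recommendations in RFC 4890; rule names are constructed for this example.

$RequiredIcmpv6 = @(
    @{ Type = 1;   Name = 'Destination Unreachable' },
    @{ Type = 2;   Name = 'Packet Too Big' },         # Path MTU Discovery: IPv6 routers never fragment
    @{ Type = 3;   Name = 'Time Exceeded' },
    @{ Type = 4;   Name = 'Parameter Problem' },
    @{ Type = 133; Name = 'Router Solicitation' },    # Neighbor Discovery replaces ARP and supplies
    @{ Type = 134; Name = 'Router Advertisement' },   # the default gateway, so blocking 133-136
    @{ Type = 135; Name = 'Neighbor Solicitation' },  # takes the host off the network entirely
    @{ Type = 136; Name = 'Neighbor Advertisement' }
)

function Get-Icmpv6BlockRules {
    # Enabled Block rules whose protocol filter is ICMPv6: the rules that would silently break
    # Neighbor Discovery and PMTUD if an IPv4 "deny ICMP" policy was copied to the IPv6 network.
    Get-NetFirewallRule -Enabled True -Action Block |
        Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv6' } |
        Select-Object Name, DisplayName, Direction, Profile
}

function Add-RequiredIcmpv6Rules {
    # Idempotent: creates each Allow rule only if a rule of that name does not already exist.
    foreach ($msg in $RequiredIcmpv6) {
        $ruleName = "IPv6 Core - Allow ICMPv6 Type $($msg.Type) ($($msg.Name))"
        if (-not (Get-NetFirewallRule -Name $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -Name $ruleName -DisplayName $ruleName -Direction Inbound `
                -Protocol ICMPv6 -IcmpType "$($msg.Type)" -Action Allow -Profile Any | Out-Null
        }
    }
}

Write-Host 'Enabled rules that block ICMPv6 (review before deploying an IPv4 ACL to IPv6):'
Get-Icmpv6BlockRules | Format-Table -AutoSize
Add-RequiredIcmpv6Rules
```

A default Windows Firewall policy already ships "Core Networking" rules for these ICMPv6 types; the audit matters when a hardened or imported policy has disabled or replaced them.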

Rogue Router Advertisements – Gateway information for hosts is provided by the router via a Router Advertisement. Even when DHCPv6 is in use, the gateway for the network is obtained from the router. A concern is that an attacker could set up a rogue device on a network and send bogus Router Advertisements for the purposes of mounting a man-in-the-middle attack or simply denying service. Mitigations for this issue are no different from those for rogue DHCP servers in IPv4. Successfully mounting this attack often requires physical network access, so maintaining proper physical security is essential. Another effective strategy is to disable unused ports and to implement port-based authentication. Also, you can implement ACLs on access switches or enable RA Guard to prevent unauthorized router advertisements.

Transition Mechanisms – This is a particularly challenging area of concern for IPv6, and one that is often overlooked. IPv6 offers no backward compatibility with IPv4, so today the most common method of deployment is dual-stack, where both IPv4 and IPv6 are implemented together. For the purpose of enabling IPv6 communication across IPv4 networks, there are a number of transition technologies that can be used. For example, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo are all included with the Windows operating system and enabled by default. These transition technologies effectively tunnel IPv6 packets inside IPv4, which can be used to evade traffic inspection and bypass access control policies. The use of transition technologies should be closely controlled and enabled only for those hosts that require this type of connectivity.
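The advice to enable transition technologies only where they are needed can be enforced on Windows hosts with the NetTCPIP cmdlets. The following added PowerShell example (not the newsletter's own) reports the configured state of ISATAP, 6to4 and Teredo, flags addresses whose format reveals a tunnel, and disables all three unless the host is on an allow list; it assumes Windows 8 / Server 2012 or later, an elevated session, and a constructed allow list of hostnames.

```powershell
# Added example (not from the newsletter): audit the IPv6 transition technologies the article
# names (ISATAP, 6to4, Teredo) on a Windows host and disable them unless the host is on an
# allow list. Assumes the NetTCPIP module (Windows 8 / Server 2012 or later) and an elevated
# session. The allow list is a constructed placeholder; which hosts legitimately need tunneled
# IPv6 (for example, DirectAccess clients) is a per-site decision.

$TunnelAllowList = @('DA-CLIENT01', 'DA-CLIENT02')   # constructed hostnames

function Get-TransitionConfiguration {
    # Configured state of each technology. 'Default' means enabled unless policy says otherwise,
    # which is why a host can be tunnelling IPv6 although nobody ever turned it on.
    [pscustomobject]@{
        ISATAP = (Get-NetIsatapConfiguration).State
        '6to4' = (Get-Net6to4Configuration).State
        Teredo = (Get-NetTeredoConfiguration).Type
    }
}

function Get-TunnelAddresses {
    # Addresses whose format reveals IPv6-in-IPv4 tunnelling, so tunnels can be spotted in host
    # inventories or logs even when the configuration was never explicitly set:
    #   2002::/16          6to4 (embeds the host's public IPv4 address)
    #   2001:0::/32        Teredo
    #   ...:5efe:a.b.c.d   ISATAP interface identifier (::0:5efe or ::200:5efe prefix)
    Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object {
        $addr = $_.IPAddress.ToLower()
        $kind = if     ($addr -match '^2002:')                { '6to4' }
                elseif ($addr -match '^2001:0?:')             { 'Teredo' }
                elseif ($addr -match '(^|:)(200:)?5efe:')     { 'ISATAP' }
        if ($kind) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Address = $_.IPAddress; Tunnel = $kind }
        }
    }
}

function Disable-TransitionTechnologies {
    # Enforce the recommendation: tunnels stay enabled only on hosts that require them.
    if ($env:COMPUTERNAME -in $TunnelAllowList) {
        Write-Host "$env:COMPUTERNAME is on the allow list; leaving transition technologies as configured."
        return
    }
    Set-NetIsatapConfiguration -State Disabled
    Set-Net6to4Configuration   -State Disabled
    Set-NetTeredoConfiguration -Type  Disabled
}

Get-TransitionConfiguration | Format-List
Get-TunnelAddresses          | Format-Table -AutoSize
Disable-TransitionTechnologies
```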

Other Network Devices and Systems – Any technology that is related to networking will be required to support IPv6. This includes Intrusion Detection and Prevention Systems (IDS/IPS), Security Information and Event Management (SIEM) solutions, web content filtering and e-mail spam filtering solutions, etc. Will your IDS/IPS inspect IPv6 traffic? Does your SIEM solution have support for recording IPv6 addresses? How will your web content filtering solution respond to requests for IPv6 traffic? And will your anti-spam solutions work correctly when IPv6 is enabled? These questions and more will have to be addressed before you begin a production deployment of IPv6.

There are many more security considerations for IPv6, but this should at least get you started with thinking about IPv6 security. In my opinion, the biggest security risk associated with IPv6 is the lack of knowledge and awareness of the protocol itself. It's running on your network today, no doubt. If you're not managing it, then it presents a potential security risk. Time to learn IPv6!

Practical IPv6 for Windows Administrators

With the rapid depletion of the global IPv4 address pool, the adoption of IPv6 is growing significantly. The total exhaustion of public IPv4 addresses is inevitable, making IPv6 knowledge an important and essential skill that network engineers and systems administrators will need to have to be successful. While there are some excellent IPv6 references available today, there has been a lack of practical, real-world implementation guidance for IPv6. Until now! Practical IPv6 for Windows Administrators provides detailed information necessary for network engineers and systems administrators planning to deploy IPv6 on their corporate networks. It covers important topics such as IPv6 address assignment and name resolution, along with specific IPv6 integration information for Microsoft services such as Exchange, SQL, SharePoint, Hyper-V, and more.

IPv4 is a dead man walking. IPv6 is the way of the future; in fact, it is here now! Order your copy of Practical IPv6 for Windows Administrators today.

Click here to order your copy today!

Microsoft Security Bulletins for February 2014

For the month of February, Microsoft released seven security bulletins: four are rated critical and three are rated important. Affected software includes all supported versions of Windows, Forefront Protection for Exchange, the .NET Framework, and IPv6. In addition, a cumulative security update for Internet Explorer is also available. For more information about February's security bulletins click here.

Security Articles of Interest

  1. Continuing the theme of IPv6 security in this month's newsletter, it's important to remember that for all the fear, uncertainty, and doubt (FUD) surrounding IPv6, fundamentally it is nothing more than one (albeit significant) change to the OSI networking model, that being the network layer. At the end of the day, many of the security concerns with IPv6 are present today with IPv4. The time is now to begin learning IPv6 and building a working knowledge of the protocol so that we can understand the security concerns and mitigate them as we do today with IPv4.
    https://community.infoblox.com/blogs/2014/02/04/paul-ebersman-ipv6-security-its-not-whole-new-ball-game

  2. As I stated earlier in this month's newsletter, IPv4 addresses are quickly being exhausted, and at a rate that will completely deplete the pool in the near future. Here's a great infographic that illustrates the depletion rate and remaining address pool broken down by region.
    http://www.thewhir.com/blog/ipv4-addresses-depleted-december-2014-infographic

  3. Recently the IETF published a new RFC that outlines the security implications of running IPv6 on IPv4 networks. Definitely a recommended read for anyone managing an enterprise network today.
    http://tools.ietf.org/html/rfc7123

  4. Microsoft DirectAccess is a remote access technology that relies exclusively on IPv6 for network layer communication. For many, myself included, this is where we were first exposed to IPv6. A few months ago, Microsoft released security advisory 2862152 that addressed a vulnerability in DirectAccess (and IPsec) that could allow security feature bypass. The advisory has caused a fair amount of confusion, so Jason Jones and I authored some articles in an attempt to clear up some of the confusion and share some best practices and guidance for deploying this important security update.
    http://blogs.technet.com/b/jasonjones/archive/2013/11/29/how-to-install-and-configure-kb2862152-for-a-directaccess-scenario.aspx
    http://directaccess.richardhicks.com/2014/01/07/configuration-guidance-for-directaccess-security-advisory-kb2862152/

  5. The U.S. National Institute of Standards and Technology (NIST) recently published its Cybersecurity Framework document. This framework was created for the purpose of improving the security of the nation's critical infrastructure.
    http://www.nist.gov/cyberframework/

  6. In addition to the security bulletins released this month, Microsoft has also made the update associated with security advisory 2862973, which deprecates the MD5 hashing algorithm for certificates in the Microsoft root certificate program, available as an automatic update through Windows Update. This is not likely to cause any issues, as the update has been available for testing since August of last year, and the deprecation of MD5 has been an industry best practice for quite some time.
    http://technet.microsoft.com/en-us/security/advisory/2862973

  7. Adobe also released an update for its Shockwave Player this month. The update addresses critical vulnerabilities that could allow remote code execution. This update applies to Windows and Mac systems.
    http://helpx.adobe.com/security/products/shockwave/apsb14-06.html

  8. As we learn more about the recent Target data breach, more and more troubling details are being uncovered. According to the latest information, attackers leveraged credentials stolen from a third-party vendor in the attack. Security is like a chain, and we're only as strong as our weakest link. Here, it appears that Target was not requiring multifactor authentication for remote access, as required by PCI-DSS.
    http://www.govinfosecurity.com/target-breach-credentials-stolen-a-6452

WindowSecurity.com Articles of Interest

  1. Web Browser Security Revisited – Part 1
  2. User and Group Accounts: What's in a Name?
  3. RSA SecurID Voted WindowSecurity.com Readers' Choice Award Winner – Authentication/Smart Cards
  4. Web Browser Security Revisited – Part 2
  5. The Hardening of the Core – Part 2 – Network Access Control

Windows Security Tip of the Month

Throughout this month's newsletter I've been preaching that it is time to learn IPv6. While there are a number of excellent references on the subject, nothing is better than hands-on experience for learning new technologies. Microsoft has published a Test Lab Guide that provides highly detailed and prescriptive, step-by-step guidance for installing, configuring, and troubleshooting IPv6 network connectivity in a multi-subnet network. You can download that guide here. Another excellent way to get some practical IPv6 experience is to deploy DirectAccess, which is part of the remote access role in Windows Server 2012 and 2012 R2. In addition, as you gain knowledge and experience with IPv6, you will likely want to expand your horizons and begin communicating on the IPv6 public Internet. If your Internet Service Provider (ISP) provides you with an IPv6 address, that's easy enough. However, this is quite uncommon (at least here in the U.S.). For making connections to the public IPv6 Internet from an ISP that supports only IPv4, you can use a service called a “tunnel broker”. A tunnel broker service will allow you to tunnel IPv6 traffic to the public Internet over your existing IPv4 connection. It is an invaluable service for branching out and learning more about IPv6. There are a number of companies that provide this service, and the one I'm using is at tunnelbroker.net. Sign up today and get on the IPv6 Internet!