Observations on an enterprise IPv6 firewall and IDS

Transcript and Presenter's Notes

1
Observations on an enterprise IPv6 firewall and IDS
  • Tim Chown
  • tjc_at_ecs.soton.ac.uk

IETF 68, 19th March 2007, Prague
2
Talk outline
  • Scenario
  • IPv6 firewall and IDS deployment
  • Observations on firewall activity
  • Observations on IDS activity
  • Considerations for firewall management
  • Considerations for IDS developers

3
Scenario
  • Enterprise (academic) network
  • Approx 1,000 hosts/servers
  • Up to 2,000 users
  • Using various OSes and hardware
  • Running a dual-stack deployment
  • IPv6 pervasively on the wire
  • Most network services dual-stack (DNS, MX, web,
    etc)
  • Operational now for over three years
  • Partially done through 6NET project
    (www.6net.org)

4
Border firewall and IDS
  • Lacking a suitable commercial solution at this
    time, currently looking for unified IPv4/IPv6
    solutions
  • Currently use parallel paths into our site
  • Commercial IPv4 firewall
  • BSD pf for IPv6
  • Snort IDS for both
  • Dual-stack DMZs including wireless LAN

5
IPv6 firewall experience
  • Currently logging all pf blocked connections
  • Averaging around 20-30k entries per week
  • Very low compared to IPv4
  • Most logged filter events are between our IPv6
    DMZ and the internal IPv6 network
  • Similar level and protocols to existing IPv4 DMZ
    filtering
  • Around 500 or so miscellaneous entries per week
  • No real evidence of systematic port scans
  • Probing is to ports on publicly advertised
    systems, e.g. DNS servers, MX servers, Web
    servers, NTP servers

6
Miscellaneous filters
  • In the miscellaneous category
  • X11 traffic
  • http
  • Highlights ruleset inconsistencies between IP
    versions.
  • ftp
  • SubethaEdit (port 6942)
  • ssh
  • auth
  • microsoft-ds (port 445)

7
Microsoft-ds example
  • Log entries
  • 15:33:18.038763 2002:8c6d:14e7::8c6d:14e7.51878 >
    augur.ecs.soton.ac.uk.microsoft-ds: S
    919595593:919595593(0) win 8192 <mss
    1220,nop,wscale 8,[|tcp]>
  • 15:33:21.034973 2002:8c6d:14e7::8c6d:14e7.51878 >
    augur.ecs.soton.ac.uk.microsoft-ds: S
    919595593:919595593(0) win 8192 <mss
    1220,nop,wscale 8,[|tcp]>
  • 15:33:27.028456 2002:8c6d:14e7::8c6d:14e7.51878 >
    augur.ecs.soton.ac.uk.microsoft-ds: S
    919595593:919595593(0) win 8192 <mss
    1220,nop,nop,sackOK>
  • Target is a publicly advertised IPv6 node
  • The 2002::/16 source prefix is 6to4
  • 8c 6d 14 e7 is 140.109.20.231
  • Apparent source
  • 231.20.109.140.in-addr.arpa. 86400 IN PTR
    guppy.iis.sinica.edu.tw.

8
Malformed packets
  • An example sent towards our web server, perhaps
    looking to exploit an OS-specific bug/feature
  • 06:35:10.825875 2001:0:4136:e378:0:12c0:69f8:e96c
    > augur.ecs.soton.ac.uk: no next header
  • 06:35:20.825276 2001:0:4136:e378:0:12c0:69f8:e96c
    > augur.ecs.soton.ac.uk: no next header
  • 06:35:49.824144 2001:0:4136:e378:0:12c0:69f8:e96c
    > augur.ecs.soton.ac.uk: no next header
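
The 6to4 address on slide 7 and the source on this slide, which sits in Teredo's 2001:0::/32, both embed IPv4 endpoints that a log reviewer will want to recover. The following decoder is an added example, not code from the talk; the bit layouts are taken from RFC 3056 (6to4) and RFC 4380 (Teredo), and the sample addresses in the comments are the slide's plus the RFC 4380 example:

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO = ipaddress.IPv6Network("2001:0::/32")    # RFC 4380


def embedded_ipv4(addr: str) -> dict:
    """Recover the IPv4 endpoints embedded in a 6to4 or Teredo address.

    6to4:   2002:WWXX:YYZZ::/48 carries the 6to4 router's IPv4 W.X.Y.Z in
            bits 16-47, e.g. 2002:8c6d:14e7:: -> 140.109.20.231 (slide 7).
    Teredo: bits 32-63 hold the Teredo server's IPv4, bits 64-79 flags,
            bits 80-95 the client's UDP port and bits 96-127 the client's
            IPv4; port and client IPv4 are stored XORed with all-ones.
    Any other address is reported as native.
    """
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed                                  # 16 bytes, network order
    if ip in SIXTOFOUR:
        return {"kind": "6to4",
                "router": str(ipaddress.IPv4Address(raw[2:6]))}
    if ip in TEREDO:
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
        return {"kind": "teredo",
                "server": str(ipaddress.IPv4Address(raw[4:8])),
                "client": str(ipaddress.IPv4Address(client)),
                "client_port": port}
    return {"kind": "native", "address": str(ip)}


if __name__ == "__main__":
    for a in ("2002:8c6d:14e7::8c6d:14e7",          # slide 7 source
              "2001:0:4136:e378:0:12c0:69f8:e96c",  # slide 8 source
              "2001:f00::8"):                       # slide 9 source, native
        print(a, embedded_ipv4(a))
```

Python's ipaddress module also exposes the same decode as `IPv6Address.sixtofour` and `IPv6Address.teredo` (server, client); the manual version is shown so the byte offsets are visible.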

9
Rarer probing example
  • One host (in Thailand) checking presence/route to
    a number of publicly advertised systems
  • 20:06:51.850661 2001:f00::8.45821 >
    augur.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:07:03.935552 2001:f00::8.45822 >
    sixprints.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:09:14.044278 2001:f00::8.45824 >
    seven.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:09:23.785148 2001:f00::8.45825 >
    zepler.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:09:33.249159 2001:f00::8.45826 >
    moorhen.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:09:43.009118 2001:f00::8.45827 >
    crow.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:09:52.503731 2001:f00::8.45828 >
    jackdaw.ecs.soton.ac.uk.33434: udp 16 [hlim 1]
  • 20:10:02.243615 2001:f00::8.45829 >
    coot.ecs.soton.ac.uk.33434: udp 16 [hlim 1]

10
Intrusion Detection Systems
  • We use Snort open source IDS/IPS
  • http://www.snort.org/
  • A patch is available for IPv6 transport
    inspection
  • Just looks at certain application layer
    signatures
  • Fuller support in release code soon
  • We expect a new test (beta) version any day now
  • Will include official IPv6 support for some
    features
  • Probably Stream5, HTTP Inspect, DCERPC and FTP
    Telnet preprocessors
  • New record type for IPv6 events
  • Will also need IPS IPv6 communication to firewall
  • To react to observed potential attacks

11
Observations on our IDS
  • Running on our external link path
  • Note Snort supports multiple probe points
  • In a recent week's logs
  • Events logged from 26 different sources
  • Some from the same /64 link, so it's possible IPv6
    privacy addresses may mask the true number of sources
  • Can check the signature IDs, e.g.
  • http://www.snort.org/pub-bin/sigs.cgi?sid=1042

12
Example IDS events seen
  • Logged events include
  • WEB-IIS view source via translate header
  • BAD-TRAFFIC udp port 0 traffic
  • WEB-MISC backup access
  • WEB-MISC SSLv3 invalid data version attempt
  • IIS UNICODE CODEPOINT ENCODING
  • ATTACK-RESPONSES 403 Forbidden
  • TCP Portsweep
  • DOUBLE DECODING ATTACK
  • OVERSIZE REQUEST-URI DIRECTORY
  • Similar to what we see for IPv4 IDS

13
Firewall management
  • Currently we have two firewall platforms
  • Could be managed via single interface/GUI
  • Need a consistent management interface for IPv4
    and IPv6 hosts
  • Allow dual-stack or multiaddressed nodes to be
    managed
  • Reduce management complexity
  • Avoid inconsistencies
  • Not the case for all platforms looked at to date
  • Also important to consider IPv6-enabled status of
    all services for an IPv6 DNS-advertised host

14
IDS considerations
  • The Snort we've used only examines application
    layer data for potential attacks
  • Uses the same signatures as IPv4
  • We need to understand IPv6-specific issues to
    detect in IPv6 IDS systems, e.g.
  • Excessive hop-by-hop headers/options
  • Routing Header usage
  • Header ordering
  • Malformed headers
  • Transition tool abuse
  • Snort won't see these issues today
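
A checker for the IPv6-specific conditions listed on this slide, added here as an example; it is not code from the talk or from Snort. It walks a raw packet's extension-header chain and reports ordering and count violations (RFC 2460 section 4.1), a type 0 routing header (deprecated by RFC 5095), truncated headers, and a No Next Header (59) value with payload bytes still behind it, which is what the "no next header" lines on slide 8 show. The MAX_CHAIN threshold and the build_packet helper are constructed for the example:

```python
import struct

# IPv6 next-header values (IANA); a type 0 routing header is RH0
HOPOPT, ROUTING, FRAGMENT, NONXT, DSTOPTS = 0, 43, 44, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAGMENT, DSTOPTS}
MAX_CHAIN = 4                         # assumed "excessive" threshold; tune per site
PADN = b"\x01\x04\x00\x00\x00\x00"    # one PadN option filling a 6-byte options body


def walk_ipv6_chain(pkt: bytes) -> list:
    """Walk the extension-header chain of a raw IPv6 packet; return findings.

    RFC 2460 4.1: hop-by-hop options must directly follow the IPv6 header and
    every extension header appears at most once, except destination options
    (allowed twice). An empty list means nothing IPv6-specific stood out.
    """
    findings = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not an IPv6 packet"]
    payload_end = 40 + struct.unpack("!H", pkt[4:6])[0]
    nxt, off, seen = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):                      # every ext header is >= 8 bytes
            findings.append(f"truncated header {nxt} at offset {off}")
            return findings
        if nxt == HOPOPT and off != 40:
            findings.append("hop-by-hop header not first")
        if nxt in seen and nxt != DSTOPTS:
            findings.append(f"repeated header {nxt}")
        if nxt == ROUTING and pkt[off + 2] == 0:    # routing type field
            findings.append("routing header type 0")
        seen.append(nxt)
        # fragment header is a fixed 8 bytes; others carry (hdr_ext_len + 1) * 8
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    if len(seen) > MAX_CHAIN:
        findings.append(f"excessive chain of {len(seen)} extension headers")
    if nxt == NONXT and off < payload_end:
        findings.append("no next header but payload bytes follow")
    return findings


def build_packet(chain, payload=b""):
    """Constructed test packet: IPv6 header, one 8-byte extension header per
    (type, six_byte_body) entry in `chain`, then `payload` after No Next Header."""
    types = [t for t, _ in chain] + [NONXT]
    ext = b"".join(bytes([types[i + 1], 0]) + body for i, (_, body) in enumerate(chain))
    body = ext + payload
    # version 6, zero class/flow label, payload length, first next header, hop limit 64,
    # then all-zero source and destination (addresses are irrelevant to this check)
    return struct.pack("!IHBB", 6 << 28, len(body), types[0], 64) + bytes(32) + body
```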

15
Summary
  • IPv6 firewall activity light (but so is traffic
    level)
  • Probing activity targeted at advertised IPv6
    addresses
  • IPv6 IDS seeing IPv4-like attacks
  • But we're only looking at the application layer,
    not the IP layer
  • And no way to do IPS messaging over IPv6 yet
  • Need to consider how firewalls can be
    consistently managed for dual-stack IPv4/IPv6
    nodes
  • Need to discuss IPv6-specific IDS considerations
  • Testing new Snort version soon
  • Seeking people to help start an ID on this topic