In this course, you will receive hands-on training for the latest security issues related to IPv6. You will learn how to recognize and proactively mitigate IPv6 attacks by configuring IPv6 Access Control Lists (ACLs) and creating firewall stateful rules. Hands-on labs will reinforce topics discussed during class, and you will use IPv6 hacking tools to actively attack ACL and firewall configurations.

What You'll Learn

• How to write an IPv6 security policy and best practices
• Create ACL and reflexive ACLs to protect your company's network
• Make firewalls IPv6 aware
• Build objects and perform firewall filtering
• IPSec filtering and configuring IPSec tunnels
• Security issues related to IPv6 tunneling
• Protect against IPv6 extension headers attacks
• Recon attacks and exploits within the enterprise network
• Implement security policies on local operating systems and servers
• Configure packet filtering on firewalls and routers

Who Needs to Attend

Security administrators, technicians and managers or anyone requiring an extensive overview of IPv6 security

Prerequisites

• IPv6 Foundations: Protocols, Services, and Migration

Follow-On Courses

There are no follow-ons for this course.

Course Outline

1. IPv6 Security Overview

• Hacker types
• Day zero preparations/prevention
• Assessing your threats
• CIA triad
• Authentication methods
• 802.1x support
• User authorization
• Cryptographically Generated Addresses (CGA)
• Private addressing
• Security overview
• Privacy addresses

2. Port Probing and Security

• IPv6 address
• Address probing
• EUI-64 probing
• Mitigating the hacker probe

3. ICMPv6 Protocol Threats

• ICMPv6 protocol overview
• ICMPv6 header
• Mitigating ICMPv6 issues

4. Reflexive ACL Filtering

• ACL overview
  • Named ACLs
  • Standard and extended
• Reflexive ACLs
• Reflexive configuration examples
• ACL show commands
• Distribute list example
• Route map example
• Viewing syslog events

5. DNS Issues and threats

• Configure a dual-stack DNS server
• Deploying IPv6 DNS
• Security issues running dual-stack DNS
• IPv6 DNS threats

6. Extension Header Threats

• Summary of address threats
• Extension header overview
• Extension address threats
• Extension header order
  • Routing header hack
  • Fragment header
  • Authentication header
  • ESP header
  • Destination options
  • Upper layer
• Extension header hacks
  • Hop-by-Hop header hack
  • Routing header issues
  • Fragmentation header hacks
  • Destination Options header duplication
• Scapy6 hacking tool
• Filtering with ACL and firewalls

7. ICMPv6 ND Suite

• Hacker Threats for IPv6
• Neighbor Discovery
• DHCPv6
  • Easy to guess addressing
  • Security concerns
  • Public to public addressing
  • DHCPv6 attack and authentication
• Denial of Service (DoS)
• Neighbor spoofing attack
• Neighbor cache poisoning
• Man-in-the-middle attack
• DoS attack
  • ICMPv6 attacks
• Anycast threat
• Mitigate Neighbor Discovery threats
• Secure Neighbor Discovery (SEND)

8. Denial of Service

• Anycast address and address association
• All ICMPv6 host address and router address
• Other multicast address attacks

9. Operating System Security

• Windows security overview
• Windows threats
  • XP
  • 2007
  • Server 2008
  • Microsoft SDI (Server and Domain Isolation)
• Dual-stack host
  • Configuring a dual-stack host
  • Why run dual-stack
  • Dual-stack threats
  • Local firewall configuration
• Linux
  • IPSecconfig and IPSeckey
  • Central server control Dynamic Multi-Point Virtual Private Network (DMVPN)

10. Firewalls and IPSec

• Layer 2 firewalls and IPv6
• Layer 3 firewalls and IPv6
• IPSec overview
  • Building an SPD or SAD
  • IKE static key
  • IKE dynamic key
  • Diffie-Helman
  • IPSec configuration example
• Site-to-site
• Authentication methods
• Suggested security steps for remote access
• SEND
• Host DoS hack
• Perfect Forward Secrecy (PFS)
• DAD attack
• Router hacks
• Using /127 serial links

11. Tunneling with IPSec

• 6to4 manual tunneling (IPSec)
  • Sample configuration
  • Static point-to-point
  • Dynamic IGP tunneling
  • 6to4 threats
  • Mitigating 6to4 threats
• GRE tunneling
  • Multipoint GRE 350
• Dynamic Multi-Point Virtual Network (DMVPN)
  • Next-Hop Resolution Protocol (NHRP)
  • Next-Hop Server (NHS)
• ISATAP Tunneling
  • ISATAP threats
  • Mitigating 6to4 threats
• Teredo configuration
• Teredo threats
• Mitigate Teredo threats
• SSL VPN

12. IPv6 Tunneling Attacks

• Tunneling hacks
• Defend against tunneling issues
• Firewall limitations
• ACL limitations
• Routing loop attacks using IPv6 tunnels
• Teredo tunneling problem
• Using IPS and Firewall IPS against tunneling

13. Mobility Security

• IPv6 mobility overview
• Home Agent (HA)
• Care of Address (CoA)
• Binding update and acknowledgement
• Security concerns
• Routing header issues
• NEMO overview and services
• Security issues

Labs

Lab 1: Initial IPv6 Security Lab

• Perform initial IPv6 VLAN configuration on assigned firewall
• Configure IPv6 addressing and routing on assigned router
• Set up host workstation for IPv6 network
• Configure both IPv4 and IPv6 addressing

Lab 2: Standard IPv6 ACL

• Configure standard IPv6 ACL on assigned router
• Test each ACL for proper configuration
• Use show commands to view current configured ACLs

Lab 3: Reflexive IPv6 ACL

• Configure classroom reflexive ACL
• Perform proper filtering for connectivity for HTTP, FTP, SMTP, POP3, and TFTP protocols
• Use show command to verify ACLs are using correct reflexive stateful operation

Lab 4: Windows Local Firewall Security/Application Security for IPv6

• Configure local host firewall for filtering network traffic
• Filter specific assigned applications

Lab 5: Configuring IPSec Firewall

• Configure firewall stateful filtering
• Configure specific filtering rules on each student's firewall

Lab 6: Hacking Tools for Creating IPv6 Hacks

• Configure Scapy6 to craft IPv6 headers and perform classroom hacks
• Use Alive6 for testing classroom firewalls
• Test SourceIPv6
• Use IPv6 probing for address and port number discovery
• Configure and test NMAP

Lab 7: Multicast Filter

• Configure firewall to only except specific multicast traffic
• Configure firewall to filter unwanted IPv6 traffic

Lab 8: IPSec 6to4 Tunneling

• Configure 6to4 tunnels
• Test 6to4 tunneling to core network
• Filter unwanted traffic over IPv6 tunneling

Lab 9: DMVPN for IPv6

• Configure Dynamic Multipoint VPN (DMPVN)
• Use show commands to verify proper configuration
• Test DMVPN connection into backbone network

Lab 10: Creating an ISATAP VPN over an ISATAP Tunnel

• Each POD will create an ISATAP VPN over an IPv4 network
• Test ISATAP connectivity by communicating with other students' PODs