Computers and Electrical Engineering 33 (2007) 425–437 www.elsevier.com/locate/compeleceng
Security aspects in IPv6 networks – implementation and testing

Drago Žagar *, Krešimir Grgić, Snježana Rimac-Drlje

J.J. Strossmayer University of Osijek, Faculty of Electrical Engineering, Kneza Trpimira 2b, Osijek, Croatia

Available online 12 July 2007
Abstract

The IPv6 protocol, which should replace the current IPv4 protocol, brings many new possibilities and improvements in simplicity, routing speed, quality of service and security. In comparison to IPv4, IPv6 improves the mechanisms for assuring secure and confidential transfer of information. Despite these improvements, network security remains a very important issue, since there are security threats and attack types that can affect IPv6 networks. This paper deals with security issues in IPv6 networks. Security improvements and extensions in the IPv6 protocol are described and explained, and a security comparison to IPv4 is made. The experimental IPv6 network and the tools used for security testing are described. Security threats common to IPv4 and IPv6 networks are described, and security issues specific to IPv6 networks are also analysed. Different types of attacks in IPv6 networks are analysed and some suggestions for their avoidance are given. From a security standpoint, the transition period during which both protocols coexist is especially problematic; therefore, security issues arising from the different transition mechanisms are analysed. Further, the paper studies firewalls in IPv6 networks. The implementation of firewalls in IPv6 networks and IPv6-specific firewall configurations are analysed. Different tests of firewalls are performed and their results are analysed, and a comparison with IPv4 firewalls is made. Some suggestions for proper deployment of firewalls are given. This paper also deals with the detection of unauthorised intrusion. Different approaches to intrusion detection are explained and different types of intrusion detection systems are described. Suggestions for proper positioning of intrusion detection systems in the local area network are given. In the absence of non-commercial intrusion detection systems with IPv6 support, some alternative possibilities for intrusion detection are explained.

The paper analyses methods of intrusion detection using tools for network traffic capturing and analysis (with IPv6 support). Different types of attacks are performed and their effects are presented and explained. Instructions for recognising and detecting different attacks are given, together with some recommendations for avoiding certain attack types or reducing their effect. Practical advice and guidelines for implementing security mechanisms for packet filtering and detection of unauthorised intrusion are emphasised. Finally, some recommendations for improving security mechanisms and guidelines for further development of intrusion detection systems with IPv6 support are given.

© 2007 Elsevier Ltd. All rights reserved.

Keywords: IPv6; Network security; Firewall; Intrusion detection
* Corresponding author. Tel.: +385 31 224 600; fax: +385 31 224 605.
E-mail addresses: [email protected] (D. Žagar), [email protected] (K. Grgić), [email protected] (S. Rimac-Drlje).
0045-7906/$ - see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.compeleceng.2007.05.008
1. Introduction

The current version of the Internet protocol (IPv4) has not changed significantly since it was introduced in 1981. IPv4 proved robust, relatively easy to implement and interoperable, which enabled its survival through years of rapid Internet growth. However, the exponential growth of the Internet (impossible to predict when IPv4 emerged) brings new demands that IPv4 cannot fulfil in an acceptable way. Some of the problems are the following: lack of address space, rapid enlargement of routing tables (which decreases routing speed), the need for simpler configuration, the demand for real-time data transfer, and increased security requirements. To eliminate some of these shortcomings a new version of the Internet protocol (IPv6) was developed in the 1990s [1]. Although the IPv6 protocol is still developing, it is fully functional and its implementation and usage in real networks is possible [2]. During the next few years the new IPv6 protocol should replace the old IPv4 protocol. Because of the enormous size of the Internet, the transition from IPv4 to IPv6 cannot be instant. It will be a process that lasts for a certain period of time and goes through different phases. Therefore, during the next years both IPv4 and IPv6 will coexist. The new IPv6 protocol introduces new features, possibilities and improvements, especially in simplicity, routing speed, quality of service and security. IPv6 brings new security mechanisms that are much improved in comparison to IPv4, but their evasion and misuse is still possible [3]. From a security standpoint, the transition period during which both IPv4 and IPv6 coexist is especially problematic: during it, network security can be affected by security issues specific to both IPv4 and IPv6 networks.
Besides, the different transition mechanisms bring new, previously unknown security issues that can open new possibilities for intrusion and misuse of computer systems connected to the network. Since the transition period will not be short, these security threats arising from transition mechanisms should be taken seriously. Generally, the IPv6 protocol is more resistant to some security threats than the IPv4 protocol, but some security threats against IPv4 networks might also affect an IPv6 network, and some new security threats specific to IPv6 networks have emerged. Security mechanisms used in computer networks, such as firewalls and intrusion detection systems, must be aware of these new threats. Therefore, firewalls and intrusion detection systems need to be upgraded to support and recognise the IPv6 protocol correctly [4].

2. Security improvements in the IPv6 protocol

In the early days of the Internet, when the IPv4 protocol was introduced, the network was used mostly for research and development purposes, so security was not of great importance. Because of that, the IPv4 protocol was designed with minimal security options, and responsibility for security was passed along to the application, i.e. security was not addressed at the lower layers of the networking protocol stack. This means that the different security functions (such as digital signatures, exchange of encryption keys, entity authentication and access control) were implemented at some higher layer of the protocol stack. For example, the Secure Socket Layer (SSL) protocol operates at the transport layer, and Secure HTTP (SHTTP) operates at the application layer. This approach to IP security leaves many problems unsolved. Encryption at the higher protocol layers leaves some information unencrypted (all information at the lower layers of the protocol stack).
For example, if encryption is performed at the application layer, an unauthorised intruder can easily gather information about the computer systems involved in the communication, together with information about their running processes. Thus, the intention is to implement security mechanisms at the network layer (Internet layer) of the networking protocol stack. There are some goals that should be achieved in order to claim that security mechanisms are implemented satisfactorily; the main ones are authentication, confidentiality and integrity of the transmitted data. In public and open networks (such as the Internet) it is quite difficult to establish absolutely secure communication. In such an open environment even the use of different security mechanisms (e.g. encryption or digital signatures) does not guarantee absolute security. Some of the present security threats are denial of service (DoS) attacks, spoofing attacks and network traffic interception. Implementation of security mechanisms at the IP level should prevent these threats, or at least mitigate their impact. To achieve that goal, the security architecture for the Internet protocol, also known as IPsec, was introduced [5].
2.1. The IP security architecture

The IP security architecture (IPsec) defines security services to be used at the IP layer, both for IPv4 and IPv6 [6]. The IPsec architecture becomes an integral part of IPv6, enabling new possibilities for ensuring privacy, integrity and authentication of communication. With properly implemented IPsec, computer systems can interact at an acceptably secure level, using particular security algorithms and protocols. A system may support more than one acceptable encryption algorithm, which allows it to fall back to an alternative algorithm if the other system does not support the first choice. Implementation of the IPsec architecture provides different security services at the IP layer. It provides access control to systems or services. IPsec also enables connectionless integrity, because the integrity of any individual IP packet can be verified without reference to any other packets; this service is usually carried out using secure hashing techniques. Further, IPsec provides data origin authentication through the use of digital signature algorithms. IPsec also brings a packet counter mechanism. This mechanism protects against packet replay attacks, where an attacker re-sends packets that have already been received by the destination system, trying to exhaust the resources of the destination host. Through the use of encryption, IPsec provides data confidentiality, allowing access to data only with proper authorisation. Security mechanisms at the IP layer protect IP datagrams mostly without involving the user or any application. This means that a user is often not aware of these mechanisms, as long as the encrypted datagrams are properly decrypted by the destination hosts. There are several possible ways of implementing the IPsec security architecture. IPsec can be implemented as part of the IPv6 stack. This approach implies full support for the IP security headers incorporated into the IP network protocol stack.
It makes IPsec an integral part of the IP protocol implementation, but it requires the entire protocol stack to be updated (by a software or hardware update), which is its disadvantage. Another approach is implementation of IPsec as a "bump in the stack" (BITS). This method inserts the IPsec software code into the network protocol stack, below the existing IP layer software and above the local link software. The inserted code intercepts datagrams from the IP layer and performs security processing on them before forwarding them to the local link layer. A big advantage of this approach is that IPsec can be implemented without reprogramming the IP stack software. The IPsec architecture can also be implemented as a "bump in the wire" (BITW). This method uses external hardware for security processing. The external device usually acts as an IP security gateway for all datagrams targeted at the host it is connected to. When it is used to protect a single host, the BITW approach is very similar to BITS, but a single BITW device can protect multiple hosts, which is the advantage of this approach.

2.2. Security headers in the IPv6 protocol

In IPv6 all IPsec security services are provided through proper usage of the IPv6 security headers: the Authentication Header (AH) [7] and the Encapsulating Security Payload (ESP) header [8]. The security headers can be used individually or together. Proper usage of the authentication header ensures the integrity of the IP datagram, since it carries content verification data for the datagram it is attached to. It also provides authentication of the IP datagram by linking a communicating entity with the datagram contents. In IPv6 the authentication header must be placed after any headers intended to be processed by every node along the datagram's path (e.g. the routing header, the hop-by-hop header or the fragmentation header).
Also, the authentication header must be placed before any headers processed only at the destination node. The IPsec architecture defines two basic operating modes: transport mode and tunnel mode. Both AH and ESP headers can be used in either mode. In transport mode the authentication header protects the payload of the datagram and those parts of the IP header that do not change at intermediary nodes. This implies that the authentication header protects the destination IP address field and the extension headers, since they do not change along the datagram's path. In tunnel mode the entire original datagram is protected, since it is encapsulated in an entirely new IP datagram sent to the security gateway. The purpose of the Encapsulating Security Payload header is to enable IP nodes to transmit datagrams with an encrypted payload. Proper usage of the ESP header ensures confidentiality of datagrams and authentication of the data source through the use of different encryption algorithms. The ESP header should be placed after any headers that require processing by intermediate nodes. All data following the ESP header are encrypted. The ESP header (like AH) can be used in tunnel or transport mode. In transport mode all headers following the ESP header are encrypted. In tunnel mode the ESP header encapsulates the entire IP datagram, which is then sent through a security gateway. Although the IPsec architecture defines security services to be used at the IP layer both for IPv4 and IPv6, there is a difference: to be used with the IPv4 protocol, the authentication header and the encapsulating security payload header must be implemented in the proper IPv4 options format.

3. Security threats in IPv6 networks

3.1. Security threats common to IPv4 and IPv6 networks

Despite the security improvements implemented in the new IPv6 protocol, IPv6 networks are still exposed to different types of attacks. Some vulnerabilities still exist, so there are attack types that could potentially harm IPv6 networks. Some types of attacks known from IPv4 networks did not fundamentally change with the appearance of the new IPv6 protocol, which means that they can affect both IPv4 and IPv6 networks. A typical example of an attack that affects both IPv4 and IPv6 networks is a sniffing attack. A sniffing attack involves capturing the data being transmitted through the network. If confidential data are transmitted in a plaintext protocol, they can easily be compromised by an attacker running a sniffing attack. Sniffing attacks can be avoided by proper use of the IPsec security architecture, which is optional in IPv4 and mandatory in IPv6. Application layer attacks are the most common attacks today. These include buffer overflow attacks, web application attacks (e.g. CGI attacks) and different types of viruses and worms.
Unfortunately, the transition to the IPv6 protocol will neither prevent these attacks on computer systems and networks nor alleviate their consequences, since both IPv4 and IPv6 are network layer protocols and these attacks are performed at the application layer of the ISO/OSI network model. One of the most frequent attack types in IPv4 networks is the flooding attack. It consists of flooding a network device (e.g. a router) or a host with large amounts of network traffic. The targeted device is unable to process such a large amount of traffic and becomes unavailable or out of service. A flooding attack can be local or a distributed denial of service attack (DoS) [9], where the targeted network device is flooded with traffic from many hosts simultaneously. This type of attack can also affect IPv6 networks, because the basic principles of the flooding attack remain the same. The new types of extension headers in IPv6, the new types of ICMPv6 messages and the dependence on multicast addresses in IPv6 (e.g. all routers must have site-specific multicast addresses) may provide new ways of misuse in flooding attacks.

3.2. IPv6 specific security threats

3.2.1. Reconnaissance attacks in IPv6 networks

The IPv6 protocol brings new features and some changes in the protocol specification. These changes may potentially result in new security problems, previously unknown in IPv4 networks. The first phase of a larger attack is usually a reconnaissance attack. An intruder uses reconnaissance attacks to gather essential data about the victim network that can be misused later in further attacks. For reconnaissance an intruder can use active methods, such as different scanning techniques, or passive data mining. A reconnaissance attack enables an intruder to gather information about hosts, other network devices and their interconnections in the targeted network.
First, an intruder uses ping probes to determine which IP addresses are in use in the victim network. After finding an accessible system, the intruder performs a port scan. There are software tools (such as Nmap) that can perform all of these actions together. Although the port scan procedure is identical for IPv4 and IPv6 networks, there is a major difference in the identification of valid addresses. All reconnaissance techniques are basically the same for IPv4 and IPv6 networks, but the subnet size in IPv6 networks is much larger than in IPv4 networks (the default subnet size in IPv6 networks is 64 bits). To scan a whole subnet an intruder would have to make 2^64 probes, which makes it impossible. Owing to this fact, IPv6 networks are much more resistant to reconnaissance attacks than IPv4 networks. Unfortunately, there are some types of multicast addresses used in IPv6 networks that can help an intruder to identify and attack resources in the targeted network. RFC 2375 [10] defines node-, link- and site-specific uses of multicast addresses (e.g. all routers have the site-specific address FF05::2). For security reasons, it is very important to block access to these internal-use addresses from outside the network. This can be achieved by filtering network traffic on the network's border routers.

3.2.2. Security threats related to IPv6 routing headers

According to the IPv6 protocol specification, all IPv6 nodes must be capable of processing routing headers. Unfortunately, routing headers can be used to evade access controls based on destination addresses, which can produce security problems. An intruder can send a packet to a publicly accessible address with a routing header containing a "forbidden" address (an address in the victim network). In that case the publicly accessible host will forward the packet to the destination address stated in the routing header (the "forbidden" address) even though that destination address is filtered. By spoofing packet source addresses an intruder can easily initiate a denial of service attack, using any publicly accessible host to redirect the attack packets.

3.2.3. Fragmentation related security threats

According to the IPv6 protocol specification, packet fragmentation by intermediary nodes is not allowed. Since in IPv6 networks the use of the path MTU discovery method (based on ICMPv6 messages) is mandatory, packet fragmentation is possible only at the source node. The minimal recommended MTU size for IPv6 networks is 1280 octets. For security reasons it is highly recommended to discard all fragments smaller than 1280 octets unless the packet is the last in the flow.
Using fragmentation an intruder can arrange that the port numbers are not found in the first fragment, and in that way bypass security monitoring devices (which do not reassemble fragments) that expect to find transport layer protocol data in the first fragment. By sending a large number of small fragments an attacker can overload the reassembly buffers on the target system, potentially causing the system to crash (a type of denial of service attack). To avoid such problems it is recommended security practice to limit the total number of fragments and their allowed arrival rate.

3.2.4. Security threats related to ICMPv6 and multicast

In IPv4 networks it was possible to block most ICMP messages without directly affecting proper network functionality. Therefore, blocking ICMP messages was common practice for improving security in IPv4 networks. On the other hand, in IPv6 networks some important mechanisms (e.g. neighbour discovery and path maximum transmission unit discovery) depend on certain types of ICMPv6 messages [11]. Consequently, some ICMPv6 messages must be allowed for proper network operation (e.g. a "packet too big" message is required for the path maximum transmission unit discovery procedure, and a "parameter problem" message is necessary if an unrecognised option occurs in the IPv6 packet header). The ICMPv6 specification also allows an error notification response to be sent for a packet that was targeted at a multicast address. This fact can be misused by an attacker: by sending a suitable packet to a multicast address with a spoofed source address, an attacker can cause multiple responses targeted at the victim (the spoofed source of the multicast packet).

3.3. Security issues related to transition mechanisms

Since the transition from the IPv4 to the IPv6 protocol will not be rapid (primarily because of the enormous size of the global IPv4 network), both protocols will coexist for a certain period of time, and the transition will be gradual. To ensure a smooth transition to the new version of the protocol, different transition mechanisms have been developed [12]. The most important transition mechanisms are tunnelling and dual-stack configurations (supporting both the IPv4 and IPv6 protocols). These transition mechanisms can introduce new, previously unknown security threats. Thus, it is very important for network designers and administrators to understand the security implications of transition mechanisms in order to apply proper security mechanisms, such as firewalls and intrusion detection systems.
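The border-filtering recommendations of Sections 3.2.1 to 3.2.4 above (block site-local multicast from outside, treat routing headers as a relay risk, discard non-last fragments shorter than 1280 octets and first fragments without a transport header, keep only the ICMPv6 types that path MTU discovery and neighbour discovery need) can be expressed as a single packet-level policy. The following Python is an added example, not code from the paper: it walks the IPv6 extension-header chain of a raw packet and returns a verdict. The packets it is run on are constructed in `build_packet`; the set of permitted ICMPv6 types and the policy thresholds are this example's assumptions, not the paper's.

```python
"""Added example (not from the paper): an IPv6 extension-header walker with the
border-filter checks of Sections 3.2.1-3.2.4. All packet bytes are constructed."""
import struct

# Next-header values from the IPv6 specifications
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH = 0, 43, 44, 60, 51
TCP, UDP, ICMPV6, NO_NEXT = 6, 17, 58, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH}
MIN_MTU = 1280                                   # minimal IPv6 link MTU (Section 3.2.3)
# ICMPv6 types this policy keeps open (assumption): packet too big (2), parameter
# problem (4) and the neighbour discovery messages RS/RA/NS/NA (133-136)
ALLOWED_ICMPV6 = {2, 4, 133, 134, 135, 136}


def walk_headers(packet):
    """Follow the next-header chain of a raw IPv6 packet.
    Returns (ext_types, upper_layer_type, upper_offset, frag) where frag is
    None or (fragment_offset_units, more_fragments_flag)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, ext_types, frag = packet[6], 40, [], None
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        ext_types.append(nh)
        next_nh = packet[off]
        if nh == FRAGMENT:
            off_flags = struct.unpack("!H", packet[off + 2:off + 4])[0]
            frag, length = (off_flags >> 3, bool(off_flags & 1)), 8
        elif nh == AH:
            length = (packet[off + 1] + 2) * 4       # AH length field: 32-bit words minus 2
        else:
            length = (packet[off + 1] + 1) * 8       # other extension headers: 8-octet units minus 1
        if off + length > len(packet):
            raise ValueError("truncated extension header")
        nh, off = next_nh, off + length
        if frag is not None and frag[0] > 0:
            break                                    # non-first fragment: no further headers present
    return ext_types, nh, off, frag


def border_policy(packet):
    """Verdict for a packet entering the site from outside: 'ACCEPT' or 'DROP: <reason>'."""
    ext_types, upper, upper_off, frag = walk_headers(packet)
    dst = packet[24:40]
    if dst[0] == 0xFF and (dst[1] & 0x0F) == 5:    # site-local multicast scope, e.g. FF05::2 (3.2.1)
        return "DROP: site-local multicast destination from outside"
    if ROUTING in ext_types:                         # relay via a public host to a filtered address (3.2.2)
        return "DROP: routing header"
    if frag is not None:
        offset_units, more = frag
        if more and len(packet) < MIN_MTU:          # non-last fragment below the 1280-octet MTU (3.2.3)
            return "DROP: non-last fragment shorter than 1280 octets"
        if offset_units == 0 and upper in (TCP, UDP) and upper_off + 4 > len(packet):
            return "DROP: first fragment lacks the transport header"  # ports pushed to a later fragment (3.2.3)
    elif upper == ICMPV6:                            # keep PMTU discovery / ND working, drop the rest (3.2.4)
        if upper_off + 4 > len(packet):
            return "DROP: truncated ICMPv6"
        if packet[upper_off] not in ALLOWED_ICMPV6:
            return "DROP: ICMPv6 type %d not required from outside" % packet[upper_off]
    return "ACCEPT"


def build_packet(ext_headers, upper, upper_bytes, dst="20010db8000000000000000000000002"):
    """Constructed test input, not captured traffic. ext_headers is a list of
    (type, body) pairs where body is the header minus its next-header octet."""
    chain = [t for t, _ in ext_headers] + [upper]
    body = b"".join(bytes([nxt]) + hdr for (_, hdr), nxt in zip(ext_headers, chain[1:]))
    body += upper_bytes
    src = bytes.fromhex("20010db8000000000000000000000001")
    fixed = struct.pack("!IHBB", 6 << 28, len(body), chain[0], 64) + src + bytes.fromhex(dst)
    return fixed + body


def fragment_header(offset_units, more, ident=1):
    """Body of a fragment header: reserved octet, offset/flags, identification."""
    return bytes([0]) + struct.pack("!H", (offset_units << 3) | int(more)) + struct.pack("!I", ident)
```

The first-fragment check is what catches the evasion described in Section 3.2.3: a first fragment of 1312 octets filled with a destination options header satisfies the 1280-octet minimum, yet the TCP header it announces is not inside it. The ICMPv6 rule is deliberately the opposite of the IPv4 habit of blocking ICMP wholesale; a production ruleset would also rate-limit the permitted types and restrict neighbour discovery to link-local sources.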
3.3.1. Security of dual-stack configurations

The dual-stack approach is a concept that efficiently solves the problem of interoperability with the old version of the protocol during the transition period. A dual-stack network node has two separate protocol stacks (IPv4 and IPv6). The node analyses datagrams arriving through its network interface; IPv4 datagrams are forwarded to the IPv4 stack and IPv6 datagrams to the IPv6 stack for further processing. There are two types of dual-stack nodes. The first type supports both protocols but does not support tunnelling. The second type also supports tunnelling, meaning that it can establish a connection with another such node through the IPv4 network without any need for special IPv6 routers. On dual-stack configurations applications can be targeted by both IPv4 and IPv6 attacks. Accordingly, firewalls and intrusion detection systems on such hosts must support both the IPv4 and IPv6 protocols and must have proper filtering/detection rules for both.

3.3.2. Security of the tunnelling mechanism

The tunnelling mechanism is a very useful and efficient method for interconnecting smaller isolated parts of the global network that run the IPv6 protocol (IPv6 "islands") through the IPv4 environment (the situation will be reversed at the end of the transition period, when most of the global network will run IPv6 and the IPv4 "islands" will be interconnected by tunnelling through the IPv6 environment). The tunnelling mechanism requires that the nodes at the ends of the tunnel support both the IPv4 and the IPv6 protocol (i.e. that they are configured as dual-stack devices). When tunnelling IPv6 traffic through an IPv4 network, the node at the beginning of the tunnel encapsulates the IPv6 datagram into an IPv4 datagram, so that the entire IPv6 datagram becomes the payload of the IPv4 datagram.
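The encapsulation just described is what a tunnel endpoint has to undo, and the decapsulation step is where the endpoint can check that the two address layers agree before it trusts the inner packet. The following Python is an added example, not code from the paper: it strips the IPv4 header of a protocol-41 tunnel packet and, for the automatic 6to4 mechanism (whose 2002::/16 source addresses embed the sender's IPv4 address), refuses inner packets whose embedded address does not match the outer IPv4 source, as well as tunnel packets whose outer source is a non-routable address. The packets are constructed by `build_tunnel_packet`; the list of rejected outer source ranges is this example's choice.

```python
"""Added example (not from the paper): decapsulating an IPv6-over-IPv4 tunnel
packet (IPv4 protocol 41) with the source-consistency check a 6to4 router should
apply before accepting the inner packet. Packet bytes below are constructed."""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41                          # IPv4 protocol number for encapsulated IPv6
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # 2002:V4ADDR::/48 embeds the endpoint's IPv4 address
# Outer sources that cannot be legitimate Internet tunnel endpoints (this example's list:
# RFC 1918, loopback, link-local, multicast and the "this network" block).
BOGON_V4 = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def decapsulate_6to4(outer):
    """Return (inner_ipv6_packet, None) on success or (None, reason) when the packet
    must be discarded. outer is the raw IPv4 packet seen by the tunnel endpoint."""
    if len(outer) < 20 or outer[0] >> 4 != 4:
        return None, "not an IPv4 packet"
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != PROTO_IPV6_IN_IPV4:
        return None, "not an IPv6-in-IPv4 tunnel packet"
    outer_src = ipaddress.IPv4Address(outer[12:16])
    if any(outer_src in net for net in BOGON_V4):
        return None, "outer IPv4 source %s is not a routable tunnel endpoint" % outer_src
    inner = outer[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None, "tunnel payload is not IPv6"
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIXTOFOUR:
        embedded = ipaddress.IPv4Address(inner[10:14])   # octets 2..5 of the 2002: source address
        if embedded != outer_src:
            return None, "6to4 source %s does not embed outer source %s" % (inner_src, outer_src)
    return inner, None


def build_tunnel_packet(outer_src, inner_src, inner_dst="2002:c633:6401::1", outer_dst="198.51.100.1"):
    """Constructed IPv4(proto 41) + IPv6 packet with an empty IPv6 payload; the IPv4
    checksum is left zero because the example never verifies it."""
    inner = (struct.pack("!IHBB", 6 << 28, 0, 59, 64)       # version 6, no payload, next header 59
             + ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_IPV6_IN_IPV4, 0,
                        ipaddress.IPv4Address(outer_src).packed, ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner
```

A native IPv6 source (for example 2001:db8::1) carries no embedded IPv4 address, so the consistency check does not apply and the packet is accepted; that is the relay-router case, which is why relay traffic needs separate policy.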
The network node at the end of the tunnel extracts the IPv6 datagram from the IPv4 datagram and forwards it to the targeted IPv6 network. Depending on the type of network devices at the endpoints of the tunnel, there are several types of tunnelling: router-to-router, host-to-router or router-to-host, and host-to-host tunnelling. Tunnelling mechanisms may bring new dangers and possibilities of misuse [13]. Tunnelling can help an intruder to evade ingress filtering checks. Special attention must be paid to automatic tunnelling mechanisms. Two methods of automatic tunnelling are specified. The first method is called "6to4" and it encapsulates the IPv6 packet directly into the IPv4 packet. The "Teredo" tunnelling mechanism encapsulates the IPv6 packet into an IPv4 UDP packet. If these tunnelling methods are in use, all receiving nodes must allow decapsulation of packets that can be sourced from anywhere, which can be a serious security problem. The 6to4 tunnelling mechanism uses automatic IPv6-over-IPv4 tunnelling to interconnect IPv6 networks. The 6to4 architecture includes 6to4 routers and 6to4 relay routers. The 6to4 router accepts and decapsulates IPv4 packets from other 6to4 routers, and the 6to4 relay router accepts packets from native IPv6 nodes. Network addresses within the IPv4 and IPv6 headers may be spoofed, meaning that this mechanism can be used for denial of service (DoS) attacks. By misusing the 6to4 transition mechanism a denial of service attack can be targeted at an IPv6 node, an IPv4 node or another 6to4 node [14].

4. Firewalls in IPv6 networks

Firewalls represent one of the most important network security mechanisms. They act as network traffic filters, filtering all traffic entering or leaving the local network. Firewalls are usually positioned between the local network (LAN) and the Internet (or another insecure network).
It is also possible and advisable to place a firewall on every segment of the local network, even on every single host in the local network. Every received packet is analysed and the results are compared with a predefined set of rules. According to these rules, the packet can be accepted, discarded or sent for an additional check. For IPv4 networks there are many software firewalls (both freeware and commercial) for different platforms, usually with user-friendly graphical interfaces that enable the user to define filtering rules easily. Most firewalls already have predefined sets of filtering rules for frequently used applications (such as web browsers, e-mail clients etc.), but users are allowed to modify the existing rules and add new ones according to their needs. Some firewalls with IPv6 support have emerged lately. Firewalls intended for use in IPv6 networks must have built-in support for the IPv6 protocol, since filtering rules must be defined separately for IPv4 and IPv6 traffic. The IPv6 protocol introduces a new packet header format (different from the IPv4 header) that must be properly recognised and processed by the IPv6 firewall. Other protocols associated with IPv6, such as ICMPv6, also have to be properly supported by the IPv6 firewall. There are some differences in packet filtering possibilities between the IPv4 and the IPv6 protocol (e.g. in IPv4 networks ICMP messages can be filtered by the firewall, whereas in IPv6 networks some ICMPv6 messages must be allowed since they are essential for proper network functioning). For configuring an IPv6 firewall (i.e. writing filtering rules for IPv6 traffic) there is a tool called "ip6tables". It is included in all recent Linux distributions and it is very similar to the "iptables" tool (the tool for setting up an IPv4 firewall on the Linux platform). On the MS Windows platform there is the "Windows Firewall" tool (formerly called ICF, Internet Connection Firewall) with support for the IPv6 protocol. It is included in Service Pack 2 for MS Windows XP and it is not available as a separate product. Filtering rules for Windows Firewall can be set through the graphical user environment or using the Command Prompt (net shell). In the experimental IPv6 network different tests of firewalls have been performed on both the MS Windows and the Linux platform. Their results and analysis are given later in this paper.

5. Intrusion detection in IPv6 networks

Together with the rapid growth of the global network, the number of attempts at unauthorised intrusion into computer networks and hosts increases drastically. The damage caused by unauthorised intrusions into computer systems can be enormous, and the consequences often immense. Therefore, it is crucial to undertake proper protective measures. The most important security mechanism used for detecting unauthorised intrusion is the intrusion detection system (IDS).

5.1. Types of intrusion detection systems and their optimal implementation

An intrusion detection system (IDS) is a hardware or software system for supervision and analysis of the different events occurring in the network or on a particular host. The IDS analyses network events, searching for any signs of unauthorised intrusion. The term "intrusion" covers all attempts to compromise the confidentiality, integrity or availability of a computer or network, including all attempts to evade network security mechanisms (e.g. firewalls). Intrusions can be caused by outside attackers, but also by authorised users who attempt to gain additional privileges and by users who misuse their privileges. A properly implemented IDS has several roles. It is capable of detecting the preliminary activities that an intruder performs before an intrusion, such as examining the targeted network and testing it for security vulnerabilities. If the IDS registers an attempt at vulnerability testing by an unauthorised person, it will identify this attempt as suspicious behaviour. In that case the IDS can log the event, alert the competent personnel, or block the running attack and undertake adequate countermeasures. The operation of an intrusion detection system has three phases. In the first phase the IDS gathers information about the different events that occurred in the monitored system. In the second phase the IDS organises and analyses the gathered information in order to recognise unauthorised activities. The third phase includes the actions and measures that the system undertakes if an unauthorised intrusion occurred. These measures can be active (some kind of automatic response) or passive (an alert to an authorised person). Considering the control strategy (the way the IDS is administered and controlled), intrusion detection systems can be categorised into several classes.
An IDS can be centralised, where all functions of monitoring, detection and reporting are performed from one central location. Furthermore, an IDS can be partially distributed, where all mentioned functions are performed from local control nodes which are hierarchically connected to one or more central locations. Finally, an IDS can be fully distributed; in a fully distributed IDS all decisions concerning monitoring, detection and response are made on the local nodes.

There are two main types of IDS: host-based IDS (HIDS) and network-based IDS (NIDS). Application-based IDS (AIDS) are sometimes classified as a separate type, but they can also be considered a subtype of host-based IDS. A network-based IDS captures and analyses network traffic on the whole local network, on a network segment or on a switch. In this way a single NIDS can protect multiple interconnected hosts simultaneously. A NIDS may have several sensors or hosts placed at different positions inside the network which perform local traffic analysis and send reports to the main control console. A host-based IDS protects a single host. Because information is collected from a single host, its analysis can be more reliable and accurate. A HIDS is capable of determining which processes and users participate in each particular attack or intrusion. Since a HIDS can directly monitor the files and system processes targeted by an attack, it can immediately notice the consequences of a performed attack. Application-based IDS analyse events that occurred inside a particular application, so they can detect suspicious behaviour of authorised users attempting to exceed their privileges.

Proper positioning of IDS systems in the local area network is very important for improving network security. Only a properly configured and positioned IDS can fully serve its purpose: protection of the systems in the local network from intrusion. To achieve full protection it is necessary to combine network-based and host-based intrusion detection systems. A network-based IDS (NIDS) can be implemented on every segment (subnet) of the local area network. If a NIDS is not located on every subnet, it should be positioned at least between the Internet and the local network. If the local network is separated from the Internet by a firewall which serves as an ingress filtering point, it is advisable to locate an IDS on both sides of the firewall: one between the ingress firewall and the local network and another between the ingress firewall and the Internet. The IDS located outside the firewall (between the firewall and the Internet) will detect all outside intrusion attempts, and the IDS located between the firewall and the local network will detect attacks that successfully evaded the ingress filtering mechanism. In that way NIDS systems can contribute to the discovery of possible problems in the ingress firewall configuration. NIDS systems placed in this way can detect an attack by analysing the outgoing network traffic even when the attack was not detected by analysis of the incoming traffic.
For achieving an even higher level of protection it is desirable to install a host-based intrusion detection system (HIDS) on particular hosts in the local network, since a HIDS protects a single host.

5.2. Intrusion detection possibilities in IPv6 networks

For IPv4 networks there are some open source IDS systems. By using software IDS systems in IPv4 networks the procedure of intrusion detection can be fully automated. In that case an attempt at unauthorised intrusion will be recognised and properly logged by the IDS and the user will be warned. Considering IPv6 support in non-commercial IDS systems, the situation is, unfortunately, still not so good. Currently there are several commercial IDS systems with IPv6 support, but no freeware known to the authors. Because of the absence of freeware IDS software for IPv6 networks, this article considers a possible method of intrusion detection using a packet capturing tool (network analyser). With this method the intrusion detection procedure does not run automatically (unlike automated intrusion detection in IPv4 networks with appropriate IDS tools); it requires an educated administrator able to recognise an intrusion attempt from a captured pattern of network traffic.

An IDS with IPv6 support must take into account some new facts typical of the IPv6 protocol. The IPv6 protocol defines a new header format which must be properly recognised by the IDS. IPv6 introduces extension headers (e.g. hop-by-hop options, routing header, fragment header, destination options header, authentication header, encapsulating security payload) in order to simplify the main header. The next header format also allows new types of IPv6 extension headers to be defined and implemented later. The IDS must implement proper support for all types of IPv6 extension headers. The standard also defines a proper order of IPv6 extension headers.
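The header-chain checks that an IPv6-aware IDS needs (proper order of extension headers, an undefined next header value, and irregular or duplicate options in hop-by-hop and destination options headers) fit in a short routine. The Python code below is an added example, not code from the paper or from any IDS product: it parses the fixed IPv6 header, walks the extension header chain, reports headers that violate the RFC 2460 recommended order or are repeated, flags an undefined next header value, and scans hop-by-hop and destination options headers for duplicate non-padding options. The sample packets are constructed inline with documentation addresses (2001:db8::/32), the router-alert option is used only as a convenient sample option, and the policy of discarding a packet on any finding is the example's own assumption.

```python
# Added example: walk an IPv6 extension header chain and report what an IPv6-aware
# IDS should flag: headers out of the RFC 2460 recommended order, repeated headers,
# an undefined next header value, and duplicate options in options headers.
# All packets below are constructed with documentation addresses (2001:db8::/32).
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58
PAD1, PADN = 0, 1
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", DEST_OPTS: "destination-options", ROUTING: "routing",
             FRAGMENT: "fragment", AH: "ah", ESP: "esp"}
UPPER_LAYER = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6", NO_NEXT: "no-next-header"}
# Position in the recommended order. Destination options is not listed: it ranks 1
# when it precedes a routing header and 6 when it sits just before the upper layer.
RANK = {HOP_BY_HOP: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}

def _check_options(data, name):
    """Walk the TLV option list of a hop-by-hop or destination options header."""
    findings, seen, i = [], set(), 0
    while i < len(data):
        otype = data[i]
        if otype == PAD1:                       # one-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data) or i + 2 + data[i + 1] > len(data):
            findings.append(f"{name}: option type {otype} overruns the header")
            break
        if otype != PADN:
            if otype in seen:
                findings.append(f"{name}: duplicate option type {otype}")
            seen.add(otype)
        i += 2 + data[i + 1]
    return findings

def inspect_ipv6(pkt):
    """Return the header chain, the list of findings and an accept/discard verdict."""
    findings, chain = [], []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return {"chain": chain, "findings": ["not an IPv6 packet"], "verdict": "discard"}
    if 40 + struct.unpack("!H", pkt[4:6])[0] > len(pkt):
        findings.append("payload length exceeds packet length")
    nh, off, last_rank, routing_seen, final_dest_seen, counts = pkt[6], 40, -1, False, False, {}
    while nh in EXT_NAMES:
        name = EXT_NAMES[nh]
        chain.append(name)
        counts[nh] = counts.get(nh, 0) + 1
        rank = RANK.get(nh, 6 if routing_seen else 1)
        if rank < last_rank:
            findings.append(f"{name} header out of recommended order")
        if counts[nh] > (2 if nh == DEST_OPTS else 1) or (rank == 6 and final_dest_seen):
            findings.append(f"{name} header repeated")
        last_rank = max(last_rank, rank)
        routing_seen, final_dest_seen = routing_seen or nh == ROUTING, final_dest_seen or rank == 6
        if nh == ESP:
            break                               # what follows ESP is encrypted; stop here
        if off + 2 > len(pkt):
            findings.append(f"{name} header truncated")
            break
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            findings.append(f"{name} header length {hlen} overruns the packet")
            break
        if nh in (HOP_BY_HOP, DEST_OPTS):
            findings += _check_options(pkt[off + 2:off + hlen], name)
        nh, off = pkt[off], off + hlen
    else:                                       # reached the upper-layer value without a break
        chain.append(UPPER_LAYER.get(nh, f"unknown({nh})"))
        if nh not in UPPER_LAYER:
            findings.append(f"undefined next header value {nh}")
    return {"chain": chain, "findings": findings, "verdict": "discard" if findings else "accept"}

# Constructed sample packets (2001:db8::/32 is the documentation prefix).
def _ipv6(next_header, payload, src="2001:db8::2", dst="2001:db8::3"):
    head = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def _opts_header(next_header, options):
    """Options header (hop-by-hop or destination) padded to a multiple of 8 octets."""
    pad = (-(2 + len(options))) % 8
    options += bytes([PAD1]) if pad == 1 else bytes([PADN, pad - 2]) + bytes(pad - 2) if pad else b""
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options

ROUTER_ALERT = bytes([5, 2, 0, 0])              # option type 5 (router alert), length 2, value 0
ROUTING_HDR = bytes([DEST_OPTS, 0, 0, 0]) + bytes(4)   # routing header, 0 segments left
TCP_STUB = bytes(20)                            # a zeroed TCP header suffices for chain walking
GOOD = _ipv6(HOP_BY_HOP, _opts_header(TCP, ROUTER_ALERT) + TCP_STUB)
BAD_ORDER = _ipv6(DEST_OPTS, _opts_header(HOP_BY_HOP, ROUTER_ALERT) + _opts_header(TCP, ROUTER_ALERT) + TCP_STUB)
DUP_OPTION = _ipv6(HOP_BY_HOP, _opts_header(TCP, ROUTER_ALERT + ROUTER_ALERT) + TCP_STUB)
DOUBLE_DEST = _ipv6(ROUTING, ROUTING_HDR + _opts_header(DEST_OPTS, ROUTER_ALERT)
                    + _opts_header(TCP, ROUTER_ALERT) + TCP_STUB)
UNKNOWN_NH = _ipv6(200, bytes(8))               # 200 is not an assigned protocol number

if __name__ == "__main__":
    print(*(inspect_ipv6(p) for p in (GOOD, BAD_ORDER, DUP_OPTION, DOUBLE_DEST, UNKNOWN_NH)), sep="\n")
```

Running the block prints one result dictionary per sample packet; `GOOD` is accepted with the chain hop-by-hop, TCP, while each of the other packets produces exactly the finding its name describes and a discard verdict. The routine stops at an ESP header because the rest of the packet is encrypted, which is also why an IDS placed outside an IPsec tunnel endpoint cannot inspect the inner headers.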
Therefore, it is highly desirable for an IDS with IPv6 support to check the proper order of IPv6 extension headers. It is recommended that the IDS discard a packet with an undefined next header value and record it as an incident. The only header examined at each hop along the path between the source and the destination node is the hop-by-hop options header. Because it may include multiple or repeated options, an IPv6 IDS should detect irregular or duplicate options. A destination options header is processed at the destination node and it should also be checked by the IDS in order to detect headers with irregular or duplicate options. The check is necessary because a bad destination option or hop-by-hop option can be set intentionally by an attacker. If a network node is configured to send an ICMPv6 error message in case of bad options, it can be misused for a smurf-like attack: the error responses are directed back to the spoofed source address via the remote network. IPv6 traffic tunnelled in IPv4 should also be properly recognised and analysed by an intrusion detection system with IPv6 support. That implies the necessity of support for both automatic and manual tunnels. Proper deployment of the IDS is also of great importance. If a node or network has separate connections for IPv4 and IPv6, it is necessary to deploy a proper IDS for every connection. An intrusion detection system deployed on a dual-stack node with a single connection must recognise and support both IPv4 and IPv6. If IPv6 traffic is tunnelled, it is good security practice to terminate the tunnel outside the IPv6 firewall and deploy the IDS at the ingress point of the network.

6. Testing security aspects in an experimental IPv6 network

6.1. Testing environment

For experimental purposes a small IPv6 network has been established at the Faculty of Electrical Engineering, University of Osijek (Fig. 1). The network consists of three computers: two desktop PCs (based on Intel Celeron and Intel P4 CPUs) and one notebook (Gericom Hummer, based on an Intel Celeron CPU). All computers have been configured as dual-boot systems running MS Windows XP (with SP2 included) and Mandrake Linux 10. Also, all computers in the experimental network have been configured as dual-stack devices supporting both IPv4 and IPv6. The local IPv6 network is connected to the CAR6Net network (CAR6Net is the experimental IPv6 network established by CARNet, the Croatian Academic and Research Network). All tests of security aspects in IPv6 networks have been performed in the described experimental network. In the testing environment different tests of firewalls on both the MS Windows and the Linux platform have been done. Also, different types of reconnaissance attacks have been performed and some possibilities for their successful detection have been analysed. All security tests have been performed on both the Windows XP and the Linux platform.

6.2. IPv6 firewall testing

For setting the firewall filtering rules the command-line applications Netshell (on the Windows XP platform) and ip6tables (on the Linux platform) have been used. The settings of the Windows XP and the Linux firewall were identical for the purpose of a better comparison. For testing purposes (scanning for security vulnerabilities) the Nmap application [15] has been used.
Fig. 1. Experimental IPv6 network.

The official version of Nmap supports the IPv6 protocol, but there is also an adapted version of Nmap, based on an older official version (2.54BETA36), with improved support for IPv6. The authors of the original Nmap recommend this adapted version for use with IPv6, so the adapted version was used for testing. This version of Nmap supports more scanning techniques, such as TCP connect scan, SYN scan, ACK scan, FIN scan, Xmas Tree scan and UDP scan. The TCP connect scan technique is the default scan type in Nmap. It consists of attempts to establish a TCP connection on different ports of the targeted host. If the destination port is listening, the connection will be established; otherwise the port will be reported unreachable. This type of scan uses the "connect" system call (the same high-level system call used by web browsers and other network-enabled applications to establish a connection). Since it does not write raw network packets, this scanning method can be performed by any user (without administrative privileges). With this method a full TCP connection is established to the listening target port and then closed without sending data. Because of that, the TCP connect scanning method is the easiest to detect by an IDS on the targeted host. The SYN scan technique is often referred to as half-open scanning because it does not establish a full TCP connection. In a SYN scan a SYN packet is sent to the targeted host, as in the procedure for establishing a full TCP connection. A SYN/ACK response indicates that the targeted port is listening, while an RST response designates a non-listening port. This scanning method is relatively stealthy because it never establishes a full TCP connection, meaning that it can more easily avoid ingress filtering checks in the targeted network and it is harder to detect by IDS systems. The ACK scanning method sends an ACK packet (a probe packet that has only the ACK flag set) with random-looking acknowledgement/sequence numbers to the specified port. Unfiltered ports will send an RST response to the ACK probe packet. The Xmas Tree scanning method sets the FIN, URG and PUSH flags in the probe packet. A closed port should reply with an RST packet, while an open port ignores the probe packet. The FIN scanning technique acts exactly the same as the Xmas Tree method except that it sets just the FIN flag in the probe packet. In the UDP scanning method 0-byte UDP packets (just UDP headers) are sent to the targeted ports.
In that case a received ICMP port unreachable message denotes a closed port. All described scanning methods have been performed in the experimental IPv6 network. On the Linux platform none of the scanning methods could bypass the firewall and discover the port settings of the targeted host (Fig. 2). On the Windows XP platform some scanning techniques (TCP connect scan and SYN scan) successfully discovered the port settings of the targeted host through the firewall (Fig. 3).
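The scan types described above, and the manual recognition of a scan in captured traffic on which the Ethereal-based method of section 6.3 relies, can be turned into a small detection routine. The Python below is an added example, not code from the paper, from Nmap or from Ethereal: it parses packet-analyser summary lines of the kind shown in Table 1 (No., Time, Source, Destination, Protocol, Info), classifies each probe from its TCP flags (SYN, lone ACK, FIN, Xmas Tree), reads the target's replies the way the text does (SYN/ACK means listening, RST means closed, or unfiltered in answer to an ACK probe) and raises an alert when one source hits several distinct ports within a short window. The sample capture, the Time column, the window and threshold values, the `epmap` name mapping and the documentation addresses are all constructed assumptions of the example.

```python
# Added example: recognise a reconnaissance (port scan) pattern in packet-analyser
# summary lines, the way an administrator reading an Ethereal capture would.
# The capture below is constructed (documentation addresses, Time column added).
import re
from collections import defaultdict

SERVICE_NAMES = {"epmap": 135}   # Ethereal prints well-known ports by name; only one occurs here

SAMPLE = """\
No. Time     Source       Destination  Protocol Info
1   0.000000 2001:db8::2  2001:db8::3  TCP 34405 > epmap [SYN] Seq=0 Ack=0 Win=5760 Len=0
2   0.000210 2001:db8::3  2001:db8::2  TCP epmap > 34405 [SYN, ACK] Seq=0 Ack=1 Win=17280 Len=0
3   0.000400 2001:db8::2  2001:db8::3  TCP 34406 > 136 [SYN] Seq=0 Ack=0 Win=5760 Len=0
4   0.000590 2001:db8::3  2001:db8::2  TCP 136 > 34406 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5   0.000800 2001:db8::2  2001:db8::3  TCP 34407 > 134 [SYN] Seq=0 Ack=0 Win=5760 Len=0
6   0.000990 2001:db8::3  2001:db8::2  TCP 134 > 34407 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7   0.001200 2001:db8::2  2001:db8::3  TCP 34405 > epmap [ACK] Seq=1 Ack=1 Win=5760 Len=0
8   0.001400 2001:db8::2  2001:db8::3  TCP 34405 > epmap [RST, ACK] Seq=1 Ack=1 Win=5760 Len=0
9   0.200000 2001:db8::2  2001:db8::3  TCP 34408 > 139 [FIN, PSH, URG] Seq=0 Ack=0 Win=1024 Len=0
10  0.200300 2001:db8::3  2001:db8::2  TCP 139 > 34408 [RST, ACK] Seq=0 Ack=1 Win=0 Len=0
11  5.000000 2001:db8::9  2001:db8::3  TCP 51000 > 80 [SYN] Seq=0 Ack=0 Win=65535 Len=0
12  5.000300 2001:db8::3  2001:db8::9  TCP 80 > 51000 [SYN, ACK] Seq=0 Ack=1 Win=17280 Len=0
13  9.000000 2001:db8::7  2001:db8::3  TCP 40000 > 22 [ACK] Seq=1 Ack=1 Win=1024 Len=0
14  9.000200 2001:db8::3  2001:db8::7  TCP 22 > 40000 [RST] Seq=1 Ack=0 Win=0 Len=0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+TCP\s+(.*)$")
INFO_RE = re.compile(r"^(\S+) > (\S+) \[([^\]]*)\]")

# Flag combinations of the probe types described above.
PROBE_KINDS = {frozenset({"SYN"}): "SYN", frozenset({"ACK"}): "ACK",
               frozenset({"FIN"}): "FIN", frozenset({"FIN", "URG", "PSH"}): "Xmas Tree"}
# What silence from the target means for each probe type.
NO_REPLY = {"SYN": "filtered (no reply)", "ACK": "filtered (no reply)",
            "FIN": "open or filtered (no reply)", "Xmas Tree": "open or filtered (no reply)"}

def _port(token):
    return SERVICE_NAMES[token] if token in SERVICE_NAMES else int(token)

def parse_line(line):
    """Return one TCP packet as a dict, or None for the header line and non-TCP lines."""
    m = LINE_RE.match(line)
    im = INFO_RE.match(m.group(5)) if m else None
    if not im:
        return None
    return {"time": float(m.group(2)), "src": m.group(3), "dst": m.group(4),
            "sport": _port(im.group(1)), "dport": _port(im.group(2)),
            "flags": frozenset(f.strip() for f in im.group(3).split(",") if f.strip())}

def _reply_status(kind, flags):
    """Interpret the target's answer to a probe of the given kind."""
    if kind == "SYN" and flags == {"SYN", "ACK"}:
        return "open"
    if "RST" in flags:
        return "unfiltered" if kind == "ACK" else "closed"
    return None

def analyse(lines, window=2.0, threshold=3):
    """One alert per source that probed at least `threshold` distinct ports within `window` seconds."""
    probed = {}                  # (src, sport, dst, dport) -> probe kind
    events = defaultdict(list)   # src -> [(time, dst, dport, kind)]
    replies = {}                 # (target, port) -> status read from the target's answer
    for p in filter(None, map(parse_line, lines)):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        kind = PROBE_KINDS.get(p["flags"])
        if kind == "ACK" and probed.get(key) == "SYN":
            kind = None          # third step of a handshake this source began, not an ACK probe
        if kind:
            probed[key] = kind
            events[p["src"]].append((p["time"], p["dst"], p["dport"], kind))
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])
        if rkey in probed:       # this packet travels back to a prober
            status = _reply_status(probed[rkey], p["flags"])
            if status:
                replies[(p["src"], p["sport"])] = status
    alerts = []
    for src, evs in events.items():
        evs.sort()
        burst = {}               # densest window-sized span: (target, port) -> probe kind
        for i, (t0, *_) in enumerate(evs):
            cur = {(d, port): k for t, d, port, k in evs[i:] if t - t0 <= window}
            if len(cur) > len(burst):
                burst = cur
        if len(burst) >= threshold:
            alerts.append({"source": src, "kinds": sorted({k for *_, k in evs}),
                           "ports": {tp: replies.get(tp, NO_REPLY[k]) for tp, k in burst.items()}})
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE.splitlines()):
        print(alert["source"], alert["kinds"], alert["ports"])
```

With the default window and threshold only 2001:db8::2 is reported: four distinct ports within a fraction of a second, probed with SYN and Xmas Tree packets, with port 135 shown as open because the target answered SYN/ACK. The single SYN from 2001:db8::9 and the lone ACK probe from 2001:db8::7 stay below the threshold, which is the kind of judgement the text leaves to the administrator reading the capture; lowering `threshold` to 1 reports them too, the ACK probe's RST reply being read as "unfiltered" rather than "closed".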
Fig. 2. Scanning results on the Linux platform.
Fig. 3. Scanning results on the MS Windows platform.
Therefore, the Linux firewall currently provides a higher security level than the Windows firewall. Testing of firewalls in the IPv6 network indicated that, considering security, the situation is similar to IPv4 networks, where the Linux firewall also provides a higher security level than the Windows firewall. Consequently, in networks requiring a higher security level the use of the Linux firewall is recommended.

6.3. Alternative methods for intrusion detection

The highest possible security level (considering firewalls and intrusion detection systems) implies the use of properly configured firewalls and IDS systems positioned at appropriate locations inside the local network. The first step toward this goal is positioning the firewall at the ingress point of the local network (i.e. between the local network and the Internet). It is advisable to deploy an IDS both behind and in front of that ingress filtering point. The IDS located between the firewall and the Internet will record all intrusion attempts, and the IDS positioned behind the firewall will record intrusions that successfully passed through the firewall. Deployment of a firewall and an IDS on every segment of the local network is also recommended. It is even possible to install a firewall and a host-based IDS on every single host in the local network. The possibility of intrusion detection is very important in networks that require a high level of security and protection. Since currently there are no non-commercial intrusion detection systems for IPv6 networks, some other available approaches and methods for successful detection of an unauthorised intrusion have been considered. Historically, prior to the appearance of software tools that automated the procedure of intrusion detection (i.e. intrusion detection systems), packet dumping tools were used for that purpose.
Table 1
Reconnaissance attack pattern captured by Ethereal

#  Source            Destination       Protocol  Info
1  2001:b68:8001::2  2001:b68:8001::3  TCP       34405 > epmap [SYN] Seq=0 Ack=0 Win=5760 Len=0
2  2001:b68:8001::3  2001:b68:8001::2  TCP       epmap > 34405 [SYN, ACK] Seq=0 Ack=1 Win=17280 Len=0
3  2001:b68:8001::2  2001:b68:8001::3  TCP       34406 > 136 [SYN] Seq=0 Ack=0 Win=5760 Len=0
4  2001:b68:8001::3  2001:b68:8001::2  TCP       136 > 34406 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
5  2001:b68:8001::2  2001:b68:8001::3  TCP       34407 > 134 [SYN] Seq=0 Ack=0 Win=5760 Len=0
6  2001:b68:8001::3  2001:b68:8001::2  TCP       134 > 34407 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0
7  2001:b68:8001::2  2001:b68:8001::3  TCP       34405 > epmap [ACK] Seq=1 Ack=1 Win=5760 Len=0
8  2001:b68:8001::2  2001:b68:8001::3  TCP       34405 > epmap [RST, ACK] Seq=1 Ack=1 Win=5760 Len=0

Thus, in the absence of an IDS tool with IPv6 support, a network capture and analysis tool called Ethereal has been used [16]. Ethereal is a network packet analyser with very good support for decoding many network protocols and application layer traffic, including full support for the IPv6 protocol. It is often used for troubleshooting network problems, examining security problems, debugging protocol implementations and for learning purposes. Ethereal can be used to monitor network traffic live or to analyse previously captured traffic. It implements powerful and fully adjustable filtering options and is available on both MS Windows and Linux/UNIX platforms. Ethereal can be successfully used for intrusion detection in IPv6 networks. For testing purposes we performed different types of reconnaissance attacks by using the Nmap
application. All attacks were performed on both the Linux and the MS Windows platform. All attack-related IPv6 traffic was successfully recognised and logged by Ethereal on both platforms. Owing to this, we could detect all attack attempts by analysing the captured traffic. Table 1 shows an example of a reconnaissance attack logged by Ethereal. In this example the reconnaissance attack can be recognised as a sequence of connection attempts to different ports on the victim host during a very short period of time (Table 1 shows only one small fragment of the captured network traffic). This approach to intrusion detection requires constant monitoring of the network traffic, or subsequent analysis of Ethereal's log file, by an educated administrator. The described method of intrusion detection can be very successful, but the need for constant monitoring by a well-educated administrator is its big disadvantage, since Ethereal has no facility for an automatic alert or response to an attack. The described example represents a situation where an intrusion was efficiently detected, but it also represents a situation where the attacker successfully collected the desired information about the port configuration on the victim host, which can be misused later for further attacks. Namely, the attacker in this case passed through the firewall and got a SYN/ACK response from port 135 on the victim host, so he concluded that the port is listening.

7. Conclusions

After a certain period of coexistence the IPv6 protocol will replace the IPv4 protocol. Every day the IPv6 protocol becomes more accepted and used throughout the global network. IPv6 provides many improvements in comparison to IPv4, among others concerning simplicity and security. Despite numerous improvements some potential security problems are still present and require consideration.
Certain vulnerabilities and misuse possibilities known from IPv4 networks persist, and some new transition-related and IPv6-specific security issues have emerged. Successfully solving these security issues will certainly contribute to wider acceptance and usage of the IPv6 protocol. Because of the existence of some security issues in IPv6 networks, it is necessary to undertake all possible steps for achieving the highest possible security level. For improved protection in IPv6 networks it is recommended to implement security mechanisms for packet filtering (firewalls) and intrusion detection. It is good practice for improving IPv6 network security to filter internal-use IPv6 addresses at border routers in order to avoid some reconnaissance attacks. All unneeded services should be filtered at the firewall. To avoid certain types of fragmentation attacks it is highly advisable to discard all fragments smaller than 1280 octets (except the last one in the flow) and to limit the fragment arrival rate. Completely blocking ICMPv6 messages in IPv6 networks is not possible, but their selective filtering is also highly recommended for security reasons. Since tunnelling mechanisms have some security issues, it is advisable to use dual-stack configurations rather than tunnelling. If tunnelling is in use, it is more secure to use static tunnels rather than dynamic ones. Considering the issues of intrusion detection in IPv6 networks, the appearance of a non-commercial IDS for IPv6 networks would certainly raise the security of IPv6 networks to a much higher level. The results obtained in experimental testing of security aspects of IDS systems in IPv6 networks show that the implemented techniques can be very successful and useful in the intrusion detection process, but for a higher level of security some automatic response techniques should be developed and implemented.
Nevertheless, the security of the IPv6 protocol and of IPv6 networks can still be improved, but this fact should not be an obstacle to its acceptance, usage and further development.

References

[1] RFC 2460. Internet Protocol, Version 6 (IPv6) Specification.
[2] Cooper M, Yen DC. IPv6: business applications and implementation concerns. Computer Standards and Interfaces 2005;28:27–41. Elsevier Science.
[3] Zagar D, Vidakovic S. IPv6 security: improvements and implementation aspects. In: Proceedings of the Eighth International Conference on Telecommunications, Contel. Zagreb; 2005.
[4] Sklavos N, Koufopavlou O. Mobile communications world: security implementations aspects – a state of the art. CSJM J Inst Math Comput Sci 2003;11(32):168–87, Number 2.
[5] RFC 4301. Security Architecture for the Internet Protocol.
[6] Molva R. Internet security architecture. Computer Networks 1999;31:787–804. Elsevier Science.
[7] RFC 4302. IP Authentication Header.
[8] RFC 4303. IP Encapsulating Security Payload (ESP).
[9] Douligeris C, Mitrokotsa A. DDoS attacks and defense mechanisms: classification and state-of-the-art. Computer Networks 2004;44. Elsevier Science.
[10] RFC 2375. IPv6 Multicast Address Assignments.
[11] RFC 2463. Internet Control Message Protocol (ICMPv6) for the IPv6 Specification.
[12] RFC 2893. Transition Mechanisms for IPv6 Hosts and Routers.
[13] Zagar D, Martinovic G, Rimac-Drlje S. Security analyses of IPv4/IPv6 tunneling tools. WSEAS Trans Comput 2006;5(1):194–201.
[14] RFC 3964. Security Considerations for 6to4.
[15] Nmap. http://www.insecure.org/nmap
[16] Ethereal. http://www.ethereal.com
Drago Žagar received the B.Sc., M.Sc. and Ph.D. from the University of Zagreb, Faculty of Electrical Engineering and Computing, in 1990, 1995 and 2002, respectively. Since 1990 he has been affiliated with the Department of Communications, Faculty of Electrical Engineering, University of Osijek, where he has reached the rank of associate professor. From 2003 to 2005 he was the Vice-Dean for education, and currently he is the Vice-Rector for education and students at the University of Osijek. His main research interests include quality of service in IP networks, formal methods for protocol verification and computer networks. He has served on the technical program committees of several conferences. He is a member of the IEEE, the IEEE Communications Society and the IEEE Computer Society.
Krešimir Grgić received the B.Sc. degree in electrical engineering from J.J. Strossmayer University of Osijek (Croatia) in 2005. Since 2005 he has been an assistant at the Faculty of Electrical Engineering (Department of Communications) in Osijek, Croatia. He is currently a doctoral student at the same faculty. His research interests include computer networks and protocols, network and communication security, intrusion detection and error-control coding.
Snježana Rimac-Drlje received the B.Sc., M.Sc. and Ph.D. from the University of Zagreb, Faculty of Electrical Engineering and Computing, in 1987, 1994 and 2000, respectively. Since 1987 she has worked at the Faculty of Electrical Engineering, University of Osijek, where she was Vice-Dean for science and Vice-Dean for education. Currently she is an associate professor in the Department of Communications. Dr. Rimac-Drlje's research interests include image/video compression, wavelet transform, signal/image/video processing and digital communication systems.