Re: [ISN] Look Before You Leap into IPv6 with Teredo

From: InfoSec News (alerts@private)
Date: Thu Dec 07 2006 - 22:26:51 PST


Forwarded from: Jim Hoagland <jim_hoagland (at) symantec.com>

In the interest of clarity...

On 12/6/06 10:12 PM, "InfoSec News" <alerts@private> wrote:
> === IN FOCUS: Look Before You Leap into IPv6 with Teredo =======
>    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
[...]
> Hoagland also writes that security devices such as intrusion detection 
> and prevention systems (IDSs/IPSs) that are designed for IPv4 don't 
> understand IPv6 traffic. Thus, the IPv4 devices can't enforce adequate 
> security controls on IPv6 traffic encapsulated in IPv4 packets.

That's not exactly what I wrote actually.  The point I made is that 
unless a firewall/NIDS/NIPS is specifically Teredo aware, the IPv6 
content that Teredo is carrying (over UDP over IPv4) will not be 
properly inspected. Thus, introducing Teredo on your network might well 
reduce your security posture.  I talk about this mainly in Section III-B 
of the paper (page 8) [1], but I think my blog entry [2] also explains 
it well.

[1] http://www.symantec.com/avcenter/reference/Teredo_Security.pdf
[2] http://tinyurl.com/ulk9o

Thank you,

  Jim
-- 
Jim Hoagland, Ph.D., CISSP
Principal Security Researcher
Advanced Threats Research
Symantec Security Response
www.symantec.com
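
The point made in the message above, as an added example that is not part of the original post or of the cited paper: a Teredo-aware inspection step has to strip Teredo's framing from the UDP payload before the inner IPv6 header can be examined at all. The header layouts and the 2001::/32 prefix are taken from RFC 4380; the function names are hypothetical and the sample payload is constructed.

```python
import ipaddress
import struct

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo service prefix (RFC 4380)

def strip_teredo_headers(payload: bytes) -> bytes:
    """Skip the optional authentication and origin-indication headers."""
    if payload[:2] == b"\x00\x01":                 # authentication header
        if len(payload) < 4:
            return b""
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]  # + 8-byte nonce, 1-byte confirmation
    if payload[:2] == b"\x00\x00":                 # origin indication: port + address
        payload = payload[8:]
    return payload

def decode_teredo_addr(addr: ipaddress.IPv6Address) -> dict:
    """Recover the IPv4 endpoints embedded in a Teredo IPv6 address."""
    raw = addr.packed
    return {
        "server": str(ipaddress.IPv4Address(raw[4:8])),
        "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
        "port": struct.unpack("!H", raw[10:12])[0] ^ 0xFFFF,
    }

def inspect_udp_payload(payload: bytes):
    """Return inner IPv6 header fields if the UDP payload parses as Teredo, else None."""
    inner = strip_teredo_headers(payload)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    payload_len, next_header, _hop = struct.unpack("!HBB", inner[4:8])
    if payload_len > len(inner) - 40:              # truncated or not really IPv6
        return None
    src, dst = (ipaddress.IPv6Address(inner[i:i + 16]) for i in (8, 24))
    teredo = {r: decode_teredo_addr(a) for r, a in (("src", src), ("dst", dst))
              if a in TEREDO_PREFIX}
    return {"src": str(src), "dst": str(dst), "next_header": next_header, "teredo": teredo}

def build_sample() -> bytes:
    """Constructed UDP payload: origin indication + IPv6 header + bare TCP SYN header."""
    src = ipaddress.IPv6Address("2001:0:4136:e378:8000:63bf:3fff:fdd2").packed
    dst = ipaddress.IPv6Address("2001:db8::1").packed
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ipv6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64) + src + dst + tcp
    origin = b"\x00\x00" + struct.pack("!H", 40000 ^ 0xFFFF) + bytes(
        b ^ 0xFF for b in ipaddress.IPv4Address("192.0.2.45").packed)
    return origin + ipv6

if __name__ == "__main__":
    print(inspect_udp_payload(build_sample()))
```

A device that stops at the outer IPv4/UDP header sees only a datagram between two IPv4 hosts; the inner destination and next-header value that a policy would act on appear only after this decapsulation.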

