Virtualisation of Critical Network Services – Best Practice Document

,

, IPv6, Networking

This document describes a way to virtualise the number of network servers that are required for the operation of a large campus network. These servers provide services, including DHCP, DNS, VPN, email, network monitoring, and radius. Most of these services are so important that the network must operate two or … Read More

Pavel KislingerVirtualisation of Critical Network Services – Best Practice Document

Hiding TCP Traffic: Threats and Counter-measures

IPv6, Monitoring, Security @Security and Protection of Information 2013, Brno, CZ

Computer networks were designed to be simple and routers do not validate the integrity of the processed traffic. Consequently, an attacker can modify his or her traffic with the aim of confusing any analyser that intercepts the traffic, e.g. monitoring and security software or lawful interception. This paper studies the … Read More

Libor PolčákHiding TCP Traffic: Threats and Counter-measures

Behaviour of various operating systems during SLAAC, DAD, and ND

IPv6, Monitoring

This post contains the report from the study phase of the behaviour of various operating systems during SLAAC and DAD analysis for our paper called “A New Approach for Detection of Host Identity in IPv6 Networks”, which will be presented at DCNET 2013. This post also contains PCAP files that … Read More

Libor PolčákBehaviour of various operating systems during SLAAC, DAD, and ND

Rogue Router Advertisement Attack

,

, IPv6, Security

This article describes first hop security issue of IPv6 Neighbor Discovery Protocol. Vulnerability of this protocol is exploited to perform a Rogue Router Advertisement attack. Currently, there are few mitigation techniques available against this type of attack. Most of them, however are useful only in specific scenarios, or not widely used, mainly because insufficient support of vendors. This article presents probably the most applicable mitigation technique against the Rogue RA attack — RA Snooping. Specifically, its implementations by Cisco and HP (H3C).

Jozef PivarnikRogue Router Advertisement Attack

Security challenges in IPv6 from the campus perspective

IPv6, Networking @Oslo, NORDUnet 2012 Conference

Growing number of IPv6 devices in the network would bring new security challenges. Are there any security improvements comparing to IPv4 or IPv6 brings some new security threads. IPv6 have been developed for more than 15 years so far and presentation tries to find the answer if IPv6 provides better … Read More

Tomas PodermanskiSecurity challenges in IPv6 from the campus perspective

IPv6 RA flood DoS attack in Windows 8

IPv6, Networking, Security

RA flood attack is known for a few years. It appeared in many operating systems. Some vendors have already fixed the issue. Unfortunately Microsoft Windows product are still vulnerable including the latest version of Windows 8. Following video demonstrates the flood attack on on the latest version Windows 8 using thc-ipv6 toolkit.

Tomas PodermanskiIPv6 RA flood DoS attack in Windows 8

Deploying IPv6 – practical problems from the campus perspective

, ,

, , IPv6, Monitoring, Networking, Security @TNC 2012, Reykjavik, IS

On February 2011, IANA has run out of IPv4 addresses. On April 2011, APNIC pool reached the final /8 IPv4 address block. Projected address pool exhaustion for other RIRs varies from the beginning of the 2012 to the end of 2014. This situation pushes organizations to think about transition to IPv6. Unfortunately IPv4 and IPv6 are incompatible protocols that make the transition more difficult and raise new security issues. This paper shares experiences of deploying IPv6 in the university campus network, describes the most significant troubles that we have been faced with and describes the best practices in the practical IPv6 deployment. The article discusses differences in IPv6 and IPv4 networks with focus on the first hop security, autoconfiguration (SLAAC, DHCP, DHCPv6) and different client’s support.

Tomas PodermanskiDeploying IPv6 – practical problems from the campus perspective

Analysis of tunneled traffic

IPv6, Monitoring, Networking @Campus network monitoring workshop

Traditional firewall techniques usually permit traffic according to IP addresses or port numbers. More advanced firewalls inspect even packet’s payload – e.g. http traffic. However, neither of these techniques is sufficient when dealing with IPv6 transition techniques. An attacker can easily avoid a security policy in a network by using … Read More

Matej GregrAnalysis of tunneled traffic