Are Your IPv6 Defenses Ready for World IPv6 Day?
World IPv6 day is nearly upon us and many networks are not ready to repel borders (hackers). As the world becomes more aware of IPv6, more people will try to exploit potential weaknesses in our IPv6 defenses.
My recommendations, even if your network is not connected directly to an IPv6 connection are:
- Turn off Teredo (Shipworm support on your PC’s). This is literally one of the IPv6 support protocols of last resort, and can leave your network vulnerable to attack. This worm (Teredo is Latin for Shipworm) and can easily burrow its way into your network.
- In your firewalls set them to block protocol 41 (IPv6 encapsulated with IPv4).
- Disable ping support on your Firewall.
- If possible disable IPv6 on your corporate PC’s, even if you are not actively supporting IPv6. By simply having IPv6 enabled (Windows 7 defaults to enable IPv6) your network is more susceptible to attack. One of the most publicized attacks is the “SLAAC ATTACK”. For more details check this link: http://resources.infosecinstitute.com/slaac-attack/#comment-18675
- Remember IPv6 can be tunneled into your network via IPv4. Your firewalls may not be capable of doing a deep packet inspection into the tunnel.
Note: Full name for Shipworm in Latin is: “Teredo Navalis”
comments powered by