| Subject: | Re: RE: IPv6 support in IDS/IPS products |
|---|---|
| Date: | Wed, 9 Nov 2005 18:11:22 -0500 |

First, if you're doing security you should NEVER "assume" anything. That's a surefire way to NOT get what you want out of a product.

Second, the U.S. Government has lots of checkboxes. Common Criteria, FIPS 140, etc. IPv6 can be viewed as a checkbox if you don't ask the right question, which is why I specifically am interested in not only the ability to "detect IPv6", but to actually properly decode IPv6, all the IPv6 methods, IPv6 tunnels, and other weirdness that I probably don't know about.

We never ask enough questions about the ways our vendors implement these requirements and it gets us in trouble. For example, in IPv4 a typical header is normally 20 bytes, but could be slightly larger, let's say 60 bytes. Not a big deal for most people, and even old ASIC technology can handle 64 byte headers. But, a normal IPv6 header with options, and tunneling, could easily exceed the 64 byte header length, since it's arbitrary. A smart hacker could add enough options and tunnels to extend the header length to well past 1K (assuming a large MTU). I seriously doubt most vendors have accounted for this.

So, when Cisco claims "enhanced visibility", I note that they did NOT answer my question specifically, and they don't go into any details about how they do it. The phrase "we detect IPv6" is not the same as the answer given by ISS & NFR. I'd like to actually more fully explore those answers, which I will do once I create a Matrix from vendors that give an appropriate response, because I STILL don't believe them.

People ask questions around buzzwords, they get an answer, and then don't follow up with more detailed questions, because they assume vendors are doing the right thing... when in reality, many vendors will simply do "just enough".

Sorry for the rant... I've gotten burned by making "assumptions".

-d

On 8 Nov 2005 00:34:12 -0000, barcajax@gmail.com <barcajax@gmail.com> wrote:
> I think it's safe to assume that most of the IDS/IPS products support IPv6 because it's a U.S. government requirement if I'm not wrong. From personal experience, NFR Sentivist is IPv6 aware.
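
The header-length point in the message above, as an added example that is not part of the original post or any vendor's code: a Python walker that follows the IPv6 extension-header and IPv6-in-IPv6 chain and reports where the upper-layer header starts, so it can be compared against a fixed 64-byte inspection window. The function names, the `max_headers` cap and the sample packets are assumptions constructed for illustration.

```python
import struct

GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "dest-opts"}  # (next, len) layout
FRAGMENT, AH, IPV6_IN_IPV6, FIXED_LEN = 44, 51, 41, 40

def header_chain_length(pkt, max_headers=64):
    """Walk the IPv6 header chain; return (upper_layer_offset, upper_proto, chain).
    Raises ValueError on truncation or when more than max_headers are chained."""
    if len(pkt) < FIXED_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    off, nxt, chain = FIXED_LEN, pkt[6], ["ipv6"]
    while nxt in GENERIC_EXT or nxt in (FRAGMENT, AH, IPV6_IN_IPV6):
        if len(chain) >= max_headers:
            raise ValueError("header chain exceeds max_headers")
        if off + 8 > len(pkt):
            raise ValueError("truncated header chain")
        if nxt == IPV6_IN_IPV6:    # tunnel: another full fixed header follows
            hlen, name = FIXED_LEN, "ipv6-in-ipv6"
        elif nxt == FRAGMENT:      # always 8 bytes, no length field
            hlen, name = 8, "fragment"
        elif nxt == AH:            # length in 4-byte units, minus 2
            hlen, name = (pkt[off + 1] + 2) * 4, "ah"
        else:                      # length in 8-byte units, not counting the first 8
            hlen, name = (pkt[off + 1] + 1) * 8, GENERIC_EXT[nxt]
        if off + hlen > len(pkt):
            raise ValueError("truncated header chain")
        if name == "fragment" and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return off + hlen, None, chain + [name]  # non-first fragment: no headers follow
        nxt = pkt[off + 6] if name == "ipv6-in-ipv6" else pkt[off]
        off += hlen
        chain.append(name)
    return off, nxt, chain

def exceeds_window(pkt, window=64, max_headers=64):
    """True if the upper-layer header starts beyond a fixed inspection window."""
    return header_chain_length(pkt, max_headers)[0] > window

def build_sample(n_dest_opts):
    """Constructed packet: IPv6 + n 8-byte Destination Options headers + 20-byte TCP stub."""
    exts = b""
    for i in range(n_dest_opts):
        nxt = 60 if i < n_dest_opts - 1 else 6
        exts += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])  # PadN option fills the 6 option bytes
    body = exts + bytes(20)
    first = 60 if n_dest_opts else 6
    return struct.pack("!IHBB", 6 << 28, len(body), first, 64) + bytes(32) + body
```

With these constructed packets, three chained options headers put the TCP header exactly at offset 64, a fourth pushes it to 72, and 130 of them put it at 1080, past the 1K mark the message mentions.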