AOH :: ISNQ3305.HTM

Re: Look Before You Leap into IPv6 with Teredo




Re: Look Before You Leap into IPv6 with Teredo
Re: Look Before You Leap into IPv6 with Teredo



Forwarded from: Jim Hoagland 

In the interest of clarity...

On 12/6/06 10:12 PM, "InfoSec News"  wrote: 
> === IN FOCUS: Look Before You Leap into IPv6 with Teredo ======>    by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
[...]
> Hoagland also writes that security devices such as intrusion detection 
> and prevention systems (IDSs/IPSs) that are designed for IPv4 don't 
> understand IPv6 traffic. Thus, the IPv4 devices can't enforce adequate 
> security controls on IPv6 traffic encapsulated in IPv4 packets.

That's not exactly what I wrote actually.  The point I made is that 
unless a firewall/NIDS/NIPS is specifically Teredo aware, the IPv6 
content that Teredo is carrying (over UDP over IPv4) will not be 
properly inspected. Thus, introducing Teredo on your network might well 
reduce your security posture.  I talk about this mainly in Section III-B 
of the paper (page 8) [1], but I think my blog entry [2] also explains 
it well.

[1] http://www.symantec.com/avcenter/reference/Teredo_Security.pdf 
[2] http://tinyurl.com/ulk9o 

Thank you,

  Jim
-- 
Jim Hoagland, Ph.D., CISSP
Principal Security Researcher
Advanced Threats Research
Symantec Security Response
www.symantec.com 


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 
 

Site design & layout copyright © 1986-2014 CodeGods