Search
  • Timothy Echeandia

Don't Run Away From IPv6

Recently, I've been asking friends, colleagues, and vendors how they deal with IPv6. The answers have ranged from "That's a great question." to "I'll have to get back to you." to the image below:



The problem with ignoring IPv6 in your environment is two fold. First, Windows enables IPv6 by default, you're likely to have it running even if you're not using it. Secondly, Windows prefers IPv6 over IPv4 by default. Much like a hyperactive child, IPv6 is ready, willing, and able to connect to anything that presents itself within your network.



IPv6 is a great covert channel for attackers because so many security tools ignore it. There are also a variety of man-in-the-middle attacks that can be executed via IPv6 if an attacker manages to get a foothold within your network. The articles I've linked below detail two of them.


https://www.fox-it.com/en/news/blog/mitm6-compromising-ipv4-networks-via-ipv6/

https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/


Microsoft doesn't recommend disabling the IPv6 stack, but there are steps that you can take to mitigate the vulnerability. One of the easiest steps you can take is setting IPv4 to be preferred via policy. You can also use the Windows firewall to filter IPv6 traffic. Blocking ICMPv6 stops neighbor and router discovery as well as router advertisements. More guidance regarding configuration from Microsoft can be found here:


https://support.microsoft.com/en-in/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users


Another step you might consider is filtering IPv6 on your network devices if they support it. Documentation from cisco can be found below:


https://community.cisco.com/t5/networking-documents/understanding-dhcpv6-guard/ta-p/3147653

https://community.cisco.com/t5/networking-documents/ipv6-ra-guard/ta-p/3124519


Ignoring a threat won't make it go away. Good network hygiene will save you headaches in the long run and is far more valuable than any security tool. Don't run away. :)



28 views
Contact Us

Orcus, LLC

San Diego, CA, 92130

201.972.5521

info@orcus.com

  • White Facebook Icon
  • LinkedIn
  • Twitter

© 2020 by Orcus