Information Security News mailing list archives
Re: Look Before You Leap into IPv6 with Teredo
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 8 Dec 2006 00:26:51 -0600 (CST)
Forwarded from: Jim Hoagland <jim_hoagland (at) symantec.com>

In the interest of clarity...

On 12/6/06 10:12 PM, "InfoSec News" <alerts () infosecnews org> wrote:

> === IN FOCUS: Look Before You Leap into IPv6 with Teredo =======
> by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
>
> [...]
>
> Hoagland also writes that security devices such as intrusion detection and prevention systems (IDSs/IPSs) that are designed for IPv4 don't understand IPv6 traffic. Thus, the IPv4 devices can't enforce adequate security controls on IPv6 traffic encapsulated in IPv4 packets.
That's not exactly what I wrote actually. The point I made is that unless a firewall/NIDS/NIPS is specifically Teredo aware, the IPv6 content that Teredo is carrying (over UDP over IPv4) will not be properly inspected. Thus, introducing Teredo on your network might well reduce your security posture.

I talk about this mainly in Section III-B of the paper (page 8) [1], but I think my blog entry [2] also explains it well.

[1] http://www.symantec.com/avcenter/reference/Teredo_Security.pdf
[2] http://tinyurl.com/ulk9o

Thank you,

Jim

--
Jim Hoagland, Ph.D., CISSP
Principal Security Researcher
Advanced Threats Research
Symantec Security Response
www.symantec.com

_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
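What "Teredo aware" inspection involves at minimum, as an added example that is not part of the original message or of the cited paper: the device has to look inside the IPv4 UDP payload, skip Teredo's optional indication headers, and hand the inner IPv6 packet to its normal rule set. The header layout, UDP port 3544 and the 2001::/32 prefix are taken from RFC 4380; the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

TEREDO_NET = ipaddress.ip_network("2001::/32")  # Teredo prefix (RFC 4380)
TEREDO_PORT = 3544                               # Teredo server UDP port

def strip_teredo_indications(payload):
    """Skip the optional authentication and origin indication headers."""
    if payload[:2] == b"\x00\x01" and len(payload) >= 4:   # authentication
        id_len, au_len = payload[2], payload[3]
        payload = payload[4 + id_len + au_len + 9:]         # nonce(8) + confirmation(1)
    if payload[:2] == b"\x00\x00" and len(payload) >= 8:   # origin indication
        payload = payload[8:]
    return payload

def inspect_ipv4_packet(pkt):
    """Return details of the tunneled IPv6 packet, or None if not Teredo."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:   # IPv4 carrying UDP only
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        return None
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    inner = strip_teredo_indications(pkt[ihl + 8:])
    if len(inner) < 40 or inner[0] >> 4 != 6:               # need a full IPv6 header
        return None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    # Client-to-client Teredo need not use port 3544, so also key on the prefix.
    if TEREDO_PORT not in (sport, dport) and src not in TEREDO_NET and dst not in TEREDO_NET:
        return None
    # inner_payload is what an IPv4-only device never applies its rules to.
    return {"udp_ports": (sport, dport), "src6": str(src), "dst6": str(dst),
            "next_header": inner[6], "inner_payload": inner[40:]}

def constructed_sample(with_origin=False):
    """Constructed packet: IPv4/UDP carrying IPv6 with a zeroed 20-byte TCP stub."""
    tcp = bytes(20)
    v6 = struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
    v6 += ipaddress.IPv6Address("2001:0:c000:201::1").packed
    v6 += ipaddress.IPv6Address("2001:db8::5").packed + tcp
    teredo = (b"\x00\x00" + bytes(6) if with_origin else b"") + v6
    udp = struct.pack("!HHHH", 40000, 3544, 8 + len(teredo), 0) + teredo
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip4 + udp
```

To an IPv4-only rule set the sample is a single UDP datagram between two IPv4 hosts; only after decapsulation does the inner TCP segment (next header 6) become visible for inspection.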