Archive for October, 2011

What We’re Reading, Week of 10/24

Posted: October 28, 2011 in Highlights

InfoWorld, Interest in IPv6 booms despite puny traffic levels
SearchEnterpriseWAN.com, VPN security breaches: How to avoid them
eSecurity Planet, The Safe Traveler’s VPN Shopping Guide
Channel Insider, Top Tales of IT Terror


Editor’s Note: For part one, click here.

By Daniel P. Dern

So, how does a company add IPv6 support? “Your operating systems have to be IPv6-ready,” said Rainer Enders, CTO, Americas, for NCP engineering. “Your network providers have to support IPv6, in a secure way. Check whether they support native IPv6 end-to-end, for a full backbone if possible, as opposed to ‘split tunneling’ – we feel the latter is not a good idea and have concerns about that approach. Some ISPs are already rolling out pure native IPv6, especially for business-class service, and some will soon also be doing this on the consumer side.”

Split tunneling is when a VPN user reaches a public network and the corporate LAN or WAN over the same network connection at the same time, with only the corporate traffic going through the tunnel. Traffic from the public network, however, can pose a threat to the LAN or WAN if that side of the connection becomes vulnerable.

If IPv6 isn’t available end-to-end within your enterprise, “We recommend staying with IPv4 for now,” says Enders. “This is some of why IPv6 is slow to roll out. And you have to make sure all the relevant components are fully IPv6-compliant.”

Meanwhile, advises Enders, “If I were shopping for an IPsec or VPN technology, I would look for a vendor that offers a true dual-stack implementation of IPv6 and IPv4, so you are future-proofed. And the same applies when you have a refresh cycle — make sure you are getting true native support for IPv6.”

This provisioning includes any broadband gateways that home or remote users are getting, and also desktop operating systems. (Note: Both Windows 7 and MacOS include IPv6 support — however, this does not equate to guaranteeing that applications will work with IPv6.)
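One concrete way to act on the "native IPv6 end-to-end" advice above is to look at the IPv6 addresses a client, gateway or provider actually hands out and check whether any of them belong to a transition mechanism rather than to native IPv6. The following is an added example, not code from the article or from NCP engineering; it uses only Python's standard `ipaddress` module, makes no network calls, and the sample addresses are constructed for illustration (the 2a02:1234:5678::/48 prefix is made up, the 192.0.2.0/24 range is the documentation range).

```python
"""Audit IPv6 addresses for native versus transition-mechanism delivery.
Added example, not code from the original article. Standard library only,
no network access; all sample addresses are constructed values."""
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses
TRANSITION = {"ipv4-mapped", "6to4", "teredo"}  # IPv6 carried over IPv4 somewhere


def classify(addr_str):
    """Label one address; a TRANSITION label means IPv6 is not native end-to-end."""
    addr = ipaddress.ip_address(addr_str)
    if addr.version == 4:
        return "ipv4"
    if addr.ipv4_mapped is not None:  # ::ffff:a.b.c.d, an IPv4 socket in disguise
        return "ipv4-mapped"
    if addr.sixtofour is not None:  # 2002::/16, IPv6 tunnelled via an IPv4 relay
        return "6to4"
    if addr.teredo is not None:  # 2001::/32, IPv6 tunnelled through IPv4 NAT
        return "teredo"
    if addr.is_link_local:
        return "link-local"
    if addr in ULA:
        return "ula"
    if addr.is_global:
        return "native-global"
    return "other"  # loopback, documentation prefix, reserved ranges


def audit(addresses):
    """Count labels and decide whether the set shows native end-to-end IPv6:
    at least one globally routable IPv6 address and no transition addresses."""
    counts = {}
    for a in addresses:
        label = classify(a)
        counts[label] = counts.get(label, 0) + 1
    native = counts.get("native-global", 0) > 0 and TRANSITION.isdisjoint(counts)
    return counts, native


# Constructed samples: what a dual-stack client might report on its interfaces.
NATIVE_SAMPLE = [
    "192.0.2.10",                 # IPv4 side of the dual stack
    "fe80::1c2a:3b4c:5d6e:7f80",  # link-local, present on every IPv6 interface
    "2a02:1234:5678::1",          # constructed global unicast address
]
TUNNELLED_SAMPLE = [
    "192.0.2.10",
    "fe80::1c2a:3b4c:5d6e:7f80",
    "2002:c000:0204::1",          # 6to4 address embedding 192.0.2.4
]

if __name__ == "__main__":
    for name, sample in (("native", NATIVE_SAMPLE), ("tunnelled", TUNNELLED_SAMPLE)):
        counts, native = audit(sample)
        print(name, counts, "native end-to-end:", native)
```

The check deliberately treats IPv4-mapped, 6to4 and Teredo addresses as disqualifying: each means an IPv4 hop or relay sits somewhere on the path, which is exactly the situation the article recommends avoiding until native support is available.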

Steven J. Vaughan-Nichols, editor-in-chief of Practical Technology and independent contributor to publications including IEEE Spectrum and ZDnet, says, “IPv6 will make IPsec more popular than ever. After all, IPsec runs on IPv6. So, if you’re using IPsec-based VPNs today, one worry you’re not going to have about migrating to IPv6 is replacing or tuning IPsec. It’s already baked in.”

Daniel P. Dern is a freelance technology writer based in Newton Center, MA. You can read more of his work at his website or technology blog.

By Daniel P. Dern

What does the coming of IPv6 mean for companies relying on IPsec for secure site-to-site and remote VPN connections to the company network?

“Nothing would change,” says Rainer Enders, CTO, Americas, for NCP engineering. “From an end-user point of view, there is zero impact at the application layer. Using IPv6 instead of IPv4 will be transparent to the user.”

What does this mean for IT admins responsible for provisioning and administering IPsec VPNs and VPN capability? “You still have to have your VPN application in place, and that application has to be managed, monitored, and controlled,” says Enders. “You want to make sure you have the right technology deployed, for instance at the operating system, patch, and security level.”

IPv6 increases the need to have the appropriate security technology for VPNs and other networking activity, Enders notes. “Static firewalls work fairly well in an IPv4 environment, because there are other layers of protection, such as private addresses. However, with IPv6, the world is ‘flatter’ and much better connected. So IT admins will want a managed-client firewall, and take more security precautions, to focus more on protecting devices.”

Stay tuned for Part 2 on how a company can add IPv6 support.

CIO, By The Numbers: The Impact of Data Breaches
Network World, The SSL certificate industry can and should be replaced
InfoSec Island, How IPv6 and the Cloud Will Help Us be More Secure
CSO, IPv6 will change network attack surface, albeit slowly: Huston

On to the next post in our series debunking SSL myths. Today’s myth: Online banking via an SSL session is secure. The answer is [SPOILER ALERT] — false.

Companies often use SSL to secure sensitive information transfer from customers or partners. But vulnerabilities in this approach are frequently exposed. For example, a recent attack targeted CitiGroup’s 21 million customers and resulted in a 1% success rate. This might seem low, but remember that 1% of 21 million translates to 210,000 compromised users.

Even worse, the CitiGroup breach wasn’t an isolated case. Swiss researchers recently published a memo describing a way to gather information about the data transmitted over an SSL channel by exploiting a vulnerability in the implementations of block ciphers, such as AES. It’s worth noting that AES was developed by Defense Advanced Research Projects Agency (DARPA) and is widely accepted as the strongest form of encryption. The memo, however, pointed out that in certain circumstances, it’s possible to decrypt some of the data in the messages, including encrypted passwords.

This vulnerability is linked to the way error handling is implemented in applications that use the cipher-block chaining mode, such as AES in SSL. One of the best ways to avoid this pitfall is to never use the same key stream to encrypt two different documents.
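The error-handling problem described above, and the advice never to encrypt two different documents under the same key stream, can both be seen in a few dozen lines. The following is an added example, not code from the original post: a toy 16-byte Feistel cipher built on SHA-256 stands in for AES so the example runs on the Python standard library alone (it is not a real cipher and must never protect real data), and the keys, IVs and the sample record are constructed values. It puts a leaky receiver, which decrypts first and reports a padding failure differently from a MAC failure, beside a hardened one that authenticates the ciphertext before touching it and gives every tampered record the same single answer. It also shows why a reused IV is the CBC counterpart of a reused key stream: two records with the same plaintext prefix produce the same ciphertext prefix.

```python
"""CBC error handling: a leaky MAC-then-encrypt receiver beside a hardened one.
Added example, not code from the original post. The block cipher is a toy 16-byte
Feistel construction on SHA-256 standing in for AES so this runs on the standard
library alone; keys, IVs and the sample record are constructed values."""
import hashlib, hmac

BLOCK, ROUNDS, TAG = 16, 8, 32  # block size, toy cipher rounds, HMAC-SHA256 length

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):  # toy round function: truncated keyed SHA-256
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):  # runs the Feistel rounds in reverse
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):  # raises on malformed PKCS#7 padding
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))

# Leaky receiver: MAC-then-encrypt (the TLS 1.0 record layout) that reports a
# padding failure differently from a MAC failure. That distinction is the oracle.
def leaky_seal(enc_key, mac_key, iv, msg):
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, iv, pad(msg + tag))

def leaky_open(enc_key, mac_key, iv, ct):
    try:
        data = unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        return "bad_padding"
    expected = hmac.new(mac_key, data[:-TAG], hashlib.sha256).digest()
    return "accepted" if hmac.compare_digest(expected, data[-TAG:]) else "bad_mac"

# Hardened receiver: encrypt-then-MAC over IV and ciphertext, verified in constant
# time before any decryption, so every tampered record gets the same answer.
def hardened_seal(enc_key, mac_key, iv, msg):
    ct = cbc_encrypt(enc_key, iv, pad(msg))
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def hardened_open(enc_key, mac_key, iv, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return "rejected"
    unpad(cbc_decrypt(enc_key, iv, ct))  # only authentic records reach the cipher
    return "accepted"

def tamper_outcomes(open_fn, enc_key, mac_key, iv, blob, ct_len):
    # Flip the last byte of the penultimate ciphertext block through every non-zero
    # value (this XORs that byte into the final plaintext block) and collect answers.
    pos, outcomes = ct_len - BLOCK - 1, set()
    for delta in range(1, 256):
        forged = bytearray(blob)
        forged[pos] ^= delta
        outcomes.add(open_fn(enc_key, mac_key, iv, bytes(forged)))
    return outcomes

def same_first_block(key, iv_a, iv_b, msg_a, msg_b):
    # Under one key, a reused IV turns a shared plaintext prefix into a shared ciphertext prefix.
    return cbc_encrypt(key, iv_a, pad(msg_a))[:BLOCK] == cbc_encrypt(key, iv_b, pad(msg_b))[:BLOCK]

ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # use os.urandom() in practice
IV, IV2 = b"fixed-iv-reused!", b"another-16b-iv!!"
RECORD, RECORD2 = b"user=alice&password=hunter2", b"user=alice&password=letmein"

def compare_receivers():
    leaky_ct = leaky_seal(ENC_KEY, MAC_KEY, IV, RECORD)
    hard_blob = hardened_seal(ENC_KEY, MAC_KEY, IV, RECORD)
    return {
        "leaky": tamper_outcomes(leaky_open, ENC_KEY, MAC_KEY, IV, leaky_ct, len(leaky_ct)),
        "hardened": tamper_outcomes(hardened_open, ENC_KEY, MAC_KEY, IV, hard_blob, len(hard_blob) - TAG),
        "reused_iv_leaks_prefix": same_first_block(ENC_KEY, IV, IV, RECORD, RECORD2),
        "fresh_iv_hides_prefix": same_first_block(ENC_KEY, IV, IV2, RECORD, RECORD2),
    }
```

Running `compare_receivers()` shows the leaky receiver answering with two distinguishable errors across the 255 forgeries, which is the information an attacker needs to start recovering plaintext, while the hardened receiver answers "rejected" every time. The two design rules it encodes are the ones that matter for deployments: authenticate before decrypting and compare tags in constant time, and never reuse an IV under the same key.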

Cipher-block chaining also exhibits well-known weaknesses that can be exploited to break SSL communication. Just how easy it is to crack SSL/TLS was demonstrated recently by two researchers, Thai Duong and Juliano Rizzo. They demoed a straightforward attack against SSL/TLS using a Java applet to decrypt — or even take over — an SSL/TLS-secured session.

Of course, there are numerous ways an attacker can mount a successful attack against the Web browser—too many to name in this article. If you’re interested in more details, the Open Web Application Security Project (OWASP) is a good resource.