Network security protection under IPv6 scale deployment: IPv6 security technology (issue 7)
Thanks to its huge address space, IPv6 has natural advantages in coping with some security attacks. Network security is enhanced in terms of traceability, resistance to hacker sniffing, the Neighbor Discovery Protocol (NDP) and Secure Neighbor Discovery (SEND), and end-to-end IPSec secure transmission.
This article is part of a series explaining network security protection under the action plan for the scale deployment of Internet Protocol version 6 (IPv6). Following the previous issue on the impact of IPv6 on the industry, this issue focuses on IPv6 security technologies.
Traceability
IPv6's huge address space allows a unique address to be allocated to every network device, so there is no need to work around address shortage with NAT as in IPv4 networks. This makes later tracing easier and improves security.
Anti-hacker sniffing capability
Because IPv6 addresses are so numerous, it is much harder for hackers to apply the sniffing techniques used in IPv4 networks.
NDP & SEND
In IPv6, ARP is replaced by the Neighbor Discovery Protocol (NDP). NDP identifies the other nodes on the link, determines their addresses, and finds available routers. Compared with ARP, NDP is confined to the local link and is less dependent on the underlying transmission medium. The Secure Neighbor Discovery (SEND) protocol of the next-generation Internet secures NDP through a cryptographic mechanism of its own, independent of IPSec.
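The mechanism SEND relies on is the Cryptographically Generated Address (CGA, RFC 3972): the interface identifier is derived from a hash of the node's public key, so a receiver can check that the node announcing an address actually holds the key bound to it. The following Python example is added here for illustration and is not code from the original article; it implements CGA generation and verification with a constructed stand-in byte string in place of the DER-encoded RSA public key a real node would use. The RSA signature that SEND additionally places on the NDP message is not shown.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded RSA public key that a real SEND node
# carries in its CGA Parameters; any byte string works for the hashing shown here.
EXAMPLE_PUBKEY = b"constructed-stand-in-for-a-DER-encoded-RSA-public-key"


def _hash1(modifier: bytes, prefix8: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1 (RFC 3972): leftmost 64 bits of SHA-1 over modifier|prefix|count|key."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2 (RFC 3972): leftmost 112 bits of SHA-1 over modifier|9 zero bytes|key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _leading_bits_zero(data: bytes, n: int) -> bool:
    """True if the n leftmost bits of data are all zero."""
    return (int.from_bytes(data, "big") >> (len(data) * 8 - n)) == 0


def generate_cga(prefix: str, pubkey: bytes, sec: int, modifier: bytes = None,
                 collision_count: int = 0):
    """Return (address, cga_parameters) for a /64 prefix and a public key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("need a /64 prefix, Sec in 0..7 and collision count in 0..2")
    prefix8 = net.network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Hash extension: for Sec > 0, search for a modifier whose Hash2 starts with
    # 16*Sec zero bits. This is the work anyone forging an address must spend too.
    while sec > 0 and not _leading_bits_zero(_hash2(modifier, pubkey), 16 * sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix8, collision_count, pubkey))
    # Bits 0-2 of the interface ID carry Sec; bits 6 and 7 (u/g) are forced to zero.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    params = {"modifier": modifier, "prefix": prefix8,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix8 + bytes(iid)), params


def verify_cga(address, params: dict) -> bool:
    """Check that address was derived from params (what a SEND receiver does)."""
    packed = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2 or packed[:8] != params["prefix"]:
        return False
    iid = packed[8:]
    sec = iid[0] >> 5
    expected = _hash1(params["modifier"], params["prefix"],
                      params["collision_count"], params["pubkey"])
    # Compare all IID bits except Sec (bits 0-2) and u/g (bits 6-7) of the first byte.
    mask = bytes([0x1C]) + bytes([0xFF] * 7)
    if bytes(a & m for a, m in zip(iid, mask)) != bytes(b & m for b, m in zip(expected, mask)):
        return False
    return sec == 0 or _leading_bits_zero(_hash2(params["modifier"], params["pubkey"]), 16 * sec)


if __name__ == "__main__":
    addr, p = generate_cga("2001:db8:1::/64", EXAMPLE_PUBKEY, sec=1)
    print(addr, verify_cga(addr, p))
```

The verification step is the defender's side: a receiver that sees a Neighbor Advertisement carrying CGA parameters recomputes Hash1 and rejects the binding if the interface identifier does not match, which is what prevents a node without the matching key from claiming someone else's address.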
End-to-End IPSec secure transmission capability
IPSec provides data origin authentication, integrity, and confidentiality for every node in an IPv6 network, enabling end-to-end encrypted communication.
Q1 What is the difference between the new security features of IPv6 and those of IPv4?
In terms of network security, IPv6 changes only the IP header and the addressing method, with the end-to-end security mechanism built in. Compared with IPv4, therefore, IPv6 does not greatly improve the prevention of current security risks.
Q2 For security reasons, IPv4 networks use NAT to hide internal IP addresses. Do IPv6 networks also need a similar technology to improve security?
IPv6 Network Prefix Translation (NPTv6, RFC 6296) can implement a function similar to IPv4 NAT: it maps IPv6 addresses so that internal IPv6 addresses are hidden.
Q3 How does IPv6 affect the methods used to detect and defend against application-layer attacks?
Application-layer defense functions generally include protocol identification, IPS, anti-virus, URL filtering, and so on. They mainly inspect the application-layer payload of packets and are almost unaffected by whether the network-layer protocol is IPv4 or IPv6. Therefore, most application-layer security capabilities from the traditional IPv4 environment are unaffected in an IPv6 network.
However, a small number of protocols need to change in an IPv6 network. For example, when DNS is upgraded to DNSv6, the corresponding application-layer security detection needs to be adjusted to match the protocol changes.
Q4 IPv6 adds end-to-end IPSec encryption capability in its extension headers. If an application enables this function, how can network security devices detect and defend against the encrypted traffic?
Generally, network security devices cannot decrypt IPSec-encrypted traffic and can only control it based on IP addresses. In practice, this "embedded" IPSec requires key distribution technology that is generally not mature and has a high management cost. Moreover, since a network security device normally cannot decrypt IPSec traffic, firewalls and other security devices cannot inspect it at the network and application layers, so in a sense system security cannot be fully guaranteed. For general enterprise applications, considering both management cost and security, we recommend continuing to terminate IPSec VPN encryption and decryption on the firewall, performing security checks such as IPS and stateful firewalling at the gateway, and deploying end-to-end encryption only once the technology is mature.
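Unlike IPv4 NAT, NPTv6 is stateless and one-to-one: it rewrites only the prefix and compensates for the change in the 16-bit subnet word (bits 48..63) so that TCP/UDP/ICMPv6 checksums, which cover the addresses through the pseudo-header, stay valid without being recomputed. The Python example below is added here and is not from the original article; it implements the /48 case of RFC 6296 Section 3.1 with constructed internal and external prefixes, and includes a check that a translated address is indeed checksum-neutral.

```python
import ipaddress


def ones_add(a: int, b: int) -> int:
    """One's complement addition of two 16-bit words (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def addr_words(addr: ipaddress.IPv6Address) -> list:
    """The eight 16-bit words of an IPv6 address, most significant first."""
    p = addr.packed
    return [int.from_bytes(p[i:i + 2], "big") for i in range(0, 16, 2)]


def words_to_addr(words) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


class NPTv6:
    """Stateless, checksum-neutral /48 prefix translation (RFC 6296, Section 3.1)."""

    def __init__(self, internal_prefix: str, external_prefix: str):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        # Assumption of this example: both prefixes are /48, so the subnet word is bits 48..63.
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example only handles /48 prefixes")
        int_sum = ones_sum(addr_words(self.internal.network_address)[:3])
        ext_sum = ones_sum(addr_words(self.external.network_address)[:3])
        # adjustment = internal - external in one's complement arithmetic; fixed for the translator's life.
        self.adjustment = ones_add(int_sum, (~ext_sum) & 0xFFFF)

    def _translate(self, addr, from_net, to_net, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in from_net:
            raise ValueError(f"{addr} is not inside {from_net}")
        w = addr_words(addr)
        w[:3] = addr_words(to_net.network_address)[:3]   # rewrite the prefix
        new_subnet = ones_add(w[3], adjustment)          # absorb the checksum delta in bits 48..63
        w[3] = 0x0000 if new_subnet == 0xFFFF else new_subnet  # 0xFFFF and 0x0000 are both zero
        return words_to_addr(w)

    def outbound(self, internal_addr):
        """Internal source address -> external address seen on the outside."""
        return self._translate(internal_addr, self.internal, self.external, self.adjustment)

    def inbound(self, external_addr):
        """External destination address -> internal address, undoing the adjustment."""
        return self._translate(external_addr, self.external, self.internal,
                               (~self.adjustment) & 0xFFFF)


def checksum_neutral(a, b) -> bool:
    """True if swapping address a for b leaves a pseudo-header checksum unchanged."""
    sa = ones_sum(addr_words(ipaddress.IPv6Address(a)))
    sb = ones_sum(addr_words(ipaddress.IPv6Address(b)))
    norm = lambda s: 0 if s == 0xFFFF else s
    return norm(sa) == norm(sb)


if __name__ == "__main__":
    # Constructed prefixes: ULA inside, documentation prefix outside.
    t = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    out = t.outbound("fd01:203:405:1::2")
    print(out, t.inbound(out), checksum_neutral("fd01:203:405:1::2", out))
```

Because the mapping is algorithmic, the subnet word changes along with the prefix; this is what gives NPTv6 its "hiding" effect without the connection-tracking state, timeouts, and port rewriting that IPv4 NAT needs.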
Q5 Is the SSL proxy affected under IPv6?
The SSL proxy does not depend on the specific network-layer protocol, so it can still decrypt IPv6 SSL-encrypted traffic.
Q6 How is security policy management implemented through the firewall for IPv6 networks? How does it differ from the IPv4 security policy?
Security policy control for IPv6 is the same as for IPv4: rules still have to be configured one by one as ACL-based five-tuples (source address, destination address, source port, destination port, protocol). The only difference is that IPv6 addresses are longer, which makes policy configuration more complex.
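To make the "same model, longer addresses" point concrete, the following Python example (added here, not part of the original article) evaluates an ordered five-tuple ACL over a constructed dual-stack policy. The rule names, prefixes, and flows are all made up; the evaluation logic is the usual first-match with implicit deny, and the only family-specific step is that a rule written for one address family can never match traffic of the other.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src: str                          # source prefix in CIDR form, IPv4 or IPv6
    dst: str                          # destination prefix in CIDR form
    proto: str                        # "tcp", "udp", "icmp", "icmpv6" or "any"
    dport: Optional[Tuple[int, int]]  # inclusive destination port range; None = any

    def matches(self, src_ip, dst_ip, proto: str, dport: int) -> bool:
        src_net = ipaddress.ip_network(self.src, strict=False)
        dst_net = ipaddress.ip_network(self.dst, strict=False)
        # A rule written for one address family never matches the other family.
        if src_ip.version != src_net.version or dst_ip.version != dst_net.version:
            return False
        if src_ip not in src_net or dst_ip not in dst_net:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


def evaluate(rules, src: str, dst: str, proto: str, dport: int = 0):
    """First-match evaluation over an ordered rule list; no match means deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy: the same five fields, written once per address family.
POLICY = [
    Rule("web-v6", "permit", "2001:db8:10::/48", "2001:db8:20::5/128", "tcp", (443, 443)),
    Rule("web-v4", "permit", "10.0.0.0/8", "192.0.2.10/32", "tcp", (443, 443)),
    Rule("nd-v6", "permit", "fe80::/10", "ff02::/16", "icmpv6", None),
    Rule("deny-all-v6", "deny", "::/0", "::/0", "any", None),
    Rule("deny-all-v4", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


if __name__ == "__main__":
    for flow in [("2001:db8:10:1::7", "2001:db8:20::5", "tcp", 443),
                 ("10.1.2.3", "192.0.2.10", "tcp", 443),
                 ("fe80::1", "ff02::1", "icmpv6", 0)]:
        print(flow, evaluate(POLICY, *flow))
```

Note the explicit permit for link-local ICMPv6: IPv6 depends on Neighbor Discovery to function at all, so a policy that simply copies an IPv4 "deny everything else" rule without it will break connectivity rather than harden it.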
Q7 After IPv4/IPv6 dual-stack is enabled on an existing security device, what impact does it have on the functions and performance of IPv4 services?
Enabling IPv4/IPv6 dual-stack generally does not affect the functions of a security device; the main impact is on performance. Because the IPv6 stack consumes CPU, memory, and other resources that were serving IPv4, the existing IPv4 services may see varying degrees of reduction in session table capacity, new-session rate, and throughput. We recommend evaluating the processing capacity of existing security devices before upgrading to or enabling IPv4/IPv6 dual-stack, and replacing them if necessary to avoid affecting existing IPv4 services.