Would like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.
I have tested this from Linux running some internal penetration test apps,but specifically running Teredo tunneling in Local LAN that is able to completely bypass security paremeters such as websence filtering servers and be able to accessing internet IPv6 sites, even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside.. is like the PIX firewall never existed - wide opened door .
Blocking in outbound and inbound direction udp ports 3545 and 3544 seem to done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in.. Is this so ? Realy ? not to fast!!
None of our local systems - users PCs or servers have IPv6 stack enabled as a policy, however, in reality this poses a serious thread.
For example, Teredo tunneling running in a host inside LAN say by a user who is a hacker can use different UDP ports from the standard listening udp 3545/3544 ports, host will still be able to tunnel IPv6 through IPv4 again, in this case I want to have tool or a strategy that can detect this internally beside being blocked at the firewall, I am looking at AIP for our ASAs would this help? What other tools could I utilized to have some sort of IPv6 awareness in our LAN without having to rung IPv6 that can provide some visibility of this invisible traffic in IPv4 LANs.
Did you find any solution?
I have found only easy solution for ISATAP (blocking protocol 41), but blocking TEREDO (MIREDO) with ASA is problem.
Having router, I would have no trouble with blocking (ie:
http://www.networkworld.com/community/node/47270), but on Security appliance there is no option :
class-map type access-control, or class-map type stack.
There are a lot of ways of tunneling IPv6 over IPv4, so it's hard to block all of them. You can certainly get 99% of the low hanging fruit by:
1) block protocol 41. That takes out ISATAP, 6to4, default 6in4, and 6rd.
2) block the default Teredo server port, udp/3544.
In particular, this will stop the default tunneling behaviors by windows vista/7/8 clients. If you have to worry about GRE, IPSEC, and TLS as evasive measures you probably have bigger problems than just IPv6 tunneling.
Meanwhile, on the LAN side, you want to block rogue RA's and rogue DHCPv6 etc, so add some switchport ACL's or something. On our catalys 3570G's I use:
ipv6 access-list v6client
deny udp any eq 547 any eq 546
deny icmp any any router-advertisement
deny icmp any any redirect
permit ipv6 any any
ipv6 traffic-filter v6client in
on the access switchports. I have a related v4 ACL too, of course.
-- Jim Leinweber, WI State Lab of Hygiene