RE: IPv6 support in IDS/IPS products

From: Palmer, Paul (ISSAtlanta) (PPalmer_at_iss.net)
Date: 11/03/05

  • Next message: Palmer, Paul (ISSAtlanta): "RE: RPC Evasion techniques"
    Date: Thu, 3 Nov 2005 14:53:12 -0500
    To: "David Williams" <dwilliamsd@gmail.com>, <focus-ids@securityfocus.com>
    
    

    I do not know anyone who has prepared a list of which IDS/IPS products
    support IPv6 and to what extent. It sounds like a golden opportunity for
    NSS to expand on their already world-class testing process and reports
    ;)

    The vendors that support it will likely take this opportunity to chime
    in. For our part, ISS supports IPv6. We recognize, report, and protect
    against attacks within IPv6 itself as well as fully decode the protocol
    to support all the different tunneling modes we have been able to
    discover: Native 6, 6 in 6, 6 in 4, 4 in 6, 6 over UDP (Teredo), 6 over
    GRE, 6 in GTP, 6 in 4 in GTP, 6 in 4 over GRE, etc. Any of our
    algorithms that trigger on traffic transmitted over IPv4 would also
    trigger if the traffic were transmitted over IPv6 or any of the various
    tunnel configurations.

    Paul

    -----Original Message-----
    From: David Williams [mailto:dwilliamsd@gmail.com]
    Sent: Sunday, October 30, 2005 9:53 AM
    To: focus-ids@securityfocus.com
    Subject: IPv6 support in IDS/IPS products

    Hi list,

    I've read that some IDS/IPS vendors can monitor IPv6, but not
    completely. For example, they might be able to alert on the presence of
    IPv6 traffic, but they can't actually do full analysis because they
    can't parse the headers correctly. Especially for things like IPv6
    tunneled over IPv4, or IPv6 tunneled over IPv6, etc.

    Does anybody have a list of which vendors support what, and to what
    extent?

    thanks,

    D

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

    to learn more.
    ------------------------------------------------------------------------

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------


  • Next message: Palmer, Paul (ISSAtlanta): "RE: RPC Evasion techniques"