Sophie

Sophie

distrib > Mandriva > 2010.1 > x86_64 > by-pkgid > 965e33040dd61030a94f0eb89877aee8 > files > 3196

howto-html-en-20080722-2mdv2010.1.noarch.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>IPv6 security auditing</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Linux IPv6 HOWTO (en)"
HREF="index.html"><LINK
REL="UP"
TITLE="Security"
HREF="chapter-security.html"><LINK
REL="PREVIOUS"
TITLE="Access limitations"
HREF="x2317.html"><LINK
REL="NEXT"
TITLE="Encryption and Authentication"
HREF="chapter-encryption-authentication.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux IPv6 HOWTO (en)</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x2317.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 18. Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chapter-encryption-authentication.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="IPV6-SECURITY-AUDITING"
></A
>18.3. IPv6 security auditing</H1
><P
>Currently there are no comfortable tools out which are able to check a system over network for IPv6 security issues. Neither <A
HREF="http://www.nessus.org/"
TARGET="_top"
>Nessus</A
> nor any commercial security scanner is as far as I know able to scan IPv6 addresses.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2326"
></A
>18.3.1. Legal issues</H2
><P
>ATTENTION: always take care that you only scan your own systems or after receiving a written order, otherwise legal issues are able to come up to you.
CHECK destination IPv6 addresses TWICE before starting a scan.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2329"
></A
>18.3.2. Security auditing using IPv6-enabled netcat</H2
><P
>With the IPv6-enabled netcat (see <A
HREF="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing"
TARGET="_top"
>IPv6+Linux-status-apps/security-auditing</A
> for more) you can run a portscan by wrapping a script around which run through a port range, grab banners and so on. Usage example:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
># nc6 ::1 daytime
13 JUL 2002 11:22:22 CEST</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2334"
></A
>18.3.3. Security auditing using IPv6-enabled nmap</H2
><P
><A
HREF="http://www.insecure.org/nmap/"
TARGET="_top"
>NMap</A
>, one of the best portscaner around the world, supports IPv6 since version 3.10ALPHA1. Usage example:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
># nmap -6 -sT ::1
Starting nmap V. 3.10ALPHA3 ( www.insecure.org/nmap/ ) 
Interesting ports on localhost6 (::1): 
(The 1600 ports scanned but not shown below are in state: closed) 
Port       State       Service 
22/tcp     open        ssh 
53/tcp     open        domain 
515/tcp    open        printer 
2401/tcp   open        cvspserver
Nmap run completed -- 1 IP address (1 host up) scanned in 0.525 seconds</PRE
></FONT
></TD
></TR
></TABLE
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2339"
></A
>18.3.4. Security auditing using IPv6-enabled strobe</H2
><P
>Strobe is a (compared to NMap) more a low budget portscanner, but there is an IPv6-enabling patch available (see <A
HREF="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-apps.html#security-auditing"
TARGET="_top"
>IPv6+Linux-status-apps/security-auditing</A
> for more). Usage example:</P
><TABLE
BORDER="1"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="SCREEN"
># ./strobe ::1 strobe 1.05 (c) 1995-1999 Julian Assange &#60;proff@iq.org&#62;.
::1 2401 unassigned unknown
::1 22 ssh Secure Shell - RSA encrypted rsh 
::1 515 printer spooler (lpd)
::1 6010 unassigned unknown 
::1 53 domain Domain Name Server</PRE
></FONT
></TD
></TR
></TABLE
><P
>Note: strobe isn't really developed further on, the shown version number isn't the right one.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="AEN2345"
></A
>18.3.5. Audit results</H2
><P
>If the result of an audit mismatch your IPv6 security policy, use IPv6 firewalling to close the holes, e.g. using netfilter6 (see <A
HREF="firewalling-netfilter6..html"
>Firewalling/Netfilter6</A
> for more).</P
><P
>Info: More detailed information concerning IPv6 Security can be found here: </P
><P
></P
><UL
><LI
><P
><A
HREF="http://www.ietf.org/ids.by.wg/v6ops.html"
TARGET="_top"
>IETF drafts - IPv6 Operations (v6ops)</A
></P
></LI
><LI
><P
><A
HREF="http://www.faqs.org/rfcs/rfc3964.html"
TARGET="_top"
>RFC 3964 / Security Considerations for 6to4</A
></P
></LI
></UL
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="x2317.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chapter-encryption-authentication.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Access limitations</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="chapter-security.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Encryption and Authentication</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional