I knew the topic of IPv6 Security was likely to see many changes in the years to come because it is such a dynamically evolving technology area. One of the topics that didn’t make it into our book on IPv6 Security was Cisco’s Intrusion Prevention System (IPS) 6.2. In November 2008 the book had already gone to the printing process when Cisco announced this new version of their IPS software. Therefore, I have been anxious to test the software and see the new IPv6 features.
One of the problems that I have encountered is that IPS 6.2 is not supported on the Cisco 4215 IPS sensor. In fact, the 4215 is end of sale and end of life (EOS/EOL). This is the only sensor model that I have ready access to in our lab. The Release Notes for IPS 6.2(1)E3 confirm that the 4215 has been thrown by the wayside and we will have to upgrade our lab to stay current. Therefore, I have no way of testing it but I have been reading the documents on the software version and Cisco’s 4200 IPS Sensors.
Here are some links to the critical documents that you should read if you are going to deploy this latest IPS 6.2 software.
IPS 6.2 Install Guide
The drivers for Cisco to incorporate IPv6 capabilities into their IPS sensors is to capture business of U.S. government customers who have a mandate to only purchase products that have some form of IPv6 capability. While the definition of “IPv6-capable” has been hotly debated, procurement officers look for the word IPv6 somewhere in the product description to help justify the purchase. Cisco says that they have “Support for IPv6”, “Cisco IPS software provides protection for both IPv4 and IPv6 networks”, “The Atomic IP Advanced engine enhances the detection capabilities of Cisco IPS platforms with native IPv6 inspection capabilities”, and “IME filtering, grouping, and reporting elements support IPv6 addresses in addition to IPv4 addresses.”
Cisco IPS 6.2 is supported on the 4200-series IPS Sensors, the ASA AIP module, the IDSM-2, the AIM-IPS for ISRs, and the NME-IPS. Cisco IPS Device Manager (IDM) or Cisco IPS Manager Express (IME) can still be used to manage the IPS 6.2 sensors in addition to the CLI.
IPS 6.2 still has the same Atomic IPv6 signatures, 1600-1607 as previous IPS versions. However, IPS 6.2 adds the ability to configure IPv6 addresses. You can configure a Target Value Rating (TVR) using an IPv6 address of the critical host.
The problem is that the IPv6 capabilities are only supported on the 4200 appliance IPS sensors. This is documented in the Release Notes. The issue is that with the AIM-IPS, ASA AIP-SSM, IDSM-2, and NME-IPS don’t have any capabilities to get the IPv6 traffic sent to these modules from their base router/switch or firewall platform. The IPS 6.2 software can inspect the IPv6 traffic but if you can’t send the IPv6 traffic from the router to the module then the module can’t even begin to inspect the traffic for IPv6 signatures. On Cisco Catalyst switches VACLs don’t support handling IPv6 traffic. Therefore, the only option to get the IPS 6.2 traffic from the switch to the ISDM-2 is to use the Switch Port ANalyzer (SPAN) ports.
Jamey Heary wrote about this in his blog entries titled “Yet another trick for spanning ports and capturing traffic on Cisco switches” and “VACL capture provides Cisco customers an unlimited number of SPAN ports.”
The IPS 6.2 Release Notes also documented server other caveats related to IPv6 traffic. The release notes mentions that “AD does not support IPv6 traffic; only IPv4 traffic is directed to the AD processor” and “IPv6 does not support the following event actions: Request Block Host, Request Block Connection, or Request Rate Limit.” There is also a bug in the IPS 6.2 software that is documented in the release notes with the issue number “CSCsj14632—IP fragmented attacks through IPv4-in-IPv6 tunnel can be missed.” This caveat seems to indicate that if IPv6 traffic is encapsulated in an IPv4 tunnel that the IPS sensor won’t be able to inspect the traffic. This is not necessarily a surprise because it has been widely known that encapsulating IPv6 traffic will help avoid detection by firewalls and IPSs.
I think that Cisco is moving in the right direction by incorporating more IPv6 capabilities into their security products. Even though the IPv6 support in IPS 6.2 is not perfect I think it is more that most organizations need at the present time because of the slow pace of IPv6 migrations. I think that by the time that most organizations need full IPv6 IPS capabilities, Cisco will have a product that is far ahead of its competitors. I look forward to checking out the new IPv6 security features that Cisco develops.