-
The introduction of IPv6 gives rise to new security questions both for providers of enterprise networks and for private customers. After all, IPv6 offers new options to compromise a network. One the one hand, this includes variants of existing types of attack, on the other hand, IPv6 opens up new security gaps. To protect an IPv6 network, it is not merely required to clarify these basic security issues but also to find out whether the components used so far—i.e.firewalls, proxies or intrusion prevention systems (IPS)—are actually equipped for IPv6. Which is the correct method for migration under security aspects? Which changes occur due to the permanent availability of public addresses after the elimination of NAT? Which gaps appear in Windows operating systems due to tunneling mechanisms, such as Teredo, without even migrating to IPv6 and how can these gaps be mended? This course gives a detailed overview of these highly topical questions. The students will learn to assess the level of danger introduced in their networks by IPv6 and to plan comprehensive security measures.
-
Course Contents
-
- New points of attack through IPv6
- Securing IPv6 addressing
- The auxiliary protocols ICMPv6 and DHCPv6 from a security perspective
- IPv6 and First Hop Security
- Securing IPv6 networks
- Securing endpoints
- Securing routers for IPv6
- Adapt firewalls to IPv6
- Securing the migration
You will receive the comprehensive documentation package of the ExperTeach Networking series – printed documentation, e-book, and personalized PDF! As online participant, you will receive the e-book and the personalized PDF.
-
Target Group
-
This course is designed for planners, administrators and security managers intending to design, prepare, or assist in a migration to IPv6. Attendance at this course can be credited for T.I.S.P. recertification.
-
Knowledge Prerequisites
-
The students require sound know-how of the traditional IP world and need to be familiar with the new protocol. Participation in the course IPv6 - Addressing, Routing is often recommendable as a preparation. A further requirement is that the students know and understand common security concepts.
| 1 Basic safety considerations |
| 1.1 Basic considerations |
| 1.1.1 Security measures |
| 1.1.2 Personnel and service providers |
| 1.2 IPv4 and IPv6 security in comparison |
| 1.2.1 Differences between IPv4 and IPv6 |
| 1.3 The current security situation |
| 1.3.1 Vulnerable IPv6 stacks |
| 1.3.2 The firewall |
| 1.3.3 Intrusion Prevention System |
| 1.4 The IPv6 header from a security point of view |
| 1.4.1 The Flow Label - Covert Channel |
| 1.4.2 Extension Header Parsing |
| 1.4.3 Security relevance of the extension headers |
| 1.4.4 The filtering of IPv6 |
| 1.5 Testing the security - Tools for IPv6 Vulnerability Tests |
| 1.5.1 NMAP |
| 1.5.2 Nessus and OpenVAS |
| 1.5.3 Packet generators |
| 1.5.4 The THC tools collection |
| 1.5.5 SI6 tools |
| 2 IPv6 addressing from a security point of view |
| 2.1 Security relevance of NAT |
| 2.1.1 IPv6-IPv6 Network Prefix Translation (NAT66) |
| 2.2 Security considerations for address types |
| 2.2.1 EUI 64 - Large recognition value |
| 2.2.2 Temporary addresses |
| 2.3 Exploring IPv6 addresses |
| 2.3.1 Passive sniffing |
| 2.3.2 Detect-New-IP6 |
| 2.3.3 Multicast enumeration |
| 2.3.4 Alive6 |
| 2.3.5 Registry query |
| 2.3.6 IPv6 network scanning |
| 2.3.7 IPv6 address guessing |
| 2.3.8 DNS Reconnaissance |
| 3 IPv6 and First Hop Security |
| 3.1 Neighbor Discovery Attacks |
| 3.1.1 Trust Models and Threats |
| 3.1.2 NDP Spoofing |
| 3.1.3 Neighbor Unreachability Detection (NUD) |
| 3.1.4 DoS_New_IP6 |
| 3.1.5 NDP Exhaustion Attack |
| 3.1.6 Neighbor Advertisement Flooding |
| 3.2 SLAAC Attacks |
| 3.2.1 Rogue router |
| 3.2.2 Man in the Middle with RAs |
| 3.2.3 Faked Default Gateway |
| 3.2.4 RA flooding |
| 3.3 DHCPv6 attacks |
| 3.3.1 DHCPv6 Starvation |
| 3.3.2 Rogue DHCPv6 server |
| 3.4 ICMPv6 attacks |
| 3.4.1 Amplification attack |
| 3.4.2 Redirect attacks |
| 3.5 ACLs for security |
| 3.5.1 Rogue router exclusion |
| 3.5.2 Prevent rogue DHCP servers |
| 3.5.3 RA Guard |
| 3.5.4 DHCPv6 Guard/Shield |
| 3.5.5 NDP snooping |
| 3.5.6 NDP Inspection |
| 3.6 SEND |
| 3.6.1 Securing RAs with SEND |
| 3.6.2 SEND and stateful autoconfiguration |
| 4 Security of IPv6 networks |
| 4.1 Securing routers in IPv6 networks |
| 4.1.1 Setting up IPv6 ACLs |
| 4.1.2 Inbound traffic |
| 4.1.3 Address filtering |
| 4.1.4 Filtering ICMPv6 |
| 4.1.5 Securing routing protocols |
| 4.1.6 Authentication for routing protocols |
| 4.1.7 BGP-4 - Using Link Local Unicasts |
| 4.1.8 Preventing IP spoofing |
| 4.2 Adapt firewalls |
| 4.2.1 Questioning IPv6 capability |
| 4.2.2 Check Point |
| 4.2.3 Cisco ASA |
| 4.2.4 Palo Alto |
| 4.2.5 Fortinet |
| 4.2.6 Juniper |
| 4.2.7 Barracuda |
| 4.2.8 Customize objects |
| 4.2.9 Adding rule sets |
| 4.2.10 Bogon filtering |
| 4.3 Radius and IPv6 |
| 4.3.1 Establishing IPv6 connectivity |
| 4.3.2 Freeradius and IPv6 |
| 4.3.3 Microsoft - Network Policy Server |
| 4.3.4 RADIUS IPv6 attributes |
| 4.4 IPS in IPv6 networks |
| 4.5 Proxies in IPv6 networks |
| 4.6 IPsec in IPv6 networks |
| 4.6.1 Possible uses of IPsec |
| 4.6.2 Host to Host Scenario |
| 4.6.3 IPv6 VPNs |
| 4.6.4 IPv6 VPDN with IPsec |
| 4.6.5 IPsec RAS VPNs and IPv6 |
| 5 Security during migration |
| 5.1 Mental move to IPv6 |
| 5.2 IPv6 Latent Threats |
| 5.3 Dual Stack - Double Protection Required |
| 5.3.1 Endpoint Security from an IPv6 Perspective |
| 5.4 Questioning the benefits of tunnel technologies |
| 5.4.1 Questioning tunnel security |
| 5.4.2 Secure Configured Tunnel |
| 5.4.3 Encrypt tunnel traffic |
| A Lab Exercises |
| A.1 Lab Exercises in the Course |
| A.1.1 Lab Setup |
| A.2 Exercises Chapter 2 |
| A.3 Exercises Chapter 3 |
| B Lab exercises online |
| B.1 Lab exercises in the course |
| B.1.1 Lab setup |
| B.2 Exercises Chapter 2 |
| B.3 Exercises Chapter 3 |
-
Classroom training
- Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
-
Hybrid training
- Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
-
Online training
- You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
-
Tailor-made courses
-
You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.
Request for customized courses
You can find the complete description of this course with dates and prices ready for download at as PDF.-
The introduction of IPv6 gives rise to new security questions both for providers of enterprise networks and for private customers. After all, IPv6 offers new options to compromise a network. One the one hand, this includes variants of existing types of attack, on the other hand, IPv6 opens up new security gaps. To protect an IPv6 network, it is not merely required to clarify these basic security issues but also to find out whether the components used so far—i.e.firewalls, proxies or intrusion prevention systems (IPS)—are actually equipped for IPv6. Which is the correct method for migration under security aspects? Which changes occur due to the permanent availability of public addresses after the elimination of NAT? Which gaps appear in Windows operating systems due to tunneling mechanisms, such as Teredo, without even migrating to IPv6 and how can these gaps be mended? This course gives a detailed overview of these highly topical questions. The students will learn to assess the level of danger introduced in their networks by IPv6 and to plan comprehensive security measures.
-
Course Contents
-
- New points of attack through IPv6
- Securing IPv6 addressing
- The auxiliary protocols ICMPv6 and DHCPv6 from a security perspective
- IPv6 and First Hop Security
- Securing IPv6 networks
- Securing endpoints
- Securing routers for IPv6
- Adapt firewalls to IPv6
- Securing the migration
You will receive the comprehensive documentation package of the ExperTeach Networking series – printed documentation, e-book, and personalized PDF! As online participant, you will receive the e-book and the personalized PDF.
-
Target Group
-
This course is designed for planners, administrators and security managers intending to design, prepare, or assist in a migration to IPv6. Attendance at this course can be credited for T.I.S.P. recertification.
-
Knowledge Prerequisites
-
The students require sound know-how of the traditional IP world and need to be familiar with the new protocol. Participation in the course IPv6 - Addressing, Routing is often recommendable as a preparation. A further requirement is that the students know and understand common security concepts.
| 1 Basic safety considerations |
| 1.1 Basic considerations |
| 1.1.1 Security measures |
| 1.1.2 Personnel and service providers |
| 1.2 IPv4 and IPv6 security in comparison |
| 1.2.1 Differences between IPv4 and IPv6 |
| 1.3 The current security situation |
| 1.3.1 Vulnerable IPv6 stacks |
| 1.3.2 The firewall |
| 1.3.3 Intrusion Prevention System |
| 1.4 The IPv6 header from a security point of view |
| 1.4.1 The Flow Label - Covert Channel |
| 1.4.2 Extension Header Parsing |
| 1.4.3 Security relevance of the extension headers |
| 1.4.4 The filtering of IPv6 |
| 1.5 Testing the security - Tools for IPv6 Vulnerability Tests |
| 1.5.1 NMAP |
| 1.5.2 Nessus and OpenVAS |
| 1.5.3 Packet generators |
| 1.5.4 The THC tools collection |
| 1.5.5 SI6 tools |
| 2 IPv6 addressing from a security point of view |
| 2.1 Security relevance of NAT |
| 2.1.1 IPv6-IPv6 Network Prefix Translation (NAT66) |
| 2.2 Security considerations for address types |
| 2.2.1 EUI 64 - Large recognition value |
| 2.2.2 Temporary addresses |
| 2.3 Exploring IPv6 addresses |
| 2.3.1 Passive sniffing |
| 2.3.2 Detect-New-IP6 |
| 2.3.3 Multicast enumeration |
| 2.3.4 Alive6 |
| 2.3.5 Registry query |
| 2.3.6 IPv6 network scanning |
| 2.3.7 IPv6 address guessing |
| 2.3.8 DNS Reconnaissance |
| 3 IPv6 and First Hop Security |
| 3.1 Neighbor Discovery Attacks |
| 3.1.1 Trust Models and Threats |
| 3.1.2 NDP Spoofing |
| 3.1.3 Neighbor Unreachability Detection (NUD) |
| 3.1.4 DoS_New_IP6 |
| 3.1.5 NDP Exhaustion Attack |
| 3.1.6 Neighbor Advertisement Flooding |
| 3.2 SLAAC Attacks |
| 3.2.1 Rogue router |
| 3.2.2 Man in the Middle with RAs |
| 3.2.3 Faked Default Gateway |
| 3.2.4 RA flooding |
| 3.3 DHCPv6 attacks |
| 3.3.1 DHCPv6 Starvation |
| 3.3.2 Rogue DHCPv6 server |
| 3.4 ICMPv6 attacks |
| 3.4.1 Amplification attack |
| 3.4.2 Redirect attacks |
| 3.5 ACLs for security |
| 3.5.1 Rogue router exclusion |
| 3.5.2 Prevent rogue DHCP servers |
| 3.5.3 RA Guard |
| 3.5.4 DHCPv6 Guard/Shield |
| 3.5.5 NDP snooping |
| 3.5.6 NDP Inspection |
| 3.6 SEND |
| 3.6.1 Securing RAs with SEND |
| 3.6.2 SEND and stateful autoconfiguration |
| 4 Security of IPv6 networks |
| 4.1 Securing routers in IPv6 networks |
| 4.1.1 Setting up IPv6 ACLs |
| 4.1.2 Inbound traffic |
| 4.1.3 Address filtering |
| 4.1.4 Filtering ICMPv6 |
| 4.1.5 Securing routing protocols |
| 4.1.6 Authentication for routing protocols |
| 4.1.7 BGP-4 - Using Link Local Unicasts |
| 4.1.8 Preventing IP spoofing |
| 4.2 Adapt firewalls |
| 4.2.1 Questioning IPv6 capability |
| 4.2.2 Check Point |
| 4.2.3 Cisco ASA |
| 4.2.4 Palo Alto |
| 4.2.5 Fortinet |
| 4.2.6 Juniper |
| 4.2.7 Barracuda |
| 4.2.8 Customize objects |
| 4.2.9 Adding rule sets |
| 4.2.10 Bogon filtering |
| 4.3 Radius and IPv6 |
| 4.3.1 Establishing IPv6 connectivity |
| 4.3.2 Freeradius and IPv6 |
| 4.3.3 Microsoft - Network Policy Server |
| 4.3.4 RADIUS IPv6 attributes |
| 4.4 IPS in IPv6 networks |
| 4.5 Proxies in IPv6 networks |
| 4.6 IPsec in IPv6 networks |
| 4.6.1 Possible uses of IPsec |
| 4.6.2 Host to Host Scenario |
| 4.6.3 IPv6 VPNs |
| 4.6.4 IPv6 VPDN with IPsec |
| 4.6.5 IPsec RAS VPNs and IPv6 |
| 5 Security during migration |
| 5.1 Mental move to IPv6 |
| 5.2 IPv6 Latent Threats |
| 5.3 Dual Stack - Double Protection Required |
| 5.3.1 Endpoint Security from an IPv6 Perspective |
| 5.4 Questioning the benefits of tunnel technologies |
| 5.4.1 Questioning tunnel security |
| 5.4.2 Secure Configured Tunnel |
| 5.4.3 Encrypt tunnel traffic |
| A Lab Exercises |
| A.1 Lab Exercises in the Course |
| A.1.1 Lab Setup |
| A.2 Exercises Chapter 2 |
| A.3 Exercises Chapter 3 |
| B Lab exercises online |
| B.1 Lab exercises in the course |
| B.1.1 Lab setup |
| B.2 Exercises Chapter 2 |
| B.3 Exercises Chapter 3 |
-
Classroom training
- Do you prefer the classic training method? A course in one of our Training Centers, with a competent trainer and the direct exchange between all course participants? Then you should book one of our classroom training dates!
-
Hybrid training
- Hybrid training means that online participants can additionally attend a classroom course. The dynamics of a real seminar are maintained, and the online participants are able to benefit from that. Online participants of a hybrid course use a collaboration platform, such as WebEx Training Center or Saba Meeting. To do this, a PC with browser and Internet access is required, as well as a headset and ideally a Web cam. In the seminar room, we use specially developed and customized audio- and video-technologies. This makes sure that the communication between all persons involved works in a convenient and fault-free way.
-
Online training
- You wish to attend a course in online mode? We offer you online course dates for this course topic. To attend these seminars, you need to have a PC with Internet access (minimum data rate 1Mbps), a headset when working via VoIP and optionally a camera. For further information and technical recommendations, please refer to.
-
Tailor-made courses
-
You need a special course for your team? In addition to our standard offer, we will also support you in creating your customized courses, which precisely meet your individual demands. We will be glad to consult you and create an individual offer for you.
Request for customized courses
You can find the complete description of this course with dates and prices ready for download at as PDF.
Guaranteed with the next booking
Classroom Training
Hybrid Training
Trainer language German