Cisco Blogs



IPv6 First Hop Security (FHS) concerns

There are a growing number of large-scale IPv6 deployments occurring within enterprise, university, and government networks. For these networks to succeed, the IPv6 deployments must be secure, and their quality of service (QoS) must rival that of the existing IPv4 infrastructure. An important security aspect to consider is the local link (Layer 2). Traditional Layer 2 security differs between IPv4 and IPv6 because, instead of using ARP as IPv4 does, IPv6 moves the traditional Layer 2 operations to Layer 3 using various ICMPv6 messages.

IPv6 introduces a new set of link-operation paradigms that differ significantly from IPv4. The changes include more end nodes permitted on a single link (up to 2^64) and larger neighbor caches on end nodes and the default router, which creates more opportunities for denial of service (DoS) attacks. There are also additional threats to consider in IPv6, including threats to the protocols in use, a couple of which are listed below:

  • Neighbor Discovery Protocol (NDP) integrates all link operations that determine address assignment, router discovery, and associated tasks.
  • Dynamic Host Configuration Protocol (DHCP) can have a lesser role in address assignment compared to IPv4.

Finally, non-centralized address assignment in IPv6 can create challenges for controlling address misuse by malicious hosts.

For more information on FHS concerns, read the new IPv6 FHS whitepaper.


Compliance-minded? Join the Conversation!

Share your knowledge by taking the 5-minute Cisco Regulatory and Industry Compliance Survey

Greetings from Cisco’s Compliance Solutions team!

Over the past several years, we have developed an architectural approach to achieving and maintaining regulatory and industry compliance. Our latest work provides – in great detail – both a framework for achieving PCI DSS compliance and recommendations about how to make your Cisco-based network PCI compliant.

To address the topic with authority, we integrated Cisco and technology partner products together into a comprehensive solution based on foundational Cisco architectures, had a QSA auditor – Verizon Business – assess it for PCI DSS 2.0 compliance, and documented the results in a publicly-available Design and Implementation Guide which can be found here: www.cisco.com/go/pci

Our team’s broader vision is to enable Cisco customers to manage risk by achieving and maintaining compliance with a broad range of regulatory and industry mandates. We believe that

  1. Your challenges around compliance are growing and that you are looking for sound guidance as you work to achieve and maintain compliance with multiple mandates;
  2. The value we deliver starts with a thoughtfully-developed architectural framework but also includes a broad array of Cisco and partner technology that has been tested and assessed by third party auditors;
  3. Integrated and proven compliance solutions will give you confidence in Cisco’s ability to act as the foundation for achieving and maintaining compliance.

Looking forward, we plan to engage in conversations with our readers. You will hear from the team regularly on a variety of topics and we’ll ask about your views as they relate to compliance. Your thoughtful responses will help guide our future work.

In that spirit, we are very interested in your thoughts right now! We developed the “2012 Cisco Regulatory and Industry Compliance Survey” which can be found at:
https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A773762B88

The survey is anonymous and it will take about 5 minutes to complete. In future blog posts, we will share the results with you.

Thanks in advance for your contribution.

Cisco Compliance Solutions Group
www.cisco.com/go/pci


The Missing Manual: CVRF 1.1 Part 2 of 2

This post is a continuation of The Missing Manual: CVRF 1.1 Part 1 of 2.

Praxis: Converting an existing document to CVRF

Now it’s time for some XML! Let’s take what you’ve learned and manually convert the Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities security advisory into a CVRF document. Please note that this process is meant to be instructive and is somewhat of a stream-of-consciousness narrative of how to manually build your first CVRF document. It is expected that, by and large, this process would itself be automated and that CVRF document producers would have in-house code to parse their own documents and emit CVRF.


The Missing Manual: CVRF 1.1 Part 1 of 2

Prolegomenon

In this post you will learn about some of the design decisions behind the 1.1 release of the Common Vulnerability Reporting Framework (CVRF). Particular attention is paid to explaining some of the required elements and the Product Tree. After those tasty tidbits, we will convert a recent Cisco security advisory into a well-formed and valid CVRF document. To close, you are treated to some of the items on the docket for future versions of CVRF. It bears mentioning that this paper is not meant to be an exhaustive explanation of the CVRF schemata. It is a rather capricious, if somewhat disorganized, look at some outliers that aren’t fully explained elsewhere. It is assumed the reader has a working knowledge of the Common Vulnerability Reporting Framework and of XML.



Should IT Fear Mother’s Day?

This past weekend was Mother’s Day here in the United States, and being a mother of two tech-savvy teenage children, I pondered what my kids had in store for me. I was surprised with the latest iPad! Eventually, I started asking myself: would Cisco allow me to use it for work?

Luckily, Cisco has a BYOD policy in place and a long-term Any Device vision, empowering our employees to use the device they want in order to be productive. For other working mothers who may also have gotten a new iPad or mobile device for Mother’s Day, what does your company say about using this new personal device? Will you “Lock It Up or Free It Up” (a notion introduced at the RSA conference this year)? How will the IT department respond to this request?

One of the biggest concerns folks have about BYOD is security. Just this past week, Cisco was showcasing our Secure BYOD solution at Interop, with the TechWiseTV folks sitting down with my colleague Bill McGee to help you answer the call of mobile devices on your corporate network. Take a look at the video for yourself: blurring the lines between personal and corporate devices doesn’t pose such a security challenge anymore. Related to this topic, we are holding a webcast on May 16th focused on the Network Built for the Mobile Experience. You can join our CTO and SVP, Padmasree Warrior, along with stories from British Telecom and Eagle Investment on how they are transforming their workplaces and allowing their employees to work “Your Way” without compromising the business. For more details click here, and for those who want to continue this conversation:

Working Mothers: I would like to hear from you. Did you get that new mobile device this Mother’s Day, or do you already have a neat personal device? Do you bring it into work? Do you share it with your family?

IT departments: What is your BYOD policy, and are you busy provisioning all those new mobile devices from this past weekend?
