Cisco Blogs


Cisco Blog > Security

IPv6 First Hop Security (FHS) concerns

There are a growing number of large-scale IPv6 deployments occurring within enterprise, university, and government networks. For these networks to succeed, it is important that the IPv6 deployments are secure and the quality of service (QoS) must rival the existing IPv4 infrastructure. An important security aspect to consider is the local links (Layer 2). Traditional Layer 2 security differs between IPv4 and IPv6 because instead of using ARP—like IPv4—IPv6 moves the traditional Layer 2 operations to Layer 3 using various ICMP messages

IPv6 introduces a new set of technology link operations paradigms that differ significantly from IPv4. The changes include more end nodes that are permitted on the link (up to 2^64) and increased neighbor cache size on end nodes and the default router, which creates more opportunities for denial of service (DoS) attacks. There are also additional threats to consider in IPv6 including threats with the protocols in use, a couple of which are listed below:

  • Neighbor Discovery Protocol (NDP) integrates all link operations that determine address assignment, router discovery, and associated tasks.
  • Dynamic Host Configuration Protocol (DHCP) can have a lesser role in address assignment compared to IPv4.

Finally, non-centralized address assignment in IPv6 can create challenges for controlling address misuse by malicious hosts.

For more information on FHS concerns. read the new IPv6 FHS whitepaper.

Tags: , , ,

The Cost of Security During the Olympics

May 24, 2012 at 10:31 am PST

This summer the world will be watching London. At the same time, the city will have to deal with millions of extra people and the logistical challenges that go with it. Obviously, one of the most important of these challenges is security. We’ve all seen the furore in the papers about the government spending more on security than they initially planned – up from £282 million to over £550 million. . I don’t know about you, but I’d rather we spend the money than be underprepared during the Olympics and Paralympics…when all eyes are on London.

So, what does £550 million buy you these days? 23,700 security personnel to cover 100 venues, for a start. However, there are also virtual threats to consider. During the 2008 Beijing Olympics, China suffered 14 million online attacks. It’s no surprise; the information infrastructure is critical to the Games running smoothly. That’s why, as the networking infrastructure supporter  of the London 2012 Olympic and Paralympic Games, we’ve been working closely with BT and Atos as the Communications Services Partner and the Global IT Partner respectively to provide robust and secure network infrastructure. But it’s not just those involved in the Games that need to think about security. Businesses are vulnerable while the Games are on too. And it’s a time when they should be capitalising on increased demand and opportunity. Unfortunately 42% of businesses have not reviewed their security arrangements for the Games and will be vulnerable to serious threats throughout the Games period. A key part of this is ensuring their networks are set up to cope with increased demand and potential threats.

That’s why Cisco is holding a security webinar with Deloitte, Atos and G4S on June 1st at 12:30 pm (PST). Read More »

Tags: , , , , ,

Personal Security Incidents Can Put Everyone at Risk

When employees use their own devices for work, there’s no such thing as a personal security breach

It’s no exaggeration to say that mobile smart devices have changed the way people work. With smartphone in hand, employees now expect to be able to check email from their kid’s baseball game, finalize financial transactions on the fly, and log into cloud-based services at the gym—not to mention play Angry Birds whenever they want. The downside to this round-the-clock connectivity is the security risk it can introduce to your network and, because devices are personally owned, the difficulty of locking them down. These days, there’s no such thing as a personal security breach. A security incident on a personal device can put your entire network at risk.

Read More »

Tags: , , ,

The Missing Manual: CVRF 1.1 Part 2 of 2

This post is a continuation of The Missing Manual: CVRF 1.1 Part 1 of 2.

Praxis: Converting an existing document to CVRF

Now it’s time for some XML! Let’s take what you’ve learned and manually convert the Cisco RVS4000 and WRVS4400N Web Management Interface Vulnerabilities security advisory into a CVRF document. Please note that this process is meant to be instructive and somewhat of a stream-of-consciousness-narrative of how to manually build your first CVRF document. It is expected that, by and large, this process would itself be automated and CVRF document producers would have in-house code to parse their own documents and emit CVRF.
Read More »

Tags: , , , ,

The Missing Manual: CVRF 1.1 Part 1 of 2

Prolegomenon

In this post you will learn about some of the design decisions behind the 1.1 release of the Common Vulnerability Reporting Framework (CVRF). Particular attention is paid to explaining some of the required elements and the Product Tree. After those tasty tidbits, we will convert a recent Cisco security advisory into a well-formed and valid CVRF document. To close, you are treated to some of the items on the docket for future versions of CVRF. It bears mentioning that this paper is not meant to be an exhaustive explanation of the CVRF schemata. It is a rather capricious, if somewhat disorganized look at some outliers that aren’t fully explained elsewhere. It is assumed the reader has a working knowledge of the Common Vulnerability Reporting Framework and of XML.

Read More »

Tags: , ,