Long story short, I am currently working a finding identified by the pentest company we hire annually to check both our external and internal vulnerabilities. One such vulnerability reported to us this year was that a bad actor could set up an IPv6 DHCP server to maliciously reroute such traffic through their server and perform man-in-the-middle attacks. We're a relatively small shop that only uses IPv4 (that's a discussion for a different day) and current IT leadership doesn't want to implement IPv6. Our DHCP servers are IPv6 capable, but nothing is configured. That said, they want this remediated so we can perform a rescan soon to verify we've fixed the issues identified. All of our network infrastructure is Cisco Catalyst hardware so any changes I am looking at are strictly IOS.
I will admit that while I have a degree in CIS, my career path since college diverged from that and has taken me more into SysAdmin and leadership than the nitty gritty networking security I thought I'd do. As such I am adept but anything IPv6 is still wayyyy above my head, and I have to balance time on this with all the other daily tasks I have to help run the business.
Anyway - I recently found some info on RAGuard which, to my understanding so far, should do the trick. I've watched some videos a redditor sent my way and at least feel like I understand the concept of what it's doing. The commands I have found are:
#ipv6 nd raguard policy SomeName #device-role host #int [interfaceID] #ipv6 nd raguard attach policy SomeName
Where I am struggling to understand is how this should be applied to our infrastructure and where. The examples I saw were focused on policing a specific port where the "bad actor server" was, but didn't really tell me how it'd work in a more generalistic way with how our network is laid out. At a high level, our networking is pretty linear, with a single ISP going through a Cisco 2921 router, a pair of HA PaloAlto firewalls, which are portchanneled to a 4-switch Cisco 3960 "core stack (where all our servers/VM clusters are patched in). From there, we have two edge stacks of Cisco 2960X switches which each have two portchanneled fiber connections to the 3960 core stack.
With all of that said... my questions are:
- How is RAguard applied to the three stacks of switches so we're adequately protected? The examples I've seen focused on applying it to a host, but I see that device-role has other options. I'm not really sure what they functionally do and whether any would apply to my example.
- Do I need to configure our DHCP servers for IPv6 in any way? And if I do, could that negatively impact production traffic? As mentioned, we have direction to not use/configure IPv6, but my understanding is that I need to configure RAGuard to trust somewhere...
I am sure I am forgetting crucial details here so feel free to ask. I can provide anything that might help you better understand what's going on and what I am trying to do.
Appreciate the help!
No comments:
Post a Comment