by Josef Weiss
September 15, 2015
The IPv4 Systems with IPv6/Teredo Detected collection leverages a variety of Nessus credentialed and uncredentialed checks to identify IPv6 addresses configured on audited IPv4 devices. Devices with Teredo enabled are also displayed. Proper deployment of IPv6 is critical to reduce abuse or malicious activity. This collection assists the analyst in determining if IPv6 or Teredo exists within your network.
While tunnels can provide vital connectivity between IPv4 and IPv6 networks, they can also introduce a security risk. Tunnels should be kept to a minimum and used only where required and necessary. In many cases tunnels obscure traffic and network security systems are less likely to identify potential attacks and threats.
In many cases, IPv6 is enabled by default, but not always properly configured. Many security devices, such as firewalls, still focus mainly on IPv4 and not IPv6 traffic. This can leave systems exposed and allow malicious attacks to bypass security controls.
Leveraging the following plugins, this dashboard identifies IPv4 systems on your network that have configured IPv6 interfaces:
- 45405 – Reachable IPv6 Address [labeled as Live IPv6]
- 25202 – Enumerate IPv6 Interfaces via SSH [labeled as Unix v6]
- 24272 – Network Interfaces Enumeration (WMI) [labeled as Win v6]
- 14788 – IP Protocols Scan [labeled as v6 to v4]
Plugin 24727 reports both IPv6 and IPv4 interfaces, so a vulnerability text filter of “/64” is used alongside this plugin to match only reports that contain IPv6 addresses. Plugin 14788 reports all supported IP protocols such as TCP, UDP and ICMP. For this dashboard, support for IP protocol 41 is filtered by combining a text filter of “IPv6” and plugin 14788. Plugins 25202 and 24272 require credentials to audit Unix or Windows systems.
The IPv4 Systems with IPv6/Teredo Detected collection also contains several components to assist in Teredo detection. Teredo was originally developed by Microsoft to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. This data can traverse through NAT devices, which can introduce an attack vector not normally monitored. Teredo nodes (relays) that have access to the IPv6 network then receive the packets, unencapsulate them, and route them on. Since Teredo assigns globally routable IPv6 addresses to network hosts behind NAT devices, it is important to keep track of systems with this feature enabled.
The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Monitoring.
The dashboard requirements are:
- Tenable.sc 4.8.2
- Nessus 8.6.0
- NNM 5.9.0
Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus and passive vulnerability detection with the Nessus Network Monitor (NNM). Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network, in order to best protect its network from network compromise and data breaches.
The dashboard contains the following components:
- IPv4 Systems with IPv6/Teredo Detected - IPv6 Trend - The IPv6 Trend is a trend chart of each of the four IPv6 plugin filters over the past twenty-five days. Leveraging several plugins, the trend identifies IPv4 systems on your network that have configured IPv6 interfaces. These devices are classified as Live IPv6, Windows, Unix, and IPv6 to IPv4 Systems.
- IPv4 Systems with IPv6/Teredo Detected - Teredo Client Trending - Teredo was originally developed by Microsoft to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. This data can traverse through NAT devices, which can introduce an attack vector not normally monitored. This component trends Teredo client activity detected in your network with PVS over the last 7 days.
- IPv4 Systems with IPv6/Teredo Detected - IPv6 Devices - The IPv6 Devices component is a matrix used to enumerate each LAN, the number of active IP addresses on the LAN, and a percentage of IPv6 reported information for each type of check identified above. A color coded bar chart is used to graph the percentages of devices, using red for more than 50% presence of IPv6, yellow for more than 25% presence, and green for under 25% presence. This component may require some custom changes to reflect proper address space within your organization.
- IPv4 Systems with IPv6/Teredo Detected - Teredo Server Detection - Teredo was originally developed by Microsoft to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. This data can traverse through NAT devices, which can introduce an attack vector not normally monitored. This component reports on Teredo Servers detected in your network by both passive and active methods. Displayed is the IP address, NetBIOS and DNS name (if available) of the detected servers.
- IPv4 Systems with IPv6/Teredo Detected - Teredo Client Detection - Teredo was originally developed by Microsoft to provide IPv6 connectivity by encapsulating IPv6 datagram packets within IPv4 User Datagram Protocol (UDP) packets. This data can traverse through NAT devices, which can introduce an attack vector not normally monitored. This component reports on Teredo clients detected in the network by Nessus Network Monitor. Displayed is the IP address, NetBIOS and DNS name (if available) of the detected clients.