<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ITdojo</title>
	<atom:link href="http://www.itdojo.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.itdojo.com</link>
	<description>The Place of the Way</description>
	<lastBuildDate>Wed, 15 Feb 2012 14:30:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Security Through Obscurity</title>
		<link>http://www.itdojo.com/2011/12/30/security-through-obscurity/</link>
		<comments>http://www.itdojo.com/2011/12/30/security-through-obscurity/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 17:18:12 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[IT Training]]></category>
		<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/?p=711</guid>
		<description><![CDATA[The effectiveness of Security through Obscurity is closely related to the knowledge (or lack thereof) of the attacker. If someone is unaware of how a particular technology works, the data is obscured by the nature of the technology. Once some understanding is had by your adversary, however, the security vanishes. Some examples are: 1. Not [...]]]></description>
			<content:encoded><![CDATA[<p>The effectiveness of Security through Obscurity is closely related to the knowledge (or lack thereof) of the attacker.  If someone is unaware of how a particular technology works, the data is obscured by the nature of the technology.  Once some understanding is had by your adversary, however, the security vanishes.  </p>
<p>Some examples are:</p>
<p>1.  Not broadcasting your WLAN SSID.  Or, if you do broadcast it, setting it to something silly (though comical) like OUTOFRANGE or UNAVAILABLE or ERROR.<br />
2.  Using Port Security or MAC Filtering as the sole mechanism for controlling access to your network.<br />
3.  Hiding files in obscure file system directory structures because &#8220;nobody will find them there.&#8221;<br />
4.  Using older/seldom used wireless technologies to transmit data (HomeRF, OpenAir, etc.).<br />
5.  Setting your computer name to something obscure like UNKNOWN so that unwitting users misinterpret the output.</p>
<p>Examples like #1 and #5 are meant to be tongue-in-cheek offerings in class.  </p>
<p>Hopefully nobody would ever consider them to be valid efforts at security&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/12/30/security-through-obscurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The SYO-301 Security+ Exam Replaces the SYO-201</title>
		<link>http://www.itdojo.com/2011/12/23/the-syo-301-security-exam-replaces-the-syo-201/</link>
		<comments>http://www.itdojo.com/2011/12/23/the-syo-301-security-exam-replaces-the-syo-201/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 19:46:11 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/?p=682</guid>
		<description><![CDATA[The time is here. After December 31, 2011, the SYO-201 Security+ Exam will have expired. The new one, SYO-301, has been available since May of this year and will be taking its place completely. Don&#8217;t worry too much though, there isn&#8217;t an unreasonable amount of new information in it. The CompTIA Security+ Certification is a [...]]]></description>
			<content:encoded><![CDATA[<p>The time is here.  After December 31, 2011, the SYO-201 Security+ Exam will have expired.  The new one, SYO-301, has been available since May of this year and will be taking its place completely.  Don&#8217;t worry too much though, there isn&#8217;t an unreasonable amount of new information in it.</p>
<p>The CompTIA Security+ Certification is a vendor-neutral credential.  The CompTIA Security+ exam is an internationally recognized validation of foundation-level security skills and knowledge, and is used by organizations and security professionals around the globe.  </p>
<p><a href="http://certification.comptia.org/Libraries/Exam_Objectives/CompTIA_Security_SY0-301.sflb.ashx" title="New SYO-301 Security+ Exam Objectives.">Take a peek here to see the newest exam&#8217;s objectives!</a>  It&#8217;s a great study guide as well!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/12/23/the-syo-301-security-exam-replaces-the-syo-201/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What DoD Directive 8570.01 is All About and What It Means to You</title>
		<link>http://www.itdojo.com/2011/12/23/what-dod-directive-8570-01-is-all-about-and-what-it-means-to-you/</link>
		<comments>http://www.itdojo.com/2011/12/23/what-dod-directive-8570-01-is-all-about-and-what-it-means-to-you/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 14:08:25 +0000</pubDate>
		<dc:creator>Admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/?p=644</guid>
		<description><![CDATA[Directive 8570.01 is an initiative that sets out to provide guidance and procedures for training, certification, and management of the members of the Department of Defense (DoD) workforce who hold positions related to Information Assurance. The agencies this directive is applicable to are the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of [...]]]></description>
			<content:encoded><![CDATA[<p>Directive 8570.01 is an initiative that sets out to provide guidance and procedures for training, certification, and management of the members of the Department of Defense (DoD) workforce who hold positions related to Information Assurance. </p>
<p>The agencies this directive is applicable to are the Office of the Secretary of Defense (OSD), the Military Departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Office of the Inspector General of the Department of Defense, the Defense Agencies, the DoD Field Activities, and all other organizational entities in the Department of Defense. </p>
<p>The objective of this directive is to give the DoD workforce a general and common understanding of the concepts and administration of Information Assurance principles relevant to each “category, specialty, level and function to enhance protection and availability of DoD information, information systems, and networks.” Think of it as an Information Assurance Workforce Improvement Program. Through the use of standardized testing, the DoD will validate this working knowledge and the skills learned. </p>
<p>The certifications used in this validation program will have a strong connection to the Information Assurance workforce levels and duties. Over time, “certification holders must ensure that their certificates stay active. Expired certifications must be renewed and expired certifications are not to be considered in the workforce reports.” Also stated in the directive is that “within 6 months of assignment of IA duties, all IAT personnel must achieve the appropriate IA certification unless a waiver is granted.” “Personnel who are not appropriately certified within 6 months of assignment to a position or who fail to maintain their certification status shall not be permitted privileged access.” </p>
<p>The list of certifications that have been approved by the DoD are as follows: </p>
<p>A+<br />
Network+<br />
Security+<br />
SCNA (Security Certified Network Architect)<br />
SCNP (Security Certified Network Professional)<br />
SSCP (System Security Certified Practitioner)<br />
CISSP (Certified Information Systems Security Professional)<br />
GSEC (GIAC Security Essentials Certification)<br />
GISF (GIAC Information Security Fundamentals)<br />
GSLC (GIAC Security Leadership Certificate)<br />
CISM (Certified Information Security Manager)<br />
CISA (Certified Information Security Auditor) </p>
<h3>How Can ITdojo Help?</h3>
<p>To help get you or your staff into compliance with the DoD 8570.01 directive, ITdojo offers several instructor-led seminars that, along with giving you quality knowledge for your Information Assurance position, will also help you prepare for several of the qualifying certifications listed above. </p>
<h3>Our current offerings include:</h3>
<p>Security Fundamentals (Security+ Certification Training)<br />
Network Fundamentals (Network+ Certification Training)<br />
CISSP Preparation Training<br />
SSCP Preparation Training </p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/12/23/what-dod-directive-8570-01-is-all-about-and-what-it-means-to-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv4 Scar Tissue</title>
		<link>http://www.itdojo.com/2011/06/24/ipv4-scar-tissue/</link>
		<comments>http://www.itdojo.com/2011/06/24/ipv4-scar-tissue/#comments</comments>
		<pubDate>Fri, 24 Jun 2011 09:18:34 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[IPv6 Migration]]></category>
		<category><![CDATA[/126]]></category>
		<category><![CDATA[/64]]></category>
		<category><![CDATA[conservation]]></category>
		<category><![CDATA[depletion]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[subnetting]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/ipv6blog/?p=161</guid>
		<description><![CDATA[I recently read a few articles from around the Internet regarding the debate surrounding the use of /64 or /126 prefixes on P2P links. Here is a response I left on another site: &#8220;The idea of using /126s is little more than scar tissue from our experience with IPv4. It is the application of [...]]]></description>
			<content:encoded><![CDATA[<p>I recently read a few articles from around the Internet regarding the debate surrounding the use of /64 or /126 prefixes on P2P links.</p>
<p>Here is a response I left on another site:</p>
<p style="padding-left: 30px;"><em>&#8220;The idea of using /126s is little more than scar tissue from our experience with IPv4.  It is the application of old ideas to new technologies, and the argument that the addresses are being wasted is irrelevant.  “We’re never going to use this many addresses” is a saying that is uttered with full knowledge that we said something similar 30 years ago (and we were so horribly wrong).  We are afraid that we lack the foresight to anticipate what IP will become and once again allow history to repeat itself.</em></p>
<p style="padding-left: 30px;"><em>I have contemplated the seemingly insane: a world where jars of oregano and bottle caps have IPv6 addresses.  If I give an IPv6 address to every single item in my home, including separate IPv6 addresses for each sock in a pair, I cannot begin to tax the address space available to me as an individual.  Corporate considerations are equally unaffected.</em></p>
<p style="padding-left: 30px;"><em>Using anything other than /64s for any link is going to do little more than add additional complexity with no solid benefit.  The conservation argument is inappropriate and I encourage anybody who wants to make it to return to the drawing board with a calculator and some imagination so they can re-learn the futility of trying to put pressure on the IPv6 address space.</em></p>
<p style="padding-left: 30px;"><em>We will have figured out a technology better than IP long before we begin to put pressure on the IPv6 address space.  This is true even when the day comes that we need to extend the IPv6 address space to support the <a title="The United Federation of Planets" href="http://en.wikipedia.org/wiki/United_Federation_of_Planets" target="_blank">United Federation of Planets</a>.  <img src="http://s1.wp.com/wp-includes/images/smilies/icon_wink.gif?m=1305452023g" alt=" IPv4 Scar Tissue"  title="IPv4 Scar Tissue" /></em></p>
<p style="padding-left: 30px;"><em>Colin Weaver&#8221;</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/06/24/ipv4-scar-tissue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>June 8th 2011 is World IPv6 Day</title>
		<link>http://www.itdojo.com/2011/06/03/june-8th-2011-is-world-ipv6-day-you-need-to-play/</link>
		<comments>http://www.itdojo.com/2011/06/03/june-8th-2011-is-world-ipv6-day-you-need-to-play/#comments</comments>
		<pubDate>Fri, 03 Jun 2011 18:57:16 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[General IPv6]]></category>
		<category><![CDATA[tunnel]]></category>
		<category><![CDATA[world ipv6 day]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/ipv6blog/?p=154</guid>
		<description><![CDATA[June 8th, 2011 is World IPv6 Day! If you aren&#8217;t already running IPv6 this is as good a time as any to get your systems set up to play on the IPv6 Internet. Head over to the official World IPv6 Day web site and get going. http://worldipv6day.org/]]></description>
			<content:encoded><![CDATA[<p>June 8th, 2011 is <a title="World IPv6 Day" href="http://worldipv6day.org/" target="_blank">World IPv6 Day</a>!  If you aren&#8217;t already running IPv6 this is as good a time as any to get your systems set up to play on the IPv6 Internet.</p>
<p>Head over to the official World IPv6 Day web site and get going: <a title="June 8th is World IPv6 Day!!!" href="http://worldipv6day.org/" target="_blank">http://worldipv6day.org/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/06/03/june-8th-2011-is-world-ipv6-day-you-need-to-play/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Life Without NAT</title>
		<link>http://www.itdojo.com/2011/06/02/a-life-without-network-address-translation-nat/</link>
		<comments>http://www.itdojo.com/2011/06/02/a-life-without-network-address-translation-nat/#comments</comments>
		<pubDate>Thu, 02 Jun 2011 11:39:39 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[IPv6 Migration]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[migration]]></category>
		<category><![CDATA[nat]]></category>
		<category><![CDATA[network address translation]]></category>

		<guid isPermaLink="false">http://www.itdojo.com/ipv6blog/?p=146</guid>
		<description><![CDATA[Network Address Translation &#8211; A Black Mark on IPv4&#8217;s Name Why do people use Network Address Translation? Because they always have, that’s why. “That’s the way we’ve always done it” is one of the dumbest reasons we do things. It precludes continued thought and absolves us of the responsibility to think about why we are doing [...]]]></description>
			<content:encoded><![CDATA[<p>Network Address Translation &#8211; A Black Mark on IPv4&#8217;s Name</p>
<p>Why do people use Network Address Translation?<br />
Because they always have, that’s why.  “That’s the way we’ve always done it” is one of the dumbest reasons we do things.  It precludes continued thought and absolves us of the responsibility to think about why we are doing something.  Network Address Translation (NAT) has been a bellwether of the Internet world for so long that many of us can’t remember a time without it.  Many in the business rally around its role as a mechanism of security in our networks, “hiding the internal network” from the outside world.  When presented in such a light it certainly sounds compelling.  Being hidden from the evil, nasty outside world?  Yeah!  I-want-to-go-to-there.<br />
Alas, it’s a crock.  A fib.  And in the words of Don King, a falsitude.  NAT exists for one single reason:  To help alleviate the pressure on the IPv4 address space.  Forced to conserve IP addresses, we long ago began using “private” IP addresses on our internal networks.  Private IP addresses, by design, are not routed by Internet routers.  It’s not that there is anything inherently wrong with the addresses.  They’re just designated by RFC 1918 as being “private,” and any packet on the Internet coming from or going to one of those addresses should be dropped by Internet routers (via ACL or via the lack of a route in the default-free routers).  As a result, any node configured to use an RFC 1918 private IP address is doomed to a life without Internet connectivity.  Now, enter your nemesis doing business as a friend:  NAT.  With a NAT device configured with a private IP address on the internal (private) interface and a public, Internet-routable IP address on the external (Internet) interface, we can translate the IP address of packets leaving the private network on their way to the public one.  At this very moment there are billions of computers accessing the Internet via this exact mechanism (including the one I am using to write this).  NAT and private IP addressing are like peas and carrots, Bonnie and Clyde, chips and salsa, Lois and Clark, and Colin and awesomeness.  They just go together.<br />
NAT got lumped into the security mechanism category when it became normal to include NAT and firewalling capabilities in the same device.  But hear me on this one very important point.  THE FIREWALLING FUNCTION OF A DEVICE AND THE NAT FUNCTION OF A DEVICE HAVE NOTHING TO DO WITH ONE ANOTHER.  They just happen to be taking place on the same device.  The firewalling function controls what is allowed in and what is allowed out.  In some cases it can also be used to control whether or not a packet will be NAT-ed.  The NAT function occurs after the firewalling function has made an ALLOW decision.  To summarize, the firewalling function protects the inside from the outside and the NAT function translates the addresses to allow the un-routable to become routable.</p>
<p>NAT-free Network &#8211; Global Unicast Addresses for Everybody!!! Bye-Bye NAT!</p>
<p>What happens when there is no longer any pressure on the IP address space?  Imagine there are more addresses available than we can conceive uses for (famous last words, I know).  If there is no pressure on the IP address space, why do you need a device to translate the private to the public (and back again)?  Uh, you don’t.  So, no pressure on address space means no NAT necessary.  We still need the firewall function, of course.  The need to protect the inside from the outside will remain forever.  And there it is, the future:  IP version 6.  IPv6 eliminates the pressure on the IP address space.  Everybody on this planet will have enough IP addresses available to them that they will never again have to worry about whether or not there are enough IP addresses.  Well good.  That’s one less thing to worry about, right?  All that remains is the need to firewall.  And that is all that needs to stand between your so-called private network and the Internet.  And that’s the way it should be.  For some of us that will be a new paradigm.  Without that false sense of security we get from NAT there are many who will feel exposed with their internal nodes having public IP addresses and only a firewall (or two or three or four) to protect them from the nasties.  Trust me, it’s going to be OK.</p>
<p>IPv6!!!!</p>
<p>Cheers,</p>
<p>Colin Weaver</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/06/02/a-life-without-network-address-translation-nat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPv6 Means Never Again Having to Wonder&#8230;</title>
		<link>http://www.itdojo.com/2011/05/29/ipv6-means-never-again-having-to-wonder/</link>
		<comments>http://www.itdojo.com/2011/05/29/ipv6-means-never-again-having-to-wonder/#comments</comments>
		<pubDate>Mon, 30 May 2011 00:26:24 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[General IPv6]]></category>
		<category><![CDATA[default route]]></category>
		<category><![CDATA[ipv6]]></category>
		<category><![CDATA[link-local]]></category>
		<category><![CDATA[router advertisement]]></category>

		<guid isPermaLink="false">http://67.20.90.56/ipv6blog/?p=118</guid>
		<description><![CDATA[&#8230;about the IP address of your default router (default gateway in IPv4-speak). It&#8217;s tough to argue against the fact that most IPv6 addresses are not much fun to type.  Being four times longer than IPv4 addresses and expressed in hexadecimal means things can get ugly on the keyboard pretty quickly.  For people in the IT [...]]]></description>
			<content:encoded><![CDATA[<p>&#8230;about the IP address of your default router (default gateway in IPv4-speak).</p>
<p>It&#8217;s tough to argue against the fact that most IPv6 addresses are not much fun to type.  Being four times longer than IPv4 addresses and expressed in hexadecimal means things can get ugly on the keyboard pretty quickly.  For people in the IT field one very common mechanism for testing IP connectivity is to ping the default gateway.  And in IPv4 networks, the default gateway is always different for every layer-3 network.  It has now been a thousand bajillion times in my career that I have either asked someone or told someone what the default gateway is for a host that is having connectivity problems.  In IPv6 the ability (or inability) to ping the default router is just as helpful as it ever was in IPv4.  But there are a few apparent problems/challenges:</p>
<ol>
<li>IPv6 default router addresses can be painfully long.  Something like fe80::21a:a0ff:fe97:9ad3 is not unusual.  That&#8217;s a lot to type and if it fails you are always going to have to double-check to make sure you didn&#8217;t fat-finger the address (&#8220;Can I really not ping the gateway or is it that I just can&#8217;t type?&#8221;)</li>
<li>Assuming you have more than one interface in your device (an ethernet card and a WLAN card, for instance) you will need to specify the interface when pinging the link-local IPv6 address of the default router.  Because every interface has a link-local IPv6 address the system won&#8217;t know out which interface to send the packet unless you tell it.
<ul>
<li>For Windows:  ping fe80::21a:a0ff:fe97:9ad3<em>%15</em> (where <strong>%15</strong> identifies the interface number)</li>
<li>For Linux: ping -I eth0 -c 5 fe80::21a:a0ff:fe97:9ad3 will do it.</li>
</ul>
</li>
</ol>
<p>By all outward appearances the days of simply pinging your (default) gateway are gone.  But wait!  Not so!  What may at first glance appear to many as an unwelcome addition of complexity can actually be much simpler than anything IPv4 could have offered.  Consider these facts:</p>
<ol>
<li>Unless otherwise configured most routers will automatically advertise themselves as a default router on each network segment they support.  This means that your devices never need to be configured with a default router; they learn it automatically by listening to the router&#8217;s advertisements.  Effort required by IT staff:  zero.</li>
<li>Odd as it seems the IPv6 address of the default router is usually a link-local IPv6 address.  Link-local addresses are only relevant and useful on the local network segment (hence the name).  They have no meaning on other interfaces, even when those interfaces are on the same device.  This means that the link-local IPv6 address on interface fa0/1 of your router has nothing to do with the link-local IPv6 address on interface fa0/2 of the same router.  And this is true even though the addresses are technically on the same logical subnet (fe80::/10).  In IPv4 the router admins would be getting errors about overlapping networks but not so with IPv6.  The magic here is that the link-local IPv6 addresses on fa0/1 and fa0/2 are not overlapping or conflicting because they are not on the same network.  This means that they can even have the exact same IPv6 address and not conflict with each other!  That&#8217;s outright blasphemy in IPv4!  And this is exactly what I suggest you give some thought to doing:  make the link-local IPv6 address for every router interface in your whole internal network the exact same address (something simple, like fe80::1111 would do nicely).</li>
<li>If every router interface has the same link-local IPv6 address the answer to the &#8220;what  is the default router&#8217;s address&#8221; question is never again going to be a mystery; it&#8217;s the same address for every single computer in your enterprise, no matter what network/VLAN they are currently connected to.</li>
</ol>
<p>In the diagram below the two PCs are on different physical networks (which translates to different logical layer-3 networks as well).  Both have a link-local IPv6 address that allows them to communicate with other nodes on their local LAN segment.  They cannot communicate with each other using these addresses.  They will need a Unique-Local or Global Unicast address if they want to exchange packets.  Each device has the same default router &#8230;or so it seems.  In actuality they both have a different default router; the address just happens to be the same.  The node on the left side of the diagram communicates with the link-local address configured on fa0/1 of the router.  The node on the right communicates with the link-local address configured on fa0/2 of the router.  The fact that both of those interfaces happen to have the same address is not relevant; the addresses are link-local.</p>
<p style="text-align: center;"><img class="aligncenter size-full wp-image-124" title="IPv6 Link-Local IPv6 Address Configuration" src="http://67.20.90.56/ipv6blog/wp-content/uploads/2011/05/ipv6-link-local.jpg" alt="ipv6 link local IPv6 Means Never Again Having to Wonder..." width="525" height="252" /></p>
<p>Once you come to terms with functionality like this you begin to understand how IPv6 can take networking to a new level while sometimes, just sometimes, making things simpler in the process.</p>
<p>Cheers,</p>
<p>Colin Weaver</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/05/29/ipv6-means-never-again-having-to-wonder/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In the World I See&#8230;</title>
		<link>http://www.itdojo.com/2011/05/20/in-the-world-i-see/</link>
		<comments>http://www.itdojo.com/2011/05/20/in-the-world-i-see/#comments</comments>
		<pubDate>Fri, 20 May 2011 12:17:47 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[General IPv6]]></category>

		<guid isPermaLink="false">http://67.20.90.56/ipv6blog/?p=104</guid>
		<description><![CDATA[I wrote this post several years ago.  By writing it I was trying to get people to begin to think about how the size of the IPv6 address space, when combined with RFID technologies, was going to change everything about how they manage their lives.  I wrote this way before NetFlix began streaming content, before [...]]]></description>
			<content:encoded><![CDATA[<p>I wrote this post several years ago.  By writing it I was trying to get people to begin to think about how the size of the IPv6 address space, when combined with RFID technologies, was going to change everything about how they manage their lives.  I wrote this way before NetFlix began streaming content, before Amazon&#8217;s Kindle and before the iPad.  When I recently re-read the post I laughed at how so much of what I wrote was already possible or being done in a completely new and innovative way (e.g. better than I had foreseen).  The sum total of innovation made by forward-thinking individuals continues to take the capacity of technology to places we seldom imagine.  Things once thought laughable and impossible become reality in short order.  So I present the blog post below as a still relevant reflection on where I saw (and still see) things heading.  And here it is:</p>
<hr />
<p>In the world I see my toaster will have an IPv6 address.  So will my alarm clock, my washer and dryer, my dishwasher, my oven, my microwave, my home theater components, my remote controls, my light switches, my sprinkler system, my garage doors, my ceiling fans, my garbage disposal, my keg-erator, my hot water heater, my air conditioner, my water purifier and my refrigerator.</p>
<p>I know.  Many of these devices already have IPv6 addresses.  But I see a world beyond that.  In the world I see the books in my library will have IPv6 addresses (if paper books are still printed, that is).  They will be in my entertainment database and I can query a myriad of information about them.  My system will look them up on-line and return an author bio, related materials, suggested readings, blog posts about the book and other such information.  In the world I see all I need to do is buy the book and bring it home.  When I come in the door it will be automatically detected and added to a pending queue in my database.  Once approved it will become part of my collection.  Its location will be monitored in my home.  If I misplace it I will be able to use my wireless location system to find its exact location (was it in the upstairs or downstairs bathroom?).  The current induced into the book by my RFID system will reveal all to me.</p>
<p>My car keys will never be lost in the house again.  Neither will my TV remote control.  Nor my cell phone or my wrist watch.  Their location will be tracked.  RFID.  The IPv6 address of my keys will be different than those of my wife.  I won’t find her keys.  I will find mine.</p>
<p>In the world I see the milk in my fridge will have an IPv6 address.  So will the bread on my counter and the box of Triscuits in my pantry (Cracked Pepper and Olive Oil are the best).  The Earl Grey tea (Picard) in my cupboard will have an IPv6 address and so will each individually labeled packet it contains.  The cinnamon, taragon, red peppers, basil and oregano won’t be left out.  Those jars will also be IPv6 enabled.  When I buy these products and bring them home they will be automatically added to my kitchen database.  When they are used and disposed of they will be automatically removed.  As they approach their last day of freshness I will receive an informational warning on my refrigerator display as well on the main page of my home management system.  If I choose I will also receive an email alert.  Perhaps I will choose to have a periodic message played over my home sound system.  So many choices.  When they exceed their expiration date I will receive an email notification telling me of their demise.  This includes my bananas, my apples and my pears.  That little sticker on each piece of fruit …that’s got an IPv6 address that is read via RFID.  Nothing will expire without my being warned.  “Waste is a thief!” When is the Ben &amp; Jerry’s I bought going to get freezer burned?  I don’t know.  Buy my kitchen does.  She will tell me.</p>
<p>In the world I see the IPv6 address on my milk carton is only the beginning.  I will not only know the expiration date of the milk but I will also know whether it is skim, 1%, 2% or whole.  I will know the brand, the nutritional information and I will know how much milk is left in the container.  I will be able to query this from work and know if a fresh glass is waiting for me upon my return.  This is also true of tonight’s dinner.  I’m feeling like breakfast for dinner.  In the world I see I will be able to query my kitchen to verify the necessary ingredients are available to make waffles, sausage (patties, not links), bacon, scrambled eggs, english muffins, orange juice (I’ll need two glasses, please), coffee and fresh strawberry’s.  If an any ingredients are missing I will be notified and an order for the missing components of tonight’s dinner will be submitted to my favorite grocery store.  The order will be pulled, paid for with my credit card linked account and waiting for me to pick up on my way home.  Or maybe I will have it delivered.  After dinner is done I will be able to store my leftovers in a programmable plastic container (patented burp!) indicating the contents, the date/time of storage and any other information I choose.  No longer will I find moldy surprises at the back of the fridge.  Carpe leftovers!</p>
<p>In the world I see my car will have an IPv6 address.  Many of them, actually.  After verifying that the doors are locked I will be able to start my car from my iPhone while shaving in my bathroom.  The songs I downloaded last night to my home music library will be automatically synced to my car or, if I choose, my car will be connected via VPN to my home and will stream the content directly from my home library.  This will be true no matter where I drive.  My 200 terabyte movie library will be available to my daughter as we drive to visit grandma and grandpa.  She will enjoy the latest high-definition episodes of Sesame Street or Max &amp; Ruby.  Or perhaps we will just talk to each other as we drive.  Technology, after all, isn’t a babysitter.  And of course, the oil filter will be IPv6 enabled, as will the other filters in the car.  We shouldn’t forget the windshield washer fluid level nor the ability to synchronize my current mileage with the manufacturer’s recommended maintenance.  It’s all there.  Maintenance history, fuel economy, and tire wear …it’s all automatically recorded for me.  Seeing a used car for sale with all the maintenance history will be the norm, not the exception.</p>
<p>In the world I see the air filters installed in my HVAC system will be changed regularly.  I won’t forget about them any more.  Their installation date is automatically recorded in my home management system (HMS) and I am notified when it is time to change them.  If my supply of filters is running low I can configure my HMS to automatically order replacements.  I need only accept them from the delivery driver, not even needing to know that they were ordered until they arrive.  Or, if I don’t trust my system that much, I can approve the order before it goes out.  My choice.</p>
<p>In the world I see the efficiency of my AC unit will be monitored.  As the efficiency drops because the system gets dirty, I will be notified.  A service call can be scheduled and paid for with the click of a button.  As I come to trust her judgment I will let her (my HMS, that is) make the appointment for me automatically.  I’ll know the work was done well because my system will report efficiency improvements to me.  I’ll have evidence to support complaints of sub-par work.  I will also be able to query the amount of hot water available in my hot water heater.  I will be able to compile reports on hot water usage by user and/or faucet to determine who is consuming the greatest quantities.  If my son is taking 40-minute showers while I’m at work, I’ll need to explain to him that it costs money to make water hot.  If necessary, excessive use of hot water can be automatically deducted from his allowance (which is automatically deposited into his bank account, of course).  This is also true of his propensity to stand in front of the open fridge, staring aimlessly at the food.  Does he feel that cold air falling on his feet?  It’s not cold air, actually.  It’s nickels and dimes.  Excessive use results in automated allowance deductions.  But I don’t have to catch him doing it.  My kitchen monitors when he opens the fridge, how long it stays open and what he takes out.  I think it will be called a KIDS, a Kid Idiocy Detection System (or maybe it’s Kid Idiocy Prevention System, a KIPS).  Did I mention that we all have RFID chips embedded under our skin?</p>
<p>In the world I see my liquor cabinet is also safe from my teenage daughter and her boyfriend.  When I’m not home my HMS is configured to monitor when a bottle is moved or the amount in a bottle changes.  Each bottle, like the milk in the fridge, comes with an IPv6 address.  If a bottle is moved I am immediately sent an email and a text message.  The cameras in my home security system also begin to automatically record the culprit.</p>
<p>In the world I see virtually everything will have an IPv6 address.  IPv6 plus RFID will connect my home in ways I could not comprehend a few short years ago.  Unlike some I welcome the time when this is true.  Some people, those not like me, are horrified by the idea.  We will probably never agree on things such as this.  The gap is too wide between us.  Why am I so happy to have a world like this?  Simple:</p>
<p>1.  I love technology (but not as much as you, ya’ see.  But I still love technology …always and forever …always and forever).<br />
2.  This much technology so deeply integrated into our lives will require a MASSIVE amount of information networking and information security.  And that’s what I do.  This means I will ALWAYS have a job.  …I guess you database types will be doing OK, too.<br />
3.  Did I mention that I love technology?  I’m excited to see where we can go with this.</p>
<p>Other people are thinking about this.  IPv6 is the enabler.  The faster we move toward it, the faster the world I see will become a reality.  Check out what RFID is doing, too.</p>
<p>Colin Weaver<br />
ITdojo</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/05/20/in-the-world-i-see/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Debate Surrounding Section 6.5.4.1</title>
		<link>http://www.itdojo.com/2011/05/20/the-debate-surrounding-section-6-5-4-1/</link>
		<comments>http://www.itdojo.com/2011/05/20/the-debate-surrounding-section-6-5-4-1/#comments</comments>
		<pubDate>Fri, 20 May 2011 11:49:03 +0000</pubDate>
		<dc:creator>Colin</dc:creator>
				<category><![CDATA[All Things IPv6]]></category>
		<category><![CDATA[General IPv6]]></category>
		<category><![CDATA[IPv6 Migration]]></category>
		<category><![CDATA[allocation]]></category>
		<category><![CDATA[home use]]></category>
		<category><![CDATA[IANA]]></category>
		<category><![CDATA[isp]]></category>
		<category><![CDATA[service provider]]></category>

		<guid isPermaLink="false">http://67.20.90.56/ipv6blog/?p=87</guid>
<description><![CDATA[The IANA (Internet Assigned Numbers Authority) distributes IPv6 addresses to RIRs (Regional Internet Registries) around the world. At the moment there are five RIRs and each of them is responsible for allocating IPv6 address space to ISPs (Internet Service Providers) and, in some cases, End-User organizations.  Once a block of addresses is allocated to an [...]]]></description>
<content:encoded><![CDATA[<p>The IANA (Internet Assigned Numbers Authority) distributes IPv6 addresses to RIRs (Regional Internet Registries) around the world. At the moment there are five RIRs and each of them is responsible for allocating IPv6 address space to ISPs (Internet Service Providers) and, in some cases, End-User organizations.  Once a block of addresses is allocated to an ISP it becomes their responsibility to distribute the address space to their customer base.</p>
<p>Let&#8217;s assume that an ISP is allocated a /32 by ARIN.  In the early days of IPv6 it was often said that everyone would be given a /48 by their provider.  And when I say &#8216;everybody&#8217;, I mean everybody, including residential households.  Each /32 allows for 65,536 /48s and each /48 allows for 65,536 /64s.  Because of what appears to be an almost infinitely abundant address space it seemed to make sense to keep things simple (e.g. give everybody a /48) and to eliminate the likelihood that an individual or an organization would actually run out of addresses.  Now I have always loved that a design objective for IPv6 was to create an address space that had enough addresses so we no longer had to worry about addresses.  I like the &#8220;let&#8217;s put this thing to bed for good&#8221; philosophy.  It&#8217;s tantamount to choosing quality over price; pay for something of quality and it will last a lifetime but buy something cheap and you&#8217;ll have to buy it over and over during your life, ultimately paying more than you would have for quality.  But even in my most wild and extravagant imaginings I can&#8217;t conjure uses for, much less a need for, 65,536 subnets at my house (my very own /48).  This is especially true considering the fact that each of those 65,536 /64s supports more than 18.4 quintillion hosts.  And in all seriousness, even if I could make up a way to use that many networks can you name a consumer who would have the financial resources to buy all of the gear necessary to build it?  A /48 for everybody who wants one is excessive but it also accomplishes the objective of putting the &#8220;I&#8217;m running out of IP addresses&#8221; complaint to bed forever.  And there are also some technical arguments regarding routing table size and hardware speed/efficiency that suggest it is inefficient to make prefixes smaller than /48.</p>
<p>I consider myself to be pretty geeky so ideas like IP-enabled milk cartons are incredibly exciting to me.  But even when I sit down and dream up crazy ways to network my home I find it difficult to come up with a need for more than a few dozen subnets.  Chances are that my IP address needs would be forever satisfied with shortages never being a concern even if I had to struggle along with a /56.  A /56 gives me 256 subnets to putter about with at my house and I can&#8217;t, for the life of me, think of ways that my house would need a 257th network.  But I&#8217;m starting to push it when I suggest that the same is also true for a /60.  With a /60 I will have 16 subnets to work with.  And that seems a little too tight a space to work in for me.  With a /60 I can see highly-technical homes having subnet issues.</p>
<p>It has long been assumed (by me) that ISPs would balk at the idea of giving /48s to their client base.  If a single /48 can be carved into 256 /56s and few to no customers are going to complain about having to solve their networking needs with a /56 it only makes sense that ISPs would do it.  Everybody is technically satisfied and the ISPs can hoard their other /48s for future use.  And by &#8220;future&#8221; I mean that they would probably never use them.  The decision on whether or not your ISP was going to give you a /48, /56, /60 or even a /64 was going to be between you and the ISP; the RIRs had nothing to do with it.</p>
<p>And then someone suggested that ARIN change <a title="IPv6 Allocation Policy" href="https://www.arin.net/policy/nrpm.html#six541" target="_blank">section 6.5.4.1 of their allocation policy document</a> from this:</p>
<p style="padding-left: 30px;"><strong><em>6.5.4.1. Assignment address space size</em></strong></p>
<p style="padding-left: 30px;"><em>End-users are assigned an end site assignment from their LIR or ISP. The exact size of the assignment is a local decision for the LIR or ISP to make, using a minimum value of a /64 (when only one subnet is anticipated for the end site) up to the normal maximum of /48, except in cases of extra large end sites where a larger assignment can be justified.</em></p>
<p style="padding-left: 30px;"><em>The following guidelines may be useful (but they are only guidelines):</em></p>
<p style="padding-left: 30px;"><em>/64 when it is known that one and only one subnet is needed</em><br />
<em> /56 for small sites, those expected to need only a few subnets over the next 5 years.</em><br />
<em> /48 for larger sites</em></p>
<p style="padding-left: 30px;"><em>RIRs are not concerned about which address size an LIR/ISP actually assigns. Accordingly, RIRs will not request the detailed information on IPv6 user networks as they did in IPv4, except for the cases described in Section 6.4.4 and for the purposes of measuring utilization as defined in this document.</em></p>
<p><strong><span style="text-decoration: underline;">to</span></strong></p>
<p style="padding-left: 30px;"><em>LIR&#8217;s may assign blocks in the range of /48 to /64 to end sites.</em><br />
<em> All assignments made by LIR&#8217;s should meet a minimum HD-Ratio of .25.</em></p>
<p style="padding-left: 30px;"><em> * /64 &#8211; Site needing only a single subnet.</em><br />
<em> * /60 &#8211; Site with 2-3 subnets initially.</em><br />
<em> * /56 &#8211; Site with 4-7 subnets initially.</em><br />
<em> * /52 &#8211; Site with 8-15 subnets initially.</em><br />
<em> * /48 &#8211; Site with 16+ subnets initially.</em></p>
<p style="padding-left: 30px;"><em> &#8230;</em></p>
<p style="padding-left: 30px;"><em> LIR&#8217;s do not need to issue all 5 sizes of prefixes as long as the</em><br />
<em> HD-Ratio requirement is met.</em></p>
<p>Note:  <a title="RFC 3194 - HD-Ratio" href="http://tools.ietf.org/html/rfc3194" target="_blank">An explanation of HD ratio can be found in RFC 3194</a>.</p>
<p>Many people took exception to this suggested wording and claim that it smacks of ARIN trying to tell ISPs how to distribute their address space. Other people feel that this makes complete sense because it is a much more conservative approach.  Most of the latter continue to suffer from the aftershocks of IPv4&#8217;s address issues and they can&#8217;t do anything other than apply their past thoughts to this new approach.</p>
<p>The reality is that there is so much address space available that every living soul on earth today will have long since died before we can even begin to think about putting pressure on the IPv6 address space.  So why?  Why?  Why are we worrying so much about conserving when the single biggest thing it&#8217;s going to do is make routing tables larger, subnetting more prone to error and routing hardware less efficient?  There has to be an argument more compelling than, &#8220;It&#8217;s wasteful.&#8221;</p>
<p>As of today the wording has not been adopted and I hope it stays that way.  ISPs are fully capable of figuring this stuff out on their own.</p>
<p>Cheers,</p>
<p>Colin Weaver</p>
]]></content:encoded>
			<wfw:commentRss>http://www.itdojo.com/2011/05/20/the-debate-surrounding-section-6-5-4-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

