Active and Passive Teredo Detection with Nessus and PVS
Quoting directly from Microsoft's web site about Teredo:
"Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs)."
Tenable Network Security has had active and passive techniques available to detect Teredo servers in both Nessus and the Passive Vulnerability Scanner for some time. Tenable's techniques for detecting Teredo servers are an excellent example of how a blended approach of active and passive network monitoring can be leveraged for realtime enterprise discovery.
This blog entry describes some of the security ramifications of Teredo as well as operational considerations for running these checks.
Security Issues with Teredo
Teredo enables IPv6 devices on your network to communicate directly with the Internet. This may allow for:
- bypassing outbound/inbound IPv4 network controls such as firewalls and router ACLs.
- avoid monitoring and/or enforcement of your outbound web proxy
- avoid monitoring and/or enforcement of your IDS/IPS
- avoid analysis of your network performance and activity with IPv4 centric solutions
Servers that establish IPv6 connectivity to points outside your local network now also become an attack point. Also, Teredo servers may be targeted directly for attack with yet to be discovered (or published) security vulnerabilities.
Teredo can be limited by blocking UDP traffic at the perimeter of the network.
Teredo Detection with the PVS
Tenable's research group offers two plugins for the Passive Vulnerability Scanner.
Analysis of UDP packets is used to identify both Teredo servers and clients that are connecting to it. Since the PVS operate 24x7, it can find all systems that make use of Teredo, even if they are used only occasionally.
Even if you do not have Teredo servers installed, these rules can identify if you have a system scanning for Teredo servers. This could be from a laptop using Teredo in a different environment, or perhaps a worm or malware agent looking for a Teredo server to ex-filtrate data from your IPv6 network.
Teredo Detection with Nessus
Nessus plugin ID #23972 "Teredo Server Detection" sends a router solicitation request on UDP port 3544. If an answer is received, the Teredo router is queried for more information which is displayed in the report.
For More Information
Teredo detection is an excellent example of Tenable's blended form of vulnerability monitoring which combines patch auditing, network scanning and network sniffing. To read more about it this concept, please consider our "Blended Security Assessments" paper available in our Vulnerability Management section of the Tenable Network Security web site.
For specific information about Teredo and IPv6 security, please consider these following links: