Active and Passive Teredo Detection with Nessus and PVS
Quoting directly from Microsoft's web site about Teredo:
"Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs)."
Tenable Network Security has had active and passive techniques available to detect Teredo servers in both Nessus and the Passive Vulnerability Scanner for some time. Tenable's techniques for detecting Teredo servers are an excellent example of how a blended approach of active and passive network monitoring can be leveraged for realtime enterprise discovery.
This blog entry describes some of the security ramifications of Teredo as well as operational considerations for running these checks.
Security Issues with Teredo
Teredo enables IPv6 devices on your network to communicate directly with the Internet. This may allow for:
- bypassing outbound/inbound IPv4 network controls such as firewalls and router ACLs.
- avoid monitoring and/or enforcement of your outbound web proxy
- avoid monitoring and/or enforcement of your IDS/IPS
- avoid analysis of your network performance and activity with IPv4 centric solutions
Servers that establish IPv6 connectivity to points outside your local network now also become an attack point. Also, Teredo servers may be targeted directly for attack with yet to be discovered (or published) security vulnerabilities.
Teredo can be limited by blocking UDP traffic at the perimeter of the network.
Teredo Detection with the PVS
Tenable's research group offers two plugins for the Passive Vulnerability Scanner.
Analysis of UDP packets is used to identify both Teredo servers and clients that are connecting to it. Since the PVS operate 24x7, it can find all systems that make use of Teredo, even if they are used only occasionally.
Even if you do not have Teredo servers installed, these rules can identify if you have a system scanning for Teredo servers. This could be from a laptop using Teredo in a different environment, or perhaps a worm or malware agent looking for a Teredo server to ex-filtrate data from your IPv6 network.
Teredo Detection with Nessus
Nessus plugin ID #23972 "Teredo Server Detection" sends a router solicitation request on UDP port 3544. If an answer is received, the Teredo router is queried for more information which is displayed in the report.
For More Information
Teredo detection is an excellent example of Tenable's blended form of vulnerability monitoring which combines patch auditing, network scanning and network sniffing. To read more about it this concept, please consider our "Blended Security Assessments" paper available in our Vulnerability Management section of the Tenable Network Security web site.
For specific information about Teredo and IPv6 security, please consider these following links:
Related Articles
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
Cybersecurity Snapshot: NIST Program Probes AI Cyber and Privacy Risks, as U.S. Gov’t Tackles Automotive IoT Threat from Russia, China
September 27, 2024A new NIST program will revise security frameworks like NIST’s CSF as AI risks intensify. Plus, the U.S. may ban cars with Russian and Chinese IoT components. Meanwhile, the CSA adds AI insights to its zero trust guide. And get the latest on cybersecurity budgets, SBOMs and the Ghost cybercrime platform!