Open Source IDS/IPS Native Security Rule Migration from IPv4 to IPv6 and their effectiveness and comparison

Abstract

Internet Protocol Version 6 has become the new trend in Internet as its predecessor Internet Protocol Version 4 started its exhaustion since 2011. With the rising traffic of IPv6 all devices building the Internet has been upgraded or rebuilt to support the 128-bit address. But as the number insists there are numerous addresses in the space. Because of that and as it is still young to production environment there are huge number of security vulnerabilities in IPv6. Even though there are great quantity of vulnerabilities, we cannot avoid using IPv6 because of the addressing issue arising for newly connected devices and services. Therefore, we have to use IPv6 with precautions and the best precaution we have today is to deploy an Intrusion detection or prevention system in the network. When dealing with IPS/IDS solutions there are good competitive players in commercial network security world but almost all costs in huge amounts. Therefore, the best solution is to develop a suitable Free and Open Source Software to act as an IPS or IDS. This thesis aims on developing such a system with totally free and cost effective way. For this objective, main issue was there are no good single IDS application that totally supports every security feature. In IPv4, one of the best IDS/IPS FOSS systems is Security Onion Linux based Distribution, it is maintained by a company called Security Onion Solutions and currently it has a high number of user based community. Security Onion runs under an Ubuntu/Debian based environment and it makes the users more attracted to Security Onion as, handling Ubuntu operations are easy than other Linux operating systems. Also because of its big community, problems arising while operations can be easily solved. Security Onion has a fully effective detection rule base due to its community. Therefore, this thesis aims at enabling Security Onion with IPv6 and fine tuning it. Security Onion uses Snort as one of its IDS engines and I will be targeting Snort for the ease of development and as it is already supporting IPv6. Even though Snort has the support, other components in Security onion specially the applications used to process alerts and do the reporting are yet not available in IPv6 mode. Also because of the lack of IPv6 detection rules new rules based on ICMPv6 was created. But for logging and reporting new system is introduced in the thesis using log analyzing tool ELK stack based on ElasticSearch and Kibana. During the process many problems were faced as most of the components pre-installed in Security Onion is not supporting IPv6 and as the developers are also masking IPv6 addresses to 0.0.0.0 to avoid detection of other traffic. As its flexibility in handling big data many specific visualization charts and graphs can be created in Kibana allowing fully user made graphing. Therefore, when Analyzing dual stack systems ELK stack was every efficient and cost effective as it detects threats belonging to both versions. Keywords: IPv6 IDS/IPS, ELK stack, Security Onion, ICMPv6, Snort rules