Have you considered how you’ll secure your IPv6 infrastructure? Even if you aren’t implementing an IPv6 network, you still need to be concerned about the transition. Here is how can you be sure your network remains protected as the industry moves towards IPv6.
There’s been a lot of noise around the transition to IPv6, beginning with government mandates as early as 2003, and building up to World IPv6 Day on June 8. While lots of organizations felt mislead by the Y2K hype more than a decade ago, the IPv6 transition has been different. The IPv6 transition has already begun and will continue over dozens of years affecting every organization differently. But one thing every organization shares is that the transition will affect us all and requires some level of preparation in order to maintain the operational integrity we expect and require from our IT infrastructure.
• The pool of available IPv4 addresses has been fully allocated to the regional Internet registries (RIRs) and is nearly depleted
• US federal government agencies and departments are being mandated to integrate IPv6 into their network infrastructures
• Companies serving the federal government, such as defense contractors, Managed Service Providers and Internet Service Providers, have become, in effect, subject to these mandates and need to transition to IPv6 to be in compliance
• Companies in industries building large-scale networks, such as major web companies and communications providers, need to implement IPv6 systems and networks to enable business growth and innovation
If you are subject to the Office of Management and Budget (OMB) or Department of Defense (DoD) IPv6 mandates or if you are in an industry that is in the process of rolling out IPv6 technology, then chances are you’ve been planning for quite some time. You may even be well down the path of defining and developing the architecture and migration strategy, and have begun the actual implementation of IPv6 systems and networks. But have you considered how you’ll secure your IPv6 infrastructure? It isn’t safe to assume that your current security controls, policies and processes will protect your IPv6 environment as well as your IPv4 environment. Most security companies have lagged networking companies in introducing full-fledged IPv6 support.
However, even if you aren’t implementing an IPv6 network, you still need to be concerned about the transition. Most operating systems and many new printers and other network devices are IPv6 enabled, offering a dual-stack configuration to support IPv6 traffic in addition to IPv4. As IPv6-enabled consumer devices such as smartphones and tablets enter your network, intended or not, you now have two potential communication channels you need to worry about. You need to know that your security controls and policies uniformly support IPv4 and IPv6.
So how can you be sure your network remains protected as the industry moves towards IPv6? Start by asking your IT security vendors the following questions:
1. Have their solutions satisfied U.S. federal government IPv6 (USGv6) test requirements, demonstrating compliance with IPv6? Designed to protect federal agencies’ investments in IPv6 technologies, the testing program ensures interoperability among all IT and networking components used to build, maintain and secure the IT infrastructure of federal agencies.
2. Can they demonstrate that their solutions work comparably with IPv4 and IPv6 traffic? For example, in the case of IPS/IDS solutions, does the product identify and block IPv6-based attacks as well as IPv4-based attacks?
3. Does their solution support a wide variety of tunneling mechanisms? Tunneling mechanisms, such as 6to4 and Teredo, are transition technologies that enable IPv6 hosts and routers to communicate over IPv4 networks. Some security tools don’t recognize such mechanisms and therefore can’t provide protection.
4. Can their solutions operate and be managed over an IPv6 network? It’s important that you are able to designate an IPv6 IP address to a vendor device and manage it via IPv6 in order to deploy it on an IPv6 network.
5. In the case of vulnerability assessment, network discovery and IPS/IDS tools, are the vendor’s security tools reliant on active vulnerability scanning? Active scanning tools may become crippled under the weight of the incredibly large number of IPv6 addresses available to search.
6. In the case of Firewall policies and access control lists (ACLs) that are configured to block all “IP” traffic, do they in fact block IPv6 traffic as well as IPv4? Some network appliances require extra configuration to deal with IPv6 and use the term “IP” to only refer to IPv4.
IPv6 will enable organizations to build larger, more efficient networks to support growth and innovation. The transition is well underway and every network is becoming an IPv6 network, whether we choose it or not. The transition needs to focus not only on operational issues, but security as well. Identifying controls, solutions and policies that support IPv6 alongside IPv4 is essential to maintaining your organization’s security standards.