Is Your Security Infrastructure Ready for IPv6?

Security experts urge organizations to test IPv6 compatibility across security products and gateways as networks undergo upgrades

If your IT department hasn’t thought about an IPv6 strategy yet, you’re behind the curve. While IPv6 was designed mainly to address the exhaustion of IPv4 addresses, it’s creating several challenges for IT departments in terms of ensuring the end-to-end stability and performance of enterprise IP networks and the Internet as a whole.

Q1 Labs, a provider of security intelligence solutions, is urging organizations to look at how Security Information and Event Management (SIEM) systems as well as IPS and IDS are configured as organizations move to IPv6-based networks.

“Not all security software and appliances are set up to deal with fully IPv6 or hybrid environments straight off the bat,” explains Chris Poulin, CSO for Q1 Labs.

Poulin, who spent eight years in the U.S. Air Force managing global intelligence networks and developing software, believes that many organizations still don’t fully appreciate the IPv6 problem. Internet Protocol version 6 (IPv6) is designed to succeed Internet Protocol version 4 (IPv4) and was ratified by the Internet Engineering Task Force (IETF) in 1998. The outgoing IPv4 has a theoretical hard limit of 4.3 billion addresses, which is quickly filling up, especially with the growth in smartphones and tablets expected to hit a billion units by the end of the year.

Even though the new protocol has a 128-bit address range (340-undecillion limit) and additional features, adoption of IPv6 is still sluggish. “The move is a significant project for any IT department and security needs to be on the check-list of things to test before making the move,” Poulin urges. “SIEM is actually a good place to test if IPv6 security procedures are feasible and working correctly.”

IPv6 security risks include bugs in code, protocol weaknesses and poor implementations by security and network vendors due to minimal familiarity with the new standard. “Attacks using an IPv6 tunnel on a hybrid network are examples of new threats that might be missed unless organizations start to prepare now for the inevitable change,” Poulin said. “The current pace of change is relatively slow, but it is likely to speed up as large service providers and trading platforms move to IPv6 over the next few years, which could mean that IT departments are suddenly dumped with a project to move with minimal notice — it would be wise to start checking now before the call comes,” Poulin added.
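The following is an added example, not code from the article or from any vendor quoted in it: a small check of the kind a SIEM pipeline could run to confirm that it parses IPv6 addresses and flags common IPv6-over-IPv4 tunnel traffic on a hybrid network. The CSV record layout (`src,dst,protocol,dst_port`) and the sample flows are constructed for illustration; the protocol number, port and prefixes are the standard values for 6in4/6to4, Teredo and their address ranges.

```python
import ipaddress

# Standard markers of IPv6 transition mechanisms (RFC 4213, 3056, 4380).
PROTO_IPV6_IN_IPV4 = 41      # IP protocol used by 6in4, 6to4 and ISATAP
TEREDO_UDP_PORT = 3544       # Teredo server port (heuristic: clients vary)
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")

# Constructed sample flow records: src,dst,protocol,dst_port (hypothetical layout)
SAMPLE_FLOWS = """\
10.1.4.22,192.0.2.10,6,443
10.1.4.37,198.51.100.7,41,0
10.1.4.51,203.0.113.9,17,3544
2001:db8:10::5,2001:db8:20::8,6,22
2002:c000:204::1,2001:db8:20::8,6,80
2001:0:c633:6407:0:0:3f57:fdf6,2001:db8:20::8,17,53
not-an-address,192.0.2.10,6,80
"""

def classify(line):
    """Label one flow record; malformed input yields 'parse-error'."""
    try:
        src_s, dst_s, proto_s, dport_s = line.strip().split(",")
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        proto, dport = int(proto_s), int(dport_s)
    except ValueError:
        return "parse-error"
    if src.version != dst.version:
        return "parse-error"
    if src.version == 4:
        if proto == PROTO_IPV6_IN_IPV4:
            return "tunnel:proto-41"
        if proto == 17 and dport == TEREDO_UDP_PORT:
            return "tunnel:teredo"
        return "ipv4"
    for addr in (src, dst):  # native IPv6 flow: check for tunnel-derived addresses
        if addr in SIXTO4_PREFIX:
            return "tunnel:6to4-address"
        if addr in TEREDO_PREFIX:
            return "tunnel:teredo-address"
    return "ipv6-native"

def summarize(text):
    """Count labels across all records in a block of flow lines."""
    counts = {}
    for line in text.splitlines():
        label = classify(line)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

A pipeline that returns `parse-error` for the IPv6 rows, or `ipv4` for the protocol 41 and Teredo rows, is one that would miss the tunnel traffic described above.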

Some believe that IPv6 strategies should even be a board-level concern. “Many believe that the move to IPv6 should be a board-level risk management concern, equivalent to the Y2K problem or Sarbanes-Oxley compliance,” Ram Mohan, EVP and CTO at domain registrar Afilias, wrote in a SecurityWeek column. “During the late 1990s, technology companies worldwide scoured their source code for places where critical algorithms assumed a two-digit date,” Mohan added. “This seemingly trivial software development issue was of global concern, so many companies made Y2K compliance a strategic initiative. The transition to IPv6 is of similar importance. As more companies start to wake up to IPv6, this kind of compliance project will become more widespread.”

“CIOs who have not planned IPv6 transition plans as part of their strategic agenda must act now, or risk the entire enterprise online,” Mohan concluded.

“Even if you aren’t implementing an IPv6 network, you still need to be concerned about the transition,” according to Marc Solomon, SVP of Marketing at Sourcefire. “As IPv6-enabled consumer devices such as smartphones and tablets enter your network, intended or not, you now have two potential communication channels you need to worry about,” he added. “Identifying controls, solutions and policies that support IPv6 alongside IPv4 is essential to maintaining your organization’s security standards.”

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
