Q&A: Things to consider when it comes to IPv6 and security (Part II)
by Steve Ragan - Jun 8 2011, 09:00
Previously, The Tech Herald spoke to Commtouch for their opinions on IPv6, including potential issues and things to keep in mind when preparing for a deployment. In Part II of this series, James Lyne, the Director of Technology Strategy at Sophos, has tackled the same questions.
The Tech Herald (TTH): What are the top five security problems that IPv6 has the potential to create?
James Lyne (JL): We all have to go back to networking school.
IPv6 is not just an expansion of addresses - it fundamentally changes the way networking works. Many administrators have learned IPv4 and having to shift to a new doctrine could lead to mistakes and accidental exposure of the network.
IPv6 has design flaws or security issues that have not been spotted yet.
When IPv4 was first adopted there were lots of challenges at the protocol level - enabling attacks to down systems with a few simple packets. IPv6 seems much more robust, but until it's truly used in earnest there is a risk of new undiscovered issues.
Accidental use of IPv6.
Many people already have IPv6 floating around their network and they do not even use it! IPv6 features some transition mechanisms designed to make it easier to run the new technology before every network transitions. This means that IPv6 traffic could be tunneling out of your network right now.
While this in itself might not seem a bad thing, your security restrictions and policies could apply to IPv4 while leaving a wide open gate for attackers to wander through with IPv6.
Security controls and processes not updated to be IPv6 ready.
Many technologies are still not IPv6 ready, or are progressively maturing to cater to IPv6. As all of the use cases are not yet clear, some technologies that have been invested in will still have more work to do.
More use of encryption.
IPv6 has 'VPN' capabilities built in ready for use and some features to get more traffic encrypted. This is great for privacy, but could challenge some network security as more traffic can't be monitored. This may significantly change how security is delivered in the future.
TTH: What can administrators do to address these problems?
JL: Education and understanding the risks is key.
Create a plan to migrate and understand the steps involved. Do this as soon as possible so that you can migrate in a reasonable timeframe, understanding the risks, rather than at the last minute when forced to do so.
Block IPv6 where it is not yet needed or intended. It is better to disable it than allow its use with no management or thought.
TTH: What should administrators consider when deploying IPv6? What are some of the best practices you recommend?
Note: The examples James listed are here in this whitepaper. In addition, he added, “Most of all keep it simple and only use what you need!” Below are the main points of the whitepaper for reference.
Be cautious when using tunneling during the initial overlap period.
- For example, tunnels can cut through your perimeter firewall rules, but might be less restricted than your firewall. This could allow attackers to connect to resources inside the “hard shell” of your network without your knowledge.
Remember to look at the bigger picture.
- Network layout under IPv6 is very different from that under IPv4, so simply replicating your existing setup will not provide ideal results. You need to significantly redesign your network structures to get the best out of IPv6 (detailed guides are available from vendors such as Cisco and Microsoft).
Check that your entire networking infrastructure is compatible and up to date.
- It’s easy to miss switches and routers in patching regimes, and you may need to update these to the latest versions of firmware and software. Check that these devices are ready for IPv6; if they aren’t, have a plan to make them so over time.
Make sure all your security solutions are up to the job.
- More use of IPSec is a great idea and fully supported by IPv6, but the end-to-end encryption may interfere with some perimeter-level security processes. Protection may have to migrate closer to the desktop level, so ensure desktop security includes Data Loss Prevention (DLP) and Web security.
Don’t enable IPv6 until you’re fully ready.
- Many platforms come with IPv6 enabled by default, but make sure it’s switched off until properly configured. Many current firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all — leaving systems completely exposed.
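As an added example (not from the interview or the Sophos whitepaper), a small Python audit that runs over a constructed host inventory and reports the conditions warned about above: transition-tunnel addresses (6to4, Teredo and ISATAP, recognised by their well-known prefixes and interface-identifier pattern) that can cut through an IPv4-only perimeter, routable IPv6 addresses on hosts where IPv6 is not yet planned, and an active IPv6 stack on a host with no IPv6 firewall policy. The inventory schema, host names and flags are assumptions made for the example.

```python
import ipaddress

# Well-known transition-mechanism prefixes (RFC 3056 6to4, RFC 4380 Teredo).
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")
TEREDO = ipaddress.ip_network("2001::/32")


def transition_mechanism(addr):
    """Name the IPv4-tunnelling mechanism an IPv6 address implies, or None."""
    addr = ipaddress.IPv6Address(addr)
    if addr in SIX_TO_FOUR:
        return "6to4"
    if addr in TEREDO:
        return "Teredo"
    iid = int(addr) & ((1 << 64) - 1)  # low 64 bits = interface identifier
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):  # ISATAP (RFC 5214) IID pattern
        return "ISATAP"
    return None


def audit_host(host):
    """Return the list of findings for one host record (constructed schema)."""
    findings = []
    addrs = [ipaddress.IPv6Address(a) for a in host["ipv6_addrs"]]
    for a in addrs:
        mech = transition_mechanism(a)
        if mech:
            findings.append(f"{mech} tunnel address {a}")
        elif not (a.is_link_local or a.is_loopback) and not host["ipv6_planned"]:
            findings.append(f"unplanned routable IPv6 address {a}")
    # Even a link-local-only host has a live IPv6 stack that an IPv4-only firewall ignores.
    if addrs and not host["ipv6_firewall"]:
        findings.append("IPv6 enabled but no IPv6 firewall policy")
    return findings


def audit(inventory):
    return {h["name"]: audit_host(h) for h in inventory}


# Constructed sample inventory; hosts, addresses and flags are illustrative only.
INVENTORY = [
    {"name": "web01", "ipv6_planned": True, "ipv6_firewall": True,
     "ipv6_addrs": ["2001:db8:1::10", "fe80::1"]},
    {"name": "desk07", "ipv6_planned": False, "ipv6_firewall": False,
     "ipv6_addrs": ["fe80::a1", "2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2"]},
    {"name": "srv03", "ipv6_planned": False, "ipv6_firewall": False,
     "ipv6_addrs": ["fe80::5efe:c0a8:101", "2001:db8:2::5"]},
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name, issues or ["ok"])
```

Running it reports nothing for web01, a 6to4 and a Teredo address plus a missing IPv6 firewall policy for desk07, and an ISATAP address, an unplanned routable address and a missing firewall policy for srv03.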
TTH: How will reputation-based defenses be hurt by the flood of available space on IPv6?
JL: Reputation as we know it today just is not going to work. The bad guys will be able to rotate IP addresses at such a rate that reputation services won't be useful. However, reputation services can evolve to work even in the IPv6 world.
Most users are still going to use domain name system (DNS) names to access services (particularly as IPv6 addresses are so long and cumbersome), for which reputation can still be used. IPv6, if deployed correctly, could also feature more of a concept of identity and has a better hierarchy design - this could allow better policies to block/allow than were realistic with the mess that was IPv4.
TTH: What are your predictions for dual stack networks, and how do you think criminals will leverage this to target organizations and users?
JL: Cyber criminals hack to make money or make a point. They will go to the weak spot and use it ruthlessly. The security risks outlined above could be such a weak point for the bad guys, and we can expect, as deployments increase, that they will test all of our deployments for mistakes that let them in.
While I strongly advocate testing and understanding IPv6 to progressively move, users must protect their IPv6 stack as much as their IPv4 and be cautious not to casually allow the hackers access through a side channel.
TTH: What are some of the things Sophos is doing to strengthen defenses as IPv6 is deployed?
JL: Sophos is investing in its products to make sure they offer more capabilities as IPv6 is deployed. We already have some control capabilities to restrict use of IPv6 where administrators are not ready.
We will extend these capabilities alongside the increasing deployment of IPv6. Our announced Astaro plans will also help build a position to deal with such threats as we enter into network security more directly.