Security vendors step up IPv6 certifications

IPv6 readiness for networking products and applications in your network can be difficult to assess. Vendors such as Sourcefire are turning to US based ICSA Labs for certification against US based the USBv6 profile.

Vendors have known for some years that IPv6 certification would be a market requirement for their products and a number of governments have published transitional strategies for their agencies and suppliers.

As early as 2007 the Australian government released ‘A Strategy for the Implementation of IPv6 in Australian Government Agencies’ outlining a timeline for IPv6 adoption which was subsequently updated in 2009.

The current requirement states agencies must have their IPv6 ready hardware and software in place by end 2011, and have all systems IPv6-enabled by end of 2012.

However, the document is less specific about exactly what IPv6 certification requires, or even what ‘IPv6-enabled’ might actually mean to Australian Federal Government networks and agencies. Is being able to ping6 key router infrastructure enough? What does “agencies will be ready to securely send and receive IPv6 packets of information” mean in a practical sense? From where to where?

Do all applications need to be tested on an IPv6 network or is it enough to implement dual-stack IPv4/IPv6 networks leaving all applications on IPv4?

Security is even muddier.

“Agencies should ensure that that IPv6 related security threats and risks are considered as part of the regular Threat and Risk Assessments of their networks. Elements of many of these tasks are ongoing, but their planning and commencement should be undertaken by end-December 2009.” Some may assume this requires the implementation of RA Guard software and a significant investment in end point dual-stack monitoring.

What about any security implications of running a dual-stack network? Should the default IPv6 state of most modern operating systems be altered from on to off?

The good news is that testing vendors are attempting to help companies test and monitor IPv6 networks and applications, even when those applications are in the cloud.

California based company Mu Dynamics offers a comprehensive suite of automated testing solutions and test content aimed at testing and validating IPv4 and IPv6 products and services for conformance, security and resiliency. Essentially the Mu Dynamics’ offering is a testing solution which enables network equipment manufacturers, service providers and government agencies to automate their pre-certification testing and leverage the same tests as government-sanctioned certification labs in IPv4 and IPv6 environments.

Compuware Corporation have also released the industry’s first free IPv6 Website Performance Comparison testing tool which allows organisations to compare the speed of their IPv4 and IPv6 enabled web applications. Enterprises who move applications into the cloud to take advantage of an IPv6 cloud enabled service can now test any impact of an IPv6 environment on their applications.

In the US, the National Institute of Standards and Technology (NIST) have been more specific on what IPv6-compliance means. Released as a draft 2007, Version 1 of the USGv6 Profile was published in July 2008 following industry and government consultation. Shortly afterwards the USGv6 Testing Program was developed and, following a number of drafts, became operational in November 2009.

The USGv6 Profile is lengthy and technical document, making self certification for vendors and customers very time consuming. It lists 12 functional categories for IPv6 capability and defines a number of profiles which include Host, Router (both internal and external facing) and Network Protection Device (which include IPS and firewalls). Functional categories are broken into multiple requirements.

Testing labs to the rescue.

ICSA Labs, an independent division of Verizon Business with offices in Pennsylvania, provides independent 3rd party product assurance for end users and enterprises. ICSA Labs has provided vendor-neutral testing and certification for hundreds of security products and solutions for many of the world's top security product developers and service providers.

ICSA Labs provides services in three areas:

• Consortium Operations, Security Product Testing, and Certification Programs

• Custom Testing Services

• Accredited Government Testing Services

One of the initial companies to provide security products for ICSA Labs testing was IPS vendor Sourcefire. A bold move which has proven successful, Sourcefire has recently announced the completion of testing with ICSA Labs of the Sourcefire 3D® System, successfully satisfying U.S. federal government IPv6 test requirements (USGv6).

“ICSA Labs’ validation that we meet the USGv6 requirements ahead of the federal government’s move to IPv6 in 2012 demonstrates Sourcefire’s commitment to our customers and to meeting their changing security needs,” said Marc Solomon, Senior Vice President of Marketing at Sourcefire. “This independent confirmation of our IPv6 support is especially important now that the pool of available IPv4 addresses is fully allocated and nearly depleted.”

The Sourcefire 3D® System is one of the first IT security solutions verified by ICSA Labs to meet the US federal government’s requirements for hosts on an IPv6 network.

“The goal of the federal government’s IPv6 test program is to ensure interoperability among all IT and networking components used to build, maintain and secure the IT infrastructure of federal agencies,” said Brian Monkman, Perimeter Security Programs Manager at ICSA Labs. “As one of the first IT security vendors to participate in our testing, Sourcefire customers will benefit from the company’s ongoing commitment to security IPv6.”

Read more on Network security strategy