Many organisations are being misled about the complexities surrounding IPv6 security, according to security firm Stonesoft
A number of high-profile technology companies have set 6 June as the date for turning on the protocol and make the permanent transition from IPv4.
“A lot of people think there isn’t much difference between securing IPv6 traffic and IPv4 – and that’s not true," said Ash Patel, country manager for UK and Ireland at Stonesoft.
This misperception, he said, is compounded by the fact that organisations are not sure what needs to be done and when. He said suppliers are making false claims about how well their products perform in an IPv6-ready network.
According to Stonesoft, there are 10 steps organisations can take to ensure IPv6 security:
1. Revamp your existing network. Revamping your IPv4 network involves cleaning up, throwing out and upgrading. Clean up and kick out outmoded and outdated features. The upgrading consists of ensuring every aspect of your network that can be effectively ungraded to the next level. Starting with a clean, uncluttered slate makes it much easier – and safer – to implement IPv6.
2. Plan a gradual introduction. Gradually introducing IPv6 will give organisations plenty of time to ensure IPv6 is going to function with existing IPv4 infrastructure and help keep the budget under control.
3. Go for dual stack. Opt for the dual-stack mode for the IPv6 implementation. Dual stack comes with several benefits, although it may require router upgrades to meet the memory and power demands to support running both IPv4 and IPv6 simultaneously. The dual-stack approach enables an organisation to support applications that are not yet functional with IPv6. It can also help eliminate the need for tunnels, which is already being viewed as a potential source of security vulnerabilities.
4. Take care of your tunnels. The National Institute of Standards and Technology’s “Guidelines for the Secure Deployment of IPv6” suggests viewing and treating tunnels in the same way you would an external link – with extreme caution. It recommends inspecting every single shard of tunnel traffic before you permit it to either enter or exit your system. This inspection consists of reviewing all IPv6 traffic, including those within the IPv4 packets, with the same scrutiny and systematic examination you give to all your traffic. Suggested tools include: virus protection, intrusion detection, network ingress filtering, packet filters and application proxies. Further, fortify the tunnel endpoints with even stronger security measures, such as authentication.
5. Mind the malicious. Malicious users are already infiltrating IPv6. Do not forget the warnings about the dangers of router advertisements and man-in-the-middle attacks. Some attacks can delve deep into a network before they are discovered, making them more destructive than ever. These and similar attacks are coming from scripts that are easy to use. Memorising every type of attack and the solution to go with it would be impossible. Being aware that many already exist and many more are sure to come is crucial.
6. Upgrade to a certified firewall. Be careful about claims concerning IPv6 readiness. Without outside verification, it is likely the vendor may have just pointed a traffic generator at their product and claims it works. You must look at products that have undergone third-party certification. They can apply hands-on testing using publicly accepted evaluation methods to ensure organisations know exactly what their firewall can handle.
7. Require authentication. Authentication is more critical and, fortunately, easier than ever before. Look into the use of an HTTP/HTTPS proxy for users to access the internet. Just by setting up required authentication to get online, an organisation can reduce the threat of unwanted third parties.
8. Know IPv6 syntax. The syntax is very similar to that used with IPv4, but with notable differences in the foundation. Knowing the syntax makes it much easier to quickly know how to deal with a security breach or implement necessary measures. Since IPv6 has technically been around for more than a decade, there is no shortage on information on the subject from several technology giants – as well as a 188-page guide from the US government.
9. Hit the “off” button. Shutting off IPv6 capabilities when you are not using it may seem obvious, but it may not be that easy because a number of programs have already been configured to work with IPv6, and just as many may already have the protocol turned on automatically by default. Check, double-check and triple-check your environment to ensure IPv6 is enabled only when it is used.
10. Know how to kill. Even with large portions of a network disabled for IPv6, there is still the threat of unwanted IPv6 visitors. When that happens, organisations should know how to kill it before it can infect others associated with the network. This is where knowing IPv6 syntax can be useful, particularly for setting up effective firewalls and traffic filters. Organisations can create filters that let in what they want, keep out what they do not.
IPv6 tutorial: Understanding IPv6 security issues, threats, defenses