IPv6 is coming soon, whether information security professionals like it or not. So it’s best to be prepared rather than ignore or resist the process.
On June 6, dubbed World IPv6 Launch Day by the Internet Society, major ISPs, home networking equipment manufacturers, and web companies around the world will enable IPv6 for their products and services. In addition, the US government has targeted September 30 for all agencies to support IPv6.
In fact, a Network World survey found that 72 percent of IT departments are planning to upgrade their websites to support IPv6, and most intend to have IPv6 running on their internal networks by 2013.
Advocates of IPv6 stress that in addition to dramatically increasing the supply of IP addresses, the IPv6 protocol will embed the IPSec standard, which provides data integrity, confidentiality, and authenticity to IP-based communication.
While many tout the security benefits of IPv6, others continue to have concerns about the transition period.
Probably the biggest concern is the vulnerabilities that will be introduced by the operation of the IPv4 and IPv6 protocols at the same time during the lengthy transition, which some estimate will take a decade.
“Most general-purpose operating systems implement and enable by default native IPv6 support and a number of transition-co-existence technologies,” explained Fernando Gont of the UK Centre for the Protection of National Infrastructure in a recent paper submitted to the Internet Engineering Task Force. “In those cases in which such devices are deployed on networks that are assumed to be IPv4-only, the aforementioned technologies could be leveraged by local or remote attackers for a number of (illegitimate) purposes.”
Gont explained that network intrusion detection system might be configured to detect attack patterns for IPv4 traffic, but be unable to detect those patterns when using IPv6 transition technology. Also, a firewall might enforce a security policy in IPv4, but be unable to enforce the same policy in IPv6.
During the transition to IPv6, many organizations are unsure about which security products and vendors support IPv6 and when that support will be available.
“The challenge that companies face is that IPv6 is a separate protocol and requires significant R&D to bring products up to IPv6 capability. There hasn’t been a uniform effort in the security industry to do that,” observed Patrick Bedwell with Fortinet in an interview with Infosecurity.
During this year’s RSA Conference in San Francisco, Robert Hinden with Check Point Software and Danny McPherson with VeriSign cited transition and tunneling technology as one of the three main IPv6 security challenges. The other challenges include the use of IPv6 as a convert channel for malware and the vulnerabilities in the basic IPv6 mechanisms.
“It’s easy to create IPv6/IPv4 tunnels to carry traffic outside of an enterprise….You can’t stop what you can’t see,” they explained in their RSA presentation.
Blue Coat Systems recently warned about IPv6 “shadow networks,” which are created by setting up endpoints on IPv6-enabled devices. These shadow networks can run undetected over corporate IPv4 networks.
These endpoint devices, such as IPv6-enabled desktops, smartphones, and tablets, may be publically addressable and operate outside of traditional security configurations. Employees sometimes use these shadow networks to conduct file sharing, download video, access pornography, and get around other network activity usually restricted by company policies, Blue Coat warned.
In addition, cybercriminals are beginning to use IPv6 shadow networks as a back door for penetrating corporate networks and providing communication links to already embedded malware and compromised computers that have been forced into botnets, Blue Coat noted.
While the threats are significant, there are a number of steps security professionals can take to ensure a secure transition to IPv6. According to Doug Montgomery, manager of the Internet and Scalable Systems Research Group at the National Institute of Standards and Technology, chief among these are applying rigorous oversight; leveraging an accredited IPv6 test program; and deploying IPv6 in increments. He also tells security professionals not to be daunted. The transition to IPv6 will pose security challenges for years to come. With World IPv6 Launch Day coming up next week, the time for security professionals to step up and meet those challenges is now.