IPv6 is the next-generational internet protocol, designed to give us more IP addresses. Back in the day when no one dreamed that toasters would one day be connected to the Internet, the idea that the number of IP addresses in the world would run out was silly. Today, the growing number of connected devices means we need more IP addresses, and IPv6 is the way to achieve that. Unfortunately for network administrators, it's a new technology stack that hasn't yet been fully scrutinized by security experts.
While the most secure system is one that does exactly what you want it to do, with adequate monitoring and no additional back doors or unused functionality, IPv6 doesn't exactly fall into that category yet. It has not been fully adopted and many companies haven't worked out what monitoring and support is required. In arecent survey by Ipswitch, Inc. two thirds of network administrators reported that only one in five of their networked devices were IPv6 ready. But sticking your head in the sand is not a good approach to network security.
Quick facts
The IPv6 threat
"There are some specific new attack vectors using IPv6 such as manipulation of route headers, rogue router advertisements, NDP spoofing, but on the whole the security concerns of IPv6 aren't something that should be a roadblock with the right monitoring infrastructure," said Chris Smithee, Network Security manager at Infrastructure monitoring firm Lancope.
Matthew Levine, director of Engineering at Akamai Technologies, agreed that any potential security pitfalls of IPv6 can be overcome.
"In reality, IPv6 is not inherently less secure than IPv4, but it presents the opportunity for risks because it is different," he explained. "For example, current firewall configurations may be IPv4 specific, such that adopting IPv6 would create more exposure than desired. There are some security concerns around IPv6 in IPv4 tunneling. The fundamental issue is that such a tunnel can potentially bypass a firewall that doesn't 'understand' IPv6. Whether you want to use IPv6 or not, you should ensure your firewall handles it properly."
The bury-your-head-in-the-sand approach is a concern for John Curran, president and CEO of ARIN, the American Registry for Internet Numbers, which is the non-profit responsible for managing the IP addresses, including IPv6, in the U.S., Canada, and parts of the Caribbean.
"Any network facing service or capability that you aren't using should be turned off; that's just good security hygiene," he said. "Every service or capability you expose to the network increases your attack surface. Attack surface is the amount of functionality an attacker could exploit to compromise any computer. Ideal security means you want to present the absolute minimum attack surface without compromising functionality."
Levine agreed. "As a general security principle, it is a good practice to switch off anything that is not required," he said. "That said, the world is moving to IPv6, so while it may not be required today, it will be required soon. There's no question that it will happen. The only question is how long it will take.
But, while switching off IPv6 is an option today, it just means prolonging the inevitable.
"IPv4 addresses have been fully depleted from the Internet Assigned Numbers Authority (IANA) free pool and the regional Internet registries (RIRs) are quickly running out of their addresses," said Curran. "The public Internet is moving to be both IPv4 and IPv6, so you will need to be ready for that regardless of whether you run IPv6 internally."
While the most secure system is one that does exactly what you want it to do, with adequate monitoring and no additional back doors or unused functionality, IPv6 doesn't exactly fall into that category yet. It has not been fully adopted and many companies haven't worked out what monitoring and support is required. In arecent survey by Ipswitch, Inc. two thirds of network administrators reported that only one in five of their networked devices were IPv6 ready. But sticking your head in the sand is not a good approach to network security.
Quick facts
The IPv6 threat
"There are some specific new attack vectors using IPv6 such as manipulation of route headers, rogue router advertisements, NDP spoofing, but on the whole the security concerns of IPv6 aren't something that should be a roadblock with the right monitoring infrastructure," said Chris Smithee, Network Security manager at Infrastructure monitoring firm Lancope.
Matthew Levine, director of Engineering at Akamai Technologies, agreed that any potential security pitfalls of IPv6 can be overcome.
"In reality, IPv6 is not inherently less secure than IPv4, but it presents the opportunity for risks because it is different," he explained. "For example, current firewall configurations may be IPv4 specific, such that adopting IPv6 would create more exposure than desired. There are some security concerns around IPv6 in IPv4 tunneling. The fundamental issue is that such a tunnel can potentially bypass a firewall that doesn't 'understand' IPv6. Whether you want to use IPv6 or not, you should ensure your firewall handles it properly."
The bury-your-head-in-the-sand approach is a concern for John Curran, president and CEO of ARIN, the American Registry for Internet Numbers, which is the non-profit responsible for managing the IP addresses, including IPv6, in the U.S., Canada, and parts of the Caribbean.
"Any network facing service or capability that you aren't using should be turned off; that's just good security hygiene," he said. "Every service or capability you expose to the network increases your attack surface. Attack surface is the amount of functionality an attacker could exploit to compromise any computer. Ideal security means you want to present the absolute minimum attack surface without compromising functionality."
Levine agreed. "As a general security principle, it is a good practice to switch off anything that is not required," he said. "That said, the world is moving to IPv6, so while it may not be required today, it will be required soon. There's no question that it will happen. The only question is how long it will take.
But, while switching off IPv6 is an option today, it just means prolonging the inevitable.
"IPv4 addresses have been fully depleted from the Internet Assigned Numbers Authority (IANA) free pool and the regional Internet registries (RIRs) are quickly running out of their addresses," said Curran. "The public Internet is moving to be both IPv4 and IPv6, so you will need to be ready for that regardless of whether you run IPv6 internally."
Guest Post by : Yogendra Singh Negi [ Network Security ]
0 Comments