« The Role of a SIEM in an Overall Enterprise Security Plan | Main | »

31 May 2011

IPV6 is on a blink of eye to be a reality on our daily lives. Is it ready for our world?

Well, IPV4 addresses are almost depleted, right?

Sort of, it´s clear that we will  be out of IPv4 addresses in 2011, some actual almost "live" info I received mentioned that we had left only 12/8’s and 11/256’s by the end of 2010.

Due to the fact that we´re out of IPV4 addresses (unless ARIN decides to make Microsoft and others to return the larger unused IPV4 pools they have), IPV6 deployment is on its way, although this is a process that may take several years to complete.

For a example of a joint task force for a massive IPV6 field test, check out the "IPV6 day effort" at

http://isoc.org/wp/worldipv6day/

 

In the meantime, the deployment raises considerable new issues, being security one of the most
compelling.

That are some issues that must be addressed by companies and vendors. On this post I´m addressing some of these security threats. The ones I´m aware of.

 

  • IPV6/PV4 Dual Stack

We´ll need for sure to handle dual stack 6to4 during the migration to IPV6.
An IPV6-IPV4 dual stack increases for sure the potential for security vulnerabilities. Two infrastructures, two protocol stacks, applications will need to handle both. Well, you got the idea...

 

  • Routing

I heard from a friend some time ago, that routing will be an easier task on IPV6 than it was on IPV4...Specialists say that my friend is wrong...

BGP routing on IPV6 will require more space and bandwidth from routers. If your equipment is running low today due to large routing tables...Well, it´s time to consider an upgrade.

 

  • NAT

There´s no NAT on IPV6...If you use NAT as security measure, time to think on something else (like IPV6 P-NAT).

 

  • IPV6 Tunneling

It´s hard to manage and secure dynamic 6to4 tunnels and a lot of hackers are using it as a new vector of attacks to bypass firewalls and IPSs.

 

There are a specific consideration that I have (it´s a personal feeling) rather than a true statement.

I believe that we´ll begin to see a lot of "old based  attacks" like Ping of Death, Smurf, Teardrop and others due to the fact that the IPV6 stack were not "further tested".

But it´s just a feeling...Let´s wait to see if I´m right or not. 

 

Some important aspects to consider when planning a migration to IPV6.

 

  • Execute a careful planning of your new IPV6 network - Aspects like DHCP, DNS, automatic configuration, link-local can really expose your network now;
  • Block any dynamic tunnel communication;
  • Are your security defenses IPV6 ready?;
  • Have you ever considered a 802.1x architecture? It may be be a good idea;

 

Conclusion

IPV6 is a more secure and robust protocol than IPV4, It has IPSEC enabled by default capabilities (not different from the optional IPSEC for IPV4) but still have concerns around it. More than it, the time to support both IPV6/IPV4 networks are coming and the security issues around this must be taken in count. Seriously

So, it´s better to be cautious and consider a very secure network perimeter to secure your IPV6 network.

Regards

Posted by on 31 May 2011 at 03:36 PM in IT Security, Network Security |

Tags: 6to4, firewall, IPV6, NAT, security, tunnel

| |

Comments