IPv6 Security: Not Scary, Unless It Is Ignored

While there is a lot to follow, expert observers say that there is no reason that a well-engineered and carefully monitored hybrid IPv4/IPv6 network can’t be as secure as an IPv4-only network. Indeed, it can be more secure. An IP security (IPSec) virtual private network is an important security tool that is an add-on in IPv4. It is built right into the IPv6 standard.

It is a particularly interesting area because of the different levels of security concern. Bob Hinden, a fellow at Check Point Software, first mentioned a comparatively non-technical issue when asked about IPv6 security. He said that policies — the goals and rules governing IPv4 — must be replicated on the new network: “If you have a security policy related to IPv4, you want to apply the same policy to IPv6,” he said. “The architecture is the same, though there are some incremental differences. You need security tools that can look at IPv4 and IPv6.”

Several other experts echoed the need to ensure that tools can test both schemes. In some cases, new tools need to be brought in. The need to ensure that policies and equipment are up to speed on IPv6 raises the bigger issue: It is vital that IT and security staffs are aware of the complexities of IPv6 and pay as much attention to it as they do to IPv4. It is another case of the lives of IT and security staffs growing more complex.

The reality is that there is a broad swath of concerns, wrote David Jacoby, a senior security researcher for Kaspersky Labs, in response to emailed questions. “We will have a period when people use both IPv6 and IPv4,” Jacoby wrote. “We are actually in the beginning of this period as we speak. You will have filtering devices such as proxies, firewalls, gateways and other systems that support both protocols, but might only have rules for one.”

The challenges — as the DDoS attacks prove — are immediate and pressing. “Before I joined Kaspersky, I also performed security audits,” he wrote. “We were able to penetrate networking devices using IPv6 because the only rules they had were for IPv4. I think this is quite a common problem.”
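One way to check for the gap Jacoby describes, as an added example that is not from the article: compare the IPv4 and IPv6 rulesets of a dual-stack Linux host, assuming they were exported with `iptables-save` and `ip6tables-save`. The two dumps are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample dumps in iptables-save / ip6tables-save format.
V4_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
V6_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Source/destination addresses are family-specific, so drop them before comparing.
ADDR = re.compile(r"\s(?:!\s+)?(?:-s|-d)\s+\S+")

def parse_save(text):
    """Return (chain policies, normalized rules) for the filter table."""
    policies, rules, table = {}, set(), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.add(ADDR.sub("", line))
    return policies, rules

def audit(v4_text, v6_text):
    """List every place where the IPv6 ruleset differs from the IPv4 one."""
    (p4, r4), (p6, r6) = parse_save(v4_text), parse_save(v6_text)
    findings = [f"{c}: policy is {p} for IPv4 but {p6.get(c, 'absent')} for IPv6"
                for c, p in sorted(p4.items()) if p6.get(c) != p]
    findings += [f"IPv4 only: {r}" for r in sorted(r4 - r6)]
    findings += [f"IPv6 only: {r}" for r in sorted(r6 - r4)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(V4_RULES, V6_RULES)))
```

The comparison ignores address-only differences by design; rules that name ICMP would still need to be mapped to their ICMPv6 counterparts by hand.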

There are three ways to enable IPv4 and IPv6 to coexist. The simplest is called dual stack. As the name implies, it is the creation of totally discrete and separate networks to handle each of the addressing schemes. Incoming packets are examined and sent to the proper system. The second approach also has an evocative name: tunneling. The family of procedures focuses on wrapping an IPv6 packet within IPv4. In essence, the IPv6 packet is secreted through the IPv4 system as a passenger. The third approach is translation. In this scenario, some mix of hardware and software is attached to key elements of the system in order to transition IPv4 addresses to IPv6.

Most experts think that dual stack is the most elegant (an engineering code word for “simple and less likely to cause problems”) approach to IPv6 deployment. There seems to be some disagreement, however, over which one is inherently most secure.

Torsten Linder, a support engineer for the German security firm Paessler, said that security in the tunneling realm is “a little more problematic” than dual stack because the traffic is exposed to every network device. In dual stack scenarios, the IT department can pick and choose which devices “see” the IPv6 traffic and, therefore, have less to oversee (and worry about). In tunnels, he said, “the possibility to make a mistake is greater” than in IPv6. “In dual stack you can say, ‘Yes, this machine is to be used for IPv6.’ It can be used for one, a couple or only a few. I think it’s not so high a risk.”

Not everyone shares that view. H.D. Moore, the CSO for security firm Rapid7, suggested that dual stack deployments are complex and add vulnerabilities. He said a full-scale dual stack deployment is risky unless an inventory system is in place to track assets.

Which approach is most or least secure is vital, of course. But it is not as important as understanding the bottom line, which is that any approach is safe as long as the people running things are committed to protecting IPv6 networks. Overworked, under-educated or lazy personnel who don’t properly configure IPv6 networks and otherwise shortchange security leave their organizations open to attacks.

It seems clear that the one thing that doesn’t change as IPv4 transitions to IPv6 is the need for due diligence.

Source: http://www.itbusinessedge.com/cm/community/features/articles/blog/ipv6-security-not-scary-unless-it-is-ignored/?cs=49891&page=2
