World IPv6 Launch Day: A Security Risk?
Make sure your network has visibility and controls for IPv6 in place before enabling the protocol by default, experts say.
When World IPv6 Launch Day dawns on June 6th, IPv6 services will be enabled on thousands of sites around the world and left on. As the 32-bit IPv4 address space has been exhausted, there is a need for global carriers to move to the larger 128-bit address space that IPv6 provides. But will your organization be ready for the new security issues raised by IPv6?
In an interview with eSecurity Planet, Chief Security Officer Danny McPherson of VeriSign cautioned that IPv6 is both an opportunity and a potential security risk. VeriSign is responsible for two of the 13 root DNS servers that sit at the heart of the Internet's core infrastructure, as well as the .com and .net Top Level Domains -- and as such, the company holds a critical role to play in the safety and security of the Internet.
Although IPv6 is already available as an addressing system on a large number of devices, the new security challenges derive from a lack of IPv6 security visibility, McPherson said.
"A lot of security devices and controls for Internet infrastructure don't have the same functional parity as IPv4," McPherson said. "So what happens is that you now have systems out there that are listening and accessible with the exact same content as IPv4, but you don't have the same visibility and control to protect those resources."
So how should an enterprise organization navigate the IPv6 transition? McPherson emphasizes that visibility and controls for IPv6 should be in place on the network before IPv6 is enabled by default.
"If you don't have that visibility into IPv6, you should probably consider explicitly disabling IPv6 on your systems until you can take a very concerted approach to enabling IPv6 in a secure manner," McPherson said.
Currently, there is no standard plug-and-play method for ensuring IPv6 security. That said, McPherson said that the upshot of having the World IPv6 Launch event is that there is more interest in IPv6 and vendors are beginning to build better technologies as adoption grows.
"At VeriSign we've had various aspects of IPv6 enabled for the better part of a decade," McPherson said. "What we've realized is that more networking equipment vendors are now beginning to provide better IPv6 capabilities out-of-the-box," McPherson said.
Auditing IPv6 Security
Determining whether or not an IPv6 deployment is secure is a somewhat different process than IPv4. Since the address space of IPv6 is so much larger than IPv4, scalability is a significant hurdle to overcome. McPherson noted that while many IPS and firewall technologies today support IPv6, the bigger question for him is if they can support IPv6 at scale. To compensate for vendor shortcomings, VeriSign has had to over-invest in their IPv6 infrastructure in order to achieve Internet scale.
With IPv4, it was also possible for a security professional to scan an entire subnet and see what was happening. With IPv6, that's no longer possible as the subnets are vastly larger. So what McPherson recommends is that security professionals couple active measurement and access control to the infrastructure with scanning.
"So anytime something is attached to a port, you need to figure out why and who was given access to that port," McPherson said. "The minute that port becomes active you need to understand and know what every reachable device is from that port."
VeriSign conducts this IPv6 auditing by way of custom-built network access control tools. Access control is strictly managed to make sure that explicit control is granted to devices on the network. For VeriSign, it's a mix of intelligence that ensures that all access is well understood in terms of who is using what and when.
IPv6 data packets also provide additional headers, known as Extension Headers, that can potentially make it easier to manage access.
"Some Extension Headers should never leave the local access network and some shouldn't go beyond a scope domain," McPherson said. "It's important that you have explicit policies in place for Extension Headers that mimic your overall security policy."
Although VeriSign has not seen any significant attacks at scale against IPv6, that's likely to change in the future.
"As the target density gets richer, IPv6 will get attacked," McPherson said.