News

Six ways to secure IP V6

Sanil Nadkarni

Indian businesses must wake up and take charge of the inherent security threats that migrating to IP V6 brings.

The Indian government recently published the second version of its roadmap for the migration from IP v4 to IP v6 to support a massive 600 million users.

With deployment of IP V6 speeding up, organizations should address the security issues in an orchestrated manner by upgrading existing infrastructure and making network and security appliances ready for IP V6.

IP V6 brings enhancements and out-of-the-box features, but it also brings a different attack vector to the IT ecosystem. “We are seeing an increase in customer request[s] for IP V6 vulnerability assessment and Web development testing,” Amit Singh, a consultant in a vulnerability analysis/penetration testing advisory firm, said.

IPv6 is becoming a reality, but the protocol is far from perfect. Here are six security concerns you should be aware of when planning an IP V6 migration.

Operating systems have IP V6 enabled

Most of the latest operating systems are now shipped with IP V6 enabled, but users may not be aware they are using IP V6. Hackers can take advantage of this vulnerability and plant an arbitrary packet on the network. Therefore, companies should disable or shut down the IP V6 service and block the IP V6 traffic on the gateway, unless they have a specific business requirement not to do so.

Time to upgrade the security appliances

Existing security appliances—such as firewalls, intrusion detection systems and intrusion prevention systems—protect the network from attacks. However, many security appliances are not yet compatible with IP V6. Organizations should be careful to check their security appliance specs to ensure IP V6 compatibility. In addition, they can look for third-party certification that the product can handle IP V6.

ICMP and multicast risk

Most organizations have a policy to filter out Internet Control Message Protocol (ICMP) packets at the gateway. However, with IP V6, ICMP has new functionality and features such as fragmentation, neighbor discovery and stateless address auto-configuration. Although organizations use multicast traffic for multicast router discovery (which essentially discovers routers on the network), using ICMP and multicast may expose your network to DoS or smurf attacks.

Reputation-based protection does not exist

In the IP V4 protocol, IP address blacklisting occurs through the reputation database, which maintains the lists of malicious websites. IP V6 does not have this database yet. It will take time and effort to create reputation databases for IP V6, leaving the door open for hackers for now.

Automatic tunneling

IP V6 coexists with IP V4 in the network. Many companies use technology such as automatic tunneling on the network when both protocols are present. Automated tunneling encapsulates the IP V6 packets into the IP v4 packets using Teredo and 6to4 mechanisms. Because packet encapsulation at the egress firewall could pose a considerable security threat to the corporate network, companies should block the traffic at the border.
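
To make the border check concrete, here is an added example (not part of the original article) of how a sensor can recognise the two tunneling mechanisms in IP v4 traffic: 6to4 travels as IP protocol 41, and Teredo travels as UDP on port 3544. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_41 = 17, 41   # protocol 41 = IPv6 carried directly in IPv4 (6to4, 6in4)
TEREDO_PORT = 3544             # Teredo wraps IPv6 in UDP to or from this port
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")

def classify_ipv4_packet(pkt: bytes) -> dict:
    """Flag one raw IPv4 packet that tunnels IPv6; report inner addresses if visible."""
    result = {"tunnel": None, "inner_src": None, "inner_dst": None}
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        return result
    proto, payload = pkt[9], pkt[ihl:]
    # Only the first fragment carries the UDP header or the inner IPv6 header.
    first_frag = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    if proto == PROTO_41:
        result["tunnel"], inner = "proto41", (payload if first_frag else b"")
    elif proto == PROTO_UDP and first_frag and len(payload) >= 8:
        if TEREDO_PORT not in struct.unpack("!HH", payload[:4]):
            return result
        result["tunnel"], inner = "teredo", payload[8:]
    else:
        return result
    # Teredo may prepend authentication/origin headers; then no inner address is read.
    if len(inner) >= 40 and inner[0] >> 4 == 6:
        src, dst = ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])
        result["inner_src"], result["inner_dst"] = str(src), str(dst)
        if proto == PROTO_41 and (src in SIX_TO_FOUR or dst in SIX_TO_FOUR):
            result["tunnel"] = "6to4"
    return result

# --- constructed sample packets (hypothetical addresses, checksums left at 0) ---
def build_ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address("192.0.2.10").packed,
                       ipaddress.IPv4Address("198.51.100.20").packed) + payload

def build_ipv6(src: str, dst: str) -> bytes:
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SIXTO4_PKT = build_ipv4(PROTO_41, build_ipv6("2002:c000:20a::1", "2001:db8::1"))
TEREDO_PKT = build_ipv4(PROTO_UDP, build_udp(50000, TEREDO_PORT,
                        build_ipv6("2001:0:c633:6414::1", "2001:db8::2")))
DNS_PKT = build_ipv4(PROTO_UDP, build_udp(50000, 53, b"\x00" * 12))
```

A non-first fragment of a protocol 41 packet is still flagged by protocol number alone, which is why a border rule should match on the protocol and port rather than on the inner header.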

Train the staff

With hackers expanding their skills on the IP V6 infrastructure, and in-house IT falling behind, training becomes pivotal. Organizations should train key staff on IP V6. Consider role-based training as part of the plan. Organizations may also want to incorporate IP V6 skills into their hiring strategy.