Article

The IPv6 transition: How to ensure cybersecurity

by Richard W. Walker, Contributor

With the pressure on federal IT managers to make the transition to IPv6, security experts advise the you shouldn't neglect the security lessons learned from IPv4's long run. The protocols may be different but many of the tried-and-true security techniques and technologies are largely the same and managers must make sure that they are incorporated into the new protocol, according to government IT security experts.

    Requires Free Membership to View

The size of the government IT infrastructure is vast and some agencies…are almost not getting started because of the size of the problem. So we've been trying to convey the message: Just get started

Doug Montgomery
Manager of the Internet and Scalable Systems Research Group, NIST

"We've had 20-plus years to hone, refine and develop the security protection techniques for IPv4 networks," said Doug Montgomery, manager of the Internet and Scalable Systems Research Group at the National Institute of Standards and Technology, which is spearheading the federal government's program to support a secure transition to IPv6. Under a new Office of Management and Budget mandate, agencies must upgrade external servers to use IPv6 by end of fiscal year 2012.

"If you're somewhat casual about the deploying a v6 native service into your enterprise without doing the equivalent security services on par with v4, it won't make you feel any better later if someone gets access to your network over a different protocol," he said. For government agencies, "any service that you turn on in an operational network is mission critical from the second you enable it. If [a hacker] tries to attack your network over v6, you need the security on the v6 side to be on par with v4."

With this principle in mind, Montgomery offered some common-sense tips for the transition to IPv6:

Apply rigorous oversight. Make certain your vendors and contractors provide IPv6 security at a level that is equivalent to that of IPv4. "That's really the most important message to convey to government managers," said Montgomery. For example, if you're doing port-based filtering in IPv4 then you should be doing port-based filtering in IPv6 in a very similar way, he said, adding that while "there are minor differences in how port-based filtering is encoded in IPv6, it's almost second-order details."

Leverage an accredited IPv6 test program. Ask vendors to demonstrate product security under NIST's USGv6 Profile and Testing Program. Many vendors are just getting up to speed on IPv6 products and services. "For many vendors, this will be code that is either recently completed or, as practical matter, not operationally tested all that much," Montgomery said. "Asking vendors to use an accredited test lab and submit a report is key," he said.

Don't be daunted. "Don't let the size of the task stop you from making progress," Montgomery said. "The size of the government IT infrastructure is vast and some agencies…are almost not getting started because of the size of the problem. So we've been trying to convey the message: Just get started."

Deploy IPv6 in increments. Take a few steps at a time. Choose one site or one service in your agency, deploy and be vigilant about security, and ramp up from there.

Don't lose sleep over dual stacking. According to NIST's new Guidelines for the Secure Deployment of IPv6 (SP 800-119) (.pdf), managers should plan for "a long transition period" with the co-existence of dual systems supporting both IPv6 and IPv4 for supporting legacy applications, services and clients. However, a dual protocol environment can require more complex configurations to install new equipment or to change existing equipment. As a result, "attacks against upper-layer protocols could use either the IPv4 or IPv6 stack to reach the client," said Shirley Radack, editor of the Information Technology Laboratory Bulletin in NIST's Computer Security Division.

This is a cause for concern for some managers. But Montgomery's advice to managers is not to worry. "If your level of trust or comfort isn't up to the point of dual stacking your existing production servers and you want to architect the v6 services so they run on a separate server, that's fine, as long as it's transparent to the external user," he said. "All that's being asked for [under government mandates] is that [a site] be transparent to the outside users when they go to 'www.agencyname.gov.' How you architect that on the backside can be a function of your security and network architecture--and in some ways you're level of comfort."

When all is said and done, the road ahead for secure IPv6 deployment is pretty straightforward for government managers. "It's one of those things where we just need to get the ball rolling and make some progress," Montgomery said.

About the author:
Richard W. Walker is a freelance writer based in the Washington, D.C., area who has been covering issues and trends in government technology for more than 10 years.

This was first published in March 2011

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.