There has been a lot of discussion lately about the potential for IPv6 to create security issues. While IPv6 deployment definitely carries some security risks, a carefully considered implementation plan can help mitigate them.
As we approach World IPv6 Launch tomorrow, I thought it prudent to share the incident described below, which iDefense recently observed. This incident illustrates the disruptive capability of IPv6 in action and also prompted me to think about what IT professionals need to do to help make sure their network infrastructure is ready for the impending launch of IPv6.
During a recent incident, attackers compromised an organization’s network and were able to activate the IPv6 protocol on the organization’s routers. In this case, as in many enterprises, network and security engineers were not fully monitoring IPv6 traffic within their networks. By using IPv6, the attackers who caused this incident flew completely under the radar and were able to transmit their stolen data unnoticed.
Cases such as these present one of the greatest risks to organizations, but have gone mostly unreported. They also bring to light how important it is for administrators to monitor IPv6 traffic in their networks just as robustly as IPv4 traffic, so that they better understand specific IPv6 attack vectors and traffic characteristics.
Even if an organization is not planning to implement IPv6, it is in their best interest to deal with IPv6 traffic exposures as soon as possible, as they may already have devices, operating systems and transitional configurations in place on their networks that can make them susceptible to cyber criminals.
The following are some best practices for handling the transition to IPv6 no matter what your migration plan is:
- Begin monitoring networks for IPv6 traffic now.
- If you’re not monitoring for IPv6, turn off IPv6 everywhere to ensure that there are not any unknown paths through an organization’s network. This includes turning off IPv6 interfaces and tunneling protocols.
- Begin thinking about what is required to build the security that organizations need to use IPv6 within the application layer.
- Do an IPv6 pilot on a small portion of the network, potentially using a transitional technology.
- Develop a plan to transition an entire network to IPv6 incrementally.
- Execute the plan once it’s ready, and once committed, execute quickly to avoid vulnerabilities.
- Acquire and test IPv6-aware monitoring and assessment tools.
Has your organization started actively planning for the launch of IPv6?
Written by Rick Howard, General Manager, iDefense at Verisign