Move to IPv6 brings security challenges

Move to IPv6 brings security challenges

As IPv6 continues to gain traction, the issue of security on the new protocol has been widely discussed and debated. Some experts believe IPv6 is inherently more secure than IPv4, while others claim it opens the door for new security challenges.

The reality is probably somewhere in the middle. On the one hand, network security wasn’t as much of a concern when IPv4 was created, whereas IPv6 was built with an emphasis on security.

One of the advantages of IPv6 is that IPsec, which defines policies for secure communication in a network, is mandatory. IPsec has been available on the old protocol; it just hasn’t been required. The difference between required and optional support of IPsec is what many analysts point to as a more secure protocol with IPv6.

Another security advantage of IPv6 is that it eliminates the need for Network Address Translation (NAT). Security is more difficult to deploy with NAT because it disrupts IP layer traceability.

Security problems attributed to the new protocol often stem from a failure of personnel to realize they have IPv6 enabled devices.

The new protocol is rapidly being deployed, so it’s easy to overlook its presence on your networks. For example, the latest measurements show that Time Warner Cable has reached 17.75 percent deployment of IPv6, Comcast has achieved 34.51 percent, AT&T is at 52.42 percent, and Verizon is at 68.73 percent, according to the Internet Society, the organizer of World IPv6 Launch.

If you have IPv6 enabled on devices without your knowledge, you make it easier for hackers to avoid detection. Malware could be spread between systems using IPv6 if nobody is monitoring that channel.

Another security issue is the failure to properly upgrade security systems to be compatible with the new protocol.

IPv6 enabled devices could wreak havoc on IPv4-only networks in a number of ways. An NIDS that detects attack patterns on IPv4 may not be able to detect the same patterns on IPv6. In the same way, IPv4 firewalls may not enforce security policies in IPv6. Even if NIDS or firewalls support both protocols, they need to be configured to enforce controls and policies on IPv6 traffic.

IPv6 support could also result in Virtual Private Network (VPN) traffic leaks if VPN software is employed by dual-stacked hosts.

As with all new innovations and deployments, it’s important to invest in training and awareness to be prepared for the changes those systems and protocols bring.

Copyright 2015 – IT Training Solutions, Inc.

No Comments

Post a Comment