Security will not come naturally with IPv6
The next generation of Internet Protocols has some security features built into it, but IPv6 is not inherently more secure than the current IPv4 now in use, said Brett Thorson, network and security architect at Excivity and a security adviser to the North American IPv6 Task Force.
Agencies should plan now to enable IPv6 on public-facing servers
IPv6 can be used to block, shield and hide data on your network, and the hackers already are learning to take advantage of this.
“This is what black hats are doing right now: They are planning their attacks for IPv6,” Thorson said today at the Next Generation Internet Conference in Washington hosted by the Digital Government Institute.
Although IPSec security is included in all IPv6 products, it is not enabled by most users, Thorson said. And when it is used, its effectiveness can vary because there are multiple ways to implement it.
However, the transition to IPv6 also offers opportunities for improving security. Greenfield installations can allow planners to design secure architectures, and features such as the ability of longer IP addresses can provide unique identifiers that can help identify every individual, device and process on a network, said Dale Geesey, principal with Auspex Technologies.
“There are a lot of challenges associated with the transition,” Geesey said. Meanwhile, IT administrators and network architects have several years to plan before IPv6 traffic and applications becomes a reality on government networks.
Agencies have enabled their network backbones to handle IPv6 traffic, but little, if any, use is being made of the new protocols. But as the existing pool of IPv4 address space is depleted over the next two years, growth in the public side of the Internet will increasingly come with new IPv6 addresses, said John Curran, president of the American Registry for Internet Numbers, one of five regional Internet registries. Three quarters of the available IPv4 address space has been allocated, and less than 11 percent remains available, he added. (Another 14 percent is unavailable for a variety of reasons.)
IT administrators will not necessarily have to transition their internal networks to IPv6, since they can continue to use IPv4 addresses, but public-facing servers will need to be enabled to use the new protocols as outside traffic increasingly is using IPv6, Curran said.
Many operating systems and other software now are enabled to accept IPv6 traffic by default, which can create problems if administrators are not aware of this and monitoring the traffic. Ignoring the protocols because a network that is not yet using IPv6 can be dangerous, Thorson said. “IPv6 is eventually going into your network whether you know if or not.”
Security has traditionally been added on after the fact in networks, devices and applications, and this has proved to be inefficient, ineffective and expensive. The increasingly complexity, size and speed of development for networks, applications and services will make it more important than ever that security be built in from the beginning, Geesey said.
Standards for IPv6 compliance are just now being completed and products conforming to the government’s IPv6 profile are not expected to begin arriving in agencies until July of next year. How and how well many security products such as logs, firewalls, antivirus, intrusion detection and other monitoring, blocking and filtering devices will handle IPv6 packets is an unknown. One vendor’s approach to handling IPv6 was to simply drop the packets, Geesey said.
Some features in IPv6 can make security management easier in theory, but how well any one feature on any single device will work and play with other applications in a network is not easy to guess.
“You need a person to sit there and turn one thing on at a time and see what happens,” Thorson said.
Agencies need to use the next two years to make it clear what they need and expect in IPv6 conformance and security, Geesey said.
“You have an opportunity to come to vendors and service providers and say this is what I need,” he added. “Vendors will respond. A $70 [billion] to $80 billion IT budget speaks.”