How to Protect Upgraded IPv6 Networks

Be aware that the protocol presents different security concerns than its predecessor.

As organizations make the move to IPv6, their lack of experience with the protocol and varying levels of support among security wares can create vulnerabilities. What's more, many network devices come with IPv6 enabled.

IPv4 and IPv6 have some fundamentally different security concerns, and IPv6 should not be considered better than its predecessor from a security perspective. Follow these pointers to guard against the security risks inherent in IPv6 implementations.

1. Recognize the risks of dual-stack configurations.

In a dual-stack configuration, a device simultaneously supports IPv4 and IPv6. Firewall rule sets and other security controls that stop unwanted IPv4 traffic are unlikely to be effective at stopping any IPv6 traffic, so organizations typically need parallel security technologies to address IPv6 traffic.

Without these technologies, IPv6 is at high risk of being used to compromise or otherwise misuse a device, creating potential security compromises that can't be stopped or detected.

2. Disable and block IPv6 where it's not needed.

A general security practice is to disable all unnecessary network protocols. However, even if an agency has a policy against using IPv6, it may find that some devices are enabled for IPv6 use anyway.

Newer hardware often comes with IPv6 automatically enabled by default. And given the increasing popularity of bring-your-own-device
initiatives, it's likely that some of those devices will have IPv6 enabled. Disable IPv6 on government-owned devices when it's not needed and block all unwanted IPv6 traffic on wireless and guest networks.

3. Limit the permitted forms of IPv6 tunneling.

Tunneling encapsulates IPv6 packets within IPv4 packets. Each permitted form of IPv6 tunneling presents an additional attack vector and can conceal traffic from security examination.

Configure firewalls to permit only the forms of IPv6 tunneling that the IT department authorizes and block all others. Also, architect all IPv6 tunnels so that their internal contents are examined by firewalls, anti-malware software, intrusion detection systems, and other network security controls.

4. Compensate for the loss of Network Address Translation.

Network Address Translation (NAT) is a commonly used IPv4 network technology that, as a side effect of its function, provides a layer of protection in front of IPv4-enabled devices by concealing them from direct contact with external networks. Unfortunately, because there's no counterpart to NAT in IPv6 devices, those that were previously protected by NAT may now be directly exposed to attack.

This is particularly true on home networks where there are no other perimeter security controls in place. To mitigate this, ensure that any device running IPv6 is protected by a host-based or network-based firewall, at a minimum, that blocks unwanted incoming traffic.

5. Verify the IPv6 capabilities of security and administration tools.

Many existing host and network security and administration tools may not provide full-fledged support for IPv6. If allowing IPv6 use, manually verify that each tool can robustly handle IPv6 activity. For example, does local logging software support the logging of IPv6 addresses or just IPv4 addresses? Is the agency's security and information event management software able to reconcile multiple IPv6 addresses assigned to a single device into a single record?

Evaluate tools to ensure they work properly before deploying IPv6.

Sep 17 2013