Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Advice On Secure Implementation of IPv6

Stonesoft Networks : 07 June, 2012  (Technical Article)
Stonesoft offers 10 pieces of advice on securely implementing IPv6 in the workplace as the new protocol comes on stream
Advice On Secure Implementation of IPv6
Many organisations are being misled about the complexities surrounding IPv6 security, according to Stonesoft, a global provider of proven, innovative network security solutions. Having worked with the world’s largest sources of IPv6 traffic, Stonesoft is actively helping enterprises and public agencies implement IPv6 in a way that is secure and cost-effective. The company shares a list of 10 insights to help CISOs and network managers weed through the hype surrounding IPv6 security and prioritise their security initiatives.

“A lot of people think there isn’t much difference between securing IPv6 traffic and IPv4 – and that’s not true. This misperception is compounded by the fact that organisations aren’t sure what needs to be done when, and that vendors are making false claims about how well their products perform in an IPv6-ready network,” said Ash Patel, country manager for UK and Ireland at Stonesoft.

Drawing on its experience with large-scale IPv6 deployments, Stonesoft shares the following tips on IPv6 security:

1. Revamp your existing network: Revamping your IPv4 network involves cleaning up, throwing out and upgrading. Clean up and kick out outmoded and outdated features. The upgrading consists of ensuring every aspect of your network that can be effectively ungraded to the next level. Starting with a clean, uncluttered slate makes it much easier – and safer – to implement IPv6 without a ton of hassle and possible problems.

2. Plan a gradual introduction: Take a cue from the Social Security Administration, which has been working with IPv6 for more than a half-decade already. The full implementation is planned for three stages over a span of another six years. You do not have to tread as slowly as the government, but gradually introducing IPv6 gives you plenty of time to ensure IPv6 is going to function with your now-state-of-the-art IPv4 infrastructure. It also keeps your budget in check.

3. Go for dual stack: Opt for dual stack mode for your IPv6 implementation. Dual stack comes with a host of benefits, although it may require router upgrades to meet the memory and power demands to support running both IPv4 and IPv6 simultaneously. In addition to being straightforward to implement, the dual stack approach allows your system to support applications that are not yet functional with IPv6. It can also help eliminate the need for tunnels, which is already being viewed as a veritable breeding ground for security issues.

4. Take care of your tunnels: The National Institute of Standards and Technology’s “Guidelines for the Secure Deployment of IPv6” suggests viewing and treating tunnels that same way you would an external link: with extreme caution. It recommends inspecting every single shard of tunnel traffic before you permit it to either enter or exit your system. This inspection consists of reviewing all IPv6 traffic, including those within the IPv4 packets, with the same scrutiny and systematic examination you give to all your traffic. Suggested tools include the usual gamut of virus protection, intrusion detection, network ingress filtering, packet filters and application proxies. Further, fortify the tunnel endpoints with even more stalwart security measures, such as authentication.

5. Mind the malicious: Malicious users are already infiltrating IPv6 quicker than they have hit other advancements. Do not forget the warnings about the dangers of router advertisements and man in the middle attacks. Some attacks can delve deep into your network before you even realise anything is amiss, making them more destructive than ever. These and similar attacks are coming from scripts that are almost too easy to use. Memorising every type of attack and the solution to go with it would be impossible. Being aware that many already exist and many more are sure to come is crucial.

6. Upgrade to a certified firewall: Be careful about claims concerning IPv6 readiness. Without outside verification, it is likely the vendor may have just pointed a traffic generator at their product and claims it works.  You must look at products that have undergone third-party certification. They can apply hands-on testing using publicly accepted evaluation methods to assure you know exactly what your firewall can handle.

7. Require authentication: Authentication is more critical and, fortunately, easier than ever before. Stonesoft recommends looking into the use of an HTTP/HTTPS proxy for users to access the Internet. Once you set up required authentication to even get online, you have reduced the threat of unwanted parties entering your party without your approval.

8. Hit the books: Know IPv6 syntax. The syntax is very similar to that used with IPv4, but with notable differences in the foundation. Knowing the syntax makes it much easier to quickly know how to deal with a security breach or implement necessary measures. Since IPv6 has technically been around for more than a decade, there is no shortage on information on the subject from several technology giants – as well as a 188-page guide from the U.S. government.

9. Hit the “off” button: Shutting off IPv6 capabilities when you are not using them may sound like a no-brainer, but it may not be as straightforward as you think. That’s because a number of programs have already been configured to work with IPv6, and just as many may already have the protocol turned on automatically by default. Check, double-check and triple-check your environment to ensure IPv6 is only enabled when it’s actually be used. Deploying a mechanism with the ability to disable IPv6 in bulk may be a wise investment.

10. Know how to kill: Even with large portions of your network disabled for IPv6, you can still face the threat of unwanted IPv6 visitors. When that becomes the case, you want to know how to kill it before it can infect others associated with your network. This is where knowing IPv6 syntax can be a lifesaver, particularly for setting up effective firewalls and traffic filters. You can create filters that let in what you want, keep out what you don’t, and help to ensure when you’re up and running with IPv6 you are actually up and running.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo