7 points your security team needs to know about IPv6 (but probably doesn't)

The IPv6 protocol affects the security of your network even if you haven't deployed it internally. Here are the most important points every security team needs to understand about the protocol.

If you think your security team does not have to know about IPv6 because it’s not yet deployed in your organization, think again. Your employees and networks depend on Internet Protocol version 6, the modern communications protocol for computers and networks connected to the internet, whether you’ve deployed it or not. Failure to understand IPv6 and how it works with your networks could make them vulnerable and create a risk for your organization.

Every security admin should understand the following seven key points about IPv6:

1. IPv6 is more popular than most realize

Security administrators, and most IT staff for that matter, don't realize the extent to which IPv6 has already been deployed on the Internet. Consequently, most security administrators believe that they don't need to address IPv6 security. Since they have not enabled IPv6 in their enterprise, they don’t see the need to take steps to secure it.

IPv6 is embedded and enabled by default in all modern operating systems. This includes systems in the enterprise data center and cloud environments that must meet security compliance regulations. If those IPv6-capable devices connect to an IPv6-enabled network, they will use IPv6 to make connections.

The internet core is already IPv6-enabled, and mobile wireless carrier networks use IPv6 extensively. In fact, your mobile phone likely uses IPv6 and you don't even realize it. Many residential internet services also use IPv6, and subscribers with relatively new modems and routers likely have IPv6 inside their home LAN. Over 30% of the top websites use IPv6, and Google observes over 30% of its global users are using IPv6 (higher in countries like India and the US). Many places on the internet have surpassed 50% IPv6 usage, making IPv4 the minority protocol there.

2. Employees use IPv6

Security administrators have failed to adequately address IPv6 security for their Internet-connected users. Remote employees use IPv6. Operating systems running on the end-user mobile devices are IPv6-enabled by default and use IPv6 to make connections over the internet. This is even more common today as the COVID-19 pandemic has forced work from home.

Corporate VPNs often don't have IPv6 configured. Therefore, the end-user's IPv6 traffic goes from their devices directly to the internet, bypassing any corporate security controls. This is called IPv6 VPN breakout; it has been known for many years but is still lost on many firewall administrators.
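The breakout described above is visible in the host's own routing table: when the VPN only installs IPv4 routes, the IPv6 default route learned from the local router (via Router Advertisement) stays pointed at the physical interface. The following is an added example, not code from the article, that parses the output of `ip -6 route show` on Linux and reports whether IPv6 internet traffic would leave through the VPN tunnel or around it. The three route listings are constructed samples; the tunnel interface name `tun0`, the documentation prefix `2001:db8::/32`, and the assumed default metric of 1024 for routes printed without one are assumptions of the example.

```python
import re
from typing import List, NamedTuple, Optional


class DefaultRoute(NamedTuple):
    dev: str
    via: Optional[str]
    metric: int


# Matches lines such as:
#   default via fe80::1 dev wlan0 proto ra metric 600 expires 1797sec pref medium
#   default dev tun0 metric 50 pref medium
DEFAULT_RE = re.compile(
    r"^default(?:\s+via\s+(\S+))?\s+dev\s+(\S+)(?:.*?\bmetric\s+(\d+))?"
)

# Constructed samples of `ip -6 route show` output. The VPN interface is tun0.
# Case A: IPv4-only VPN. The laptop learned an IPv6 default route from the
# home router's Router Advertisement on wlan0, so IPv6 traffic bypasses tun0.
ROUTES_BREAKOUT = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:abcd:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 expires 1797sec pref medium
"""

# Case B: dual-stack VPN that installs its own, lower-metric IPv6 default route.
ROUTES_VPN = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:abcd:1::/64 dev wlan0 proto ra metric 600 pref medium
2001:db8:ffff:1::/64 dev tun0 proto kernel metric 50 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 expires 1797sec pref medium
"""

# Case C: LAN without an IPv6 router. Only link-local routes, no default route,
# so the host cannot reach the IPv6 internet at all.
ROUTES_NONE = """\
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
"""


def default_routes(text: str) -> List[DefaultRoute]:
    """Extract every IPv6 default route from `ip -6 route show` output."""
    routes = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            via, dev, metric = m.group(1), m.group(2), m.group(3)
            # Assumption: a route printed without a metric uses the kernel's
            # default of 1024 for IPv6.
            routes.append(DefaultRoute(dev, via, int(metric) if metric else 1024))
    return routes


def ipv6_path(text: str, vpn_iface: str) -> str:
    """Classify where IPv6 internet-bound traffic would go while the VPN is up.

    Returns 'none' (no IPv6 default route), 'vpn' (best default route is via
    the tunnel) or 'breakout' (best default route bypasses the tunnel).
    The lowest metric wins, which mirrors the kernel's choice between
    competing default routes in the main table.
    """
    routes = sorted(default_routes(text), key=lambda r: r.metric)
    if not routes:
        return "none"
    return "vpn" if routes[0].dev == vpn_iface else "breakout"


if __name__ == "__main__":
    for name, sample in (("A", ROUTES_BREAKOUT), ("B", ROUTES_VPN), ("C", ROUTES_NONE)):
        print(f"case {name}: IPv6 path = {ipv6_path(sample, 'tun0')}")
```

Metric ordering is the common case, not the whole story: policy routing rules (`ip -6 rule`) or a VPN client that manipulates the table in other ways can change the outcome, so on a real endpoint cross-check with `ip -6 route get <public IPv6 address>` and confirm the reported interface is the tunnel. The same comparison for IPv4 shows why the problem goes unnoticed: the IPv4 default route does point at `tun0`, so an IPv4-only test of the VPN passes.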

Maybe the organization sensed the shift to the cloud and procured a cloud access security broker (CASB) service to enforce corporate security policy. However, not all CASB vendors support IPv6. IPv6-connected end-users might be able to bypass the CASB security controls as they use IPv6 to connect to popular sites.

3. IPv6 is already in your enterprise

Most security practitioners haven't spent much time learning about IPv6. Enterprise security administrators might believe that IPv6 deployment falls on the shoulders of the network administrators. The security teams think that they don’t have to learn about or secure IPv6 until it’s finally implemented in the enterprise.

Many security admins don't understand how the IPv6 protocol functions across the internet, on the corporate WAN, or on LANs. For example, the IPv6-enabled operating systems connected to enterprise wired and wireless access networks are sending IPv6 packets and can reach each other using Link-Local IPv6 unicast and multicast communications. IPv6 is already inside the enterprise.
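Both the "enabled by default" point in section 1 and the link-local reachability point above can be confirmed from any host without deploying anything. The following is an added example, not code from the article, that parses Linux `ip -6 addr show` output and classifies every address by scope: a global unicast address means the host will already prefer IPv6 to dual-stack destinations, and a link-local address on a LAN interface means neighbours on that segment can reach it over IPv6 with no router involved. The listing is a constructed sample using the documentation prefix `2001:db8::/32`; the interface names and the unique-local address are assumptions of the example. Scopes are derived from the address itself rather than from the `scope` field, because `ip` prints unique-local addresses as `scope global`.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip -6 addr show` from a workstation on a LAN whose
# router sends Router Advertisements. Nobody "deployed" IPv6 here; the
# operating system configured all of this on its own.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:abcd:1:8a2e:370:7334:1/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 86389sec preferred_lft 14389sec
    inet6 fd12:3456:789a:1::42/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::1ff:fe23:4567:890a/64 scope link
       valid_lft forever preferred_lft forever
"""

IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)[@:]")          # "2: eth0: <...>" or "3: eth0.100@eth0:"
INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\S+)")

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")        # RFC 4291 global unicast range
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 ULA


def classify(addr: ipaddress.IPv6Address) -> str:
    """Map one address to the scope a defender cares about.

    ipaddress.IPv6Address.is_global is deliberately not used: it reports
    False for the 2001:db8::/32 documentation prefix used in the sample.
    """
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_ip6_addr(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {interface: [(address, kind), ...]} from `ip -6 addr show` output."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    iface = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            report.setdefault(iface, [])
            continue
        m = INET6_RE.match(line)
        if m and iface is not None:
            addr = ipaddress.IPv6Address(m.group(1))
            report[iface].append((str(addr), classify(addr)))
    return report


def has_global_ipv6(report: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True if any interface holds a global unicast address, i.e. the host
    will use IPv6 to reach dual-stack destinations on the internet."""
    return any(kind == "global" for addrs in report.values() for _, kind in addrs)


def lan_reachable_ifaces(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Interfaces carrying a link-local address: any neighbour on the same
    segment can reach this host over IPv6 without a router in the path."""
    return [iface for iface, addrs in report.items()
            if any(kind == "link-local" for _, kind in addrs)]


if __name__ == "__main__":
    rep = parse_ip6_addr(SAMPLE_IP6_ADDR)
    for iface, addrs in rep.items():
        for address, kind in addrs:
            print(f"{iface:8} {kind:13} {address}")
    print("global IPv6 present:", has_global_ipv6(rep))
    print("link-local reachable on:", lan_reachable_ifaces(rep))
```

Run across a fleet (feeding the real `ip -6 addr show` output in place of the sample), the report gives the visibility that section 7 calls for: which hosts already have routable IPv6 and which segments have IPv6 neighbour reachability, before any firewall rule for IPv6 exists.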

Security administrators need to learn about the IPv6 protocol and anticipate attacker behavior. However, good-quality IPv6 training resources are limited. There are many IPv6 books (but only one book on IPv6 security), some online training materials, and live instructor hands-on IPv6 training from a few providers. The best way to get up to speed is to be trained by an IPv6 expert using a hands-on IPv6 lab environment to simulate IPv6 attacks and learn how to protect against them.

4. IPv6 is no more or less secure than IPv4

The benefits of deploying IPv6 are derived from its humongous address space, which eliminates the need for IPv4-like network address translation (NAT) and allows for greater network scalability than IPv4. IPv6's lack of NAT doesn't make networks weaker (RFC 4864). In fact, it strengthens them by reducing the anonymity that results from modifying the source address in the packet header. Native end-to-end routed protocols facilitate forensics and can increase the authenticity of connections.

No inherent security is built into the IPv6 protocol, just like no security features are built into IPv4. Both protocols can use IPsec, but it is optional and not mandated for all communications. IPv4 and IPv6 both provide the routed-protocol foundation for secure application-level protocols like Transport Layer Security (TLS) and Secure Shell (SSH).

5. Vendor products lack IPv6 security features

We can all agree that proactively securing IPv6 ahead of deployment is the proper approach. However, it’s a problem if an enterprise proceeds with deploying IPv6 and later learns that its security vendor only has IPv4 features. The enterprise must halt deployment to wait for the vendor's product development schedule, rapidly replace the product with one that is IPv6-capable, or worse, leave IPv6 running unprotected.

Survey the security protection measures that are in use to determine their level of IPv6 capability. Focus initially on the internet perimeter security systems such as firewalls, intrusion prevention systems (IPSs), malware protections, secure web gateways (SWGs), proxy servers, reputation filtering, and threat intelligence feeds. Some vendors may simply list "IPv6" on their product data sheet, which will require further investigation to determine the actual level of parity between their IPv4 and IPv6 features.

For example, it is a risk if you use a web application firewall (WAF) to protect against the Open Web Application Security Project (OWASP) Top 10 that has only IPv4 features but the web server is dual-protocol. If the WAF is required for PCI-DSS security compliance, then this might be a compliance violation. It would be better to know of the WAF's IPv6 deficiency and upgrade it or replace it with a full dual-protocol one before IPv6-enabling the web server.

Strive to achieve equal protections for IPv6 and IPv4. Ask vendors about detailed IPv6 capability in their products and services so you know where you stand and can plan for the secure deployment of IPv6.

6. Unprepared security teams can stop IPv6 deployment

If the security team is not ready for IPv6, then it can delay or halt the enterprise IPv6 adoption progress. There is a risk for the enterprise if security teams are not involved in the eventual IPv6 deployment. Imagine a boardroom setting where the CIO expresses an urgent business need to deploy a cost-saving IoT system using IPv6 that needs to be secure from the start. The CIO turns to the CISO and asks, "What are you doing about IPv6 security?" The CISO responds with either "Nothing!" or "I'll have to get back to you on that."

An example of this scenario was cited in a recent US Government Accountability Office (GAO) report on the Department of Defense (DoD) IPv6 implementation progress. The GAO's report mentioned, "The department ended the effort due to security risks and a lack of personnel trained in IPv6".

Business doesn’t want the security teams to stonewall IPv6 deployments. The enterprise security teams are critical to the successful deployment of IPv6. Engaging with the interdisciplinary IPv6 implementation teams and making security a key stakeholder in the IPv6 implementation is essential.

7. IPv6 needs to be secured from the onset, not retroactively

IPv6 is an inevitability. Enterprise security administrators must embrace it sooner rather than later. Are security teams going to wait until the Internet reaches 75% IPv6 utilization to start to learn about IPv6 and secure it? IPv6 is mainstream and most enterprise security teams are behind the technology curve.

If security teams are proactive, then they can enable IPv6 and control it rather than be fearful of something they don't understand and is largely invisible to them. Instead of trying to disable IPv6 everywhere (a completely fruitless endeavor), it is better to enable IPv6, gain visibility to it, and control it per the corporate security policies. Security teams are encouraged to plan and deploy IPv6 securely from the start rather than try to address security as an afterthought.

Copyright © 2020 IDG Communications, Inc.