Decoding IPv6: Four Misconceptions that Security Execs Need to Know

IPv6. It’s big, unavoidable, exciting, and concerning… 

The Internet protocol that we’ve come to know and love (IPv4) is about to get a facelift (or, at least a serious shot of HGH). The tech community is bracing for a wild ride ahead -- guaranteed to be riddled with successes, failures, and security snafus as IPv6 is rolled out. In fact, we just saw the first DDoS attack targeting IPv6 networks earlier this month -- making this a very timely topic.

Tomorrow morning, I’ll be on a panel at the RSA Conference speaking about vulnerability management in an IPv6 world, and we’ll outline what security professionals need to think about when considering the transition to IPv6. In advance of that, allow me to clear up a few misconceptions.

  1. IPv6 is more secure. Sure, IPv6 has built-in support for IPSec, but IPv4 supported IPSec pretty well already. The real threat is the near-term transition that hundreds-of-thousands of businesses will be forced to make to a new, unproven technology. There are significant risks around misconfigurations that can lead to crippling holes in your network or even broader outages.
  2. Lack of NAT support in IPv6 puts companies at risk. The majority of technology professionals associate NAT with their firewall, so eliminating NAT from IPv6 presents a gap in security, right? Wrong. NAT isn’t a security feature, it’s meant to allow several private IP addresses to share the same global IP address -- a big benefit when IPv4 addresses started to run out. The truth is, by eliminating the need for NAT, IPv6 will help reduce network configuration headaches.
  3. IPv6 is too big to scan, making it impossible for hackers to breach an IPv6 network. Where there’s a will, there’s a way, and hackers are more than up to the challenge of breaking through IPv6 networks. People are forgetting that a blind, brute-force attack is not the only way to breach a network. IPv6 addresses follow specific patterns, and penetration testing experts and hackers are improving their odds of success by refining their scans to take advantage of these known patterns. 
  4. Carriers will manage business’ transition to IPv6. Carriers will be responsible for upgrading their own infrastructure for IPv6 support, but enterprises will be 100% responsible for enabling their Web and network content, including routers, firewalls, and web services. If your business doesn’t have a transition plan in place, get moving. The Obama Administration has mandated that all U.S. federal agencies upgrade their public-facing websites and services to support IPv6 traffic by September 30, 2012.

The landscape for IPv6 continues to change and will become more complex as rollouts increase. With a substantial increase in IP addresses, we need to rethink traditional vulnerability scanning techniques (a scan that used to take minutes, can now take months). During our panel discussion at RSA tomorrow morning, we’ll discuss how IPv6 networks challenge many pre-existing security strategies and new techniques that will help businesses implement a sound security foundation in IPv6 environments.