Transforming IT Blog
Join us in the Transforming IT HP Blog where we will discuss reinventing IT to overcome obstacles and take advantage of Instant on Enterprise opportunities.

IPv6 Security: Your First Priority

 

By Jeff Enters

 

You might not know it, but IPv6, the next-generation Internet protocol, is probably already running on your network. And unless you’re aware of this and have taken specific steps to prepare for it, IPv6’s mere unmonitored presence is creating security vulnerabilities on your network.

 

You’re probably wondering how this is possible. Well, vendors have been making their products IPv6 compatible for over a decade. So if you've purchased any new network gear or upgraded an operating system recently, IPv6 is probably part of your IT ecosystem.

 

Many routers, switches as well as major operating systems, including Microsoft Windows 7, MacOS, and Linux, now ship with IPv6 capabilities. Most of the operating systems enable IPv6 by default. So if you're not intentionally running IPv6 on your network, you should be aware of the inherent risk.

 

 

So how does IPv6-enabled gear create a security risk?

If IPv6 is quietly running on your network, it has the ability to create an unmonitored tunnel through your corporate firewall straight onto the IPv6 public internet. Operating systems, like Windows 7, are shipping with an automatic tunneling mechanism enabled by default. That, coupled with its preference for using IPv6, gives your OS the ability to automatically bring up an unmanaged and encapsulated tunnel to the internet.  

 

Let’s say an employee, customer or contractor has a Windows 7 computer on your network, but no IPv6 security measures have been taken. A hacker can exploit that capability by directly communicating with the machine’s unprotected global IPv6 address.

 

Once a hacker figures out how to exploit an unmonitored IPv6 connection, he can gain control over the user's laptop, access any local data and create a bridge to your network where your corporate assets can be accessed.  

Just disabling IPv6 at the workstation level may seem like the easiest approach; however, there are a couple things to keep in mind:

 

  1. Microsoft recommends that customers do not disable IPv6 (Technet Blog).

  2. Disabling IPv6 will not prevent direct unmanaged IPv6 PC to PC communication on your internal network. For example, a contractor or customer can gain access to another contractor/customer’s computer, via IPv6, while they are both on your network.

 

 

Get control over IPv6 traffic

You can disable IPv6 in your hardware and OSes, but that won't necessarily block IPv6 traffic from sneaking onto your network—and just disabling IPv6 can cause performance issues with your OS and applications.

 

Early adopters have reported performance issues with Windows 7 after they've disabled IPv6; this varies widely, depending on each IT environment, but it's important to understand the impact that disabling the new protocol can have on your IPv6-enabled applications.

 

To get around this, consider leaving IPv6 enabled, even if you don't plan to implement it, and take specific actions to protect against IPv6-based security threats.

 

Here are four steps you can take to begin mitigating the security risk without having to disable IPv6:

 

  1. Start by determining what hardware and software on your network is IPv6 enabled. You need to know exactly where the protocol is and if it's running so that you can set up appropriate traffic filters.

  2. Protect the edge of your network to prevent unknown and unmanaged IPv6 ‘islands’ at the edge of your network.

  3. Configure your firewall to track IPv6 traffic—and block it—if you don't want it on your network.

  4. Upgrade your anti-virus and anti-spyware applications, along with intrusion prevention systems (IPS) and other security measures, to IPv6-capable versions.

Together, these measures should illuminate any invisible IPv6 traffic trying to sneak onto your network.  HP can help with our IPv6 Assessment services

 

 

Put security first and lay the groundwork for IPv6

As you move forward with your hardware and software purchase plans, make sure that every security product on your list can detect IPv6 traffic and protect against IPv6-based threats.

 

While many companies are still in the planning stages of IPv6 adoption (see Yanick Pouffary’s blog 5 practical reasons to plan your IPv6 transition early), attackers have already begun exploiting IPv6 vulnerabilities. So if you begin your IPv6 transition by addressing security first, you’ll not only eliminate existing network vulnerabilities, but lay the groundwork for a safe, measured journey to IPv6.

 

Have you started to phase in IPv6? Do you have any advice or anecdotes to share regarding IPv6 security precautions?

 

Learn how HP's IPv6 Consulting Services can help you ease your IPv6 transition.

 

And for more information on IPv6, visit the IPv6 Forum or the Internet Engineering Task Force (IETF).

 

 

About Jeff -

 

Jeff works in the Technology Services organization as a Technology Consultant and has 18 years of diversified experience in Voice and Data Network Engineering.  Data Network knowledge is based on extensive training and experience in design, implementation, support and assessments of large enterprise and data center networks.  He is also considered an expert in VoIP based on his experience designing, implementing and supporting VoIP installations in large enterprise and carrier environments.

Over 15 years in consulting roles provided Jeff invaluable experience in voice and data networks across all verticals, with a focus on healthcare, education, government and real estate.  Additionally, Jeff is a certified Project Manager Professional (PMP) and over his career demonstrated that he excels in efficiently and effectively managing projects and escalations.

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the community guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Search
Showing results for 
Search instead for 
Do you mean 
About the Author


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.