Why IPv6 Matters for Your Security

By James Lyne, Head of Global Security Research

Internet Protocol (IP) is the system that allows devices to find and connect to each other online. IPv4 was designed in the early 1980s, a time when no one could have predicted the explosive growth of the Internet.

For years, regulators and Internet experts have warned that IPv4's pool of addresses is running out. Its successor, IPv6, was designed for the Internet as it is now: a vastly larger address space for the growing number of connected devices, and a security architecture (IPsec) defined as part of the protocol suite rather than bolted on afterwards. But IPv6's significant changes can also introduce security holes into your environment.

The transition to IPv6 is inevitable, but migration requires considerable effort, preparation and consideration. Done incorrectly, it can leave gaping holes in your network. Without careful planning you can end up running IPv6 alongside IPv4 without realising it, since most modern operating systems enable it by default, and the controls you built around IPv4 will never see the IPv6 traffic.

That’s why it’s vital that security solutions provide full compatibility with the new infrastructures.

What’s the problem with IPv4?

In 1981, the four billion addresses IPv4 could provide seemed ample given the relatively limited number of computers back then. Three decades later, computers and a wide variety of other devices also use network connections, from smartphones, tablets and game consoles, to TVs and even cars and fridges. Suddenly those four billion addresses in the available address pool are inadequate.

The advantages of IPv6

IPv6 uses 128-bit addresses, giving roughly 340 undecillion (3.4×10^38) of them, compared with the 4.3 billion available with 32-bit IPv4 addresses. This extended pool provides scalability, and it changes the economics of reconnaissance: brute-force scanning of a single /64 subnet, which holds 2^64 addresses, is not practical in the way that sweeping a /24 in IPv4 is. The benefit is weaker than it looks, though. Attackers instead enumerate hosts through DNS, through the all-nodes multicast address on the local link, and by guessing addresses that follow a pattern, such as interface identifiers derived from the network card's MAC address (EUI-64) or low sequential numbers assigned by hand. Along with the new addresses, IPv6 also provides a range of benefits for security, integrity and performance.
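The following is an added example (not part of the original article) that makes the scanning argument concrete: it computes the stateless-autoconfiguration address a host derives from a MAC address, recovers the MAC from such an address, estimates how long an exhaustive sweep of a /64 takes, and enumerates the much smaller candidate set an attacker tries once a vendor OUI is known. The prefix and MAC addresses are made up for illustration.

```python
"""Why the IPv6 address space only sometimes slows scanning down.

Added example, not from the original article. Brute-forcing a /64 is
infeasible, but hosts whose interface identifier is derived from the MAC
address (modified EUI-64, RFC 4291 Appendix A) collapse the search space
to the 2^24 addresses behind a known vendor OUI and leak the MAC to anyone
who sees the address. Prefix and MACs below are made up for illustration.
"""
import ipaddress

SECONDS_PER_YEAR = 365 * 24 * 3600


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit (bit 1 of the first octet) and insert 0xFFFE in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host autoconfigures from a /64 prefix plus its EUI-64 identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the MAC if the interface ID is EUI-64 derived, else None.

    None is the answer you want to see on your own hosts: it means privacy
    extensions (RFC 4941) or stable opaque identifiers (RFC 7217) are in use.
    """
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def brute_force_years(prefixlen: int, probes_per_second: float = 1e6) -> float:
    """Years needed to probe every address under a prefix at a fixed probe rate."""
    return 2 ** (128 - prefixlen) / probes_per_second / SECONDS_PER_YEAR


def eui64_candidates(prefix: str, oui: str, limit: int):
    """Addresses an attacker tries for hosts from one vendor: only 2^24 per OUI, not 2^64."""
    for nic in range(limit):
        mac = oui + ":" + ":".join(f"{b:02x}" for b in nic.to_bytes(3, "big"))
        yield slaac_address(prefix, mac)


if __name__ == "__main__":
    prefix = "2001:db8:1:2::/64"          # documentation prefix, not a real network
    addr = slaac_address(prefix, "00:11:22:33:44:55")
    print("SLAAC address:", addr)
    print("MAC recovered from it:", mac_from_address(addr))
    print("sweeping a /64 at 1M probes/s takes %.0f years" % brute_force_years(64))
    print("sweeping all of IPv4 at 1M probes/s takes %.1f hours" % (2 ** 32 / 1e6 / 3600))
    print("first EUI-64 candidates for OUI 00:11:22:", list(eui64_candidates(prefix, "00:11:22", 3)))
```

Run `mac_from_address` over the addresses in your own logs or neighbour tables: every address it decodes is a host that is both trivially guessable and trackable across networks by its MAC.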

IPv6 security benefits

IPv6 can run end-to-end encryption and integrity protection. IPsec, the technology behind most network-layer VPNs, was retrofitted into IPv4 as an optional extra; in IPv6 it was designed in from the start and, for years, every conforming node was required to implement it (the requirement was later relaxed to a recommendation in RFC 6434). Two caveats apply. Being implemented is not the same as being used: IPsec still has to be configured and keyed between the endpoints, and no traffic is protected by default. And where it is deployed, it authenticates and encrypts the traffic between those hosts, which does make man-in-the-middle attacks on that traffic considerably harder, but it does nothing for the connections you have not set it up on.

IPv6 also offers a more secure way of mapping addresses to neighbours on the local link. Neighbor Discovery (NDP) replaces ARP and, like ARP, it believes whatever it is told: any host on the link can answer for another host's address, or send Router Advertisements that make it the default gateway and DNS resolver for everyone else, which is the IPv6 counterpart of ARP poisoning. Secure Neighbor Discovery (SEND, RFC 3971) addresses this with cryptographically generated addresses, so a host can prove at connection time that it owns the address it claims, and router advertisements can be tied to an authorised router. It is not a replacement for application- or service-layer verification, but it raises the level of trust in link-local conversations. The practical caveat is that SEND has seen little implementation in mainstream operating systems, so on most networks today NDP is exactly as spoofable as ARP. Until that changes, the controls that work are at the switch: RA Guard (RFC 6105) and equivalent filtering of rogue Router Advertisements and DHCPv6 replies on access ports.
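To make the gap between SEND's promise and today's networks concrete, here is an added example (not from the article) that parses Router Advertisements in the wire format of RFC 4861 and flags the ones a switch running RA Guard should have dropped: advertisements from a host that is not one of your routers, or that push a prefix or a DNS resolver you do not recognise. The capture is constructed inline; the addresses and MACs are made up, and the allow-lists are assumptions you would replace with your own router inventory.

```python
"""Spotting rogue Router Advertisements in captured ICMPv6 traffic.

Added example, not from the original article. Without SEND, any host on the
link can send a Router Advertisement (RA) and become default gateway or DNS
resolver for its neighbours. The parser follows the RA layout in RFC 4861
and the RDNSS option in RFC 8106; the audit flags RAs from a source that is
not one of your routers, or that advertise a prefix or resolver you do not
recognise. The captured messages below are constructed for illustration and
all addresses are made up.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode an RA (16-byte header plus TLV options); raise ValueError if malformed."""
    if len(payload) < 16:
        raise ValueError("RA shorter than its fixed header")
    msg_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "dns": [], "link_layer": None}
    pos = 16
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[pos], payload[pos + 1]
        if opt_len == 0:                     # RFC 4861 section 4.6: length 0 must be rejected
            raise ValueError("zero-length option")
        end = pos + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[pos + 2:end]
        if opt_type == OPT_SOURCE_LINK_LAYER and opt_len == 1:
            ra["link_layer"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            # prefix length, flags, valid/preferred lifetimes, reserved, then the 16-byte prefix
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            # reserved(2), lifetime(4), then one 16-byte resolver address after another
            for i in range(6, len(body) - 15, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos = end
    return ra


def build_router_advertisement(prefix, dns=None, link_layer=None, lifetime=1800) -> bytes:
    """Assemble an RA as a router (or a rogue host) would; the checksum is left to the stack."""
    net = ipaddress.IPv6Network(prefix)
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    if link_layer:
        msg += bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(link_layer.replace(":", ""))
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                       2592000, 604800, 0) + net.network_address.packed
    if dns:
        msg += struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return msg


def audit_router_advertisements(captured, allowed_routers, allowed_prefixes, allowed_dns):
    """Return (source, reason) for every RA that RA Guard on the switch should have dropped."""
    findings = []
    for src, payload in captured:
        try:
            ra = parse_router_advertisement(payload)
        except ValueError as exc:
            findings.append((src, f"malformed RA: {exc}"))
            continue
        if src not in allowed_routers:
            findings.append((src, "RA from unauthorised source"))
        for prefix in ra["prefixes"]:
            if prefix not in allowed_prefixes:
                findings.append((src, f"unexpected prefix {prefix}"))
        for resolver in ra["dns"]:
            if resolver not in allowed_dns:
                findings.append((src, f"unexpected resolver {resolver}"))
    return findings


# Constructed capture of (link-local source, ICMPv6 payload): the real router, a host
# posing as gateway and resolver, and a truncated packet.
LEGIT_ROUTER = "fe80::1"
SAMPLE_CAPTURE = [
    (LEGIT_ROUTER, build_router_advertisement("2001:db8:1:2::/64", dns="2001:db8:1:2::53",
                                              link_layer="00:11:22:33:44:55")),
    ("fe80::9999", build_router_advertisement("2001:db8:1:2::/64", dns="2001:db8:dead::53",
                                              link_layer="de:ad:be:ef:00:01")),
    (LEGIT_ROUTER, build_router_advertisement("2001:db8:1:2::/64")[:20]),
]

if __name__ == "__main__":
    for src, reason in audit_router_advertisements(
            SAMPLE_CAPTURE, {LEGIT_ROUTER}, {"2001:db8:1:2::/64"}, {"2001:db8:1:2::53"}):
        print(f"{src}: {reason}")
```

In practice you feed `audit_router_advertisements` the (source address, ICMPv6 payload) pairs extracted from a packet capture on the segment. The rogue host in the sample never spoofs the legitimate router; it simply sends its own advertisement, which is all an unprotected link requires.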

This added security depends entirely on proper design and implementation, and IPv6's more complex and flexible infrastructure means more work to get there. Properly configured, IPv6 networking can be at least as secure as its predecessor and, where IPsec and SEND are actually deployed, more so.

What are the problems with IPv6?

So far, cybercriminals have paid comparatively little attention to IPv6, yet we have already seen widespread malware with IPv6-capable command-and-control. The obvious target is the common case where a server has IPv6 enabled by default but the firewall in front of it filters only IPv4; as that gap becomes better known, we will inevitably see it abused.

Proper deployment and configuration is a serious issue. Trying to deploy IPv6 the same way IPv4 was done guarantees problems. IT administrators must learn a whole new approach to networking, from simple network troubleshooting to configuring firewalls and monitoring security logs. There are many opportunities for confusion and mistakes.

There’s no instant switch from IPv4 to IPv6, so partial adoption means using transition mechanisms that carry IPv6 over IPv4: configured tunnels such as 6in4, and automatic ones such as 6to4, Teredo and ISATAP that hosts may bring up on their own. Each is another potential source of confusion, misconfiguration and security gaps, not least because the IPv6 packets inside a tunnel are invisible to devices that inspect only the outer IPv4 header.

As adoption of IPv6 picks up and cybercriminals spend more time and effort analyzing how to subvert its built-in security, it’s likely we’ll see more problems. As new problems are uncovered, we’ll need new methods and tools to overcome them.

What help can I expect from my security provider?

Many security products will need changes to handle the new networking patterns, both in their own plumbing (fetching updates, performing lookups, and talking to management and reporting systems over IPv6) and in the scanning and protection features themselves, which must inspect IPv6 traffic as thoroughly as they inspect IPv4.

As network practices evolve and new vulnerabilities and threat vectors appear, security providers must be ready to face them. Security vendors will need to invest time and money to ensure complete support for IPv6, and must stay alert for the new dangers IPv6 will bring.

So what do I need to do?

IPv6 migration is a question of “when,” not “if.” Services like Google and Facebook are already available via IPv6, and several large ISPs, telecommunications and web service providers are actively migrating. Mobile operators have pushed for wider IPv6 implementation to support their high-speed networks. All businesses should consider their adoption plans, if they haven’t already.

Below are design and configuration considerations to keep in mind when planning and implementing the switch:

Be cautious with tunneling during the initial overlap period. Tunnels provide vital connectivity between IPv4 and IPv6 components, or enable partial IPv6 in parts of your network still based on IPv4, but they also introduce risk. Keep tunnels to a minimum, use them only where absolutely necessary, and check the setup of automatic tunneling mechanisms carefully: a host with 6to4 or Teredo enabled has a path to the IPv6 Internet that your perimeter may know nothing about. Decide explicitly whether tunnel traffic is permitted on the IPv4 side (IP protocol 41 for 6in4 and 6to4, UDP port 3544 for Teredo) and block it where it is not wanted. Tunneled traffic also hides from any security system that inspects only the outer IPv4 header, so an IDS or firewall that cannot decapsulate it will not see the attacks inside.

Look at the bigger picture. Network layout under IPv6 is very different from IPv4 (no NAT, globally routable addresses on every host, several addresses per interface), so replicating your existing setup won’t give ideal results. Redesign your network structures to get the best out of IPv6, plan one coordinated migration rather than a series of partial ones, and consider the architecture of both the Internet-facing and LAN resources. Above all, don’t casually get rid of your DMZ: the fact that every host can have a public address does not mean every host should be reachable.

Confirm that your entire networking infrastructure is compatible and up to date. It’s easy to miss switches and routers in patching regimes, so update these to the latest versions of firmware and software, and if these devices aren’t ready for IPv6, devise a plan. IPv6 support brings new protocol-level code, and with it new protocol-level bugs, and many organizations do not include their network infrastructure in their patching plans at all, which leaves them open to nasty attacks. Now’s the time to check your processes in this area.

Ensure desktop security includes data loss prevention and web security. You may need to upgrade or reconfigure your firewalls as well. Make sure your endpoint provider has the full range of controls you require: with a globally routable address on every host, the endpoint is its own perimeter far more often than it was under IPv4 and NAT.

Don’t enable IPv6 until you’re fully ready. Many platforms ship with IPv6 enabled by default; make sure it’s switched off, or at the very least firewalled, until properly configured. Many current firewalls focus exclusively on IPv4 and will not filter IPv6 traffic at all, leaving systems completely exposed. Disable unnecessary services and check the ports and protocols used by the ones you need, remembering that a service bound to the wildcard address (::) accepts IPv6 connections whether or not you ever tested it over IPv6. Verify the result rather than assuming it: a host can still carry link-local addresses and listening IPv6 sockets after a tick-box says IPv6 is off. Running IPv6 by default lets attackers walk around the controls you built for IPv4 and wreak havoc.
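The two checks that matter most here, and in the tunneling item above, are whether the IPv6 firewall actually mirrors the IPv4 one and whether the IPv4 side is quietly accepting tunnel traffic. The following is an added example, not from the article, that reads the text produced by `iptables-save` and `ip6tables-save` on a Linux host and reports the differences for new inbound connections. The three rulesets are constructed; the port list and the simplifications (source, destination and interface matches other than `-i lo` are ignored) are assumptions of this script.

```python
"""Audit IPv4/IPv6 firewall parity from iptables-save and ip6tables-save output.

Added example, not from the original article. For a new inbound connection it
evaluates the INPUT chain of the filter table and reports: an IPv6 chain that
filters nothing; ports reachable over one IP version but not the other; an IPv6
DROP policy with no ICMPv6 allowance (Neighbor Discovery needs it); and IPv4
rules accepting tunnel traffic (protocol 41 for 6in4/6to4, UDP 3544 for Teredo).
Address and interface matches other than '-i lo' are ignored, so a port counts
as reachable if any rule could accept it. The rulesets at the end are constructed.
"""
import re
from collections import namedtuple

PROTO_ALIASES = {"6": "tcp", "17": "udp", "ipv6": "41", "58": "ipv6-icmp", "icmpv6": "ipv6-icmp"}
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
# Checked even when no rule names them: the finding that matters is the IPv6 chain
# accepting by default what the IPv4 chain never opened.
PROBE_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3306), ("tcp", 3389), ("udp", 3544)}

# new_conn is False for rules matching only RELATED/ESTABLISHED; loopback marks '-i lo'.
Rule = namedtuple("Rule", "chain proto dport target new_conn loopback")


def parse_rule(line: str) -> Rule:
    def opt(pattern):
        m = re.search(pattern, line)
        return m.group(1) if m else None
    proto, states, dport = opt(r"-p (\S+)"), opt(r"--(?:ctstate|state) (\S+)"), opt(r"--dport (\d+)")
    return Rule(chain=opt(r"-A (\S+)"), proto=PROTO_ALIASES.get(proto, proto),
                dport=int(dport) if dport else None, target=opt(r"-j (\S+)"),
                new_conn=states is None or "NEW" in states.split(","),
                loopback=opt(r"-i (\S+)") == "lo")


def parse_save(text: str):
    """Return ({chain: policy}, [Rule]) for the filter table of *tables-save output."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))
    return policies, rules


def verdict(policies, rules, chain, proto, dport=None):
    """First-match evaluation of a new, non-loopback packet: ACCEPT, DROP or REJECT."""
    for r in rules:
        if r.chain != chain or r.loopback or not r.new_conn:
            continue
        if (r.proto is not None and r.proto != proto) or (r.dport is not None and r.dport != dport):
            continue
        if r.target in TERMINAL_TARGETS:
            return r.target
    return policies.get(chain, "ACCEPT")


def audit(v4_text: str, v6_text: str) -> list:
    """Compare the two rulesets; an empty list means parity for the checks above."""
    v4, v6 = parse_save(v4_text), parse_save(v6_text)
    findings = []
    if not v6[1] and v6[0].get("INPUT", "ACCEPT") == "ACCEPT":
        findings.append("IPv6 INPUT has no rules and policy ACCEPT: IPv6 is unfiltered")
    if verdict(*v6, "INPUT", "ipv6-icmp") != "ACCEPT":
        findings.append("IPv6 INPUT drops ICMPv6: Neighbor Discovery and path MTU discovery will break")
    candidates = set(PROBE_PORTS)
    for _, rules in (v4, v6):
        candidates |= {(r.proto, r.dport) for r in rules if r.dport and r.proto in ("tcp", "udp")}
    open4 = {c for c in candidates if verdict(*v4, "INPUT", *c) == "ACCEPT"}
    open6 = {c for c in candidates if verdict(*v6, "INPUT", *c) == "ACCEPT"}
    for proto, port in sorted(open6 - open4):
        findings.append(f"{proto}/{port} reachable over IPv6 but not IPv4")
    for proto, port in sorted(open4 - open6):
        findings.append(f"{proto}/{port} reachable over IPv4 but not IPv6")
    if verdict(*v4, "INPUT", "41") == "ACCEPT":
        findings.append("IPv4 INPUT accepts protocol 41: 6in4/6to4 tunnel endpoint")
    if verdict(*v4, "INPUT", "udp", 3544) == "ACCEPT":
        findings.append("IPv4 INPUT accepts udp/3544: Teredo")
    return findings


# Constructed rulesets. V4_RULES is a hardened host that also terminates a 6in4 tunnel;
# V6_DEFAULT is what ip6tables-save prints when nobody configured IPv6 filtering;
# V6_MIRRORED swaps the tunnel rule for the ICMPv6 allowance IPv6 cannot work without.
V4_RULES = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
COMMIT"""
V6_DEFAULT = """*filter
:INPUT ACCEPT [0:0]
COMMIT"""
V6_MIRRORED = V4_RULES.replace("-A INPUT -p ipv6 -j ACCEPT\n", "-A INPUT -p ipv6-icmp -j ACCEPT\n")

if __name__ == "__main__":
    for finding in audit(V4_RULES, V6_DEFAULT):
        print(finding)
```

On a real host run it as `audit(open("v4.rules").read(), open("v6.rules").read())` with the two files saved from `iptables-save` and `ip6tables-save`. The ICMPv6 check is deliberately coarse: a production ruleset should permit the specific Neighbor Discovery types (133 to 137) and Packet Too Big rather than all of ICMPv6, but a DROP policy with no ICMPv6 rule at all will take the host off the network.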


Sophos protection

As use of IPv6 increases, security requirements evolve. Sophos has invested in capabilities in our endpoint products to restrict the use of IPv6 until you’re ready to use it. The switch to IPv6 may seem overwhelming, but take it step by step and make sure all your bases are covered.