RSA 2012 talk to offer help understanding IPv6 security issues

Thursday, February 23, 2012


Security professionals should begin learning about the emerging IPv6 protocol now or they may end up scrambling at the last minute to update their security systems and networking equipment when it becomes unequivocally necessary to support the protocol, according to an expert speaking about IPv6 security issues at RSA Conference 2012.

Robert Hinden, a fellow with Redwood City, Calif.-based security vendor Check Point Software Technologies and the co-inventor of Internet Protocol version 6 (IPv6), will deliver a presentation next week to offer help to enterprises in understanding IPv6 security issues.

In an interview with SearchSecurity.com, Hinden explains why IPv6 security issues can no longer be ignored, how IPv6 is most likely to be exploited by attackers, and what security pros must do to secure their networks in preparation for the IPv6 transition.

For security pros who may not be as familiar with the evolution of IPv6, where are we today regarding deployment within the Internet infrastructure? Are mandatory enterprise IPv6 deployments on the horizon?

Robert Hinden: Things have been moving a lot faster in the last couple of years, since people figured out the IPv4 addresses were going to be exhausted soon. That's what's driving deployment now.

The purpose of my talk is to give a heads up to enterprises who haven't been paying much attention. Enterprises, especially in North America, have a lot of IPv4 addresses, and the point I wanted them to understand is that IPv6 is built into a lot of the products they're running today. They need to think about that even if they're not running it inside their networks because there's the potential for unmonitored IPv6 network tunnels to be created that go outside their firewall, and malware could use IPv6 for illicit communication. It's something security pros in enterprises need to start paying attention to. Security pros need to lead on IPv6.

As of now, what's the most likely timeline in which enterprises will be forced to implement IPv6 to ensure connectivity with the rest of the Internet?

Hinden: I've been doing this for a long time and I've learned not to try to make date predictions; it's hard to tell. But, I'm confident enterprises need to be paying attention to IPv6 security, figuring out what they're going to do, and not make this a fire drill. You don't want to be in a situation where you aren't prepared to implement IPv6 securely if the [IPv4 address] exhaustion accelerates, and it's much easier if it's done gradually.

As a whole, how capable are today's network security products at handling IPv6 traffic?

Hinden: My impression is it's gotten much better in the last couple years. One issue I see is customers of security companies aren't running the more recent software for their products. If you're running something that's several years old, it's not going to have these IPv6 capabilities. Some companies are reluctant to update for a variety of reasons, but it's time to do this.

How mature are the IPv6 security features in the security products offered by vendors today?

Hinden: It's hard for me to speak for all vendors, but certainly all the major vendors have tools that are ready for production. They're not beta anymore. This is newer code than the IPv4 code that's been around for 15 years, so there are going to be bumps and there will probably be patches, but it's ready for production.

How much education is required for network security pros who haven't dealt with securing IPv6 before?

Hinden: That's one of the big things that's missing today. The protocols are here, the vendors have products they can run, but enterprise staff needs to learn about IPv6, in general, and then about the specific security differences and how to handle them. That's the point of my talk at RSA, to raise awareness of this and encourage people to start doing that.

For enterprise network security professionals going to RSA to learn about IPv6 capabilities in security products, what should be the key questions enterprises ask the vendors?

Hinden: As they go around the show floor, I think they should ask the vendors not only what products they have, but also how they manage it. Do you use the same management interface? How have you tested your products? A good way to determine how mature a vendor's product is, is by asking if they can run their products with IPv4 turned off. Though I don't think most enterprises are going to do that for a long time.

What concerns you most about IPv6 security?

Hinden: It's twofold: One is that with the [IPv4 to IPv6] transition solutions, it's possible to create unauthorized tunnels into the enterprise. There are tunneling technologies included in Windows Vista and Windows 7 that allow tunneling through a NAT; it's basically IPv6 under UDP under IPv4, making it possible to create a tunnel outside an enterprise that may go unnoticed. A user may do this purposely or he or she might turn on an application that creates an IPv6 tunnel (the "get me back to my PC"-type products like to do this) and all of a sudden you have this tunnel going through your NAT device. If that's your firewall then you may have a tunnel going through it that you would normally block. If you're not looking for it and you don't have any IPv6 rules set up on your firewall, you may not see things leaving your network.

The other is IPv6 as a covert channel for malware; malware that may use IPv6 as a way of communicating inside the enterprise. If you're not looking for this traffic, it could go host to host outside of the normal protections an enterprise deploys. You can't stop what you can't see and that's the message here. It's time for enterprises to start looking at the security of IPv6, and make sure their security tools have IPv6 support in them now. You may have vendors that support it and you may not have turned it on. It's time to [turn it on]. This is an issue you don't want to have.

There are a number of transition mechanisms being employed to ensure interoperability between IPv4 and IPv6 (dual-stack nodes, transition and tunneling paradigms), but those mechanisms appear to be a key security concern among experts. What's your take?

Hinden: Say you're trying to decide whether to let a particular protocol through your firewall. You can't look at the same fixed place for the relevant info as you would for IPv4. There's more surface area, if you will, that needs to be examined. You need to have software security tools that understand the different security mechanisms of IPv6 and know how to parse them so you can look at the packet, find the relevant info and apply your relevant rules to it. Conceptually it's easy (it's all defined in the IPv6 RFCs), but you need to have special tools that can do this. When you work with your vendors, make sure they know how to do this.

Some say widespread IP address scanning by attackers is not feasible with IPv6, but others have said attackers will likely have success exploiting known IPv6 distribution patterns or known ranges of assigned addresses. What's your reaction?

Hinden: With standard addresses, the prefix will come from your ISP, and then the rest is related to each device's MAC address. It's hard to predict what MAC addresses are going to be used inside an enterprise. So that's still really hard. With addresses that are manually assigned, such as to routers on a subnet, if you assign those addresses sequentially, it is easier for someone to guess what those addresses would be. So as long as you think about the way you assign addresses and don't assign them sequentially, then it's a lot harder to guess what the addresses are.

Editor's note: Robert Hinden's RSA Conference 2012 session, "Deploying IPv6 Securely" is slated for Wednesday, Feb. 29, 2012, at 9:30 a.m. PT in Moscone Center room 307.
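
Two points from the interview, IPv6 carried under UDP under IPv4 and rule-relevant fields no longer sitting at a fixed offset, are shown together in the Python example below. It is an added example, not part of the interview or any vendor's code; the function names and the constructed sample packet are assumptions, and only the hop-by-hop, routing, destination options, fragment and authentication headers are walked.

```python
import struct

GENERIC = {0: "hop-by-hop", 43: "routing", 60: "dest-options"}  # length in 8-octet units
FRAGMENT, AUTH = 44, 51

def upper_layer(pkt: bytes):
    """Walk the IPv6 Next Header chain; return (protocol, offset, headers seen)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, seen = pkt[6], 40, []
    while nxt in GENERIC or nxt in (FRAGMENT, AUTH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nxt == FRAGMENT:
            seen.append("fragment")
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return pkt[off], None, seen      # later fragment: no upper-layer header here
            size = 8                             # fragment header has a fixed size
        elif nxt == AUTH:
            seen.append("auth")
            size = (pkt[off + 1] + 2) * 4        # AH length is in 4-octet units, minus 2
        else:
            seen.append(GENERIC[nxt])
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    if off > len(pkt):
        raise ValueError("truncated extension header chain")
    return nxt, off, seen

def ipv6_in_udp(ipv4: bytes):
    """Return the IPv6 packet carried directly as UDP payload in an IPv4 packet, else None."""
    if len(ipv4) < 20 or ipv4[0] >> 4 != 4 or ipv4[9] != 17:
        return None
    inner = ipv4[(ipv4[0] & 0x0F) * 4 + 8:]      # skip the IPv4 and UDP headers
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    # Requiring a consistent Payload Length cuts false positives on arbitrary UDP data.
    return inner if struct.unpack("!H", inner[4:6])[0] == len(inner) - 40 else None

# Constructed sample: IPv4/UDP carrying IPv6 -> hop-by-hop -> dest-options -> TCP (6).
# Addresses, ports and checksums are zeroed or arbitrary placeholders.
_ext = bytes([60, 0]) + bytes(6) + bytes([6, 0]) + bytes(6)
_v6 = struct.pack("!IHBB", 6 << 28, len(_ext) + 20, 0, 64) + bytes(32) + _ext + bytes(20)
_udp = struct.pack("!HHHH", 40000, 40001, 8 + len(_v6), 0) + _v6
SAMPLE = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(_udp), 0, 0, 64, 17, 0) + bytes(8) + _udp

if __name__ == "__main__":
    inner = ipv6_in_udp(SAMPLE)
    print("tunnelled IPv6 found:", inner is not None, "->", upper_layer(inner))
```

A rule that reads only the Next Header byte of the fixed IPv6 header would see protocol 0 for this packet; the TCP header it needs to match on starts 56 bytes into the inner packet.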
