Many organizations approach new technologies with a ‘wait and see’ attitude – letting others go through the growing pains and then adopting the technology once it’s mature. This is true in the case of IPv6, which has been going through its growing pains since the 90s. However, unlike other technologies, if you have ignored IPv6 to date, that doesn’t mean that it doesn’t already exist on your network.
Windows XP, Mac OSX and UNIX all support IPv6 and will enable it by default going forward. Not only is IPv6 enabled, but some operating systems, like Windows, go a step further and create a connection to the public Internet over your existing IPv4 connection, tunnelling IPv6 traffic out. Any malicious user who knows this public IPv6 address could compromise the workstation over IPv6 using any Windows bug, and then use that machine as a foothold into your otherwise secured IPv4 network. This means that ignoring IPv6 can have dire consequences.
While you can quickly block the majority of IPv6 tunnelling methods by blocking “Protocol 41” (IP protocol number 41, not port 41!) on your firewall, this is a stopgap at best. As users demand IPv6 connectivity, the workarounds to obtain it without official permission will simply increase.
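An added example, not part of the original post, showing what “Protocol 41, not port 41” means on the wire: a small classifier that parses IPv4 packets, flags those whose protocol field is 41 and decodes the encapsulated IPv6 source and destination, while a UDP datagram addressed to port 41 is correctly left alone. The packet builders and all addresses are constructed samples from documentation ranges.

```python
import struct
import ipaddress

IPPROTO_IPV6 = 41   # "Protocol 41": IP protocol number carrying IPv6-in-IPv4, not a TCP/UDP port
IPPROTO_UDP = 17

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (no options, checksum left zero) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload

def build_ipv6(src: str, dst: str) -> bytes:
    """Constructed sample inner packet: bare IPv6 header, next header 59 (no payload)."""
    return struct.pack("!IHBB16s16s", 6 << 28, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def classify(pkt: bytes) -> dict:
    """Report whether an IPv4 packet encapsulates IPv6 (protocol 41) and, if so, the inner addresses."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    result = {"outer": (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))),
              "proto": proto, "tunnelled_ipv6": False, "inner": None}
    if proto == IPPROTO_IPV6:
        inner = pkt[ihl:total_len]
        # Sanity check: the encapsulated header must really claim IP version 6
        if len(inner) >= 40 and inner[0] >> 4 == 6:
            result["tunnelled_ipv6"] = True
            result["inner"] = (str(ipaddress.IPv6Address(inner[8:24])),
                               str(ipaddress.IPv6Address(inner[24:40])))
    return result

# Constructed: a 6in4 packet leaving the LAN for a public tunnel endpoint (example-range addresses)
SIXIN4 = build_ipv4(IPPROTO_IPV6, "192.0.2.10", "198.51.100.1",
                    build_ipv6("2001:db8::10", "2001:db8:ffff::1"))
# Constructed: a UDP datagram to *port* 41 -- protocol 17, so a "protocol 41" rule must not match it
UDP_PORT41 = build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.1",
                        struct.pack("!HHHH", 40000, 41, 8, 0))

if __name__ == "__main__":
    for name, pkt in (("6in4", SIXIN4), ("udp-port-41", UDP_PORT41)):
        print(name, classify(pkt))
```

Run against a real capture, only the first case should ever trip the firewall's protocol-41 rule; a rule keyed on port 41 would miss the tunnel entirely and instead block unrelated UDP traffic.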
The best approach is simple – start to embrace and understand IPv6. Enable basic and very restricted access on your network to the IPv6 Internet, so you can control the default access method (rendering tunnelling useless) and enforce corporate security models.
Since IPv6 and IPv4 can coexist but don’t interact on the same network, you can also take this opportunity to rebuild your IPv6 virtual network topology without touching any of your physical infrastructure.
IPv4 and IPv6: Rules to Live By
As you start to investigate and roll out IPv6, remember these key rules:
- There is no private addressing in IPv6. NAT was an IPv4 patch to prolong the address space and has no place in supporting pure IPv6 networks.
- In IPv6, everyone is accessible on the public Internet by default. Simply hiding behind a NAT as a ‘security’ policy is no longer acceptable. Figure out what you need to allow through your new IPv6-enabled firewall and block the rest.
- Think about internal LAN security. There are new risks in IPv6 that you need to consider. For example, compromised machines can pretend to be routers and collect all local traffic from your users if you don’t proactively block this from happening.
- Approach your network design from scratch. You don’t have to do anything the same way in IPv6 as you did in IPv4. This is your fresh start!
What about you? Do you think that ignoring IPv6 can lead to a compromised network? Feel free to share your comments below.