This is the third post of a five-part series based on an interview with Latif Ladid, president of the IPv6 Forum, discussing the challenges and issues relating to enterprise deployment, including pain points, security, best practices and future predictions. Read part one here, part two here.
When it comes to IPv6 and security, one thing seems certain: many organizations haven’t yet fully grasped the network implications around the technology.
It is an industry misconception that there are complexity issues around IPv6, offers Ladid. That said, security should not be seen as an obstacle when it comes to any network migration. What IPv6 security does entail, according to Ladid, is a major rethink of the network and perimeter.
The old way of protecting the network was much like old European cities such as Paris, with a large gated fence around the perimeter. But this type of security ultimately failed because most of the actual threats were coming from within the town.
IPv6 firewalls are out there, notes Ladid — the challenge is in determining which vendor provides IPv6-capable solutions that offer effective end-to-end protection and authentication. And in order to reap the full benefits of IPv6 — built-in IP security (IPsec), the ability to create large-scale encrypted networks, denying packets for transition techniques not in use — organizations need to fully understand the security issues and vulnerabilities around IPv6, which will ensure a more successful deployment, he notes.
Thinking about IPv6 security — or any IT security for that matter — involves ongoing training and education on the part of the network manager.
“It’s a massive educational process and beating down the naysayers. But that’s pretty normal when it comes to new technologies,” he says. “You have to have global addresses and this is where IPv6 is going to be major. We read in the press that security gets a bad rap when it comes to IPv6: that it’s not secure, and why move from v4 which is very secure. But that’s an insult. When you come to a new version you’d expect better features, and indeed there are when it comes to IPv6.”
With this in mind, network managers preparing for the IPv6 transition process should first look at revamping the existing network. This includes a security audit process along with reviewing the network to ensure that all updates, patches and upgrades are in place prior to moving ahead with the IPv6 refresh.
Ladid also recommends going the dual-stack route for the network, which ensures both IPv4 compatibility and the ability to support applications that are not yet available for IPv6.
And if the old Paris represents IPv4 thinking, IPv6 involves a new paradigm — it’s an “always-on” connected world and IPv6 security and privacy simply can’t be implemented in this manner, he explains. “The only way to get a secure network is to put a firewall around it. And this is the old traditional way of doing it. We are moving to a distributed security. And this is where you have multiple sites, not only for enterprise but also for people.”