Although IPv6 packets have started to flow, network engineers still tread lightly because of lingering security concerns. Here are the top six security risks in IPv6 network security today as voted by gogoNET members, a community of 95,000 network professionals.
* Lack of IPv6 security training/education. The No.1 risk today is the lack of IPv6 security knowledge. Enterprises must invest time and money in IPv6 security training upfront, before deploying. Otherwise they risk compromise and will spend more time and more money on security later to plug the holes. Network security is more effective as part of the planning stage than after deployment. This is not an area to skimp on. According to Scott Hogg, IPv6 Security author and CTO of GTRI, "All security practitioners should learn about IPv6 now because all organizations have IPv6-capable and enabled operating systems in their environments. Failure to secure the IPv6 systems is like allowing a huge back-door to exist."
* Security device bypass via unfiltered IPv6 and tunneled traffic. Only a lack of knowledge is considered a bigger risk than the security products themselves. Conceptually it's simple: security products need to do two things, recognize suspicious IPv6 packets and apply controls when they do. In practice, however, this is hardly possible in v4, let alone in an environment that may have rogue or unknown tunnel traffic. "There are 16 different tunnels and transition methods not to mention upper layer tunnels like: SSH, IPv4-IPSec, SSL/TLS and even DNS," says Joe Klein, Cyber Security Subject Matter Expert for the IPv6 Forum and Expert Cyber Architect at SRA International. "The first step is knowing what you're looking for." The current crop of security products, especially those converted from v4 to v6, hasn't necessarily matured enough to match the threat it is protecting against.
* Lack of IPv6 support at ISPs and vendors. Thorough testing is critical until IPv6 security functionality and stability are on par with that of IPv4. A test network and a test plan for all protocols involved must be devised to test all equipment, especially new security tech from vendors. Every network is unique and requires a unique test plan; however, help can be found on Joe Klein's and Scott Hogg's blogs. Further complicating the issue is not having a native IPv6 connection from your provider. A tunnel connected to your interface further increases security complexity and provides an opening for man-in-the-middle and denial-of-service attacks. Demand native IPv6 from your upstream provider.
* Congruence of security policies in v4 & v6. Weak v6 security policies are a direct result of the current deficit in IPv6 security knowledge. Not only does the depth of the IPv6 security policies need to equal that of their IPv4 counterparts, but their breadth must be wider to encompass new vulnerabilities that didn't need to be considered in a homogeneous IPv4 environment.
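
For the tunneled-traffic item above, a sketch of what "knowing what you're looking for" can mean on an IPv4-only sensor. This is an added example, not code from the article or from the experts it quotes. It covers only three transition methods, and the markers it matches (IP protocol 41, the Teredo UDP port 3544, the 6to4 prefix 2002::/16) as well as all sample packets are assumptions supplied here, not taken from the article.

```python
import ipaddress
import struct

PROTO_41 = 41        # IPv6-in-IPv4 (6in4, 6to4, ISATAP share this protocol number)
PROTO_UDP = 17
TEREDO_PORT = 3544   # Teredo server port (RFC 4380); a heuristic, not proof
NET_6TO4 = ipaddress.ip_network("2002::/16")

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPv6 transition traffic it carries."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if proto == PROTO_41:
        # Only the first fragment holds the inner IPv6 header.
        if frag_offset or len(payload) < 40 or payload[0] >> 4 != 6:
            return "proto41-unparsed"
        src = ipaddress.IPv6Address(payload[8:24])
        dst = ipaddress.IPv6Address(payload[24:40])
        return "6to4" if src in NET_6TO4 or dst in NET_6TO4 else "6in4"
    if proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain-ipv4"

def ipv4(proto: int, payload: bytes, frag: int = 0) -> bytes:
    """Build a constructed IPv4 packet (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def ipv6(src: str, dst: str) -> bytes:
    """Build a constructed 40-byte IPv6 header with no payload."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample packets (documentation address ranges).
SAMPLES = {
    "6in4": ipv4(41, ipv6("2001:db8::1", "2001:db8::2")),
    "6to4": ipv4(41, ipv6("2002:c000:201::1", "2001:db8::2")),
    "teredo": ipv4(17, struct.pack("!HHHH", 51000, 3544, 8, 0)),
    "late-fragment": ipv4(41, b"\x00" * 40, frag=185),
    "dns": ipv4(17, struct.pack("!HHHH", 51000, 53, 8, 0)),
}
for name, pkt in SAMPLES.items():
    print(f"{name:14} -> {classify(pkt)}")
```

The "proto41-unparsed" label matters for policy: a non-first fragment carries no inner header to inspect, so a filter has to decide on protocol 41 itself rather than on the tunneled addresses.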