IPv6: The security risks to business

IT security professionals say the security holes that will open up in many business organisations as the world moves over to internet protocol version six (IPv6) constitute a substantial security concern

Predictions about when the world will end are about as consistent as the predictions about when IPv4 internet addresses will finally run out, but some IT security professionals say that is really the least of our worries.

A much bigger concern, they say, should be the security holes that will open up in many business organisations as the world moves over to internet protocol version six (IPv6).

This is an important aspect of the changeover that has been lost in all the hype around how IPv4 is about to run out of IP addresses assigned to each internet-connected device because of the explosion of internet users, devices and web services.

IPv6 will solve this problem because it provides over four billion times more addresses than IPv4, but in solving that problem, it could expose businesses to cyber attacks as hackers use IPv6 to bypass security controls and filters designed and configured for IPv4 traffic.

Although the move to IPv6 could be completed as soon as 2011 in China, this will take at least two more years in the US and elsewhere, so the security threat is a much more immediate and pressing problem than ensuring networks are ready for IPv6 traffic.

IPv6 attacks likely to increase with adoption

The number of IPv6 attacks is relatively small, but as we see wider adoption of IPv6, we are much more likely to see an increase in attacks as well as a greater focus from attackers, says Raj Samani, chief technology officer, EMEA, McAfee.

Danger lurks where companies are adopting IPv6 because of its greater speed and efficiency without ensuring that their network defences are updated accordingly, says James Lyne, director of technology strategy at security firm Sophos.

But perhaps an even bigger danger is where companies are using IPv6 without being aware of it, because the latest versions of most network hardware devices and operating systems are IPv6-enabled by default.

"Any business that is using Windows Server 2008, Windows 7 or even Mac OS X and a growing number of applications, including Skype, could be using IPv6 without even knowing it," says James Lyne.

Security researchers have already seen widespread malware with IPv6-based command-and-control capabilities. Given the relative lack of attention paid to IPv6, this technique can bypass existing protection such as non-IPv6 enabled firewalls completely.

IPv6 uses a completely different scheme of IP addresses, which effectively means that the concept of a network border no longer exists as it is possible to have a single IP address that will work anywhere in the world.

The hierarchy has been redesigned, says Lyne, so the danger is that businesses will implement IPv6 in much the same way they did IPv4.

"All they will succeed in doing is solving the problem of too few IP addresses, while opening up a host of security vulnerabilities and without getting any of the benefits such as massive performance gains from IPv6's ability to handle much bigger data packets," he says.

Without careful planning, Lyne warns that businesses could end up accidentally running IPv4 and IPv6 in parallel, effectively nullifying security measures they have put around either protocol.

Security advantages of IPv6

Lyne is critical of supporters of IPv6 for selling IPv6 only in terms of additional IP addresses and performance gains, instead of the inherent security benefits, such as internet protocol security (IPsec) which was originally developed for IPv6 and back-engineered for use with IPv4.

"IPsec, which is optional in IPv4, is an integral and mandatory part of IPv6, making man-in-the-middle attacks much more difficult for hackers," he says.

Encryption is also mandatory, which automatically ensures a higher level of data protection than IPv4. Unlike its predecessor, IPv6 was built from the ground up to be capable of end-to-end encryption.

The encryption and integrity checking used in current VPNs is a standard component in IPv6, available for all connections and supported by all compatible devices and systems.

IPv6 is also much stronger from a security point of view for mobile devices, says Lyne, because each device gets a consistent IP address which enables businesses to define a security policy for each device that will apply wherever that device is used.

The abundance of IP addresses makes it possible to allocate businesses their own blocks of IP addresses, which in turn delivers another security benefit. With such blocks of IP under their control, says Lyne, businesses can apply security policies to all corporate IP addresses, making the process much more manageable.

The availability and abundance of global IPv6 addresses enable a business to create specific services for targeted users, ranging from customers, partners or employees from remote sites.

"Each service can be guarded by fine-grained security and access policy containers, thus simplifying the implementation and maintenance of external facing services," says Qing Li, chief scientist and senior technologist at Blue Coat Systems.

Security challenges of IPv6

While having a large number of IP addresses will benefit companies from a management point of view, it will also benefit cyber criminals. Not only will criminals be able to switch IP addresses frequently - making it difficult to track and trace them - but many existing security controls that rely on blacklisting malicious IP addresses will cease to be effective.

This is a problem, says Lyne, as he estimates around 90% of web filtering tools used by business today rely on blacklists. Once the world has moved to IPv6, criminals will be able to rotate IP addresses very quickly, which will severely challenge the effectiveness of blacklisting, and even grey- and whitelisting, he says.
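To illustrate the blacklisting problem Lyne describes, here is an added example (not from the article or any vendor named in it) that models an attacker rotating through addresses inside one allocated IPv6 block: an exact-match blacklist that learned only the first address never fires again, while a prefix-aware blocklist keeps matching. The blocklist entries and the attacker prefix are constructed documentation-range values.

```python
import ipaddress

# Constructed blocklist entries (documentation ranges, not real indicators):
# one exact IPv4 address and one IPv6 /48 allocation treated as hostile.
BLOCKLIST = [
    ipaddress.ip_network("203.0.113.7/32"),
    ipaddress.ip_network("2001:db8:bad::/48"),
]


def exact_match_blocked(addr: str, blocked_addrs) -> bool:
    """Classic blacklist: blocks only if this literal address was listed."""
    ip = ipaddress.ip_address(addr)
    return any(ip == ipaddress.ip_address(b) for b in blocked_addrs)


def prefix_blocked(addr: str, networks=BLOCKLIST) -> bool:
    """Prefix-aware blocklist: blocks if the address falls in any listed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)


def simulate_rotation(prefix: str, count: int):
    """Yield `count` distinct addresses inside `prefix`, each in a different /64,
    modelling an attacker hopping through the block it controls."""
    net = ipaddress.ip_network(prefix)
    base = int(net.network_address)
    for i in range(1, count + 1):
        yield str(ipaddress.ip_address(base + i * 2**64))


def compare(prefix="2001:db8:bad::/48", first_seen="2001:db8:bad::1", rotations=5):
    """Return (exact_hits, prefix_hits) for a rotating attacker when the
    exact-match blacklist only learned the first address it ever saw."""
    rotated = list(simulate_rotation(prefix, rotations))
    exact_hits = sum(exact_match_blocked(a, [first_seen]) for a in rotated)
    prefix_hits = sum(prefix_blocked(a) for a in rotated)
    return exact_hits, prefix_hits


if __name__ == "__main__":
    print("exact-match hits, prefix hits:", compare())
```

Blocking by allocation prefix (the /48 or /64 handed to a customer) rather than by individual address is the practical counterpart to the stricter allocation processes Lyne proposes.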

Not only is older technology a potential security threat, so too is an older skill set.

"It is important to remember, however, that the majority of security professionals and networking engineers are most familiar with protecting IPv4 networks and aware of the signs, so as we move across to IPv6 a real risk is the relative skills shortage," says McAfee's Raj Samani.

Blue Coat's Qing Li points out that many IT managers have not had the opportunity to develop working knowledge of the technology nor have they gone through a transition like this in the past.

"As a result, there is a potential to create security holes during the transition process. The most likely place for this to occur is in the creation of usage and security policies for IPv6. Not all of the existing corporate policies and rules that are implemented in IPv4 environments can simply be translated syntactically for IPv6 environments. Instead, they need to be rewritten. The lack of operational expertise makes it more likely that an IT manager will inadvertently create a security hole while writing those new policies," he says.

Also, in the traditional IPv4 infrastructure it is common to find network address translation (NAT) devices, which obscure an internal network's structure, but a NAT that performs the same type of duty is rarely found in IPv6 networks.

"Consequently, IT managers have been mostly managing private addresses that will eventually be translated into a single public address. Now the IT staff is faced with public address management at a grand scale and must figure out how to prevent internal users from creating secure tunnels to the outside, which may create corporate liability," says Li.

Avoid the security pitfalls of IPv6

Lyne says the switch over to IPv6 is an important opportunity to avoid the mistakes that were made with the implementation of IPv5 and SSL. Stricter IP address allocation processes that require proof that applicants represent a legitimate business, for example, could help address the problem of rapid IP address switching. But, he says, in the absence of any single recognised internet authority, there is the risk that IPv6 implementation will lack co-ordination and, like IPv4 and SSL, will be determined organically and therefore lack the joined-up thinking required to ensure it is done in a way that makes the protocol as secure as it can be, with as few vulnerabilities as possible that can be exploited by criminals.

One of the challenges IPv6 poses to security suppliers is that they will have to re-write firewalls, but again, without any single organisation setting the agenda for how IPv6 will be deployed, says Lyne, the exact approach and requirements of doing this will be constantly changing as the situation evolves. This inability of security suppliers to anticipate how IPv6 will work in practice, is likely to create further opportunities for cyber criminals.


The lack of ownership by any single organisation is also one of the biggest reasons, says Lyne, that IPv6 adoption has been relatively slow, despite its speed, efficiency and security advantages over IPv4. But while the business world has been standing still, the cyber criminal world has been moving forward to apply the speed and efficiency benefits to their botnets or networks of hijacked computers. "Cyber criminals have long been capitalising on the fact that few people are filtering IPv6 traffic or even know how to," says Lyne.

While the mandatory encryption of IPv6 traffic is a good thing that will reduce the seriousness of data breaches that occur, it is a double-edged sword, as it also presents a challenge to government organisations who, once the transition to IPv6 is complete, will find their network traffic monitoring capabilities severely diminished.

The way ahead for IPv6 users

In the transition period, Lyne advises businesses turn off IPv6 until they are thoroughly prepared for the security implications of the new protocol and have updated all security filters and controls in their networks. Only switch IPv6 on, he says, once the controls are in place.

In terms of the technical concerns linked to IPv6 attacks facing companies, CIOs should look out for rogue IPv6 devices, built-in ICMP and multicast, rogue IPv6 traffic and tunnels, says McAfee's Raj Samani.

There is no instant switch to the new protocol, says Lyne, so partial adoption means using tunnelling technologies to transport IPv6 over IPv4, and this kind of workaround is another potential source of confusion, misconfiguration and security gaps.
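As an added example (not from the article or any of the vendors quoted), the following checks the indicators Samani and Lyne list against constructed flow-log lines: IPv6-in-IPv4 encapsulation (IP protocol 41) and Teredo (UDP/3544) as tunnels, 6to4- and Teredo-derived IPv6 source addresses, link-local and multicast ICMPv6 that appears on any dual-stack LAN, and internal hosts reaching external IPv6 destinations that an IPv4-only policy would never inspect. The log format and the corporate prefix 2001:db8:1::/48 are assumptions.

```python
import ipaddress
import re

# Constructed flow-log lines in an assumed key=value format (sample data only).
SAMPLE_FLOWS = """\
src=10.0.0.5 dst=192.0.2.10 proto=6 dport=443
src=10.0.0.7 dst=192.88.99.1 proto=41 dport=0
src=10.0.0.9 dst=198.51.100.20 proto=17 dport=3544
src=2001:db8:1::55 dst=2001:db8:ffff::9 proto=6 dport=80
src=2002:c000:204::1 dst=2001:db8:ffff::9 proto=6 dport=443
src=fe80::1 dst=ff02::1 proto=58 dport=0
"""

# Assumed corporate IPv6 allocation; anything outside it is "external".
INTERNAL_V6 = ipaddress.ip_network("2001:db8:1::/48")
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\d+) dport=(\d+)")


def classify_flow(line: str) -> list:
    """Return the list of IPv6-related findings for one flow line (empty if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed line"]
    src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    proto, dport = int(m[3]), int(m[4])
    findings = []
    if src.version == 4:
        # IPv4 carrier traffic that hides IPv6 inside it.
        if proto == 41:
            findings.append("ipv6-in-ipv4 tunnel (ip proto 41)")
        if proto == 17 and dport == 3544:
            findings.append("teredo tunnel (udp/3544)")
        return findings
    # Native IPv6 flow: check where the address came from and where it goes.
    if src.sixtofour is not None:
        findings.append(f"6to4 address derived from IPv4 {src.sixtofour}")
    if src.teredo is not None:
        findings.append("teredo-derived address")
    if src.is_link_local or dst.is_multicast:
        findings.append("link-local/multicast ICMPv6 (neighbour discovery) on LAN")
    elif src in INTERNAL_V6 and dst not in INTERNAL_V6:
        findings.append("internal host reaching external IPv6: confirm v6 policy exists")
    return findings


def audit(flow_text: str) -> dict:
    """Map each flagged flow line to its findings; clean lines are omitted."""
    return {ln: f for ln in flow_text.splitlines() if (f := classify_flow(ln))}
```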

It is important businesses understand if their web security solution can rate and analyse IPv6 content because, without that ability, users will be vulnerable to attacks.

"The larger malware attack surface created by IPv6 also demands a real-time defence. In IPv4, we are already seeing very dynamic malware attack with the malware deliverable changing URLs more than 1,500 times in a single day, and we expect this trend to accelerate with the adoption of IPv6 and increase in number of available addresses," says Blue Coat's Qing Li.

He believes waiting a week or even 24 hours to analyse requests and update databases will leave users exposed to malware.

To truly protect their users, businesses need a web security defence that can analyse requests as they are made and deliver immediate protection when a new threat is discovered. Since individual users in a business may now be assigned a global IPv6 address and can create encrypted tunnels, it is important for the IT manager to have visibility into this encrypted traffic to eliminate security threats.

Business has been largely ignoring the inevitable transition to IPv6 since the early 1980s, and although IPv6 will not be the dominant standard tomorrow, businesses need to start planning today for the skills and hardware they will need to make the transition securely, says Lyne.

Businesses need to be more proactive on this issue, he says and challenge network hardware suppliers now about their strategies for IPv6. "Businesses should also ensure that any hardware they buy from now is IPv6 compatible, so when the time comes, they are ready.

"We are going to have to do this, so we may as well make use of the opportunity to apply the lessons learned from IPv4 and make serious advances in terms of security," says Lyne.

The transition to IPv6 is not something to be taken lightly and will require considerable effort, preparation and consideration because if done incorrectly or incompletely, the transition to IPv6 could leave gaping security holes in corporate networks.

The corporate perspective on IPv6

  • The Corporate IT Forum says members are taking a "wait and see" approach to IPv6 to ensure that the software and hardware are mature before implementation.
  • An IT head in the food distribution sector commented that he expects issues to be resolved by the time the company considers IPv6 in detail. A security and architecture manager in the hospitality industry says he does not perceive IPv6 to pose a significant threat due to any inherent risks in the standard.
  • One area starting to raise concerns, however, is risk due to a lack of comprehensive support for IPv6 security. Members are questioning whether the support in firewalls, ISPs, application proxies and the like is mature enough to be able to trust their own countermeasures to be doing a good enough job of protecting the enterprise.
  • Fundamentally all bolt-ons are vulnerable and IPv6 is just that. One IT manager from the professional services sector is more concerned that organisations will become lazy due to IPv6 being perceived as more secure than IPv4.
  • With this level of complacency, it is unsurprising IPv6 has seen little press or uptake to date, says the Corporate IT Forum.
