Tips to Help You Prepare for IPv6

With the explosion of the Internet of Things many organizations are now in the planning stage for adding support for the IPv6 network protocol.  The reasons why organizations need to do this fall into two main categories:

• The need for more IP addresses: The US has just run out of IPv4 addresses and the rest of the world will shortly run out too. IPv6 gives many more addressing options..  An example of a sector that has added support for IPv6 is automotive, as the demand for connectivity for a majority of new cars and related devices means that a large number of IP addresses are needed.

• Better security, which some believe is the inherent result of deploying IPv6. The new protocol comes with built-in IPsec encryption, which means a more secure connection can be established with any endpoint that supports IPsec. IPv6 also supports more secure name resolution, which makes it harder for an attacker to redirect traffic between two hosts and manipulate the conversation.

However, even with its benefits, organizations still need to approach the switch to IPv6 carefully in order to maintain a strong security posture, and avoid introducing vulnerabilities to their networks.  Here are three key steps to help prepare for a successful transition:

Planning matters

The first step is planning – organizations should decide exactly where they want to deploy IPv6, and why.  Do you want to move to an IPv6-only network, or will IPv6 be an overlay on an existing network?  Will the network be extended to partners and customers, or will it be for internal use only?  The answers to these questions will help you determine the scale of the deployment, and the timing.

In many cases, small-scale IPv6 deployments are often made as experimental or test environments, sitting alongside IPv4 production networks – and the IPv6 network may not always be protected.  However, because it is accessible from the production network, it’s still vulnerable.  So a critical point to note is that if you do plan to build an IPv6 network for test purposes, make sure it is completely separated from production networks, and with security controls in place to enforce that separation to stop it becoming an attack vector.

Follow the rules

Step two is establishing the security rules for the IPv6 network.  If you have an IPv6 overlay network sitting over an IPv4 network, you will need to replicate and translate all of your existing security and network rules and policies from IPv4 across to IPv6.  There is a risk that attackers could use the IPv6 network to bypass security controls and filters designed and configured for IPv4 traffic, unless rules are strictly enforced.  After all, many existing security controls which rely on blacklisting malicious IP addresses would be ineffective without rules that govern both IPv4 and IPv6.  AlgoSec’s solutions can assist with the migration of rules and policies from environment to environment by automating the process, reducing the time taken and the security risks of miskeyed addresses or other translation mistakes.

Audit awareness

Step three is auditing.  You need to consider preparing for an in-depth security audit if the IPv6 network is not separated from your existing networks.  This means that all your security and auditing tools and processes must support IPv6 so that they can be audited in the same way that they currently are with IPv4.   You should check and verify that your solution vendor does allow you to set IPv6 policies, and to configure and monitor IPv6 traffic.

IPv6 undoubtedly offers many advantages to organizations, and ultimately all businesses will need to switch to IPv6.  As with any migration, there is the possibility of introducing security vulnerabilities, but following the three steps outlined here will help to ensure a smooth and secure transition.