Is your enterprise ready to block IPv6 threats?

Analyst Blog

Jan. 23, 2013, 6:10 a.m.
Michela Menting , Practice Director

The IPv4 – IPv6 debate has almost exclusively focused on when the internet addresses will actually run out. Vendors and technical standards organizations have done most of the groundwork to facilitate a smooth transition. Further than that however, many businesses have not really thought about the implications of this transition. And they should be because the transition will not be automatic. For enterprise security especially, action is necessary. In fact, failure to act will leave the corporate network vulnerable to all kinds of malware and cyber threats.

Although inherently more secure than IPv4, IPv6 is still not an impenetrable technology. But the problem is not with the technology itself: it’s with the lack of action by companies. Many devices, operating systems and applications already have IPv6 turned on by default, including Windows Server 2008, Windows 7, Mac OS X, Skype among other common programs. The issue is that many enterprise security solutions are simply not filtering IPv6 traffic at all. IPv6 malware is already out there, including sophisticated toolkits using command and control and denial of service attacks. For cybercriminals, this lack of attention by many companies is a boon. An IPv4-only intrusion detection system will miss all this malicious traffic completely, while IPv6 machines are transmitting malware within corporate networks by default.

For this reason, addressing IPv6 security should be a priority. IPv6 has a number of highly useful security features which enterprises can take advantage of such as IPSec, Secure Neighbor Discovery capabilities, Privacy Addresses, and Unique Local Addresses (ULA). Although it may seem like there are a number of new challenges in IPv6 security, many of these can be deployed in a similar fashion to IPv4. But this involves a proactive approach now.

Enterprises need to understand the implications of IPv6 readiness, and big part of that is network and endpoint security. To this end, a number of vendors offer some comprehensive solutions that aim to help companies with IPv6 readiness.

Infoblox offers automated network solutions which are IPv6-enabled, for both hardware and software components. The company enables provisioning of IPv6 addresses from internal and external IPv6 devices, accommodating both IPv6 and IPv4 in a dual stack solution. In the same vein, Dyn and Bluecat Networks offer similar IPv6 migration solutions.

IPv6 malware will only increase, and looking into the security requirements now can help prevent future corporate breaches.