
Retired Member


Information Security

The risks from Cyber crime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Are you prepared for World IPv6 Day?

07 June 2011

As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven’t network administrators enough work to handle?

Well, I suspect they do; however, World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th, and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.

Why? Well, the internet is running out of network addresses (in fact it pretty well has), and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient; but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet-enabled fridge or power smart meter), this is far too small. IPv6 provides far more addresses, 3.4 x 10 to the power of 38 to be exact. However, IPv6 is far more than simply a greater address range; it is the next generation of IP and has significant changes from the current IPv4 protocol stack.

So why do I raise this event on a security blog – surely it’s a network issue? Well, World IPv6 Day is an indication of what will be coming downstream with regard to new technology and implementations. As has been learnt from the past, these tend to lead to new vulnerabilities and weaknesses which hackers are quick to exploit.

Operating systems and network devices are already IPv6 enabled and have been for some time, so they are capable of working with the new protocols. As the switchover gains momentum, issues will start to arise, and a security manager will have to be on their toes and not just rely on updated standards.

Looking at the new PCI DSS v2.0, you will search in vain for a direct reference to IPv6, and why should it contain one? PCI DSS requires that a merchant or service provider builds a secure network (irrespective of the protocol stack in use) and that an annual risk assessment is carried out. For those people who look deeply at the standard, the wording for control 1.3.8 did subtly change from an explicit usage of Network Address Translation (NAT) to the requirement that private IP addresses and routing information should be prevented from being disclosed to unauthorised external bodies. This, I would suggest, was partly brought about by an awareness of the design of an IPv6-based network.

If I were performing a PCI DSS audit, I would expect that IPv6 would appear, for an organisation, within this year’s list of potential threats and risks. I include that even if there are no plans for IPv6 internally, as it could still potentially impact the traffic at the firewalls, both ingress and egress. Are you sure, for example, that no internal servers are running IPv6 protocol stacks which are reached by tunnelling over IPv4? Is it explicitly excluded within your configuration guides for hardening of servers and network devices?
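One way to answer the tunnelling question from captured firewall traffic, as an added example that is not part of the original post: the classifier below labels raw IPv4 packets that carry IPv6 inside them, using IP protocol 41 (6in4, 6to4, ISATAP) and the well-known Teredo UDP port 3544. The function names and the sample packets are constructed for illustration, and the Teredo check is a port-based heuristic.

```python
import ipaddress
import struct

PROTO_IPV6 = 41      # IANA protocol number: IPv6 encapsulated in IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544   # well-known Teredo UDP port

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the IPv6 transition mechanism it carries, if any."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto, payload = pkt[9], pkt[ihl:]
    first_fragment = (struct.unpack("!H", pkt[6:8])[0] & 0x1FFF) == 0
    if proto == PROTO_IPV6:
        # The inner IPv6 source address sits at bytes 8..23 of the inner header.
        if first_fragment and len(payload) >= 40 and payload[0] >> 4 == 6:
            inner_src = ipaddress.IPv6Address(payload[8:24])
            if inner_src.sixtofour is not None:   # inner source in 2002::/16
                return "6to4"
        return "6in4"   # configured tunnel, ISATAP, or undecodable inner header
    if proto == PROTO_UDP and first_fragment and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "plain-ipv4"

def tunnelled(packets):
    """Return (index, label) for every packet that carries IPv6 inside IPv4."""
    labels = ((i, classify(p)) for i, p in enumerate(packets))
    return [(i, label) for i, label in labels if label in ("6to4", "6in4", "teredo")]

# --- constructed sample packets (checksums left at 0; they are not validated here) ---
def _ipv4(proto, src, dst, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def _ipv6_header(src, dst):
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

SAMPLES = [
    _ipv4(6, "10.0.0.5", "198.51.100.7", bytes(20)),                                   # ordinary TCP
    _ipv4(41, "192.0.2.4", "192.88.99.1", _ipv6_header("2002:c000:204::1", "2001:db8::1")),
    _ipv4(41, "10.0.0.9", "203.0.113.1", _ipv6_header("2001:db8:1::9", "2001:db8::1")),
    _ipv4(17, "10.0.0.5", "198.51.100.7", struct.pack("!HHHH", 51000, 3544, 8, 0)),    # UDP to 3544
]
```

Calling `tunnelled(SAMPLES)` lists the three tunnelled packets and skips the ordinary TCP one; any hit from an internal server is a candidate for the risk list and for the hardening guide.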


So what are the likely issues; where will we see vulnerabilities? My own guess is it will be based around zero-day vulnerabilities as new systems are used in anger, immaturity of security products, the complexity of supporting a mixed environment for a period of time, and the development by the hacker community of specific IPv6 tools to take advantage of the new features.

In the longer term the benefit of IPv6 is that security was included within the design, rather than being a later add-on as with IPv4, but of course that will only be a benefit if people use it and configure it properly. Let’s hope this is the case.
