20 August 2014

Prevent Protect Pursue

Robin Adams - The Logic Group

14 | posts 66,781 | views 0 | comments

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...

Are you prepared for World IVP6 day?

07 June 2011  |  6266 views  |  0

As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven’t network administrators enough work to handle.

 

Well, I suspect they do, however World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.

 

Why? Well the internet is running out of network addresses; in fact they pretty well have and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient; but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet enabled fridge or power smartmeter) this is far too small. IPv6 provides far more addresses, 3.4 x 10 to the power of 38 to be exact. However IPv6 is far more than simply a greater address range, it is the next generation of IP and has significant changes from the current IPv4 protocol stack.

 

So why do I raise this event on a security blog – surely it’s a network issue? Well, the World IPv6 Day is an indication of what will be coming downstream with regards to new technology and implementations. As has been learnt from the past, these tend to lead to new vulnerabilities and weaknesses which hackers are quick to exploit.

 

Operating systems and network devices are already IPv6 enabled and have been for some time, so they are capable of working with the new protocols. As the switchover gains momentum, then issues will start to arise and a security manager will have to be on their toes, and not just rely on updated standards.

 

Looking at the new PCI DSS v2.0 you will search in vain for a direct reference to IPv6 and why should it? PCI DSS requires that a merchant or service provider builds a secure network (irrespective of the protocol stack in use) and that an annual risk assessment is carried out. For those people who look deeply at the standard, the wording for control 1.3.8 did subtly change from an explicit usage of Network Address Translation (NAT) to the requirement that private IP addresses and routing information should be prevented from being disclosed to unauthorised external bodies. This I would suggest was partly brought about by an awareness of the design of an IPv6 based network.

 

If I was performing a PCI DSS audit I would expect that IPv6 would appear, for an organisation, within this year’s list of potential threats and risks. I include that, even if there are no plans for IPv6 internally, as it could still potentially impact the traffic at the firewalls, both ingress and egress. Are you sure, for example that no internal servers are running IPv6 protocols stacks which are reached by tunnelling over IPv4? Is it explicitly excluded within your configuration guides for hardening of servers and network devices?

 

So what are the likely issues, where will we see vulnerabilities? My own guess is it will be based around zero-day vulnerabilities as new systems are used in anger, immaturity of security products, the complexity of supporting a mixed environment for a period of time and the development by the hacker community of specific IPv6 tools to take advantage of the new features.

 

In the longer term the benefits of IPv6 are that security was included within the design, rather than a later add-on as per IPv4, but of course that will only be a benefit if people use it and configure it properly. Let’s hope this is the case.

 

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Robin

New Requirements for Point to Point Encryption

18 October 2011  |  5097 views  |  0  |  Recommends 0 TagsSecurityPaymentsGroupInformation Security

Are compromised certificates the root of all Evil?

15 September 2011  |  4123 views  |  1  |  Recommends 0 TagsSecurityRisk & regulationGroupInformation Security

Comparing Mobile and Contactless Payments

25 July 2011  |  6414 views  |  3  |  Recommends 0 TagsCardsPaymentsGroupInformation Security

Assessing Risk? Ask a pigeon.

14 July 2011  |  5756 views  |  0  |  Recommends 1 TagsSecurityRisk & regulationGroupInformation Security

The PCI SSC Publish Virtualisation and Cloud Advice

23 June 2011  |  5008 views  |  0  |  Recommends 0 TagsSecurityRisk & regulationGroupInformation Security
name

Robin Adams

job title

Director of Security Fraud Risk Mgmt

company name

The Logic Group

member since

2010

location

Fleet

Summary profile See full profile »
Robin Adams, Director of Security, Fraud and Risk Management is a Qualified Security Assessor (QS...

Robin's expertise

Robin's blog archive
2011 (8)2010 (6)

Who is commenting on Robin's posts