01 November 2014

Retired Member

Information Security

The risks from cyber crime - hacking, loss of data privacy, identity theft and other topical threats - can be greatly reduced by implementation of robust IT security controls ...

Are you prepared for World IPv6 Day?

07 June 2011

As I ask the question I can hear the thud of exasperation from overworked network administrators. Surely not another awareness day or preparatory day for the masses; haven’t network administrators enough work to handle?

 

Well, I suspect they do; however, World IPv6 Day does have a serious intent. World IPv6 Day is scheduled for June 8th, and a number of notable sites such as Google, Facebook and the like will be enabling their web services to be served over IPv6 for a test period of 24 hours.

 

Why? Well, the internet is running out of network addresses; in fact it pretty well has, and IPv6 is the solution. When IP was first developed, 4.3 billion addresses seemed sufficient; but with the number and diversity of devices looking to connect ever increasing (think of the proverbial internet-enabled fridge or power smart meter), this is far too small. IPv6 provides far more addresses, 3.4 x 10 to the power of 38 to be exact. However, IPv6 is far more than simply a greater address range; it is the next generation of IP and has significant changes from the current IPv4 protocol stack.

 

So why do I raise this event on a security blog – surely it’s a network issue? Well, World IPv6 Day is an indication of what will be coming downstream with regard to new technology and implementations. As has been learnt from the past, these tend to lead to new vulnerabilities and weaknesses which hackers are quick to exploit.

 

Operating systems and network devices are already IPv6 enabled and have been for some time, so they are capable of working with the new protocols. As the switchover gains momentum, issues will start to arise and a security manager will have to be on their toes, and not just rely on updated standards.

 

Looking at the new PCI DSS v2.0, you will search in vain for a direct reference to IPv6, and why should there be one? PCI DSS requires that a merchant or service provider builds a secure network (irrespective of the protocol stack in use) and that an annual risk assessment is carried out. For those people who look deeply at the standard, the wording for control 1.3.8 did subtly change from an explicit usage of Network Address Translation (NAT) to the requirement that private IP addresses and routing information should be prevented from being disclosed to unauthorised external bodies. This, I would suggest, was partly brought about by an awareness of the design of an IPv6-based network.

 

If I were performing a PCI DSS audit I would expect that IPv6 would appear, for an organisation, within this year’s list of potential threats and risks. I include that even if there are no plans for IPv6 internally, as it could still potentially impact the traffic at the firewalls, both ingress and egress. Are you sure, for example, that no internal servers are running IPv6 protocol stacks which are reached by tunnelling over IPv4? Is it explicitly excluded within your configuration guides for hardening of servers and network devices?
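
One way to start answering the tunnelling question above, as an added example that is not part of the original post: a check over a firewall flow export that flags the common IPv6-over-IPv4 transition mechanisms (IP protocol 41 for 6in4/6to4/ISATAP, UDP port 3544 for Teredo) and IPv6 addresses derived from them. The CSV layout, the sample flows and the function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress

TEREDO_PORT = 3544  # UDP port Teredo clients use to reach Teredo servers
SIXTOFOUR_RELAY = ipaddress.ip_address("192.88.99.1")  # 6to4 relay anycast address

# Constructed sample data; the column layout is a hypothetical export format.
SAMPLE_FLOWS = """\
src,dst,proto,dport
10.1.4.20,203.0.113.9,6,443
10.1.4.31,192.88.99.1,41,0
10.1.7.12,198.51.100.77,17,3544
10.1.7.12,198.51.100.53,17,53
10.2.0.5,203.0.113.40,41,0
2002:cb00:7109::1,2001:db8::10,6,22
"""

def classify(row):
    """Return a reason if the flow is IPv6 carried over, or derived from, IPv4."""
    src = ipaddress.ip_address(row["src"])
    dst = ipaddress.ip_address(row["dst"])
    proto, dport = int(row["proto"]), int(row["dport"])
    if src.version == 4:
        if proto == 41:  # IPv6 encapsulated directly in IPv4
            kind = "6to4 relay" if dst == SIXTOFOUR_RELAY else "6in4/ISATAP"
            return f"IPv4 protocol 41 ({kind})"
        if proto == 17 and dport == TEREDO_PORT:
            return "Teredo (UDP/3544)"
        return None
    for addr in (src, dst):  # native IPv6 flow: look for transition prefixes
        if addr.sixtofour is not None:  # 2002::/16
            return f"6to4 address embedding {addr.sixtofour}"
        if addr.teredo is not None:  # 2001::/32
            return f"Teredo address, client {addr.teredo[1]}"
    return None

def find_tunnels(text):
    """Return (src, dst, reason) for every flow that classify() flags."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reason = classify(row)
        if reason:
            findings.append((row["src"], row["dst"], reason))
    return findings

if __name__ == "__main__":
    for src, dst, reason in find_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```

Any hit from an internal address is a host whose IPv6 stack is active and reachable through the IPv4 perimeter, which is the case the hardening guides and firewall rules need to cover explicitly.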

 

So what are the likely issues, and where will we see vulnerabilities? My own guess is that they will be based around zero-day vulnerabilities as new systems are used in anger, the immaturity of security products, the complexity of supporting a mixed environment for a period of time, and the development by the hacker community of specific IPv6 tools to take advantage of the new features.

 

In the longer term the benefits of IPv6 are that security was included within the design, rather than a later add-on as per IPv4, but of course that will only be a benefit if people use it and configure it properly. Let’s hope this is the case.

 
