How to think about IPv6 Security

How to think about security when migrating to IPv6

One area which may create problems for enterprises wishing to deploy IPv6 is security. Some vulnerabilities may be the same as IPv4 while others will different. Some vulnerabilities may be introduced by additional complexity: transition mechanisms, dual-stacking, etc. Additionally, the process of migration itself introduces change and potential risk.

When large enterprises think about security, a number of areas are involved. These include:

Audits/Compliance,
Threat detection,
Risk analysis,
Root cause determination,
Encryption,
Privacy,
Confidentiality, and
Penetration testing

Will migration IPv6 impact these areas? If so, how?

A number of devices or products are used under the general heading of "security". These include:

Firewalls,
Intrusion Detection / Intrusion Prevention devices
Fraud detection
Proxy?
VPN?

Will these be impacted?

If you help us by taking this survey, then we can help by writing best practices or strategies for the issues that many organizations face.

Question Title

* 1. What kind of organization are you? We want to make sure we have a cross-section of industry as well as small and large organizations.

Financial services (include banking, stock trading, etc)

Insurance (health, property, life, casualty, etc)

Retail or manufacturing (other than technology)

State / regional / local government

Federal government

Academia (post high school)

School system (primary / secondary)

Non-profit

Vendor of hardware / software products (for your internal network only!)

ISP or telecommunications company (for your internal network only!)

Tech consulting or data center management (for your internal network only!)

Other (please specify)

Question Title

* 2. What is the size of your internal network? This applies to devices that you manage. (Not external clients or business partners)

Over 100,000 network devices (clients, servers, routers, external connections)

Over 50,000 network devices (clients, servers, routers, external connections)

Over 10,000 network devices (clients, servers, routers, external connections)

Less than 10,000 network devices (clients, servers, routers, external connections)

Other (please specify)

Question Title

* 3. Often access to the network and applications is controlled via firewalls or ACLs. These may be on the client platform itself (ex. Windows), in the network (routers), in standalone appliances or a combination. Many large enterprises also use a cascaded structure with red, green, yellow zones, a DMZ and so forth. Considering how to migrate or implement such a structure in a dual-stack or IPv6-only network will require thought and analysis.

Additionally, protocols such as IPv6 Neighbor Discovery and Router Discovery are based on ICMPv6. You may not be familiar with the new firewall rules for ICMPv6 or where to place them.

Following is a list of questions regarding firewalls. Please check all those apply to you.

If you do not use firewalls or ACLs, then please check the first box and go to the next question.

We do not use firewalls in our network

We have firewall rules (ACLs) in our endpoints (ex. Windows, RedHat, etc). This may be enforced via a "Gold Build" that is implemented in all devices

We have firewall rules (ACLs) in our routers or switches

We have firewall rules (ACLs) in other standalone equipment (ex. Checkpoint, Palo Alto, etc)

We have a naming convention for our firewall rules or will implement one for IPv6

We have a cascaded structure for our firewalls with a red, green, yellow zones, a DMZ and so forth

We have intelligent or stateful firewalls

We have a cluster controller, manager or load balancer for our firewalls

We are familiar with the new ICMPv6 messages for Neighbor Discovery, Multicast Listener Discovery, etc. and know what to look for and block.

We are NOT familiar with the new ICMPv6 messages for Neighbor Discovery, Multicast Listener Discovery, etc. and do not know what to look for and block. We would appreciate curated information / white papers / discussion of this.

I would be interested in a "Best Practices" paper for integrating IPv6 into my firewall methodologies / rules

I don't know (or I am not sure). How do I find out?

Other (please specify)

Question Title

* 4. Does your organization do a network security audits or compliance? You may also require those for vendors.

The following site presents a good explanation and checklist for a network security audit:

https://reciprocitylabs.com/network-security-audit-checklist/

A Network Security Audit is an audit of all your network systems to make sure that potential security risks are eliminated or minimized. Servers, routers, workstations, gateways, must all be checked to make sure they are secure and safe and aren’t sharing any sensitive information. Also, because users are connected to the network, there are personnel considerations to consider. Quite often, whether intentionally or unintentionally, users tend to be the biggest threat to a network’s security.

If you do not do a network security audit or require those from your vendors, please check that box. Otherwise, please select all the choices which apply to your organization.

We do not do a network security audit or require those from our vendors

We do regular network security audits

We have external auditors do network security audits

We require network security audits from our vendors

We allow BYOD (Bring Your Own Device)

I would be interested in a paper or Best Practices document on how IPv6 impacts network security audits

I don't know (or I am not sure) How can I find out?

Other (please specify)

Question Title

* 5. Does your organization do threat detection for IPv4 on your network?

Threat detection may be different for IPv6 because more and different interfaces are available as well as protocols such as multicast are more heavily and differently used.

You may also consolidate threat detection with other organizations.

If you do not do threat detection, please check that box. Otherwise, please select all the choices which apply to your organization.

We do not do threat detection for our IPv4 network

We do regular threat detection for our IPv4 network

We have external vendors which provide threat detection services

We consolidate or share threat detection information with other organizations

I would be interested in a paper or Best Practices document on how IPv6 impacts threat detection

I don't know (or I am not sure) How can I find out?

Other (please specify)

Question Title

* 6. Does your organization do penetration testing for your IPv4 network?

Penetration detection may be different for IPv6 because more and different interfaces are available as well as protocols such as multicast are more heavily and differently used.

If you do not do penetration testing, please check that box. Otherwise, please select all the choices which apply to your organization.

We do not do penetration testing for our IPv4 network

We do regular penetration testing for our IPv4 network

We have external vendors which provide penetration testing services

I would be interested in a paper or Best Practices document on how IPv6 impacts penetration testing

I don't know (or I am not sure) How can I find out?

Other (please specify)

Question Title

* 7. IP addresses may also be used inside TLS certificates in the Alternate Subject Name or ID field.

Does this apply to you?

We use TLS certificates with embedded IP addresses

I don't know (or I am not sure). How can I find out?

Other (please specify)

Question Title

* 8. Many organizations are risk averse. This is understandable because they serve important business, government or other functions. Mitigating risk often involves change control or labs set up to emulate various aspects of the production environment.

An IPv6 migration, since it involves potentially touching most, if not all network devices, may also involve a degree of risk, if done without a great deal of thought, research, testing and planning.

We have some ideas of how to work together to provide this. Please check the following options / ideas for risk mitigation.

We have change control at our organization

We have an official scale for level of risk of the proposed change

We have one or more labs for network / application migration / testing

I would like to see a white paper or webinar on multiple types of migration planning scenarios for an IPv6 migration ("inside-out", "outside-in", "sandbox", DMZ, etc

I would like to use a third party lab environment with common environment IPv6 migration / address planning / security issue scenarios. I may be willing to pay some nominal amount to use this.

Other (please specify)

Question Title

* 9. IPv6 transition mechanisms (used by your own organization or your ISP) may introduce additional complexity to your network. Any time there is more complexity, there is a possible security risk.

Please answer the following questions about IPv6 transition mechanisms. Select all that apply.

We plan to dual-stack our network (provide both IPv4 and IPv6 access)

We plan to provide IPv6 access only (as much as possible)

We plan to provide IPv4 access only (as much as possible)

We have not decided our strategy on dual or single stacking

We plan to use IPv6 transition mechanisms within our organization (DNS64, etc)

Our ISP uses IPv6 transition mechanisms (Carrier-grade NAT, etc)

I don't know, how do I find out?

I would like more information on this topic

How to think about IPv6 Security

How to think about security when migrating to IPv6

Question Title

* 1. What kind of organization are you? We want to make sure we have a cross-section of industry as well as small and large organizations.

Question Title

* 2. What is the size of your internal network? This applies to devices that you manage. (Not external clients or business partners)

Question Title

Question Title

Question Title

Question Title

Question Title

* 7. IP addresses may also be used inside TLS certificates in the Alternate Subject Name or ID field. Does this apply to you?

Question Title

Question Title

* 9. IPv6 transition mechanisms (used by your own organization or your ISP) may introduce additional complexity to your network. Any time there is more complexity, there is a possible security risk. Please answer the following questions about IPv6 transition mechanisms. Select all that apply.

* 7. IP addresses may also be used inside TLS certificates in the Alternate Subject Name or ID field.

Does this apply to you?

* 9. IPv6 transition mechanisms (used by your own organization or your ISP) may introduce additional complexity to your network. Any time there is more complexity, there is a possible security risk.

Please answer the following questions about IPv6 transition mechanisms. Select all that apply.