How to think about IPv6 Security

How to think about security when migrating to IPv6

One area which may create problems for enterprises wishing to deploy IPv6 is security. Some vulnerabilities may be the same as in IPv4, while others will be different. Some vulnerabilities may be introduced by additional complexity: transition mechanisms, dual-stacking, etc. Additionally, the process of migration itself introduces change and potential risk.
 
When large enterprises think about security, a number of areas are involved.  These include:
 
  • Audits/Compliance,
  • Threat detection,
  • Risk analysis,
  • Root cause determination,
  • Encryption,
  • Privacy,
  • Confidentiality, and
  • Penetration testing

Will migration to IPv6 impact these areas? If so, how?

A number of devices or products are used under the general heading of "security".  These include:

  • Firewalls,  
  • Intrusion Detection / Intrusion Prevention devices
  • Fraud detection
  • Proxy?
  • VPN?  

Will these be impacted?

If you help us by taking this survey, then we can help by writing best practices or strategies for the issues that many organizations face.

1. What kind of organization are you? We want to make sure we have a cross-section of industry as well as small and large organizations.

2. What is the size of your internal network? This applies to devices that you manage (not external clients or business partners).

3. Access to the network and applications is often controlled via firewalls or ACLs. These may be on the client platform itself (e.g., Windows), in the network (routers), in standalone appliances, or a combination. Many large enterprises also use a cascaded structure with red, green and yellow zones, a DMZ and so forth. Migrating or implementing such a structure in a dual-stack or IPv6-only network will require thought and analysis.

Additionally, protocols such as IPv6 Neighbor Discovery and Router Discovery are based on ICMPv6.  You may not be familiar with the new firewall rules for ICMPv6 or where to place them.

Following is a list of questions regarding firewalls. Please check all those that apply to you.

If you do not use firewalls or ACLs, then please check the first box and go to the next question.
(Required.)
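
To illustrate the ICMPv6 point in question 3, here is an added example (not part of the original survey) that audits a firewall policy for the ICMPv6 types IPv6 depends on. The `input`/`forward` chain names, the policy format and both sample policies are assumptions constructed for illustration, and the check works at type granularity only, which is coarser than the per-code guidance in RFC 4890.

```python
# ICMPv6 type numbers (IANA registry). Error messages must survive filtering;
# Packet Too Big matters most because IPv6 routers never fragment in transit.
ERRORS = {1: "Destination Unreachable", 2: "Packet Too Big",
          3: "Time Exceeded", 4: "Parameter Problem"}
# Neighbor Discovery / Router Discovery messages (RFC 4861), link-scoped.
NDP = {133: "Router Solicitation", 134: "Router Advertisement",
       135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}


def audit_policy(policy):
    """Return (chain, type, message) findings for a hypothetical policy of the
    form {"input": allowed_types, "forward": allowed_types}."""
    findings = []
    for chain in ("input", "forward"):
        allowed = policy.get(chain, set())
        for icmp_type, name in ERRORS.items():
            if icmp_type not in allowed:
                findings.append((chain, icmp_type, f"{name} blocked"))
    for icmp_type, name in NDP.items():
        if icmp_type not in policy.get("input", set()):
            findings.append(("input", icmp_type,
                             f"{name} blocked: on-link resolution fails"))
        if icmp_type in policy.get("forward", set()):
            findings.append(("forward", icmp_type,
                             f"{name} forwarded: NDP is link-scoped, rule unneeded"))
    return findings


def ndp_packet_acceptable(icmp_type, hop_limit):
    """RFC 4861: receivers discard NDP messages whose Hop Limit is not 255,
    which shows the sender is on-link. Non-NDP types are out of scope here."""
    return icmp_type in NDP and hop_limit == 255


# Constructed sample: an IPv4-style "allow ping only" policy carried over as-is.
CARRIED_OVER = {"input": {128, 129}, "forward": {128, 129}}
# Constructed sample: errors allowed on both chains, NDP on input only.
REVISED = {"input": {128, 129} | set(ERRORS) | set(NDP),
           "forward": {128, 129} | set(ERRORS)}

if __name__ == "__main__":
    for chain, icmp_type, msg in audit_policy(CARRIED_OVER):
        print(f"{chain:8} type {icmp_type:3}: {msg}")
```
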
4. Does your organization do network security audits or compliance? You may also require those from vendors.

The following site presents a good explanation and checklist for a network security audit: 

https://reciprocitylabs.com/network-security-audit-checklist/

A Network Security Audit is an audit of all your network systems to make sure that potential security risks are eliminated or minimized. Servers, routers, workstations, gateways, must all be checked to make sure they are secure and safe and aren’t sharing any sensitive information. Also, because users are connected to the network, there are personnel considerations to consider. Quite often, whether intentionally or unintentionally, users tend to be the biggest threat to a network’s security.

If you do not do a network security audit or require those from your vendors, please check that box.  Otherwise, please select all the choices which apply to your organization.
(Required.)
5. Does your organization do threat detection for IPv4 on your network?

Threat detection may be different for IPv6 because more and different interfaces are available, and protocols such as multicast are used more heavily and differently.

You may also consolidate threat detection with other organizations.

If you do not do threat detection, please check that box.  Otherwise, please select all the choices which apply to your organization.
(Required.)
6. Does your organization do penetration testing for your IPv4 network?

Penetration testing may be different for IPv6 because more and different interfaces are available, and protocols such as multicast are used more heavily and differently.

If you do not do penetration testing, please check that box.  Otherwise, please select all the choices which apply to your organization.
(Required.)
7. IP addresses may also be used inside TLS certificates in the Subject Alternative Name (SAN) or ID field.

Does this apply to you?  
(Required.)
8. Many organizations are risk averse. This is understandable because they serve important business, government or other functions. Mitigating risk often involves change control or labs set up to emulate various aspects of the production environment.

Because an IPv6 migration potentially touches most, if not all, network devices, it may also involve a degree of risk if done without a great deal of thought, research, testing and planning.

We have some ideas of how to work together to provide this.  Please check the following options / ideas for risk mitigation.

9. IPv6 transition mechanisms (used by your own organization or your ISP) may introduce additional complexity to your network. Any time there is more complexity, there is a possible security risk.

Please answer the following questions about IPv6 transition mechanisms.  Select all that apply.