With IPv4 quickly running out of addresses, IPv6 adoption is a must. But the implementation of IPv6 is creating security issues for SMBs. By Martin Sinderman
June 04, 2012
With IPv4 quickly running out of addresses, IPv6 adoption is a must. But the implementation of IPv6 is creating security issues for SMBs.
By Martin Sinderman
The adoption of Internet Protocol version 6, or IPv6, raises security issues for both SMBs and larger enterprises. Channel partners, meanwhile, are in a good position to help their customers avoid these issues.
Demand generated by the growth in the number of devices requiring IP addresses—such as computers, handhelds, VoIP phones, and video monitoring systems, to name a few—has strained the capacity of reigning protocol IPv4. In fact, many experts are now projecting that IPv4 will run out of IP addresses within the next year or so.
Weighing in with 128-bit address space (vs. IPv4’s 32 bits), IPv6 can accommodate this demand. While adoption has been slow, most of the business world, including SMBs, is starting to implement IPv6 on specific critical platforms—and running into some security issues, reports Dave Shackleford, founder of Roswell, Ga.-based Voodoo Security LLC, a security assessment company, and senior vice president, research, and CTO of Boston-based IANS, a research firm.
IPv6 is built to be more flexible than IPv4 in the types of data it will accommodate, according to Shackleford, “which provides an almost unlimited opportunity for tunneling other protocols and traffic.” Most existing intrusion-detection systems and other types of infrastructure security aren’t up to the challenge, he notes, “and that provides attackers with more channels through which to do all sorts of things.”
Meanwhile, because most new products from major manufacturers are IPv6 enabled, virtually all SMBs have computers that are IPv6 activated, often unbeknownst to system administrators, says Scott Hogg, director of technology solutions for Global Technology Resources Inc. (GTRI), a Denver-based IT solutions provider.
“They could have some IPv6 packets on their network and not realize it,” says Hogg. These packets could be vehicles for system attacks, malware transmission, and/or establishing covert data channels, he says, “and they won’t be picked up by any firewall or other intrusion-prevention systems that aren’t IPv6 capable.”
Channel pros can help their SMB clients deal with these problems by first conducting an inventory of their current IPv6 capabilities. “You typically start with devices at the Internet’s perimeter, where the network connects to the Internet, because these are the first devices likely to encounter IPv6,” said Hogg, adding that devices deep inside the network, such as IP phones, are some of the last things to worry about.
Shackleford advises that you check your client’s systems to determine if they are IPv6 enabled by default, “and if that’s the case, and you are not using it, disable it.” Going forward, make sure that any intrusion-prevention systems are brought up to IPv6 speed.
“When you are making purchase decisions, question vendors closely and make sure their products have been rigorously tested and are 100 percent compatible with IPv6,” Shackleford advises, “so you don’t buy something that’s going to shoot you in the foot two or three years from now, should you decide on wholesale implementation of IPv6.”