Stonesoft: 10 Tips for Implementing IPv6 Securely
Stonesoft shares insights for overcoming IPv6 security challenges
Helsinki, Finland – 5 June 2012 – Many organizations are being misled about the complexities surrounding IPv6 security, according to Stonesoft, a global provider of proven, innovative network security solutions. Having worked with the world’s largest sources of IPv6 traffic, Stonesoft is actively helping enterprises and public agencies implement IPv6 in a way that is secure and cost-effective. The company shares a list of 10 insights to help CISOs and network managers weed through the hype surrounding IPv6 security and prioritize their security initiatives.
“A lot of people think there isn’t much difference between securing IPv6 traffic and IPv4 – and that’s not true. This misperception is compounded by the fact that organizations aren’t sure what needs to be done when, and that vendors are making false claims about how well their products perform in an IPv6-ready network,” said Juha Luoma, FW/VPN Product Manager at Stonesoft.
Drawing on its experience with large-scale IPv6 deployments, Stonesoft shares the following tips on IPv6 security:
1. Revamp your existing network: Revamping your IPv4 network involves cleaning up, throwing out and upgrading to new. Clean up and kick out outmoded and outdated features. The upgrading consists of ensuring every aspect of your network that can be effectively ungraded to the next level is, in fact, happily humming along at that level. Starting with a clean, uncluttered slate makes it much easier – and safer – to implement IPv6 without a ton of hassle and possible problems.
2. Plan a gradual introduction: Take a cue from the Social Security Administration, which has been working with IPv6 for more than a half-decade already. The full implementation is planned for three stages over a span of another six years. You do not have to tread as slowly as the government, but gradually introducing IPv6 gives you plenty of time to ensure IPv6 is going to function with your now-state-of-the-art IPv4 infrastructure. It also keeps your budget in check.
3. Go for dual stack: Opt for dual stack mode for your IPv6 implementation. Dual stack comes with a host of benefits, although it may require router upgrades to meet the memory and power demands to support running both IPv4 and IPv6 simultaneously. In addition to being straightforward to implement, the dual stack approach allows your system to support applications that are not yet functional with IPv6. It can also help eliminate the need for tunnels, which is already being viewed as a veritable breeding ground for security issues.
4. Take care of your tunnels: The National Institute of Standards and Technology’s “Guidelines for the Secure Deployment of IPv6” suggests viewing and treating tunnels that same way you would an external link: with extreme caution. It recommends inspecting every single shard of tunnel traffic before you permit it to either enter or exit your system. This inspection consists of reviewing all IPv6 traffic, including those within the IPv4 packets, with the same scrutiny and systematic examination you give to all your traffic. Suggested tools include the usual gamut of virus protection, intrusion detection, network ingress filtering, packet filters and application proxies. Further, fortify the tunnel endpoints with even more stalwart security measures, such as authentication.
5. Mind the malicious: Malicious users are already infiltrating IPv6 quicker than they have hit other advancements. Do not forget the warnings about the dangers of router advertisements and man in the middle attacks. Some attacks can delve deep into your network before you even realize anything is amiss, making them more destructive than ever. These and similar attacks are coming from scripts that are almost too easy to use. Memorizing every type of attack and the solution to go with it would be impossible. Being aware that many already exist and many more are sure to come is crucial.
6. Upgrade to a certified firewall: Be careful about claims concerning IPv6 readiness. Without outside verification, it is likely the vendor may have just pointed a traffic generator at their product and claims it works. You must look at products that have undergone third-party certification. They can apply hands-on testing using publicly accepted evaluation methods to assure you know exactly what your firewall can handle.
7. Require authentication: Authentication is more critical and, fortunately, easier than ever before. Stonesoft recommends looking into the use of an HTTP/HTTPS proxy for users to access the Internet. Once you set up required authentication to even get online, you have reduced the threat of unwanted parties entering your party without your approval.
8. Hit the books: Know IPv6 syntax. The syntax is very similar to that used with IPv4, but with notable differences in the foundation. Knowing the syntax makes it much easier to quickly know how to deal with a security breach or implement necessary measures. Since IPv6 has technically been around for more than a decade, there is no shortage on information on the subject from several technology giants – as well as a 188-page guide from the U.S. government.
9. Hit the “off” button: Shutting off IPv6 capabilities when you are not using them may sound like a no-brainer, but it may not be as straightforward as you think. That’s because a number of programs have already been configured to work with IPv6, and just as many may already have the protocol turned on automatically by default. Check, double-check and triple-check your environment to ensure IPv6 is only enabled when it’s actually be used. Deploying a mechanism with the ability to disable IPv6 in bulk may be a wise investment.
10. Know how to kill: Even with large portions of your network disabled for IPv6, you can still face the threat of unwanted IPv6 visitors. When that becomes the case, you want to know how to kill it before it can infect others associated with your network. This is where knowing IPv6 syntax can be a lifesaver, particularly for setting up effective firewalls and traffic filters. You can create filters that let in what you want, keep out what you don’t, and help to ensure when you’re up and running with IPv6 you are actually up and running.
For more information on Stonesoft’s IPv6-ready network security solutions, please visit www.stonesoft.com.
FW/VPN Product Manager
Tel. + 358 40 776 9974
About Stonesoft Corporation
Stonesoft Corporation (NASDAQ OMX: SFT1V) delivers software based, dynamic and customer driven network security solutions that secure the information flow and simplify security management. The company’s product portfolio consists of the industry’s first transformable Security Engine, standalone next generation firewalls and intrusion prevention systems, and SSL VPN solutions. At the core lies Stonesoft’s Management Center which unifies the management of entire networks.
Stonesoft serves private and public sector organizations requiring high availability, ease of management, compliance, dynamic security and protection of their critical digital assets and business continuity against today’s rapidly evolving cyber threats. Stonesoft is a recognized researcher of advanced evasion techniques used in targeted cyber attacks to bypass security.
Stonesoft has the highest customer retention rate in the industry due to low TCO, ease of management, and overall customer excellence. Stonesoft’s customer base covers more than 4,000 mid- or large-sized organizations across various industries and geographical markets.
Founded in 1990, the company’s track record is well recognized by certifiers, industry analysts and demanding customers. The company’s corporate headquarters are based in Helsinki, Finland and North American headquarters in Atlanta, Georgia. For more information, visit www.stonesoft.com.