Securing The Perimeter With IPv6

Major network and security vendors have raced against the clock to inject support for a new IP-addressing scheme--Internet Protocol version 6--into flagship firewall lines to help federal agencies meet a looming White House deadline.

Federal IT buyers have embraced new IPv6 firewalls, mostly to check off a box during the procurement process and stay out of trouble with the Office of Management and Budget (OMB), which is demanding support for IPv6 by June 2008. For the most part, agencies aren't yet focused on IPv6's future potential to improve encryption and authentication and to boost government efforts to deploy videoconferencing, streaming audio and true peer-to-peer applications.

What agencies are focusing on are the migration challenges they face in absorbing IPv6-supported firewalls and other networking gear. Those challenges, though, are creating opportunities for service providers steeped in knowledge of IPv6 and those familiar with issues around the transition to IPv6 from its predecessor, IPv4.

In addition, government IT officials will look to VARs to help clear up lingering confusion over the new protocol and to clarify exactly what it is IPv6 will accomplish beyond satisfying the OMB.


IPv6 is an advanced IP addressing scheme hatched more than a decade ago. Government and industry groups then predicted that the number of networked devices requiring IP addresses--everything from firewalls to cellphones--would quickly outstrip the number of addresses available under IPv4. That shortage has yet to materialize, since IP addresses remain plentiful, except in populous Asia, which is saturated with electronic devices.

Absent an immediate need for rapid commercial adoption of IPv6, the OMB mandate has shaped the protocol's evolution and forced vendors to incorporate IPv6.

"Lack of IPv6 support is going to be an ongoing liability that's only going to get worse," says Michael Warfield, senior researcher at IBM Internet Security Systems' X-Force Threat Analysis Service. "It won't be that IPv6 support opens doors. Instead, lack of IPv6 compatibility may well begin to slam them shut."

In terms of what IPv6 will provide agencies immediately in the way of new functionality or applications, the short answer is "not much."

"It's important to note that IPv6 will not have the vast impact that was originally prognosticated," Whiteley says. "Really, IPv6 is needed for one of two reasons: Either your organization is running out of IPv4 address space or you're mandated to support IPv6 for federal government interconnection."


What government agencies can expect, though, are long-term gains from the updated protocol.

"Right now, there are not a lot of things you can do with IPv6 that you can't do with IPv4," says Tim LeMaster, director of systems engineering for the public sector at Sunnyvale, Calif.-based Juniper Networks, which has added IPv6 support to its firewall products. "By and large, most of those feature sets will be added later."

Organizations and vendors promoting IPv6 promise that the protocol will further IP Security (IPsec) authentication and encryption, which protects data in individual IP packets and data streams. IPv6 is also expected to make software easier to deploy and to boost mobile-computing efforts by supporting devices that move between networks.

To move in that direction, agencies will probably get by with "dual-stacked" firewalls that support both IPv4 and IPv6--and for quite some time. Such firewalls can also carry IPv4 packets encapsulated inside IPv6 packets. "Most agencies simply need a perimeter device that can tunnel IPv4 traffic in an IPv6-outbound packet," Whiteley explains.

Because IPv6-supported firewalls are now widely available, agencies likely won't run into trouble finding the right equipment. Cisco, Check Point Software Technologies and other major vendors now offer IPv6 firewall solutions. IPv6-enabled firewalls can also be built on open-source Linux and Berkeley Software Distribution, or BSD, operating systems. "The majority of commercial firewalls already support IPv6," Warfield says. "In most cases, it's just a matter of turning on the functionality and configuring it."

Before buying new IPv6-enabled products, however, agencies must determine whether the firewalls and other components of their existing networking infrastructure already support the new protocol. "Most of our customers are looking to purchase new network and security devices that support the IPv6 standard," says David Arbeitel, CTO of Lumeta, a Somerset, N.J.-based network change-management firm that caters to the federal government. "In fact, many already have purchased devices that can be enabled to support IPv6 and don't know it."

Indeed, the OMB last June demanded that agencies maintain full inventories of networking gear--a wise move, according to Arbeitel. "You must know which devices don't need to be replaced.
You must also know which devices could be accidentally IPv6-enabled--a situation that could result in an unwanted tunnel into your IPv4 network," he says. "A firewall that's erroneously configured to support IPv6, with no new rules specific to the IPv6 environment, could pose a potential security risk."

In addition, agencies should know the specifics of a firewall vendor's support for the IPv6 protocol. "Most vendors have offered IPv6 as a software feature, and it runs on the operating system embedded on each router, switch or firewall," Whiteley says. "However, more aggressive vendors have committed to IPv6 in hardware."

A vendor's commitment to IPv6 support in firewall hardware--dedicated processors, co-processors or application-specific integrated circuits--puts agencies at lower risk for performance problems, because software-based IPv6 implementations pose potential traffic bottlenecks, Whiteley adds. Software-based IPv6 support on a firewall's operating system can also bog down the software and get in the way of basic functions, says Juniper's LeMaster. "Support for IPv6 in the software allows flexibility but can impact performance, since the CPU is handling many other processes." Juniper, in fact, is among the vendors that started with a software-based IPv6 firewall solution but eventually moved support for the standard to the hardware level.

Exploring the many available IPv6 firewall options, thoroughly inventorying network infrastructure and working with service providers on configuration and compliance matters are all important tasks. But industry experts and vendors agree that it's now time for agencies to move beyond a mere drive to meet the OMB deadline.
"Most of the emphasis has been on compliance with the IPv6 directive and not necessarily on true IPv6 network protection in a 'defense-in-depth' government network environment," says Tom Hance, vice president of federal operations at Sunnyvale, Calif.-based Fortinet, which offers subscription-based security services that make use of IPv6 firewalls. "Just passing the data per the mandate is not adequate."

Industry pundits agree on something else: Once the deadline is met and agency infrastructures are freshly injected with IPv6, IT officials should begin to think about how to maximize new capabilities and best position themselves for success.
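Arbeitel's warning above, about a firewall that has IPv6 switched on with no IPv6-specific rules, is straightforward to check for on the open-source Linux firewalls the article mentions, where IPv4 and IPv6 are filtered by two separate tables (iptables and ip6tables). The shell script below is an added example, not code from the article or from any vendor named in it. It audits saved rulesets in iptables-save/ip6tables-save format using constructed sample rulesets: an IPv4 table with default-deny policies, the IPv6 table as it typically looks right after the stack is enabled (accept everything, no rules), and a corrected IPv6 table that mirrors the IPv4 policy. The rule names and sample rulesets are constructed for this example; the audit flags the unfiltered IPv6 table and passes the other two.

```shell
#!/bin/sh
# Audit saved netfilter rulesets (iptables-save / ip6tables-save format) for
# the "IPv6 enabled but unfiltered" condition. Sample rulesets are constructed.

# Constructed: a typical IPv4 filter table with default-deny policies and
# explicit allow rules.
IPV4_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed: the IPv6 table on the same host after the stack was enabled
# but before anyone wrote IPv6 rules. Every chain accepts by default, so
# IPv6 traffic is passed, not filtered.
IPV6_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: the corrected IPv6 table. It mirrors the IPv4 policy and also
# admits ICMPv6, which IPv6 needs for neighbor discovery and path MTU.
IPV6_FIXED='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Count filter-table chains whose default policy is ACCEPT, ignoring OUTPUT
# (host-originated traffic is normally allowed).
open_policies() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD) ACCEPT/ { n++ }
        END { print n + 0 }'
}

# Count explicit rules (-A lines) in the filter table.
rule_count() {
    printf '%s\n' "$1" | awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A / { n++ }
        END { print n + 0 }'
}

# Return 0 when the ruleset applies some policy, 1 when it is wide open:
# a default-ACCEPT INPUT or FORWARD chain combined with no rules at all.
audit_ruleset() {
    label=$1
    rules=$2
    open=$(open_policies "$rules")
    count=$(rule_count "$rules")
    if [ "$open" -gt 0 ] && [ "$count" -eq 0 ]; then
        echo "$label: OPEN - $open default-ACCEPT chain(s) and no rules"
        return 1
    fi
    echo "$label: filtered - $count rule(s), $open default-ACCEPT chain(s)"
    return 0
}

# Run the audit over all three constructed tables. In real use the inputs
# would come from 'iptables-save' and 'ip6tables-save' on the firewall, and
# the script would exit with $status so a scheduler can alert on it.
status=0
audit_ruleset "IPv4" "$IPV4_RULES" || status=1
audit_ruleset "IPv6 (as enabled)" "$IPV6_OPEN" || status=1
audit_ruleset "IPv6 (corrected)" "$IPV6_FIXED" || status=1
echo "overall status: $status"
```

The check is deliberately simple: it only asks whether a table accepts by default and has no rules, which is exactly the state Arbeitel describes. A fuller audit would compare the two tables rule by rule so that each IPv4 allow has an IPv6 counterpart and nothing more.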