Infoblox's Liu added that the transition opens a new opportunity for channel partners to run assessments for customers: inventory every piece of external-facing gear, determine which of it is IPv6-ready, and identify what must be upgraded or replaced so that security does not regress once IPv6 is switched on.
“With IPv6 coming online, it's a chance to look at the internal network once again and look beyond the firewall,” he said. “In a few years, IPv6 will be more widely deployed at the customer prem, and we will be moving away from private addressing. Once we move into an environment where we’ve got global unicast addresses on internal networks, this will bring about more scrutiny to the threats at the perimeter of the network.”
The case for assessments makes sense to Bob Hinden, a Check Point Fellow and co-inventor of IPv6.
“You want to make sure that all of your security devices have the proper versions that support IPv6,” Hinden told CRN. “We have many customers who are very conservative about upgrading, but this transition is a very good reason to upgrade,” he said, adding that customers can “then take the next step of creating rules in [their] firewall to ensure consistency with the preferred security policies.”
One potential weakness is encapsulation: IPv4 traffic tunneled inside IPv6 packets, where a security device that only parses the outer IPv6 header never examines the IPv4 packet carried inside it.
“Encapsulation standards are all over the map,” said Carl Herberger, vice president of security at Radware. “This situation causes problems with security inspections because if I can send an attack that exploits Version 4 vulnerabilities through a Version 6 inspection module, I’ve got a pretty high chance of success because the Version 6 inspection module will not be able to read it. And we haven't been able to resolve this problem yet.”
Others disagree, arguing that the outcome depends on how the firewall is deployed and how deeply it inspects.
“I don't think it's going to be that difficult to address the encapsulation issue,” responded Hinden. “It's about how you deploy the firewall. Security technology has gotten good at going beyond the transport layer. So if you didn't do deep packet inspection or application control or URL control, then this provides another set of things that you need to know about when you're doing those things.”
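Herberger's concern and Hinden's reply both turn on one question: does the inspection engine stop at the outer header, or does it follow the Next Header chain into the encapsulated packet? The following Python is an added illustration written for this page; it is not code from CRN, Radware, Check Point or any product. The packets are constructed here from scratch (documentation address ranges, no checksums), the tunnel form is IPv4-in-IPv6 (IPv6 Next Header value 4, the "4in6" encapsulation of RFC 2473), and the single policy rule, "block TCP to destination port 23", is an assumption chosen only to make the verdicts visible.

```python
"""Constructed demo: an inspector that reads only the outer IPv6 header versus
one that walks extension headers and decapsulates IPv4-in-IPv6 (Next Header 4).
All packets, addresses and the port-23 rule below are made up for this example."""
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_IPV4 = 4        # IPv6 Next Header 4: an IPv4 packet follows (4in6)
IPPROTO_IPV6 = 41       # IPv6-in-IPv4 or IPv6-in-IPv6
IPV6_DSTOPTS = 60
IPV6_FRAGMENT = 44
IPV6_VARIABLE_EXT = {0, 43, 60}   # hop-by-hop, routing, destination options
BLOCKED_TCP_PORTS = {23}          # assumed policy: no telnet, anywhere in the stack
MAX_NESTING = 4                   # refuse absurdly deep tunnels instead of recursing forever


def build_ipv4_tcp(src, dst, dport, payload):
    """IPv4 header (no options, checksum zeroed) + 20-byte TCP header + payload."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp + payload


def build_ipv6(src, dst, next_header, payload):
    """Fixed 40-byte IPv6 header followed by whatever `next_header` says is inside."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_dst_options(next_header):
    """8-byte Destination Options header: next header, ext len 0, one PadN(4) option."""
    return struct.pack("!BB", next_header, 0) + bytes([1, 4]) + b"\x00" * 4


def check_tcp(segment):
    dport = struct.unpack("!H", segment[2:4])[0]
    return "drop" if dport in BLOCKED_TCP_PORTS else "pass"


def outer_only_inspect(pkt):
    """Herberger's scenario: the v6 module applies rules only when TCP sits directly
    in the IPv6 header. Any other Next Header (extension header, encapsulated IPv4)
    yields no verdict and the packet is forwarded."""
    if pkt[0] >> 4 == 6 and pkt[6] == IPPROTO_TCP:
        return check_tcp(pkt[40:])
    return "pass"


def deep_inspect(pkt, depth=0):
    """Hinden's answer: keep parsing until a transport header is reached, walking IPv6
    extension headers and recursing into IPv4-in-IPv6 / IPv6-in-IPv4 payloads."""
    if depth > MAX_NESTING or len(pkt) < 20:
        return "drop"
    version = pkt[0] >> 4
    if version == 6:
        nh, offset = pkt[6], 40
        while nh in IPV6_VARIABLE_EXT or nh == IPV6_FRAGMENT:
            if offset + 2 > len(pkt):
                return "drop"                      # truncated header chain
            nh_next, ext_len = pkt[offset], pkt[offset + 1]
            offset += 8 if nh == IPV6_FRAGMENT else (ext_len + 1) * 8
            nh = nh_next
        if nh == IPPROTO_TCP:
            return check_tcp(pkt[offset:])
        if nh in (IPPROTO_IPV4, IPPROTO_IPV6):
            return deep_inspect(pkt[offset:], depth + 1)
        return "pass"
    if version == 4:
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        if proto == IPPROTO_TCP:
            return check_tcp(pkt[ihl:])
        if proto in (IPPROTO_IPV4, IPPROTO_IPV6):
            return deep_inspect(pkt[ihl:], depth + 1)
        return "pass"
    return "drop"                                   # neither v4 nor v6: malformed


def verdicts(pkt):
    return outer_only_inspect(pkt), deep_inspect(pkt)


def demo():
    """Same telnet SYN delivered three ways; returns {name: (outer_only, deep)}."""
    inner = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 23, b"constructed telnet SYN")
    benign = build_ipv4_tcp("10.0.0.5", "192.0.2.10", 443, b"constructed https SYN")
    s, d = "2001:db8::1", "2001:db8::2"
    return {
        "tcp_in_ipv6": verdicts(build_ipv6(s, d, IPPROTO_TCP, inner[20:])),
        "ipv4_in_ipv6": verdicts(build_ipv6(s, d, IPPROTO_IPV4, inner)),
        "ipv4_in_ipv6_with_ext_hdr": verdicts(
            build_ipv6(s, d, IPV6_DSTOPTS, build_dst_options(IPPROTO_IPV4) + inner)),
        "benign_ipv4_in_ipv6": verdicts(build_ipv6(s, d, IPPROTO_IPV4, benign)),
    }


if __name__ == "__main__":
    for name, (outer, deep) in demo().items():
        print(f"{name:28s} outer-only={outer:5s} deep={deep}")
```

The unencapsulated packet is dropped by both inspectors; the same telnet SYN wrapped in IPv6 (with or without an extension header in front of it) passes the outer-only inspector untouched and is caught only by the one that decapsulates. The nesting limit exists because an engine that recurses on attacker-controlled headers needs a stop condition as much as it needs the recursion.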