Mitigating IPv6 Security Threats

After years of work in mitigating threats to the current version of networking protocols (Internet Protocol version 4- IPv4), network defenders can implement defense in depth by leveraging an array of capabilities like Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems, Security Information and Event Managment (SIEM) tools and Unified Threat Management (UTM) tools. Capabilities have evolved in IPv4 security that enable all those functions to be hosted on singled Deep Packet Inspection (DPI) platforms. In the IPv4 world, the threats are still real and still require this defense in depth approach, but savvy network defenders have DPI and other tools at the ready to help mitigate these threats.

But something new is coming. The next generation Internet Protocol, known as IPv6 is replacing IPv4. There are many new features of IPv6 which will aid in network administration and hold the potential of significantly enhancing the functionality of communications systems. But there are two dangers that require the attention of network administrators:

1) covert attack channels and
2) security monitoring.

Both these dangers can be …

1) covert attack channels and
2) security monitoring.

Both these dangers can be mitigated, but only by CIO/CTO action.

The threat of covert channels is a surprising one. If you have bought network devices over the last several years you might not know it but they are perfectly capable of running IPv6. If you work in the federal space you have been mandated to buy equipment that is IPv6 capable so your entire infrastructure might be made up of equipment that can run this protocol. Hackers have engineered tools that let them establish IPv6 network communications on IPv4 networks using this IPv6 capability. The result, new avenues of attack are opened up, and new covert channels for data extraction are established that current IPv4 networking monitoring devices have a hard time catching.

I’d also like to make an assertion now, one that I hope you can disprove: If your network has devices capable of running IPv6 and you assume that is not being used, the odds are that unauthorized users are already exploiting you. Common hacker practices are to use IPv6 to run Internet Relay Chat (IRC) channels over unsuspecting IT enterprises. Others use that as the covert channel to control tools and there is a very good chance that is happening in your nets today. So, my assertion: If you have not consciously taken steps to mitigate this threat of a covert IPv6 channel in your IPv4 network, you are being used right now.

Another challenge is that even if your IPv6 implementation is intentional, there are few monitoring and event management tools available to security professionals for managing the security posture of the network. Just because a device was built to contribute security for IPv4 does not means it can help security with IPv6, in fact in most cases legacy security devices will not work with IPv6.

My recommendations:

Get smart on IPv6. You have some experts in your enterprise, but it is time to dive deep into the details yourself, if you have not done so already.
Look for capabilities that can detect and mitigate the use of covert IPv6 networks on your IPv4 systems. I know of only one (Assure6).
Plan now for an enhancement in your security tool suite to include new platforms that are IPv6 capable. Understand that the threat is waiting and when you add IPv6 equipment you have to add security monitoring/defense/DPI.

Link to original post