The Internet is running out of room and, as a result, it is about to undergo a major transition to expand the number of available addresses online. This transition is from today’s IPv4 IP protocol to the new IPv6 standard. Businesses need to know and understand this transition – because there will be new security problems in the interim period.
Even though the promise of IPv6 is one of more security, IPv4 has earned its bones over the past few decades, and we’ve familiarized ourselves with what it can and cannot do. On the other hand, we have little to no experience with IPv6 in the real world. On paper, IPv6 looks great.But, I’m sure the Titanic did too. At best, IPv6 facilitates better security, it doesn’t guarantee it.
Case in point: IPSec. Essentially, this secures IP communication by encrypting and authenticating IP packets. In IPv4, it was optional as a feature; in IPv6, it’s mandatory. Making a feature mandatory doesn’t mean it will find widespread support; the point is, IPv6 isn’t automatically more secure. It’s going to take a lot of pre-rollout preparation and an immense amount of security vigilance to get it right.
For businesses, there’s a lot to consider, and this will likely fall into the lap of the CSO. There are all sorts of pitfalls to avoid, and here are some to keep on top of at all times.
Buggy Programming. This is where things usually fall apart. In a transition this complex, on a scale this large, programmers are much more likely to make mistakes in the implementation, which could leave vulnerabilities wide open to hackers, negating the effectiveness of IPv6’s bells and whistles of security. The worst-case scenario is actually ending up with an IPv6 infrastructure that’s even more brittle than the IPv4 infrastructure before it, placing a business at even greater risk, by amplifying the attack space.
Transition Exploitation. This migration is going to take a while, and until then, businesses will be straddling a dual IPv4/IPv6 environment, each with its own specific set of security problems.This ups the workload for companies’ networking staff and increases the number of ways things could go wrong. This is where security vigilance is crucial; due to this hybrid interim, we’re going to encounter unusual situations where hackers can potentially take advance of an interaction between the protocols.
Ineffective Blacklists. While IP blacklisting has been successful in reducing the global volume of spam, there’s the concern that ISPs won’t be able to scale IP blacklisting to IPv6, given its sheer size. This represents the problem that some security techniques may not transition very well from IPv4 to IPv6, giving hackers even more room with which to mount their attacks.
DDos Attacks. Distributed denial of service (DDoS) attacks, which overwhelm a computer network or Web site to make it useless, will still pose a threat to businesses in IPv6. While IPsec can mitigate the effects of DDoS attacks to some degree, it does not prevent them, leaving resources at risk of being bombarded and brought to a complete stop. Broadcast amplification attacks, like “smurf” attacks, can do exactly that: keep you from your customer.
Evading Security Measures. Fragmentation attacks will still be a problem in IPv6, although architectural changes mitigate these attacks more efficiently. Fragmentation attacks can be used to evade, intrusion detection systems [IDS], intrusion prevention systems [IPS], and firewalls--often a business's only means for learning when they’re being attacked. Once they’re in, everything is fair game: client information, credentials, e-mails and trade secrets.
Masking Points of Origin. Spoofing attacks will still be a threat in IPv6, but the new IPsec mandate will better manage this threat for businesses. Spoofing allows hackers to conceal their identities, making it hard to track them down after an attack. It can also be used to fake an identity--to implicate an innocent person or company in an attack in which they had no real involvement. Attacks aren’t limited to those that try to steal information or destroy resources, they can actually attempt to tarnish the company’s reputation.
On June 8, World IPv6 Day, industry leaders like Facebook, Google (GOOG), Bing, Yahoo (YHOO) and Cisco (CSCO), among others, did a test run of their content over IPv6 for 24 hours. This served as an excellent benchmark for businesses, in order to gauge--at least somewhat--the impact it will have not only on their customer base, but their infrastructure.
You’re going to have to hurry: the federal government is considering the end of 2012 as the deadline for converting to IPv6. Don’t take this change lightly; we’re talking about the backbone of e-commerce, and that can make all the difference between maintaining your bottom line--or not.
Jay Bavisi is president and co-founder of the International Council of E-Commerce Consultants (EC-Council), a global organization that provides training and consulting services on issues of e-commerce and cybersecurity. Jay is a regularly featured speaker at e-commerce and cybersecurity conferences in the U.S., Asia, Europe and the Middle East. www.eccouncil.org