Prepare security networks for IPv6: Internode

IT managers should be working on new security policies now, urges Internode's Mark Newton

With the death rattle of internet protocol version 4 (IPv4) getting louder, a key proponent of the protocol's successor has warned IT managers not to take a "lock down" approach to migration.

The global internet registry, Internet Assigned Numbers Authority, has warned that the last global allocation of IPv4 addresses ran out in February. Regional internet registries are likely to follow suit with Australia's provider, APNIC, set to run out first.

Its successor, IPv6, is already widely supported by both networking hardware and software but is yet to receive adoption en masse by many companies.

With a migration to the new protocol ultimately inevitable, Mark Newton, network engineer at Internode, has warned managers not to take the "lock down" approach to the protocl.

"It is going to be a core critical part of the internet infrastructure," he said. "It’s not in the same class as some of the other things that corporate IT managers might lock down such as banning Facebook. IT managers really need to start getting their teeth into it and work out ways to allow it, rather than just blocking it."

From his experience, local enterprises are starting to deploy IPv6 due to increased publicity.

“It’s being stymied in the past by lack of hardware or software support but that’s largely a solved problem now. The iApocalypse publicity earlier this year focused attention on it and we’ve seen a big upsurge since then."

Internode currently has 500 customers currently involved in an IPv6 trial first opened in 2008, up 150 per cent since February 2011. It is currently in the process of migrating to a production-ready dual stack environment for the protocol which will be offered as standard to users along with its remaining stock of IPv4 addresses.

"It’s still geeks and techies who are upgrading but these are the same guys who thought three months ago it would be on their to-do list and are now actually getting into it," Newtown said.

However, for companies still looking to change, Newtown warned of new threat models that enterprises needed to be aware of.

“What an organisation needs to do is make sure their security policy isn’t specific to IPv4," he said. "While IPv6 doesn’t bring in new threats as such, it does provide new ways of exploiting old threats. When an organisation writes a security policy, it’s best to write it so that the network protocol is agnostic. Then you can use the same policy to control a service regardless of whether it’s implemented or comes on in IPv4 or IPv6."

Newton warned exploitation vectors could be lurking in the network under lax security policies; security managers might have closed off avenues of attack on IPv4 or IPv6 but not both.

The first step for security managers to get IPv6 running on the network was to ensure the firewall supports the protocol as well as using a local ISP that supports IPv6 too.

"You should also install IPv6 on your internal routers and switches. Some enterprises may already be running IPv6 and not knowing about it because it is turned by default in most operating systems these days."

While he acknowledged that only four per cent of end user client devices use IPv6 at present, this was not to say more devices support it.

“We’re getting close to 100 per cent of devices supporting IPv6 if it is capable of running in the environment that the device is placed into. Windows, Mac OS, Unix and Linux supports it. Even the iPhone will use IPv6 if it is available," he said.

In addition to security measures, Newton said the incoming IPv6 was an opportunity for security managers and vendors to think about ways they approach networks as this was a reset point where, to an extent, the internet had started over.

"A lot of the decisions that we might have been living with over the last 20 years, we get to look at them and say `do we want to keep doing things this way or do we want to make policy changes to make sure that things will be done the right way rather than the wrong way in future'."

The National Broadband Network (NBN) rollout could also offer an advantage for Australia to be more IPv6 ready than some other countries.

"As the NBN comes along it’s going to force every single household that is connected to the internet to buy a new modem," he said. "That's because your Asymmetric Digital Subscriber Line (ADSL) modem won’t work on the new network and as long as we can make sure the device vendors support IPv6 out of the box, then we'll be well prepared."

Newton is scheduled to present at the upcoming security conference AusCERTin May.

IDG Communications is an official media partner for AusCERT 2011.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the CSO newsletter!

Error: Please check your email address.

Tags securityinternodeipv6Mark Newton

More about CERT Australiaf2FacebookIDGIDG CommunicationsIDG CommunicationsIDG CommunicationsInternodeLinuxNIC

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Hamish Barwick

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place