AusCERT 2013: Companies unaware of IPv6 security risk even if they’re not using it

Software vendors’ proactive approach to IPv6 has created a glaring security hole for companies that think they haven’t activated the next-generation Internet addressing protocol yet, Cisco Systems consulting security engineer Stefan Avgoustakis has warned.

Speaking to attendees at the AusCERT 2013 security conference, Avgoustakis said many companies believed that because they hadn’t explicitly enabled IPv6 across their network infrastructure, they were free from security risks from the protocol.

However, with all modern desktop and mobile operating systems already running dual IPv4 and IPv6 stacks capable of tunneling IPv6 packets across IPv4 networks, companies could inadvertently fall victim to hacks targeting IPv6 and not even realise it.

“In conversations with customers a lot of them are focusing on the readiness of their infrastructure to run both IPv6 and IPv4,” he told CSO Australia. “But a lot of these organisations are already running IPv6 without knowing it. And if the infrastructure and security controls you have in place are not able to detect that – and enforce policy on that – it is creating potential security risks.”

Even in organisations that have spelled out their IPv6 migration strategies – such as federal government agencies, most of which laid down IPv6 plans last year under an Australian Government Information Management Office (AGIMO) mandate—many “are missing out on the obvious things, and the things that are not really known to them. We try to get them focused on those, too.”


While IPv6-enabled devices may send out feelers to see if the infrastructure has IPv6-enabled DNS and other services running, they will generally fall back to IPv4 when there is no response. If a malicious hacker were able to infiltrate the network through other means and insert an IPv6-capable listener or gateway on the network, it could spoof an in situ IPv6 implementation and create an unmonitored subchannel from which to probe other IPv6 and IPv4-enabled devices on the network.

“You can have all sorts of security risks,” Avgoustakis said, “such as having a fake gateway or redirecting traffic to a fake DNS server— and all of the security implications that follow out of that.” Another common myth about IPv6 was that spoofing would be impossible because IPSec (IP Security) encryption and authentication was mandated as part of the protocol. However, Avgoustakis said, while IPv6-capable devices are required to be able to support IPSec where requested, they are not required to use it at all times.

“If you are not enabling IPSec, IPv6 will just run over an HTTP or UDP route,” he explained. “We are seeing hackers becoming much more intelligent when it comes to reconnaissance. They target, for example, multicast— because therein lies information that they need as to which devices are on the network.”

The revelation that IPv6 is quietly waiting to be exploited comes as a shock to many customers—but existing solutions are able to remediate the risk. For example, Windows 7’s built-in firewall can inspect and block IPv6 traffic. “It’s just a matter of knowing that, and enabling that security mechanism,” Avgoustakis said.
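As an added illustration (not code from the article, Cisco or CSO) of the kind of detection control Avgoustakis is describing: a parser for ICMPv6 Router Advertisements that flags any RA from a router not on an approved list, including the fake-gateway and fake-DNS (RDNSS) case above. The two sample packets are constructed here; the addresses, lifetimes and `approved_routers` set are assumptions for the example.

```python
import ipaddress
import struct

ICMPV6, ROUTER_ADVERTISEMENT = 58, 134
OPT_PREFIX_INFO, OPT_RDNSS = 3, 25      # NDP option types (RFC 4861 / RFC 8106)

def build_ra(src, dst, lifetime, prefix, dns):
    """Build an IPv6 packet carrying an RA with prefix + RDNSS options (test data only; checksum left 0)."""
    net = ipaddress.IPv6Network(prefix)
    body = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    body += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns).packed
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

def parse_ra(pkt):
    """Return the RA's source, lifetime, prefixes and DNS servers, or None if the packet is not an RA."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6 or pkt[40] != ROUTER_ADVERTISEMENT:
        return None
    ra = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
          "router_lifetime": struct.unpack("!H", pkt[46:48])[0], "prefixes": [], "dns": []}
    pos = 56                                   # options follow the 16-byte RA header
    while pos + 2 <= len(pkt):
        otype, olen = pkt[pos], pkt[pos + 1] * 8
        if olen == 0 or pos + olen > len(pkt):
            break                              # malformed option: stop rather than guess
        if otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(pkt[pos + 16:pos + 32])}/{pkt[pos + 2]}")
        elif otype == OPT_RDNSS:
            for i in range(pos + 8, pos + olen - 15, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(pkt[i:i + 16])))
        pos += olen
    return ra

def audit_ra(pkt, approved_routers):
    """Findings to alert on. Pass an empty set for a segment that is meant to be
    IPv4-only: there, any RA at all means IPv6 is running without anyone knowing."""
    ra = parse_ra(pkt)
    if ra is None:
        return []
    findings = []
    if ra["src"] not in approved_routers and ra["router_lifetime"] > 0:
        findings.append(f"unapproved default router {ra['src']} (lifetime {ra['router_lifetime']}s)")
    if ra["src"] not in approved_routers:
        findings += [f"unapproved DNS server {s} pushed via RDNSS by {ra['src']}" for s in ra["dns"]]
    return findings

# Constructed samples: a legitimate RA, and one from an unknown router that also
# hands out its own DNS server (the fake gateway / fake DNS case from the article).
GOOD_RA = build_ra("fe80::1", "ff02::1", 1800, "2001:db8:1::/64", "2001:db8:1::53")
ROGUE_RA = build_ra("fe80::bad", "ff02::1", 9000, "2001:db8:1::/64", "2001:db8:99::53")
```

In practice the packets would come from a capture on the segment being audited; the approved-router list is what turns "we never enabled IPv6" into a checkable statement.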

“Some of these myths live out there, and we try to debunk them by showing customers they still have to do what they were doing in IPv4, but in a different way. They want to know how they can not only secure it, but how they can then transition to IPv6 at the point where they need to do this. This all creates awareness and helps to fuel the conversation. But we can only do so much.”

Stories by David Braue