Will IPv6 Create a Malware Free-for-All?
Keeping your business network secure has never been more challenging. Global cyber crime costs businesses a collective $100 billion each year, and revenue from cyber crime could grow to $120.1 billion annually by 2017.
Today's top virus protection products for business do a great job of filtering out malware, but too many companies, especially smaller businesses, fail to put these tools in place. Now, IPv6 may open up new ways for malware to compromise unprotected networks.
What Is IPv6?
Every device that connects to the Internet has an IP address. An IP address plays the same role as a telephone number that appears on caller ID. When any connected computer, mobile phone, tablet or other device seeks out online access, the IP address identifies the device to the server or Internet service provider (ISP). For one device to send data to another on the Web, the data packet must record the IP addresses of both devices.
IPv4 uses 32-bit addresses, which allows for about 4.29 billion IP addresses that could be assigned to different devices. Unfortunately, all of the IPv4 addresses in the world have been assigned, which prompted the creation of IPv6. Internet experts created IPv6 the way telephone companies create more area codes. IPv6 uses 128-bit addresses, which exponentially increases the number of available IP addresses and provides Internet-connected devices with more IP addresses to choose from.
Why Are Experts Worried About IPv6 Security?
Many devices have already deployed IPv6 addresses — whether or not IT staffs realize it. Unfortunately, many network professionals, businesses and everyday users are unaware of the IPv6 security risks. These include:
Backdoors in security products. Many of today's security products haven't matured to meet the IPv6 threat. They may not recognize suspicious IPv6 packets, meaning they can't apply controls like sandboxing when those packets enter the network.
Lack of vendor and ISP support. Many ISPs don't provide native IPv6 connections. Instead, they create a tunnel to a device's interface that opens up a vulnerability to attackers. Also, too many vendors have failed to thoroughly test their products in a wide range of network environments. Furthermore, they don't work with their customers on equipment testing.
Weak security policies. Security policies for IPv6 don't match the sophistication of IPv4 security policies. IPv6 introduces new vulnerabilities that weren't a problem in a homogeneous IPv4 environment. For example, instead of using address resolution protocol (ARP), which is IPv4's way of mapping an IP address to a physical machine, IPv6 uses neighbor discovery protocol (NDP) to allow nodes on a link to announce their presence to other devices. NDP has its own security issues, which many network security engineers aren't familiar with.
Bugs in code around networking software libraries, NICs and TCP/UDP. Much of the code in these areas doesn't yet support IPv6. This lack of support may make VoIP, SIP and virtualization vulnerable to attack.
Lack of IPv6 security training. Many operating systems started bundling IPv6 capabilities into their software some time ago, so most companies already operate using an IPv6-capable OS. The lack of training could place IT staff in a position of reacting to attacks on the fly — and reactivity in network security always costs more than proactivity.
What Can Companies Do to Improve IPv6 Security?
Before purchasing any virus protection security product, talk to the company about the product's IPv6 capabilities. Avoid services from companies that say IPv6 is just like IPv4 in terms of security. Then, consider providing IPv6 security training for IT staff and network engineers. The SANS Institute provides high-quality courses related to IPv6 essentials.
The most important way to protect a network from IPv6 vulnerabilities is to create a test network and a test plan for each protocol involved in data packet transmission.
Additionally, businesses should contact their upstream ISPs and demand native IPv6 connections. Learn how to adapt perimeter security tools like firewalls, access control lists, VPNs and intrusion prevention systems for IPv6 packets. Many products can support both, but not all of them can.
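As an added example (not code from the article), the following Python sketch audits an address inventory for the two conditions described above: hosts that already carry IPv6 addresses without anyone planning for it, and hosts whose IPv6 arrives through a tunnel rather than a native connection. The article does not name specific tunnel mechanisms; 6to4 and Teredo are used here as two well-known ones, and the function names and sample inventory are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses

# Constructed sample inventory of (host, address) pairs; not from the article.
SAMPLE_INVENTORY = [
    ("ws-01", "192.0.2.10"),
    ("ws-01", "fe80::1c2d:3eff:fe4f:5a6b%eth0"),    # auto-configured link-local
    ("ws-02", "2002:c000:0204::1"),                 # 6to4, embeds 192.0.2.4
    ("ws-03", "2001:0:c000:201:0:f227:39cc:9bf8"),  # Teredo, client 198.51.100.7
    ("srv-01", "2001:db8:10::25"),
    ("srv-02", "fd12:3456:789a::5"),
]


def classify(addr_text):
    """Return (kind, embedded IPv4 or None) for one address string."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop zone id (%eth0)
    if addr.version == 4:
        return "ipv4", None
    if addr.teredo is not None:          # 2001:0::/32
        _server, client = addr.teredo
        return "tunnel-teredo", str(client)
    if addr.sixtofour is not None:       # 2002::/16
        return "tunnel-6to4", str(addr.sixtofour)
    if addr.is_link_local:               # fe80::/10
        return "link-local", None
    if addr in ULA:
        return "unique-local", None
    return "other-ipv6", None


def audit(inventory):
    """Report hosts with any IPv6 address and hosts with tunnelled IPv6."""
    report = {"ipv6_present": defaultdict(list), "tunnelled": defaultdict(list)}
    for host, text in inventory:
        kind, v4 = classify(text)
        if kind == "ipv4":
            continue
        report["ipv6_present"][host].append(kind)
        if kind.startswith("tunnel-"):
            report["tunnelled"][host].append((text, kind, v4))
    return report


if __name__ == "__main__":
    for finding, hosts in audit(SAMPLE_INVENTORY).items():
        for host, details in sorted(hosts.items()):
            print(finding, host, details)
```

Hosts listed under `tunnelled` are the ones to raise with the ISP or to cover with explicit perimeter rules, since their IPv6 traffic is carried inside IPv4 packets.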
Companies that haven't prepared for IPv6 yet aren't necessarily inviting immediate malware invasion. However, they're leaving a big backdoor open, which could end up being costly.