Stonesoft shares insights for overcoming IPv6 security challenges
Helsinki, Finland - 5 June 2012 - Many organizations are being misled about the
complexities surrounding IPv6 security, according to Stonesoft, a global
provider of proven, innovative network security solutions. Having worked with
the world's largest sources of IPv6 traffic, Stonesoft is actively helping
enterprises and public agencies implement IPv6 in a way that is secure and cost-
effective. The company shares a list of 10 insights to help CISOs and network
managers weed through the hype surrounding IPv6 security and prioritize their
"A lot of people think there isn't much difference between securing IPv6 traffic
and IPv4 - and that's not true. This misperception is compounded by the fact
that organizations aren't sure what needs to be done when, and that vendors are
making false claims about how well their products perform in an IPv6-ready
network," said Juha Luoma, FW/VPN Product Manager at Stonesoft.
Drawing on its experience with large-scale IPv6 deployments, Stonesoft shares
the following tips on IPv6 security:
1. Revamp your existing network: Revamping your IPv4 network involves cleaning
up, throwing out and upgrading to new. Clean up and kick out outmoded and
outdated features. The upgrading consists of ensuring every aspect of your
network that can be effectively upgraded to the next level is, in fact, happily
humming along at that level. Starting with a clean, uncluttered slate makes it
much easier - and safer - to implement IPv6 without a ton of hassle and possible
2. Plan a gradual introduction: Take a cue from the Social Security
Administration, which has been working with IPv6 for more than a half-decade
already. The full implementation is planned for three stages over a span of
another six years. You do not have to tread as slowly as the government, but
gradually introducing IPv6 gives you plenty of time to ensure IPv6 is going to
function with your now-state-of-the-art IPv4 infrastructure. It also keeps your
budget in check.
3. Go for dual stack: Opt for dual stack mode for your IPv6 implementation. Dual
stack comes with a host of benefits, although it may require router upgrades to
meet the memory and power demands to support running both IPv4 and IPv6
simultaneously. In addition to being straightforward to implement, the dual
stack approach allows your system to support applications that are not yet
functional with IPv6. It can also help eliminate the need for tunnels, which are
already being viewed as a veritable breeding ground for security issues.
4. Take care of your tunnels: The National Institute of Standards and
Technology's "Guidelines for the Secure Deployment of IPv6" suggests viewing and
treating tunnels the same way you would an external link: with extreme caution.
It recommends inspecting every single shard of tunnel traffic before you permit
it to either enter or exit your system. This inspection consists of reviewing
all IPv6 traffic, including that carried within IPv4 packets, with the same
scrutiny and systematic examination you give to all your traffic. Suggested
tools include the usual gamut of virus protection, intrusion detection, network
ingress filtering, packet filters and application proxies. Further, fortify the
tunnel endpoints with even more stalwart security measures, such as
5. Mind the malicious: Malicious users are already infiltrating IPv6 quicker
than they have hit other advancements. Do not forget the warnings about the
dangers of router advertisements and man-in-the-middle attacks. Some attacks can
delve deep into your network before you even realize anything is amiss, making
them more destructive than ever. These and similar attacks are coming from
scripts that are almost too easy to use. Memorizing every type of attack and the
solution to go with it would be impossible. Being aware that many already exist
and many more are sure to come is crucial.
6. Upgrade to a certified firewall: Be careful about claims concerning IPv6
readiness. Without outside verification, it is likely the vendor may have just
pointed a traffic generator at their product and claimed it works. You must look
at products that have undergone third-party certification. Third-party
certifiers can apply hands-on testing using publicly accepted evaluation
methods, so you know exactly what your firewall can handle.
7. Require authentication: Authentication is more critical and, fortunately,
easier than ever before. Stonesoft recommends looking into the use of an
HTTP/HTTPS proxy for users to access the Internet. Once you set up required
authentication to even get online, you have reduced the threat of unwanted
parties entering your party without your approval.
8. Hit the books: Know IPv6 syntax. The syntax is very similar to that used with
IPv4, but with notable differences in the foundation. Knowing the syntax makes
it much easier to quickly know how to deal with a security breach or implement
necessary measures. Since IPv6 has technically been around for more than a
decade, there is no shortage of information on the subject from several
technology giants - as well as a 188-page guide from the U.S. government.
9. Hit the "off" button: Shutting off IPv6 capabilities when you are not using
them may sound like a no-brainer, but it may not be as straightforward as you
think. That's because a number of programs have already been configured to work
with IPv6, and just as many may already have the protocol turned on
automatically by default. Check, double-check and triple-check your environment
to ensure IPv6 is only enabled when it's actually being used. Deploying a mechanism
with the ability to disable IPv6 in bulk may be a wise investment.
10. Know how to kill: Even with large portions of your network disabled for
IPv6, you can still face the threat of unwanted IPv6 visitors. When that becomes
the case, you want to know how to kill it before it can infect others associated
with your network. This is where knowing IPv6 syntax can be a lifesaver,
particularly for setting up effective firewalls and traffic filters. You can
create filters that let in what you want, keep out what you don't, and help to
ensure when you're up and running with IPv6 you are actually up and running.
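An added example for tip 4 (not part of the Stonesoft release or its products): a sketch of how an inspection point can recognize IPv6 carried inside IPv4 packets and recover the inner addresses so they can be filtered like any other traffic. It assumes the standard encapsulations (IP protocol 41 for 6in4, 6to4 and ISATAP; UDP port 3544 for Teredo); function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IANA protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544       # IANA-assigned UDP port for Teredo

def inner_ipv6(payload):
    """Return (src, dst) of an IPv6 header at the start of payload, else None."""
    if len(payload) < 40 or payload[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(payload[8:24])),
            str(ipaddress.IPv6Address(payload[24:40])))

def classify(packet):
    """Classify one raw IPv4 packet as (kind, inner_src, inner_dst)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("not-ipv4", None, None)
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ("malformed", None, None)
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto, payload = packet[9], packet[ihl:]
    if frag_offset:  # later fragment: inner header is not here, needs reassembly
        kind = "fragment-proto41" if proto == PROTO_IPV6_IN_IPV4 else "plain-ipv4"
        return (kind, None, None)
    if proto == PROTO_IPV6_IN_IPV4:
        addrs = inner_ipv6(payload)
        return ("proto41-tunnel", *addrs) if addrs else ("malformed", None, None)
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            # Teredo may put extra headers before the IPv6 packet; flag it anyway
            return ("teredo", *(inner_ipv6(payload[8:]) or (None, None)))
    return ("plain-ipv4", None, None)

# Constructed sample packets (documentation address ranges, checksums left at zero)
def ipv4(proto, payload, frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def ipv6(src, dst):
    return (struct.pack("!IHBB", 0x60000000, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

if __name__ == "__main__":
    inner = ipv6("2001:db8::1", "2001:db8::2")
    for pkt in (ipv4(41, inner), ipv4(17, struct.pack("!HHHH", 50000, 3544, 48, 0) + inner),
                ipv4(6, bytes(20)), ipv4(41, inner[8:], frag=1)):
        print(classify(pkt))
```

Fragments of protocol 41 traffic are reported separately because the inner IPv6 header is only visible after reassembly.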
For more information on Stonesoft's IPv6-ready network security solutions,
please visit www.stonesoft.com.
For more information, please contact:
FW/VPN Product Manager
Tel. +358 40 776 9974
About Stonesoft Corporation
Stonesoft Corporation (NASDAQ OMX: SFT1V) delivers software based, dynamic and
customer driven network security solutions that secure the information flow and
simplify security management. The company's product portfolio consists of the
industry's first transformable Security Engine, standalone next generation
firewalls and intrusion prevention systems, and SSL VPN solutions. At the core
lies Stonesoft's Management Center which unifies the management of entire
Stonesoft serves private and public sector organizations requiring high
availability, ease of management, compliance, dynamic security and protection of
their critical digital assets and business continuity against today's rapidly
evolving cyber threats. Stonesoft is a recognized researcher of advanced evasion
techniques used in targeted cyber attacks to bypass security.
Stonesoft has the highest customer retention rate in the industry due to low
TCO, ease of management, and overall customer excellence. Stonesoft's customer
base covers more than 4,000 mid- or large-sized organizations across various
industries and geographical markets.
Founded in 1990, the company's track record is well recognized by certifiers,
industry analysts and demanding customers. The company's corporate headquarters
are based in Helsinki, Finland and North American headquarters in Atlanta,
Georgia. For more information, visit www.stonesoft.com.
Source: Stonesoft Oyj via Thomson Reuters ONE