1. Post IPv6 Implementation and Security: Now What?
8/23/2013 © 2013 Global Technology Resources, Inc. All Rights Reserved.
Scott Hogg
GTRI - Director of Technology Solutions
Chair Emeritus – RMv6TF
CCIE #5133, CISSP #4610
Digital Government Institute
Government IPv6 & Networking Conference & Expo
August 21, 2013
Jay Wiley
Senior Advisor, CISO
IRS
CISSP-ISSEP #279827
2. You Now Have an IPv6 Network
• You have IPv6 deployed at your Internet edge
• DNS determines whether an application makes an IPv4
connection or an IPv6 connection (Happy Eyeballs)
• How do you know if a connection is taking place
over IPv4 or IPv6? We don’t want the users to
know.
3. Securing Two Protocols
• Need to have equal protections for IPv4 and IPv6.
• You are only as strong as the weakest of the two stacks.
• Running dual stack will give you at least twice the
number of vulnerabilities and require twice the work to
secure.
• Do all of your security protections work equally well with
IPv4 and IPv6?
– WAFs, IPS, DPI, e-mail/web content filtering, etc.
4. Combined IPv4/IPv6 Security Policy
Rule  Source                Destination           Protocol      Action
1     Any-IPv4              V4-Host-1             HTTP          Permit
2     Any-IPv6              V6-Host-1             HTTP          Permit
3     Any-IPv6              V6-Host-2             FTP           Permit
4     Any                   V4-Host-1, V6-Host-1  Echo-Request  Permit
5     V4-Host-3, V6-Host-3  Any                   HTTP          Permit
6     Any                   Any                   Any           Deny
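Added example (not part of the original slides): a small parity audit for the "equal protections" question, evaluating the same services against the IPv4 and IPv6 rules of one first-match policy and listing where the two families get different decisions. Host names, addresses (documentation prefixes), rules and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: dual-stack hosts as (IPv4, IPv6) address pairs.
HOSTS = {
    "web1": ("192.0.2.10", "2001:db8::10"),
    "ftp1": ("192.0.2.20", "2001:db8::20"),
}
# Constructed policy: (source, destination, service, action), first match wins.
RULES = [
    ("0.0.0.0/0", "192.0.2.10/32", "http", "permit"),
    ("0.0.0.0/0", "192.0.2.20/32", "ftp", "permit"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
    ("::/0", "2001:db8::10/128", "http", "permit"),
    ("::/0", "2001:db8::/32", "any", "permit"),  # broad IPv6 rule with no IPv4 twin
    ("::/0", "::/0", "any", "deny"),
]
# Constructed source addresses used to probe the policy, one per family.
PROBES = {4: "198.51.100.7", 6: "2001:db8:ffff::7"}


def decide(rules, src, dst, service):
    """Return the action of the first matching rule; deny when none match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, r_svc, action in rules:
        s_net, d_net = ipaddress.ip_network(r_src), ipaddress.ip_network(r_dst)
        if s_net.version != src.version or d_net.version != dst.version:
            continue  # rule is written for the other address family
        if src in s_net and dst in d_net and r_svc in ("any", service):
            return action
    return "deny"


def parity_gaps(hosts, rules, services):
    """List (host, service, v4_action, v6_action) where the families disagree."""
    gaps = []
    for name, (v4, v6) in hosts.items():
        for svc in services:
            a4 = decide(rules, PROBES[4], v4, svc)
            a6 = decide(rules, PROBES[6], v6, svc)
            if a4 != a6:
                gaps.append((name, svc, a4, a6))
    return gaps


if __name__ == "__main__":
    for gap in parity_gaps(HOSTS, RULES, ["http", "ftp", "ssh"]):
        print("%s %s: IPv4=%s IPv6=%s" % gap)
```

Every reported row is a service that is denied over IPv4 but reachable over IPv6 on the same host, which is the "weakest of the two stacks" case.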
6. IPv6 Network Management
• Good engineering practices dictate that when we
prepare to build something we must plan for the
long-term operations.
• Many organizations lack internal and external
visibility into their IPv6-enabled applications.
• NMSs must be able to communicate with IPv6-
enabled devices.
• External testing services, looking glasses, E-mail
reflectors.
• Administrators need a “jump-box” or remote testing
platform.
7. Dual Stack OPEX Costs
[Chart: Cost versus Time]
8. Summary
• Strive to attain equal protections for IPv4
and IPv6 connectivity. Ask your vendors.
• Consider investing in people and processes,
not just technology.
– People need the ability to proactively manage
and reactively troubleshoot IPv6.
– Your processes need to allow both protocols to
be maintained.
• Consider how using two IP protocols will
change how you operate your IT
infrastructure.
9. Resources from NWW blog
http://www.networkworld.com/community/hogg
• 7/24/13 - IPv6 Network Management
– http://www.networkworld.com/community/blog/ipv6-network-management
• 4/23/13 - Life in a Dual Stack World
– http://www.networkworld.com/community/blog/life-dual-stack-world
• 9/11/12 - Web Application Firewalls and IPv6
– http://www.networkworld.com/community/blog/web-application-firewalls-and-ipv6
• 7/31/12 - Dual-Stack Will Increase Operating Expenses
– http://www.networkworld.com/community/blog/dual-stack-will-increase-operating-expenses
• 3/4/12 - Should You Allow Inbound E-mail Over IPv6?
– http://www.networkworld.com/community/blog/should-you-allow-inbound-e-mail-over-ipv6
• 1/19/12 - The Future of Firewall Policies
– http://www.networkworld.com/community/blog/future-firewall-policies
• 5/20/11 - Troubleshooting IPv6 Networks and Systems
– http://www.networkworld.com/community/blog/troubleshooting-ipv6-networks-and-systems