Post IPv6 Implementation and Security: Now What?

Best practices for securing IPv4 and IPv6 connectivity. Presented by Scott Hogg, GTRI, and Jay Wiley, IRS, at the Digital Government Institute's Government IPv6 & Networking Conference & Expo, August 2013.


  1. Post IPv6 Implementation and Security: Now What?
       • Scott Hogg, GTRI - Director of Technology Solutions, Chair Emeritus – RMv6TF, CCIE #5133, CISSP #4610
       • Jay Wiley, Senior Advisor, CISO, IRS, CISSP-ISSEP #279827
       • Digital Government Institute Government IPv6 & Networking Conference & Expo, August 21, 2013
       • 8/23/2013 © 2013 Global Technology Resources, Inc. All Rights Reserved.
  2. You Now Have an IPv6 Network
       • You have IPv6 deployed at your Internet edge
       • DNS triggers if an application makes an IPv4 connection or an IPv6 connection (Happy Eyeballs)
       • How do you know if a connection is taking place over IPv4 or IPv6? We don’t want the users to know.
  3. Securing Two Protocols
       • Need to have equal protections for IPv4 and IPv6.
       • You are only as strong as the weakest of the two stacks.
       • Running dual stack will give you at least twice the number of vulnerabilities and require twice the work to secure.
       • Do all of your security protections work equally well with IPv4 and IPv6?
           – WAFs, IPS, DPI, e-mail/web content filtering, etc.
  4. Combined IPv4/IPv6 Security Policy
       • Table columns: Rule (1 to 6), Source, Destination, Protocol, Action
       • Cell values, in the order extracted from the slide: Any-IPv4, V4-Host-1, HTTP, Permit | Any, Any, Any, Deny | Any-IPv6, V6-Host-1, HTTP, Permit | Any-IPv6, V6-Host-2, FTP, Permit | Any, V4-Host-1, V6-Host-1, Echo-Request, Permit | V4-Host-3, V6-Host-3, Any, HTTP, Permit
  5. TCP/IPv6 Troubleshooting
       • Protocol stack diagram. Layers: Application Layer, Transport Layer, Internet Layer, Link Layer
       • Protocol labels: IPv4, IPv6, ARP, ICMP, IGMP, TCP, UDP, SCTP, Telnet, SSH, FTP, TFTP, DHCP, DNS, SMTP, HTTP, SSL, SNMP, BGP, DCCP, T1/E1/T3/E3, SONET, SDH, ICMPv6, NDP, MLD, Ethernet, WiFi
  6. IPv6 Network Management
       • Good engineering practices dictate that when we prepare to build something we must plan for the long-term operations.
       • Many organizations lack internal and external visibility to their IPv6-enabled applications.
       • NMSs must be able to communicate with IPv6-enabled devices.
       • External testing services, looking glasses, E-mail reflectors.
       • Administrators need a “jump-box” or remote testing platform.
  7. Dual Stack OPEX Costs
       • Chart. Axes: Cost, Time
  8. Summary
       • Strive to attain equal protections for IPv4 and IPv6 connectivity. Ask your vendors.
       • Consider investing in people and processes, not just technology.
           – People need the ability to proactively manage and reactively troubleshoot IPv6.
           – Your processes need to allow both protocols to be maintained.
       • Consider how using two IP protocols will change how you operate your IT infrastructure.
  9. Resources from NWW blog http://www.networkworld.com/community/hogg
       • 7/24/13 - IPv6 Network Management
           – http://www.networkworld.com/community/blog/ipv6-network-management
       • 4/23/13 - Life in a Dual Stack World
           – http://www.networkworld.com/community/blog/life-dual-stack-world
       • 9/11/12 - Web Application Firewalls and IPv6
           – http://www.networkworld.com/community/blog/web-application-firewalls-and-ipv6
       • 7/31/12 - Dual-Stack Will Increase Operating Expenses
           – http://www.networkworld.com/community/blog/dual-stack-will-increase-operating-expenses
       • 3/4/12 - Should You Allow Inbound E-mail Over IPv6?
           – http://www.networkworld.com/community/blog/should-you-allow-inbound-e-mail-over-ipv6
       • 1/19/12 - The Future of Firewall Policies
           – http://www.networkworld.com/community/blog/future-firewall-policies
       • 5/20/11 - Troubleshooting IPv6 Networks and Systems
           – http://www.networkworld.com/community/blog/troubleshooting-ipv6-networks-and-systems
  10. Question and Answer
       • SHogg@GTRI.com, Mobile: 303-949-4865, Twitter: @scotthogg
       • Jay.Wiley@IRS.gov, Mobile: 214-364-2030, Twitter: @wiley_jay
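
Slide 3 asks whether protections work equally well for IPv4 and IPv6, and slide 4 shows a combined policy. The following is an added example, not from the presentation, of checking a combined rule set for services whose verdict differs between a dual-stacked host's two addresses. The host inventory, rule set, addresses (documentation prefixes) and all function names are constructed assumptions, and first-match evaluation with default deny is assumed.

```python
import ipaddress
from collections import namedtuple

# port=None means "any port"; proto="any" means any protocol.
Rule = namedtuple("Rule", "action dst proto port")

# Constructed inventory (assumption): each dual-stacked host's IPv4 and IPv6
# address, using documentation prefixes. Not taken from the slides.
HOSTS = {
    "web-1": ("192.0.2.10", "2001:db8::10"),
    "ftp-1": ("192.0.2.20", "2001:db8::20"),
}

# Constructed combined policy, evaluated top-down, first match wins.
RULES = [
    Rule("permit", "192.0.2.10", "tcp", 80),
    Rule("permit", "2001:db8::10", "tcp", 80),
    Rule("permit", "192.0.2.20", "tcp", 21),     # FTP allowed over IPv4 only
    Rule("permit", "2001:db8::/32", "tcp", 22),  # SSH allowed to every IPv6 host
    Rule("deny", "0.0.0.0/0", "any", None),
    Rule("deny", "::/0", "any", None),
]

def verdict(rules, addr, proto, port):
    """Return the action of the first rule matching addr/proto/port (default deny)."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        net = ipaddress.ip_network(r.dst, strict=False)
        if (net.version == ip.version and ip in net
                and r.proto in (proto, "any") and r.port in (port, None)):
            return r.action
    return "deny"

def parity_gaps(hosts, rules):
    """List (host, proto, port, v4_action, v6_action) where the two stacks differ."""
    services = sorted({(r.proto, r.port) for r in rules if r.port is not None})
    gaps = []
    for name, (v4, v6) in sorted(hosts.items()):
        for proto, port in services:
            a4 = verdict(rules, v4, proto, port)
            a6 = verdict(rules, v6, proto, port)
            if a4 != a6:
                gaps.append((name, proto, port, a4, a6))
    return gaps

if __name__ == "__main__":
    for host, proto, port, a4, a6 in parity_gaps(HOSTS, RULES):
        print(f"{host}: {proto}/{port} IPv4={a4} IPv6={a6}")
```

Each reported gap is a service reachable over one address family but not the other, which is the "weakest of the two stacks" condition from slide 3.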
