IPv6 is coming and most security vendors are not prepared. Most have spent so much time preparing to be “cloud-ready” or building virtual appliances that they’ve had their heads in the sand about IPv6. Who can blame them? Most of us have avoided even thinking about the eventual shift off IPv4. This creates problems in our environments, as our legacy security applications and products could become obsolete with the move to IPv6. IPv6 creates three problems for security vendors.
The first problem is basic networking. How does a security vendor’s appliance work on an IPv6 network? This is fairly straightforward. Most security appliances run on Windows, Linux, BSD, or Unix, and these operating systems all have an IPv6 stack. Vendors’ first step into IPv6 will be porting their user interfaces and setup scripts to accept IPv6 addresses, along with the logic that detects misconfigured subnets and gateways. As vendors clear this hurdle, they will begin marketing and selling their “IPv6 Security” offering. This, however, doesn’t really protect consumers as they move to a fully integrated IPv6 network. The second problem is executing software against IPv6 traffic.
Vulnerability scanners will change fundamentally, and the days of scanning a /24 or a /23 are over. With IPv6, along with routing and switching enhancements, enterprises will begin using larger and larger broadcast domains. Trying to scan millions of IP addresses and detect nearly a hundred thousand vulnerabilities is not practical, just as detecting IDS/IPS threats and blocking websites by IP address is no longer practical with IPv6. Vendors will need to rethink how their technology executes and how it interoperates with IPv6. Some vendors are working toward this, but they are far behind the enterprise in adoption of IPv6. This is scary for many companies, as the cost of beginning to inspect and secure IPv6 will be passed down to consumers in new hardware, virtual appliances, support costs and other expenses.
The third problem security vendors will face is protecting against IPv6 threats. While it may be easy to retrofit existing code to protect against older attacks, what about the new attacks? The entire industry slowed the pace of IPv6 adoption because the entire concept is difficult and complex. It’s not easy to conceive of the negative impacts of jumbograms, stateless address autoconfiguration, and the ability to move networks without renumbering. How will these concepts be used to tunnel around proxies, avoid data loss prevention technologies, and slip through IDS and the other security controls vendors are selling? The truth is, they don’t know. It’s a scary time for most vendors, and the longer they put off understanding these concepts, the more exposed consumers will be. So if we are at the mercy of the vendors, what can we do?
Simple. We push them forward. Ask your vendors questions. Some good ones to ask include:
- What are they doing to prepare for IPv6?
- How are they prepared to protect IPv6 native networks?
- Will IPv6 support impact the delivery of their software and services?
If we keep asking these questions, they will have no choice but to prepare for the impending migration.