Agents of misfortune

Countering every new network vulnerability is a new patch. With every new cyberattack comes a countermeasure.

Such is the world of cybersecurity, both for the defenders of computers and networks and for those who would compromise those systems. But coming soon to government networks is a new and weighty variable: IPv6.

The fledgling Internet Protocol Version 6 has some inherent security advantages over today's IPv4, but they will require a change in the way government agencies protect their networks.

"You can't lurch from crisis to crisis," said Christopher Michael, technology strategist for CA Inc.'s security management solutions for federal agencies.

"To really defend yourself, you need continuous security," he said. "That means having automated tools able to do your patching and provide you with situational awareness. It means being able to pull all the pieces together in one consistent view and manage."

Introduction of IPv6 will add some default in-transit encryption, but it comes at a cost for computer networks.

"It adds complexity, and complexity is the absolute deadly enemy of security," Michael said.
Helping agencies stay secure despite the increased complexity could result in ripe business opportunities for systems integrators and IT security companies.

Federal civilian and defense IT security spending is expected to increase from $5.1 billion in 2006 to $6.3 billion by 2011, according to market research firm Input Inc., Reston, Va. Some of that spending is sure to involve IPv6 issues, industry experts said.

The fact that the transition to IPv6 from today's IPv4 could take 10 or more years is one of the main factors adding to network security complexities. The vulnerabilities for the two protocols will be different, and IT managers will have to address both, Michael said.

What's at stake

IPv6 comes with transitional tools that will make things easier for agencies living in a dual IPv6/IPv4 world.

Security issues can arise from potential misuse of some of the bridges between IPv6 and IPv4. Users within an organization could deploy such bridges without the knowledge of the IT department.

"Rogue groups or people just fooling around could set these things up, and you could actually have a little IPv6 network running within your agency environment without anybody even knowing about it," Michael said.

In Microsoft XP, for example, all it takes is one simple command to enable IPv6. Microsoft XP, Windows Server 2003, Microsoft Vista and Longhorn Server use Teredo, also known as Shipworm, a method of encapsulating IPv6 inside IPv4 packets.

Because Teredo is designed to bore through an IPv4 network, through firewalls and past intrusion detection systems, it creates a potential for misuse.

"There's a good chance that's happening now on networks without anyone even knowing about it," Michael said.
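To show how a defender can find the unsanctioned Teredo tunnels described above, here is an added Python example (not from the article or any vendor it names) that decodes the server and client details embedded in a Teredo address and flags constructed flow records that carry Teredo traffic on its UDP port 3544; the flow records and addresses are constructed samples, not real observations.

```python
import ipaddress

# Teredo addresses (RFC 4380) sit under 2001:0000::/32 and embed, in order:
# the Teredo server's IPv4, a 16-bit flags field, the client's obfuscated
# UDP port (XOR 0xFFFF) and the client's obfuscated public IPv4 (XOR 0xFFFFFFFF).
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
TEREDO_UDP_PORT = "3544"


def parse_teredo(addr):
    """Decode a Teredo IPv6 address; return None if it is not a Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    client_port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client_ip = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return {"server": str(server), "cone": bool(flags & 0x8000),
            "client_port": client_port, "client_ip": str(client_ip)}


# Constructed flow records (not from a real network): "proto src sport dst dport".
SAMPLE_FLOWS = [
    "udp 10.1.2.30 40000 65.54.227.120 3544",
    "tcp 10.1.2.31 51234 10.1.2.5 443",
    "ipv6 2001:0:4136:e378:8000:63bf:3fff:fdd2 0 2001:db8::10 80",
]


def find_teredo(flows):
    """Flag flows that carry Teredo: UDP on port 3544, or a Teredo address."""
    hits = []
    for line in flows:
        proto, src, sport, dst, dport = line.split()
        if proto == "udp" and TEREDO_UDP_PORT in (sport, dport):
            server = dst if dport == TEREDO_UDP_PORT else src
            hits.append({"flow": line, "reason": "udp/3544", "server": server})
        elif proto == "ipv6":
            for a in (src, dst):
                info = parse_teredo(a)
                if info:
                    hits.append({"flow": line, "reason": "teredo address", **info})
    return hits


if __name__ == "__main__":
    for hit in find_teredo(SAMPLE_FLOWS):
        print(hit)
```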

IPv6 has advantages that help balance out such potential security headaches, however.
Some security features that are optional under today's protocol are standard under IPv6, said Dug Song, a security engineer for Arbor Networks Inc., Lexington, Mass.

IPv6 offers capabilities "that are optional today and not widely deployed, like having content automatically encrypted at the content layer in transit over the wire," Song said.

All IPv6 implementations will by default support the feature, he said.

"It opens the possibility for a much higher degree of encrypted traffic on the network as opposed to everything running in the clear," Song said.

Another of IPv6's potential security improvements is the much larger IP address base that it offers. With more IP addresses, random-scanning worms and similar attacks have a much lower chance of success.

"We're already seeing a trend away from mass, auto-routing attacks, and I think IPv6 will help with that trend," Song said. "Certainly, if your address is hidden among many more millions of addresses that are empty, it takes much, much longer for a host that is choosing at random to find you."

Transition tension

Translation issues between IPv6 and IPv4 could be the biggest security headache for agencies and systems integrators, Song said.

Many Web site security policies, for example, rely on the IPv4 switch address for authorization. A military Web site may authorize access only by computers from a particular military network, and a firewall or other access control may be in place to enforce access restrictions. But some IPv6-to-IPv4 translation mechanisms can let users intervene to alter the address attached to the resulting message. Unless the target site has filters in place around those tunnel endpoints, a breach can occur.

"That's actually something that's come up already," Song said.

Expanding the IP address base is one of the most important features of IPv6 and a major reason that the Defense Department has mandated adoption of the protocol in 2008. The vastly larger base provides the means to give any device, even those traditionally thought of as a network device, its own IP address.

With all those devices in offices and on battlefields talking directly to each other, the old security model of a network with a protected perimeter begins to look outdated.

"When there are so many interactions that cross agencies, in the spirit of sharing more information, the definition of a network has certainly blurred over the years," said John Landwehr, director of security solutions and strategy at Adobe Systems Inc.

That blurring of networks and an ever-growing list of devices on networks will lead to new security challenges, he said.

"Our approach to security, certainly securing the network and securing who can access wireless as well as wired access points, improves the overall security of the system significantly," Landwehr said. "We go a step beyond that to recommending to our customers to secure the content itself over a secure network."

So if an agency has a Portable Document Format file, a computer-aided design format file or a Microsoft Office file that contains personal information such as health care data or Social Security numbers, measures should be taken to ensure that only those with proper authorization can see it.

"If that content goes over a secure IPv6 session and ends up on somebody's laptop, you want to make sure if that content then gets accidentally or maliciously forwarded to somebody that shouldn't have it, that they can't access it," Landwehr said.

Caught in the web

Another security issue that is sure to become more challenging under IPv6 is the increased use of Web applications.

Five years ago, the most prevalent attacks were denial-of-service attacks, but lately that has diminished dramatically.

"I would have to say more than 90 percent of the attacks we're seeing today are at the application layer," said Paul Henry, vice president with Secure Computing Corp. of San Jose, Calif. "Primarily, the attacks are against Web-based apps; a lot of it is over Hypertext Transfer Protocol. They are the primary threat vector today, and the vehicle of choice for moving them is spam."

Several browser-based exploits present a threat by allowing, with no user interaction, the installation on PCs of root back doors.

Secure Computing's tools protect against those threats with application layer defenses, Henry said. Even with the increase in the number of Web applications and the attacks on them, some of IPv6's inherent features likely will help with security, he said.

"With IPv6, you're able to trace a packet literally across the entire Internet," he said. "That would have a major, major impact from a security perspective, because it would remove a great deal of the ability of the bad guys to remain anonymous. IPv6 could have an immediate impact on spam, and it would have immediate impact on worms."

As the transition to the new protocol begins in 2007 and heats up in 2008, agencies, systems integrators and IT security innovators need to be prepared.

Much of that preparation should focus on training, said Jonathan Reeve, senior product marketing manager for EMC Corp.'s Smarts software line. Thorough training will be required because IT experts will need to know how to do everything in a dual IPv4/IPv6 world.

"There's going to be a substantial period of time where you have to be concerned about both IPv4 and IPv6 from a security perspective," Reeve said. "If you have a given set of IT operations staff, there's going to be a lot of pressure for them to step up and do a lot more.

"It's going to be very important that you have a management tool that can really automate the discovery of the IPv6 and understand what you have out there so you can free up the operation staff to focus on the other things," Reeve said.

One thing civilian agencies, and the systems integrators that work with them, can count on is that the Defense Department is going to end up doing a lot of the initial work when it comes to IPv6, said Jeff Doyle, senior network architect of Juniper Networks.

"They're going to be doing end-to-end encryption and identification, and all that work is going to filter out to everyone else," he said. "That is a huge plus, because security as it exists now, for any kind of Internet protocol, is just really awful."

Staff Writer Doug Beizer can be reached at dbeizer@postnewsweektech.com.