RSA 2012 Day 3: Securing IPv6 and Moving to the Cloud

The first session today covered the basics of security in IPv6.  IPv6 contains some features which give it additional security.  Some are not actually features designed into the protocol but simply follow from the nature of the IPv6 address space: for example, brute-force scanning of IP addresses will no longer be possible with IPv6, just because of the sheer size of the address space you would need to scan.  On the down side, this same property makes vulnerability scanning impossible if it is based on scanning IP addresses.  The same is true when using ULA addresses for internal private addressing (like the 10.0.0.0 private range in IPv4).  Since the number of possible ULA networks is so great, each company can pick its own, and there will be virtually no chance of an overlap with another company's network.  Worms will no longer be able to spread just by counting up through 10.0.0.0 addresses and infecting the next active device.  Finally, designed-in features such as IPsec or Secure Neighbor Discovery (SEND) do secure the protocol; however, since IPsec is no easier to manage in IPv6 than it is in IPv4, it does not provide any additional security over using IPsec in IPv4.

Administrators should also actively implement certain controls to secure IPv6.  Controlling the network boundaries across which headers are allowed to be distributed, controlling rogue router advertisements by using an IPS and by filtering at the layer 2 switches, and blocking tunnels (6to4, 4to6, etc.) from any but approved tunnel endpoints will all help to secure an IPv6-based network.
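Two of those controls, catching rogue router advertisements and spotting tunnel traffic that does not come from an approved endpoint, reduce to simple per-packet checks. The following is an added example of that detection logic run over a handful of constructed, pre-parsed frames; it is not code from the session or from any IPS or switch vendor. The approved router MAC, the approved tunnel endpoint and the sample frames are all made up for the example (using RFC 5737 / RFC 3849 documentation addresses).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_IPV6_ENCAP = 41     # IPv4 protocol number carrying 6to4 / 6in4 tunnel traffic
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement

# Constructed policy for this example: the one legitimate router on the segment and
# the only host allowed to terminate IPv6-over-IPv4 tunnels.
APPROVED_ROUTER_MACS = {"00:11:22:33:44:01"}
APPROVED_TUNNEL_ENDPOINTS = {ipaddress.ip_address("192.0.2.10")}
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


@dataclass
class Frame:
    """The handful of already-parsed fields the checks below need."""
    src_mac: str
    ethertype: int
    ip_proto: int          # IPv4 protocol number or IPv6 next header
    src_ip: str
    dst_ip: str
    hop_limit: int = 64
    icmp_type: Optional[int] = None


def classify(frame: Frame) -> Optional[str]:
    """Return a verdict for a frame that violates the policy, or None if it is acceptable."""
    if (frame.ethertype == ETHERTYPE_IPV6 and frame.ip_proto == IPPROTO_ICMPV6
            and frame.icmp_type == ICMPV6_ROUTER_ADVERT):
        src = ipaddress.ip_address(frame.src_ip)
        # RFC 4861: a valid RA has a link-local source and hop limit 255 (it is never forwarded).
        if src not in LINK_LOCAL or frame.hop_limit != 255:
            return "malformed-ra"
        # A well-formed RA from anything but the approved router is the classic rogue-RA case.
        if frame.src_mac not in APPROVED_ROUTER_MACS:
            return "rogue-ra"
    if frame.ethertype == ETHERTYPE_IPV4 and frame.ip_proto == IPPROTO_IPV6_ENCAP:
        src = ipaddress.ip_address(frame.src_ip)
        dst = ipaddress.ip_address(frame.dst_ip)
        # Protocol 41 is only acceptable if one end of the tunnel is an approved endpoint.
        if src not in APPROVED_TUNNEL_ENDPOINTS and dst not in APPROVED_TUNNEL_ENDPOINTS:
            return "unapproved-tunnel"
    return None


def audit(frames: List[Frame]) -> List[Tuple[int, str]]:
    """Run classify() over a capture and return (index, verdict) for every flagged frame."""
    findings = []
    for index, frame in enumerate(frames):
        verdict = classify(frame)
        if verdict is not None:
            findings.append((index, verdict))
    return findings


# Constructed sample capture (192.88.99.1 is the well-known 6to4 relay anycast address).
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:01", ETHERTYPE_IPV6, IPPROTO_ICMPV6, "fe80::1", "ff02::1", 255, ICMPV6_ROUTER_ADVERT),
    Frame("00:aa:bb:cc:dd:ee", ETHERTYPE_IPV6, IPPROTO_ICMPV6, "fe80::2", "ff02::1", 255, ICMPV6_ROUTER_ADVERT),
    Frame("00:11:22:33:44:01", ETHERTYPE_IPV6, IPPROTO_ICMPV6, "2001:db8::1", "ff02::1", 64, ICMPV6_ROUTER_ADVERT),
    Frame("00:11:22:33:44:02", ETHERTYPE_IPV4, IPPROTO_IPV6_ENCAP, "192.0.2.10", "192.88.99.1"),
    Frame("00:11:22:33:44:03", ETHERTYPE_IPV4, IPPROTO_IPV6_ENCAP, "198.51.100.7", "192.88.99.1"),
    Frame("00:11:22:33:44:03", ETHERTYPE_IPV6, 6, "2001:db8::7", "2001:db8::8"),
]

if __name__ == "__main__":
    for index, verdict in audit(SAMPLE_FRAMES):
        print(f"frame {index}: {verdict}")
```

On a real switch these are the same conditions a RA Guard feature enforces per port, and on a firewall the protocol 41 rule is the one that keeps unmanaged tunnels from bypassing the IPv4 perimeter; the script just makes the decision logic explicit and testable on captured traffic.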

The final recommendation is to develop an IPv6 security policy which parallels the IPv4 policy.  Every place where you have a policy statement which references IPv4 should also have a statement about IPv6, plus there should be some IPv6-specific statements to cover the IPv6-specific features.

In the Cloud session, the CTO from NASA's Jet Propulsion Labs discussed how they use public and private clouds within their organization.  They have developed a very interesting model of using both public and private clouds depending on the use case for the data and applications being implemented.  The model lets users define the requirements for their application in an online tool, and they are then given options showing which cloud-based services they are allowed to use based on security level, performance, availability, cost and other factors.