Tuesday, October 15, 2013

Is IPv6 Coming To Your Network?

A year or so ago, I recommended a couple of things to a Network Security Guy (and a friend of mine). First off, have a look at R. I think I dealt with that one (Choosing Python over R) earlier today.  But this guy also believed that Intrusion Detection/Prevention systems are highly effective. Probably because he implemented one years ago that met the needs of the times. Evolve, plz.

I didn't then, and certainly don't now (attacks only get better), have any confidence in IDS/IPS, and also recommended that he have a look at Evader. Apparently, a year down the road, he had done neither of these things. So be it--this was just a breakfast conversation with a friend, and really none of my business.

Today, I had a conversation with another Network Security Guy (and another friend of mine) who had a serious need to vent. For reasons unknown (but it seems likely that some senior manager had read some scare-piece about IPv4 number exhaustion), a mandate had come down from on high, that IPv6 Would Be Implemented in 2014. Behind the firewall.

Heavy sigh, and all that. But what this guy, who was in more of a managerial position, was concerned about was that it was going to thrash his tentative 2014 hardware budget planning, which was already late. Well, yes. It surely will thrash his hardware budget planning; IPv6-capable network infrastructure requires more horsepower, and economies of scale are not yet present.

Here is the FUBAR bit, and I felt bad about dropping this one him, because I had worked with one of his Evil Minions on setting up some basic defenses, years back.

  • Yes, your hardware will cost more 
  • IDS/IPS systems will be even less effective that they were under IPv4
  • Internal network scans will no longer be effective
  • Pretty much nothing of your current notions of VPN security will (or should) survive
This is off the top of my head. I could get creative, and start thinking about, for example, PBX and video-conferencing systems.

IPv6 is coming, but there is already sufficient pain. It is likely that every aspect of your network security posture will have to reevaluated, via whatever risk-analysis methodology you prefer. What is certain is that a valid reason for deploying IPv6 almost perfectly does not resemble management by proclamation.

We know that waiting until the last moment will only make it worse, and that proclamations lead to FAIL. So, please, start thinking (rationally) about it now. You are far more likely to be ready when you have a real roll-out date.

No comments:

Post a Comment

Thanks for your comment; communities are not built without you.

But note than comments on older posts usually go into a modertion queue. It keeps out a lot of blog spam. Weird links to Web sites hosting malware, marketing nonsense, etc.

I really want to be quick about approving comments in the moderation queue. When I think I won't manage that, I will turn moderation off, and sweep up the mess as soon as possible.

If you find comments that look like blog spam, they likely are. As always, be careful of what you click on. I may have had moderation off, and not yet swept up the mess.