As enterprises transition from IPv4 to IPv6 networks, new IPv6-enabled networks are creating loopholes that pose...
IPv6 security risks.
As the number of IPv6-capable endpoints grow, IPv6 traffic is appearing on the existing corporate IPv4 network ahead of the transition plan of many enterprises. Employees can potentially share files and download video at will on these new -- and often unmonitored -- networks, and these vulnerabilities can be accessed by hackers.
IPv6 networks are running undetected on the existing corporate IPv4 enterprise network by way of tunneling, said Scott Hogg, chair of the Rocky Mountain IPv6 Task Force. "Some devices and computer operating systems [including Mac, Windows Vista and Windows 7] may try to tunnel the IPv6 packets across the IPv4-only corporate IT network to get to the IPv6 Internet."
This IPv6 latent threat on an existing IPv4 network can result in compliance risks and bandwidth issues for the enterprise. Trends like bring your own device (BYOD) are contributing to the risk. Many endpoints and devices are now IPv6-ready and as the number of outside devices brought to work increases, so does the risk to the IPv4 enterprise network.
"Most enterprises are still focused on IPv4 networks, but IPv6 networks could be running that [network managers] are unaware of," said Bob Laliberte, senior analyst for the Enterprise Strategy Group, noting that open and unmonitored IPv6 ports could present big security implications if not recognized.
IPv6 security: Promoting "shadow network" awareness
Blue Coat announced better visibility into IPv6 traffic with PacketShaper version 9, the operating system that runs on its series of PacketShaper enterprise network security and monitoring appliances. With it, enterprises will be now be able to monitor and control unauthorized IPv6 traffic and applications across existing IPv4 corporate networks, according to Mark Urban, Blue Coat's senior director of product marketing for application delivery.
"The more traffic [enterprises] get across their Internet connections and WAN connections to the branch offices, the more companies will have the need to understand what exactly is going across their network," Urban said.
PacketShaper 9 will give enterprises a more granular view of the exact applications -- whether IPv4 or IPv6-enabled -- running across their network. "Providing customers the ability to make better judgments regarding their networks and how to treat these different applications and traffic is becoming increasingly important," he said.
The IPv6 traffic that has emerged onto IPv4 enterprise networks -- which Blue Coat dubs "shadow networks" -- is typically unanticipated and uncontrolled by IT. Enterprises not only run the risk of internal employees running applications like Netflix and YouTube over these networks that may be restricted by company policies, but criminals could attempt to access networks illegally via the open IPv6 ports, Laliberte said.
"The shadow networks are just another area to exploit," he added.
The BYOD trend is forcing companies to open up their networks. By opening up, they are increasing the risk for a security breach, Laliberte said. "The focus needs to be on prioritizing web traffic," he said. "In some cases, enterprises may find after evaluating their network they must either restrict access to certain applications, or make sure it's not a priority over business applications," he said.
BYOD also presents compliance implications for unauthorized traffic. "If your transition plan is to support IPv6 in 2014 and suddenly you are supporting it in 2012 because of IPv6-ready devices brought onto the network, you may have moved your network out of compliance," Blue Coat's Urban said.
More on IPv6 security:
IPv6 security: issues for the enterprise
IPv6 security vulnerabilities hinder transition
IPv6 tutorial: security threats and defenses
IPv6 security: myths and misconceptions
Enterprise network security starts with IPv6 security
The North American market has not experienced the same issues with the IPv4-IPv6 transition that other regions have, Laliberte said. Emerging countries that are experiencing rapid growth and rising mobile device usage have struggled. But the U.S. government has taken note. "We know we have to go toward IPv6, and [the government] has begun to make it a requirement to be IPv6-ready," he said.
"We've definitely seen a change, from 'we don’t care about' to 'we have to plan' for the IPv6 transition," Urban said, noting that many customers are surprised to learn that applications are running on the IPv6 shadow networks -- which are bypassing network security measures -- and how much bandwidth is being consumed.
As IPv6 infrastructure comes alive, unanticipated traffic must be better managed, Laliberte noted. "As more organizations look to the use of cloud computing and Software as a Service [SaaS], the ability to understand what is running over those links and managing that application performance will be huge."
Let us know what you think about the story; email: Gina Narcisi, News Writer