BYOD & IPv6: The Secret to Providing a Secure Network

By TMCnet Special Guest
John Sung Kim, Cofounder of 6connect
  |  October 15, 2012

This article originally appeared in the October 2012 issue of INTERNET TELEPHONY.

Some network security engineers are already calling BYOD “bring your own disaster.”

With the proliferation of Internet-connected mobile devices that consumers and employees alike use to access public and private networks every day, the bring-your-own-device trend definitely affects the data center in unforeseen and potentially very damaging ways.

In fact, the millions of iPads and smartphones used daily in college and corporate environments are willing conduits for attack – if you’re not thinking ahead.

Spammers are gearing up for a field day as 2^128 new IPv6 addresses, roughly 340 undecillion (3.4 × 10^38), become available. Opportunities to exploit the complexity of dual-stacked IPv4 and IPv6 networks abound.

Address spoofing is a risk on IPv4 and IPv6 networks alike, especially where router interfaces lack ingress filtering. Dual stack adds a second failure mode: if v6 is enabled on an interface without the same ACLs that protect v4, the v6 path is an obvious attack vector regardless of how well the v4 ACLs are written, because each protocol is filtered independently and an IPv4 access list never sees an IPv6 packet.

Even networks run as v4-only commonly contain IPv6 hosts with self-configured v6 addresses, because new servers, desktops and mobile devices enable IPv6 out of the box: every interface gets a link-local address automatically, and a single router advertisement on the segment, legitimate or not, is enough for every host to configure a global address via SLAAC. Largely unknown to the network administrators, these IPv6-enabled endpoints can reach one another directly over v6 and so serve as attack vectors for other internal targets or as conduits for off-premises and phishing-style attacks.
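The checks a host-level audit would run for the two conditions just described, as an added example that is not part of the original article or of 6connect's products: it parses constructed output of `ip -6 addr`, `iptables-save` and `ip6tables-save` (the interface, addresses and rules are made up for the example) and reports a self-configured global IPv6 address and an IPv6 filter policy that is weaker than the IPv4 policy on the same host.

```python
"""Dual-stack exposure check for a Linux host. Added example, not code from
the original article or from 6connect: it parses constructed `ip -6 addr`,
`iptables-save` and `ip6tables-save` output and reports the two gaps described
above, a global IPv6 address the host configured by itself (SLAAC) and an IPv6
filter policy weaker than the IPv4 policy on the same box."""
import re
from typing import NamedTuple

# Constructed `ip -6 addr` output: a host never "deployed" with IPv6 that
# picked up a global address from a router advertisement on its segment.
IP6_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:211:22ff:fe33:4455/64 scope global dynamic mngtmpaddr
       valid_lft 86391sec preferred_lft 14391sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever
"""
# Constructed `iptables-save`: the IPv4 side is locked down to an allow-list.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed `ip6tables-save`: nobody configured IPv6 filtering, so it is
# still the kernel default, ACCEPT everything with no rules at all.
IP6TABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

class Inet6Addr(NamedTuple):
    iface: str
    address: str
    prefixlen: int
    scope: str
    dynamic: bool  # `ip` flags addresses learned from router advertisements as "dynamic"

_IFACE_RE = re.compile(r"^\d+:\s+(\S+?):")
_INET6_RE = re.compile(r"^\s+inet6\s+([0-9a-f:]+)/(\d+)\s+scope\s+(\S+)(.*)$")

def parse_ip6_addr(text: str) -> list:
    """Parse `ip -6 addr` output into Inet6Addr records, in listing order."""
    addrs, iface = [], None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _INET6_RE.match(line)
        if m and iface:
            addr, plen, scope, flags = m.groups()
            addrs.append(Inet6Addr(iface, addr, int(plen), scope, "dynamic" in flags.split()))
    return addrs

def parse_filter_table(text: str) -> tuple:
    """Return ({chain: policy}, {chain: rule count}) for the *filter table only."""
    policies, counts, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], counts[chain] = policy, 0
        elif line.startswith("-A "):
            chain = line.split()[1]
            counts[chain] = counts.get(chain, 0) + 1
    return policies, counts

def audit_dual_stack(ip6_addr: str, v4_rules: str, v6_rules: str) -> list:
    """Return human-readable findings; an empty list means no gap was found."""
    findings = [f"{a.iface}: SLAAC global address {a.address}/{a.prefixlen} is reachable over IPv6"
                for a in parse_ip6_addr(ip6_addr) if a.scope == "global" and a.dynamic]
    v4_pol, v4_cnt = parse_filter_table(v4_rules)
    v6_pol, v6_cnt = parse_filter_table(v6_rules)
    for chain in ("INPUT", "FORWARD"):
        if v4_pol.get(chain) == "DROP" and v6_pol.get(chain) != "DROP":
            findings.append(f"{chain}: IPv4 policy DROP but IPv6 policy {v6_pol.get(chain)} "
                            f"({v4_cnt.get(chain, 0)} v4 rules vs {v6_cnt.get(chain, 0)} v6 rules)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_dual_stack(IP6_ADDR_OUTPUT, IPTABLES_SAVE, IP6TABLES_SAVE)) or "no findings")
```

On a real host the three inputs come from `ip -6 addr`, `iptables-save` and `ip6tables-save` (or the nft equivalents); the point of the parity check is that a DROP policy on the IPv4 INPUT chain says nothing about what the same box accepts over IPv6.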

With only a small amount of IPv4 space left for allocation, a single public IPv4 address will come at a premium. This means even more services will be stacked behind a single v4 address with NAT and port forwarding, giving attackers one convenient point of access to multiple attack surfaces and many hosts. Once inside, an intruder or malicious code on an IPv6-enabled host can spread easily to other hosts on the same subnet over v6, which needs no router and no v4 reachability, increasing the size and scope of attacks even when the hosts sit in private (RFC 1918) IPv4 space.

The secret to providing a secure network is knowing exactly where your IPv4 and IPv6 addresses are, what they are being used for, and by whom. Network administrators who manage IPv4 and IPv6 addresses with spreadsheets will fail, because that method is no longer tenable in a mixed v4 and v6 environment.

Having an inventory of every v6 pool, showing which ranges are allocated, which are unused, and which device holds each in-use address, is key to preventing v6-based network compromises. It is also crucial to be able to audit activity around your address space and to have the forensic capability to reconstruct who held which address at what time should a security incident involve any managed address.

Understanding and mapping a network, its IP addresses and its devices requires a deep, constant scan with an IPAM tool that continuously assesses its activity and health. However, scanning addresses in an IPv6 environment is completely different from scanning IPv4. The standard allocation for a single subnet (and, with some providers, for a single endpoint) is a /64, which leaves 2^64 interface identifiers per subnet.

So, while a subnet may hold only one or two hosts, its address space is over four billion (2^32) times the size of the entire IPv4 Internet; a linear sweep at a million probes per second would take well over half a million years. This makes conventional IPv4 sweep scanning obsolete in an IPv6 world: discovery has to start from what the inventory already knows about each device rather than from the address space.
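What replaces a sweep once brute force is off the table, as an added example (not code from the original article or from 6connect): it quantifies the sweep time for a /64 and then derives the short candidate list a scanner should probe first from what the inventory already knows. The prefix 2001:db8:1:2::/64, the MAC addresses and the IPv4 address are constructed, and the three address patterns used (EUI-64 from SLAAC, low integer identifiers, and an IPv4 address embedded in the identifier) are common operator conventions rather than anything the article itself lists.

```python
"""IPv6 host discovery seeded from the inventory instead of a /64 sweep. Added
example, not code from the original article or from 6connect. It quantifies
why brute force is hopeless and then builds the candidate list a scanner
should probe first: the EUI-64 addresses SLAAC derives from MAC addresses the
inventory already holds, low integer identifiers that operators assign by
hand, and the IPv4 address of each dual-stacked host embedded in the IID.
The prefix, MACs and IPv4 address below are constructed for the example."""
import ipaddress

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def brute_force_years(prefixlen: int, probes_per_second: float) -> float:
    """Years a linear sweep of one prefix takes at a fixed probe rate."""
    return 2 ** (128 - prefixlen) / probes_per_second / SECONDS_PER_YEAR

def _net(prefix) -> ipaddress.IPv6Network:
    """Accept a /64 as a string or IPv6Network and insist on the /64 length."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC and the conventions below assume a /64")
    return net

def eui64_address(prefix, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a device with this MAC forms in `prefix` (RFC 4291
    modified EUI-64: flip the universal/local bit, insert ff:fe in the middle)."""
    net = _net(prefix)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"malformed MAC {mac!r}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)

def ipv4_embedded_addresses(prefix, ipv4: str) -> list:
    """Both common ways operators embed an IPv4 address in the IID:
    2001:db8::192:0:2:10 (octets written as decimal groups) and
    2001:db8::c000:20a (the four octets packed into the low 32 bits)."""
    base = int(_net(prefix).network_address)
    packed = ipaddress.IPv4Address(ipv4).packed
    decimal_groups = int("".join(f"{o:04d}" for o in packed), 16)
    return [ipaddress.IPv6Address(base + decimal_groups),
            ipaddress.IPv6Address(base + int.from_bytes(packed, "big"))]

def candidate_addresses(prefix, known_macs, known_ipv4, low_iids: int = 256) -> list:
    """De-duplicated list of addresses in `prefix` worth probing first, in
    the order low IIDs, EUI-64 from the MAC inventory, embedded IPv4."""
    base = int(_net(prefix).network_address)
    cands = [ipaddress.IPv6Address(base + i) for i in range(1, low_iids)]
    cands += [eui64_address(prefix, mac) for mac in known_macs]
    for v4 in known_ipv4:
        cands += ipv4_embedded_addresses(prefix, v4)
    return list(dict.fromkeys(cands))  # keeps first occurrence, drops repeats

if __name__ == "__main__":
    net = "2001:db8:1:2::/64"                              # constructed prefix
    macs = ["00:11:22:33:44:55", "02:00:5e:10:00:01"]      # constructed inventory
    v4s = ["192.0.2.10"]                                   # constructed dual-stack host
    print(f"sweep of a /64 at 1M probes/s: {brute_force_years(64, 1e6):,.0f} years")
    targets = candidate_addresses(net, macs, v4s)
    print(f"{len(targets)} candidates instead of {2**64:,} addresses")
    for t in targets[-4:]:
        print(" ", t)
```

The EUI-64 step is the practical link between the article's "devices correlated to addresses" and discovery: a MAC inventory predicts the SLAAC address of every host that uses it, and the same transform run backwards turns an observed ff:fe address into a MAC and vendor OUI. Privacy extensions (RFC 4941) defeat that prediction, which is exactly why the article's point about continuous auditing matters for BYOD endpoints.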

Surprisingly, most IP address automation software cannot actually detect v6 addresses on a network or accommodate the volume of IPv6 addresses that must be accounted for. Most legacy IP address management applications simply attach a v6 address to each v4 record as an add-on, creating a largely artificial v6 inventory in order to claim dual-stack support.

Unfortunately, this does not provide an accurate inventory of the v6 addresses actually present on the network, and it can even obscure the fact that those addresses are going untracked. The network administrator may not realize that IPv6 management needs additional address intelligence at all.

Most IPAM software is a user interface layered over spreadsheet-style tables, which in v6 simply will not scale to the security concerns above. With current IPAM solutions, managing and tracking v6 addresses will require a 5x to 10x increase in the time spent tracking network assets, which is not acceptable in an age when network engineers are being asked to manage an ever-increasing number of BYOD devices and the traffic they generate.

With the widening deployment of IPv6 and the increasing trend toward BYOD, IP address management needs to evolve into IP address automation and treat v6 security as part of its base architecture. Automating IPAM eliminates the labor-intensive, error-prone manual work of assigning and reassigning addresses. To manage and host devices within these large address ranges, DNS and other name services are crucial to enforcing network policy while still providing the discoverability that endpoint devices need.


Edited by Braden Becker