Are You Secure?

Adapted from Fox News

Even though the promise of IPv6 is one of more security, IPv4 has earned its bones over the past few decades, and we’ve familiarized ourselves with what it can and cannot do. On the other hand, we have little to no experience with IPv6 in the real world. On paper, IPv6 looks great.But, I’m sure the Titanic did too. At best, IPv6 facilitates better security, it doesn’t guarantee it. 

Case in point: IPSec.  Essentially, this secures IP communication by encrypting and authenticating IP packets. In IPv4, it was optional as a feature; in IPv6, it’s mandatory. Making a feature mandatory doesn’t mean it will find widespread support; the point is, IPv6 isn’t automatically more secure. It’s going to take a lot of pre-rollout preparation and an immense amount of security vigilance to get it right.

For businesses, there’s a lot to consider, and this will likely fall into the lap of the IT department.  There are all sorts of pitfalls to avoid, and here are some to keep on top of at all times.

Buggy Programming.  This is where things usually fall apart.  In a transition this complex, on a scale this large, programmers are much more likely to make mistakes in the implementation, which could leave vulnerabilities wide open to hackers, negating the effectiveness of IPv6’s bells and whistles of security.  The worst-case scenario is actually ending up with an IPv6 infrastructure that’s even more brittle than the IPv4 infrastructure before it, placing a business at even greater risk, by amplifying the attack space.

Transition Exploitation. This migration is going to take a while, and until then, businesses will be straddling a dual IPv4/IPv6 environment, each with its own specific set of security problems.This ups the workload for companies’ networking staff and increases the number of ways things could go wrong. This is where security vigilance is crucial; due to this hybrid interim, we’re going to encounter unusual situations where hackers can potentially take advance of an interaction between the protocols.

Ineffective Blacklists. While IP blacklisting has been successful in reducing the global volume of spam, there’s the concern that ISPs won’t be able to scale IP blacklisting to IPv6, given its sheer size. This represents the problem that some security techniques may not transition very well from IPv4 to IPv6, giving hackers even more room with which to mount their attacks.

DDos Attacks. Distributed denial of service (DDoS) attacks, which overwhelm a computer network or Web site to make it useless, will still pose a threat to businesses in IPv6.  While IPsec can mitigate the effects of DDoS attacks to some degree, it does not prevent them, leaving resources at risk of being bombarded and brought to a complete stop. Broadcast amplification attacks, like “smurf” attacks, can do exactly that: keep you from your customer.

Evading Security Measures. Fragmentation attacks will still be a problem in IPv6, although architectural changes mitigate these attacks more efficiently. Fragmentation attacks can be used to evade, intrusion detection systems [IDS], intrusion prevention systems [IPS], and firewalls--often a business's only means for learning when they’re being attacked. Once they’re in, everything is fair game: client information, credentials, e-mails and trade secrets.

Masking Points of Origin. Spoofing attacks will still be a threat in IPv6, but the new IPsec mandate will better manage this threat for businesses. Spoofing allows hackers to conceal their identities, making it hard to track them down after an attack. It can also be used to fake an identity--to implicate an innocent person or company in an attack in which they had no real involvement. Attacks aren’t limited to those that try to steal information or destroy resources, they can actually attempt to tarnish the company’s reputation.

Hopefully as technology advances and with a better understanding on how IPV6 will work in the real world, some of these issues can be addressed.  Security is still one of the more important areas in business.  Are you secure?

 
If you have system questions or concerns. Or would like to have a Security Review of your business network, give the CCS Retail Systems Support Department a call at 800-672-4806 or email us

-Bryan