Makers of network security gear are lining up to help corporations and service providers implement IPv6, the next-generation network layer protocol for the Internet that offers a vastly larger number of host addresses.
NetScreen, a maker of network security appliances, last week made available to existing customers a beta version of firewall and VPN software that supports IPv6.
Interest in IPv6 was sparked at a recent conference in San Diego, where the U.S. Department of Defense announced it is making IPv6 a procurement requirement (see here).
NetScreen's release comes less than a month after Cisco laid out plans to add stateful packet filtering of IPv6 to its software and hardware firewall products in the first half of next year. Check Point Software last October introduced IPv6 support for its software with the release of Check Point VPN-1/FireWall-1 Next Generation, Feature Pack 3, according to a company representative.
The beta release of ScreenOS, the software for NetScreen's integrated firewall and VPN platforms, can automatically detect and secure traffic that uses either IPv6 or IPv4, the current version of IP. The beta release is free.
IPv6 is not yet necessary for networks in North America, where IP addresses are relatively plentiful. But IPv6 is likely to be needed soon in some Asian countries and for advanced applications such as mobile data services and voice over IP, according to Dave Kosiur, an analyst at Burton Group.
A number of network routers from Cisco and other vendors can handle traffic with IPv6 addresses, but the story doesn't necessarily end there for network administrators, Kosiur and others say.
"You don't need to have a firewall that routes IPv6 in order to run IPv6. However, the way networks are run today, it's out of the question to do it without security," says Alan Bavosa, a NetScreen product manager.
Some companies and service providers using IPv6 last year were concerned that few security tools, including firewalls, were available for it. Another concern was that because IPv6 would let each system have a unique IP address, a hacker might be able to target a specific system in a company for attack.
The new ScreenOS release provides encryption and firewall capabilities, as well as protection against denial-of-service attacks, for IPv6 traffic. It can encapsulate IPv6 traffic in IPv4, letting corporations or service providers operate an IPv6 network across a backbone that hasn't been configured to handle the new kinds of packets, Bavosa says.
Organizations or carriers that haven't deployed IPv6 generally don't have to worry about IPv6 attacks because their firewalls and routers can't route the harmful packets, Kosiur and Bavosa say. However, if they want to try it out they'll demand some security mechanisms, experts say.
"If someone is dependent on firewalls now, then they will want a firewall when they move to IPv6," says John Klensin, chairman of the Internet Engineering Task Force's Internet Architecture Board.
Emerging applications might force companies and service providers in North America to adopt IPv6, Kosiur says. To conserve unique, public IP addresses, many network administrators hand out addresses just for use inside a closed area, but new applications might have trouble with that, he says. For example, without the additional addresses provided by IPv6, it might be hard to implement voice over IP in an organization and receive calls from outside. Networks of air-quality and other sensors or closed-circuit TV cameras are likely to demand too many unique public addresses to be set up under IPv4.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment