Chapter 1: Introduction to IPv6

Cisco Press


Virtually all organizations rely heavily on their staff and their network security devices to protect their critical computer systems. Most organizations use firewalls, host-based and network-based intrusion prevention systems (IPS), antivirus software, and Security Information Management Systems (SIMS) to help monitor security events in this locked-down environment. Companies have spent a lot of money trying to secure their computer network infrastructure from invasion. This is primarily because there are weaknesses in the protocols and defects in applications used on computer networks that can be subverted by malicious individuals. While malicious individuals exploit weaknesses in protocols, unknowing individuals help propagate the threats by ignoring corporate security policy, guidelines, and standards.

IPv6 security devices need to be purchased when they are available and kept up to date so that when new IPv6 vulnerabilities are discovered, the computer systems are protected. Organizations are going to need IPv6-capable security products ahead of the deployment of IPv6. Firewalls are pervasive in today's networks, and there are several firewall solutions available for IPv6. However, in 2008, many IPSs and VPN concentrators do not support IPv6. The planning for the migration to IPv6 has been taking place for several years, but for now, much of the needed functionality does not exist. It can take a couple of years for there to be feature parity between IPv4 and IPv6 security products. Therefore, organizations should plan to upgrade their current security systems to achieve IPv6 functionality.

Instead of focusing on the theoretical security implications of IPv6, you should aim to apply practical measures for securing a network based on the information that is available today. No one can yet claim extensive experience deploying all the IPv6 security mitigation techniques. For now, we can only discuss what is known to be true, based on limited deployment experiences. However, there is some certainty that the techniques shown in this book are effective based on the current knowledge of IPv6, testing, and experience securing computer networks.

Summary

Effective security involves finding that perfect balance between protecting an asset and handling the extra burden security adds to doing business. The implementation of security should match the value of your assets and the acceptable level of risk. You should craft a security strategy that matches your level of risk. When it comes to IPv6, this means adjusting the security measures to fit the changes related to using a new network layer protocol. First you must understand the differences between IPv4 and IPv6 and know how those deltas have security implications. Next you must understand what vulnerabilities in IPv6 you must address. The final step is to implement security mitigation techniques to provide adequate coverage for your environment.

Even though the guidelines in this book are based on sound principles, they are not necessarily considered time-tested best practices. Just as IPv6 is in its early stages, the methods of securing IPv6 are rapidly changing. Because few IPv6 attacks exist, not all the future attacks are fully understood. Therefore, the guidelines in this book need to be customized to meet your organization's needs. Please do not just implement every command listed in this book. Rather, you should read the book, understand the threats, and then embark on using the correct techniques to secure your own IPv6 network.

Recommended Readings and Resources

Cisco. Deploying IPv6 in Branch Networks. http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753ad.pdf.

Cisco. Deploying IPv6 in Campus Networks. http://www.cisco.com/application/pdf/en/us/guest/netsol/ns107/c649/ccmigration_09186a00807753a6.pdf.

Cisco. Self Defending Network (SDN) site. http://www.cisco.com/go/sdn.

Convery, Sean, and Darrin Miller. IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation (v1.0). Cisco Systems Technical Report, March 2004. http://www.cisco.com/security_services/ciag/documents/v6-v4-threats.pdf.

Davies, Joseph. Understanding IPv6. Microsoft Press, November 2002.

De Capite, Duane. Self-Defending Networks: The Next Generation of Network Security. Cisco Press, August 2006.

Desmeules, Regis. Cisco Self-Study: Implementing Cisco IPv6 Networks. Cisco Press, May 2003.

Hagen, Silvia. IPv6 Essentials, 2nd Edition. O'Reilly and Associates, May 2006.

Internet Engineering Task Force (IETF) BCP Index. http://www.rfc-editor.org/bcp-index.html.

Internet Engineering Task Force (IETF) IPv6 Operations (v6ops) Working Group. http://www.ietf.org/html.charters/v6ops-charter.html.

Kaeo, Merike, David Green, Jim Bound, and Yanick Pouffary. IPv6 Security Technology Paper. North American IPv6 Task Force (NAv6TF) Technology Report, July 2006. http://www.nav6tf.org/documents/nav6tf.security_report.pdf.

Popoviciu, Ciprian P., Eric Levy-Abegnoli, and Patrick Grossetete. Deploying IPv6 Networks. Cisco Press, February 2006.

van Beijnum, Iljitsch. Running IPv6. Apress, November 2005.

Richard Murphy, Niall, and David Malone. IPv6 Network Administration. O'Reilly and Associates, March 2005.

Warfield, Michael H. Security Implications of IPv6 Whitepaper. Internet Security Systems, 2003. http://documents.iss.net/whitepapers/IPv6.pdf.

Copyright © 2007 Pearson Education. All rights reserved.


Copyright © 2008 IDG Communications, Inc.
