How to prevent IPv6 VPN breakout

Without properly configured remote-access VPNs, IPv6 traffic from remote devices can escape corporate security controls.

Enterprises unaware of the role IPv6 plays on remote users’ devices run the risk that these machines might access banned sites despite using VPNs that are meant to restrict what they access.

This gap exists because some remote-access VPNs are configured to inspect and apply security controls only to IPv4 traffic as it passes through a VPN concentrator, with no equivalent protections enabled for IPv6 traffic.

This leaves IPv6 traffic free to reach the internet directly without those controls being applied. Known as IPv6 VPN breakout, the issue is well known yet often overlooked.

There are solutions for IPv6 VPN breakout, but the first step is to understand it in order to appreciate its importance.

Why IPv6 VPN breakout is overlooked

Many enterprises do not realize how often IPv6 is being used on devices that access their networks via VPN. Phones, tablets and laptops used for remote access to corporate networks commonly support IPv6, as do the broadband and cellular services they might use to access the internet.

As a result, enterprises often don’t recognize IPv6 as a security factor. They configure their VPNs to inspect only IPv4 traffic, which can leave mobile devices free to access IPv6 sites that could prove dangerous to business networks, devices and data.

IPv4 protections work as follows: once the VPN has been established, the VPN concentrator inspects traffic bound for the internet and blocks traffic to destinations judged out of bounds by the policies the enterprise has configured (see Figure 1).

Figure 1. (Image: Network World / IDG)

This diagram shows a typical enterprise VPN user laptop with an IPv4-only VPN tunnel established back to the corporate internet perimeter. The red line represents IPv4 traffic that is directed through the enterprise to apply traffic inspection and security controls to internet-bound traffic. All IPv4 traffic must go through the VPN tunnel and cannot directly access the internet, but IPv6 traffic, represented by the blue line, can.

Most corporate VPNs enforce what is called no split-tunneling, which enhances security by forcing all IPv4 connections to traverse the VPN. With no split-tunneling, once a VPN connection has been established, remote devices cannot make a separate connection to the internet at large.
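One way to check a remote Linux client for the condition shown in Figure 1, as an added example that is not part of the original article: it performs a longest-prefix route lookup per address family and reports whether IPv6 leaves outside the tunnel while IPv4 is forced through it. The interface names (tun0, wlan0), the addresses and the route-table text are constructed sample values, and the input format assumed is the output of `ip -4 route show` and `ip -6 route show`.

```python
import ipaddress

# Constructed `ip -4/-6 route show` output; tun0 and wlan0 are assumed names.
IPV4_ROUTES = """\
default via 10.8.0.1 dev tun0 proto static metric 50
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
IPV6_ROUTES = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

def egress_dev(route_text, dest):
    """Interface chosen for dest: longest prefix wins, then lowest metric."""
    dest = ipaddress.ip_address(dest)
    best = None  # ((prefixlen, -metric), dev)
    for line in route_text.splitlines():
        f = line.split()
        if "dev" not in f:
            continue
        prefix = f[0]
        if prefix == "default":
            prefix = "0.0.0.0/0" if dest.version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types such as 'unreachable' or 'blackhole'
        if net.version != dest.version or dest not in net:
            continue
        metric = int(f[f.index("metric") + 1]) if "metric" in f else 0
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, f[f.index("dev") + 1])
    return best[1] if best else None

def check_breakout(v4_text, v6_text, tunnel_dev,
                   v4_dest="198.51.100.10", v6_dest="2001:db8:ffff::1"):
    """Return 'vpn-down', 'no-ipv6-route', 'tunneled' or 'breakout'."""
    if egress_dev(v4_text, v4_dest) != tunnel_dev:
        return "vpn-down"           # IPv4 is not forced through the tunnel
    v6_dev = egress_dev(v6_text, v6_dest)
    if v6_dev is None:
        return "no-ipv6-route"      # no route to an off-link IPv6 destination
    return "tunneled" if v6_dev == tunnel_dev else "breakout"

if __name__ == "__main__":
    print(check_breakout(IPV4_ROUTES, IPV6_ROUTES, "tun0"))
```

A result of "tunneled" only shows that IPv6 is routed into the VPN; whether the concentrator inspects that traffic still has to be verified on the concentrator itself.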
