
IPv6 and Intrusion Prevention: What You Need To Know

Technologists and government officials alike have hailed the successor to the IPv4 Internet protocol as the next big thing in networking. The new Internet protocol supports billions and billions and billions of addresses, meaning every individual mobile device can have its own address—and then some. In 2006, the United States government set a mandate that all federal offices upgrade their backbones to IPv6 by the end of 2008. This mandate is expected to increase IPv6 adoption in the private sector, as well. Already, a number of companies have taken the plunge.

Interestingly, organizations don’t have to support IPv6 in order to pass traffic over it—a scenario that could make networks susceptible to attack. Hackers have devised a way to use secret tunnels to send IPv6 traffic over IPv4, slipping viruses, worms, and spyware through some of the toughest network defenses. Though none of the major market research firms specifically tracks IPv6 attacks, there have been reports of quite a number of these attacks in recent years. How big is the problem? How do you know if your company is at risk? How can you keep your network secure?

Why IPv6?
No discussion of IPv6 can begin without a hearty dose of context. In addition to providing trillions more network addresses than its predecessor provides, IPv6 contains many features that make it attractive from a security standpoint, as well. It is reliable and easy to set up. It configures automatically. Huge, sparsely populated address spaces make networks using IPv6 highly resistant to malicious scans. These networks also are inhospitable to self-propagating worms—a reality that hardens networks from the beginning.


Still, IPv6 is not perfect. Because most security breaches occur at the application level, even a successful IPv6 deployment does not guarantee added security. In addition, the new protocol does not protect against misconfigured servers, poorly designed applications, or poorly designed sites. Perhaps the biggest problem is that nobody understands exactly how sophisticated the new protocol really is, so intruders frequently use it to conceal unauthorized activity—and can do so under the radar for months. As wild as that might sound, it’s not that far-fetched.

IPv6 today
Briefly, IPv6 tunnels are everywhere. The protocol is on by default in all Unix platforms, and it is simple to add it to anything running Windows 2000 SP2 or higher. Because IPv6 is activated by default, it’s straightforward for somebody to set up an IPv6 tunnel on an existing network. These tunnels probably already exist on your network, and they are not hard to find if you know how and where to look for them. Whether or not hackers find them first is another question nagging network administrators right now.

Hackers first discovered these tunnels as a method of launching attacks in December 2001, and they’ve been using them ever since. Today, most of these attacks employ the "Trojan horse" method: malicious code slips past standard security measures inside an IPv6 tunnel, crossing the IPv4 perimeter undetected. Once the viruses are firmly established inside, the hacker sends an external signal that triggers them to spring to life and wreak havoc from inside the network. Because the attacks are then coming from the inside, it is too late for most basic intrusion prevention systems (IPS) to detect them. And because most IPS products do not yet inspect IPv6—whether native IPv6 or IPv6 tunneled over IPv4—these attacks are able to enter the network unseen.

Staying secure
Because IPv6 tunnels are ubiquitous, the key to keeping your network secure from these nefarious attacks is to call them out and shut them down. The first step toward accomplishing this goal is to set up the infrastructure so that at least one layer is aware of IPv6 traffic at all times, including IPv6 that is hidden inside IPv4 packets. This approach should not aim to manage IPv6 addresses—that’s another task for entirely different technology. Instead, the approach should strive to scan all incoming and outgoing Internet traffic for data carried over IPv6—a process that monitors traffic for unauthorized transmissions of any kind.

By monitoring all traffic, IT security managers can decode every flow and see precisely where a network’s IPv6 tunnels might be. Once the tunnels are found, they must be shut down before hackers figure out where the tunnels are hidden. This process is as simple as blocking a few ports. All told, it can be accomplished in a matter of seconds. Left without these tunnels, the hackers have no way of secretly sending information past network defenses. As a result, network security improves substantially, and sensitive corporate data remains safe from threats.
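As an added illustration of the monitoring step described above (this is example code, not Check Point’s or the article’s), the block below flags IPv4 packets that carry tunnelled IPv6: 6in4-style encapsulation uses IPv4 protocol number 41, and Teredo carries IPv6 inside UDP on port 3544. The packets are constructed inline, and the tunnel labels and sample addresses are this example’s own choices.

```python
# Added example (not from the article): flag IPv4 packets that carry tunnelled IPv6.
# 6in4 uses IPv4 protocol number 41; Teredo carries IPv6 inside UDP on port 3544.
import struct
import ipaddress

PROTO_IPV6_IN_IPV4 = 41   # IANA protocol number used by 6in4, 6to4 and ISATAP
PROTO_UDP = 17
TEREDO_PORT = 3544

def ipv4_packet(src, dst, proto, payload=b""):
    """Build a minimal 20-byte IPv4 header (no options, zero checksum) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def udp_payload(sport, dport, data=b""):
    """Build a UDP header (zero checksum) in front of data. Constructed test data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt):
    """Return a tunnel label for one IPv4 packet, or None for ordinary IPv4 traffic."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == PROTO_IPV6_IN_IPV4:
        inner = pkt[ihl:]
        # A genuine 6in4 payload starts with the IPv6 version nibble (6).
        return "6in4" if inner and inner[0] >> 4 == 6 else "proto41-malformed"
    if proto == PROTO_UDP and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

def find_tunnels(packets):
    """Map each (src, dst) pair that carries tunnelled IPv6 to the tunnel types seen."""
    hits = {}
    for pkt in packets:
        label = classify(pkt)
        if label:
            src, dst = (str(ipaddress.IPv4Address(pkt[i:i + 4])) for i in (12, 16))
            hits.setdefault((src, dst), set()).add(label)
    return hits

# Constructed sample traffic: a plain TCP packet, a 6in4 packet and a Teredo packet.
SAMPLE = [
    ipv4_packet("10.0.0.5", "192.0.2.10", 6, b"\x00" * 20),
    ipv4_packet("10.0.0.7", "192.0.2.20", PROTO_IPV6_IN_IPV4, b"\x60" + b"\x00" * 39),
    ipv4_packet("10.0.0.9", "192.0.2.30", PROTO_UDP, udp_payload(50000, TEREDO_PORT, b"\x60" + b"\x00" * 39)),
]
```

Running `find_tunnels(SAMPLE)` reports the 6in4 and Teredo pairs and ignores the plain TCP flow; the same pairs are the ones whose protocol-41 traffic or UDP/3544 traffic a perimeter filter would then block.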

Check Point approach
Check Point Software Technologies offers the capability to lock down errant and subversive IPv6 transmissions with IPS-1. This tool offers enterprise-scale intrusion prevention with the Hybrid Detection Engine, which enables precise and accurate detection with a low rate of false positives. The engine provides full IPv6 support, ensuring that attacks currently obfuscated by channeling through IPv6 will be prevented. The result is a safer network for everyone, no matter how many quintillions of addresses your company needs.