IPv6 Security: 5 Things You Need to Know
NAT devices have been widely used to extend the life of IPv4 by allowing enterprises to use private IPv4 addresses on premises and then translate those into a shared but smaller pool of IPv4 addresses to traverse the public Internet. Because NAT prevents direct access to those private addresses, many feel it offers a layer of security.
"I actually think that NAT has been falsely touted as a security feature," Kaeo says. "A lot of people misunderstand that even with NAT, you are not as secure as you might think you are. And it complicates a lot of issues in the network, for auditing capability and traceability."
Those complications move into the network once Carrier-Grade NAT is used to translate IPv4 addresses within a carrier's network, something many believe is inevitable but unfortunate during the period when both IPv4 and IPv6 addresses will be in use. (See The Case Against Carrier-Grade NAT and The Ugly Side of IPv6: Carrier-Grade NAT).
Even when used just on the premises, NAT provides a false sense of security, unless combined with a stateful firewall, says Maufer. It fails to protect against TCP hijacking, for instance, which is a common practice of punching through corporate defenses after authentication has taken place. "If you care about security, you need to take a lot more precautions than a network-only protocol," he says.
If anything, carriers and enterprises are adding to their security portfolio, using things like active intrusion protection systems (IPS) and deep packet inspection to look at incoming traffic and make sure it isn't malicious, and those efforts need to continue, he says.
The IETF has developed RFC 4864 which provides Local Network Protection (LNP) using IPv6 that can provide the same or more benefits without the need for address translation, says Daniel Awduche, IP Technologist in Verizon’s Corporate Technology Organization.
Next Page: New Software Means New Testing