IPv6 Security: 5 Things You Need to Know

2. Network Address Translation (NAT) is not a form of security, although some folks have thought of it as such.

NAT devices have been widely used to extend the life of IPv4 by allowing enterprises to use private IPv4 addresses on premises and then translate those into a shared but smaller pool of IPv4 addresses to traverse the public Internet. Because NAT prevents direct access to those private addresses, many feel it offers a layer of security.

"I actually think that NAT has been falsely touted as a security feature," Kaeo says. "A lot of people misunderstand that even with NAT, you are not as secure as you might think you are. And it complicates a lot of issues in the network, for auditing capability and traceability."

Those complications move into the network once Carrier-Grade NAT is used to translate IPv4 addresses within a carrier's network, something many believe is inevitable but unfortunate during the period when both IPv4 and IPv6 addresses will be in use. (See The Case Against Carrier-Grade NAT and The Ugly Side of IPv6: Carrier-Grade NAT).

Even when used just on the premises, NAT provides a false sense of security, unless combined with a stateful firewall, says Maufer. It fails to protect against TCP hijacking, for instance, which is a common practice of punching through corporate defenses after authentication has taken place. "If you care about security, you need to take a lot more precautions than a network-only protocol," he says.

If anything, carriers and enterprises are adding to their security portfolio, using things like active intrusion protection systems (IPS) and deep packet inspection to look at incoming traffic and make sure it isn't malicious, and those efforts need to continue, he says.

The IETF has developed RFC 4864, which describes Local Network Protection (LNP) for IPv6, a set of techniques that can deliver the same or greater benefits without the need for address translation, says Daniel Awduche, IP Technologist in Verizon's Corporate Technology Organization.
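To make the distinction Maufer and Awduche draw concrete, here is a small added example (not code from the article or from any of the people quoted in it). It models a full-cone NAT gateway next to a stateful filter that does no translation at all, and runs the same three inbound packets through each: an unsolicited connection attempt, a genuine reply to a connection the inside host opened, and a packet from an unrelated host aimed at the live mapping. The addresses are constructed documentation-range values, the full-cone behaviour is an assumption chosen to make the difference visible (real NATs vary), and the firewall only tracks 5-tuples, not TCP flags or sequence numbers.

```python
# Added example: toy NAT gateway versus toy stateful firewall.
# All addresses are constructed (RFC 5737 / RFC 3849 documentation ranges).
from dataclasses import dataclass

INSIDE4, PUBLIC4 = "10.0.0.5", "203.0.113.1"        # private host, NAT public side
SERVER4, OTHER4 = "198.51.100.9", "192.0.2.77"      # legitimate peer, unrelated host
INSIDE6, SERVER6, OTHER6 = "2001:db8::5", "2001:db8:1::9", "2001:db8:2::77"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # True for a connection-opening segment


class FullConeNat:
    """Translation only (assumed full-cone): an outbound packet creates a
    mapping, and any inbound packet to a mapped public port is forwarded
    to the inside host, whoever sent it."""

    def __init__(self):
        self.next_port = 40000
        self.by_inside = {}    # (inside ip, inside port) -> public port
        self.by_public = {}    # public port -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport)
        if key not in self.by_inside:
            self.by_inside[key] = self.next_port
            self.by_public[self.next_port] = key
            self.next_port += 1
        # The private address is rewritten, which is what hurts auditing.
        return Packet(PUBLIC4, self.by_inside[key], p.dst, p.dport, p.syn)

    def inbound(self, p: Packet):
        """Return the translated packet, or None when nothing maps to it."""
        inside = self.by_public.get(p.dport)
        if inside is None:
            return None        # the only 'protection' NAT offers: no mapping yet
        return Packet(p.src, p.sport, inside[0], inside[1], p.syn)


class StatefulFirewall:
    """No translation: remembers each connection the inside host opened and
    admits only packets that are part of one of them (the LNP idea)."""

    def __init__(self):
        self.flows = set()     # (inside ip, inside port, peer ip, peer port)

    def outbound(self, p: Packet) -> Packet:
        if p.syn:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
        return p               # forwarded unchanged; addresses stay end-to-end

    def inbound(self, p: Packet):
        if p.syn:
            return None        # unsolicited connection attempt
        if (p.dst, p.dport, p.src, p.sport) not in self.flows:
            return None        # not a reply to anything the inside host opened
        return p


def compare() -> dict:
    """Send the same three inbound packets through both devices."""
    nat, fw = FullConeNat(), StatefulFirewall()
    # The inside host opens one HTTPS connection through each device.
    nat_out = nat.outbound(Packet(INSIDE4, 51000, SERVER4, 443, syn=True))
    fw_out = fw.outbound(Packet(INSIDE6, 51000, SERVER6, 443, syn=True))
    pub = nat.by_inside[(INSIDE4, 51000)]
    return {
        "nat_hides_source": nat_out.src == PUBLIC4,
        "fw_keeps_source": fw_out.src == INSIDE6,
        # 1. unsolicited inbound SYN: both drop it
        "nat_unsolicited_dropped": nat.inbound(Packet(OTHER4, 4444, PUBLIC4, 22, syn=True)) is None,
        "fw_unsolicited_dropped": fw.inbound(Packet(OTHER6, 4444, INSIDE6, 22, syn=True)) is None,
        # 2. genuine reply from the server: both forward it
        "nat_reply_forwarded": nat.inbound(Packet(SERVER4, 443, PUBLIC4, pub)) is not None,
        "fw_reply_forwarded": fw.inbound(Packet(SERVER6, 443, INSIDE6, 51000)) is not None,
        # 3. unrelated host aiming at the live mapping / connection
        "nat_stranger_forwarded": nat.inbound(Packet(OTHER4, 443, PUBLIC4, pub)) is not None,
        "fw_stranger_dropped": fw.inbound(Packet(OTHER6, 443, INSIDE6, 51000)) is None,
    }


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

The NAT and the firewall agree on the first two cases, which is why NAT looks like a firewall; they part ways on the third, where the translator has no notion of which peer the connection belongs to. The firewall gives the same "no unsolicited inbound" behaviour on globally routable IPv6 addresses while leaving the source address intact for logging. In a real deployment the firewall half corresponds to a default-deny IPv6 filter with an `established,related` connection-tracking accept rule, which is the stateful filtering RFC 4864 relies on instead of translation.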

2 of 4
paolo.franzoi 12/5/2012 | 4:56:00 PM
re: IPv6 Security: 5 Things You Need to Know

I don't disagree with your assertion about the effectiveness of blacklists. What I was disagreeing with was your assertion that attack vectors once established become unestablished. There are new ones all the time. The bigger issue is that very legitimate sites are often the source of attacks. Mom and Dad and Junior (1 consumer) is easier to deal with than say a compromised host at CNN or a compromised ad being displayed by Light Reading (like say a Flash ad).

seven

jdbower 12/5/2012 | 4:56:00 PM
re: IPv6 Security: 5 Things You Need to Know

I'll grant you spambot blacklists are more effective (but still a bandage on a fundamentally broken system); relying on blacklists for real security versus just spam is much more painful. Blocking Mom and Dad from accessing MegaBank.com because Junior has illusions of being an Anonymous vigilante is bad business. Blocking outbound SMTP traffic from a typical consumer IP address doesn't hurt anyone. Most of the time...

jdbower 12/5/2012 | 4:56:00 PM
re: IPv6 Security: 5 Things You Need to Know

"Lots of folks use IP blacklists...which of course become useless with IPv6"

So no change with IPv6, then. ;)

I've never liked blacklists, attacks come from Internet cafes, anonymous proxies and flash mobs, not static IP addresses.

paolo.franzoi 12/5/2012 | 4:56:00 PM
re: IPv6 Security: 5 Things You Need to Know

jd,

Actually that is not true. The C&C hosts and many of the spambots are quite static. There is also a significant amount of movement. Once a host is compromised and used for attacks, the attackers don't give it up.

seven

paolo.franzoi 12/5/2012 | 4:56:01 PM
re: IPv6 Security: 5 Things You Need to Know

Lots of folks use IP blacklists...which of course become useless with IPv6 until those same blacklists get replicated across. If you use products that rely on blacklists (for example mail filters from Barracuda Networks) then you are in a world of hurt.

seven

PS - The link that has the page title at the bottom of Page 3 goes back to Page 3 and not on to Page 4.
