Will IPv6 Make Us Unsafe?





IT pros who see NAT as essential to network security are worried about a wide-open, any-to-any connection model. Should they be?

By Jeff Doyle, InformationWeek
May 28, 2011 12:00 AM

We see security as a major stumbling block in enterprise migrations from IPv4 to IPv6. For starters, the code is mostly untested, and too few of our current network security products support IPv6, something the black hat community is banking on. And there's widespread confusion--the idea that some characteristics of IPv6 make it intrinsically more secure than IPv4 is, sadly, just plain false, and information security teams are largely in the dark on how to help their companies safely transition.

Consider the "NAT-bashing" slide, a fixture in IPv6 presentations. Presenters gleefully list all the reasons Network Address Translation is evil, and explain how an abundance of IPv6 addresses will finally let us eliminate what was always supposed to be a temporary address-conservation kludge and get back to a true peer-to-peer Internet. High-fives ensue.

Except, IT security professionals don't share the enthusiasm. Let's face it, IPv6 idealists can wave their fists at NAT all they want, but there are legitimate concerns about losing the ability to shield internal address schemes.

No wonder, then, that among the sessions InformationWeek Analytics presented at the recent Interop conference, by far the most popular was our program on IPv6 with a focus on security. A quick show of hands revealed that most attendees are still in the planning stages of their deployments, par for the course among companies we work with. The good news is that they can take advantage of the lessons learned by telecom carriers and ISPs, which tend to be well along the road to IPv6. And while many conventional enterprise security systems will need to change to work in a v6 network, the upgrade also provides opportunities for improvement--possibly even an outright reimagining of your security strategy.

I remember days when some office with DSL had a handful of IPs and all of their PCs were facing the internet ... no firewalls ... running Windows 98
