IPv6: An answer to network vulnerabilities?
Never mind the deadline. Agencies have compelling security reasons to switch to IPv6, writes NCP Engineering's Julian Weinberger.
On Aug. 15, 2012, in one of the most devastating cyberattacks ever recorded, politically motivated hackers wiped the memory of more than 30,000 computers operated by the Saudi Aramco oil company in an attempt to stop the flow of oil and gas to local and international markets.
The United States took notice of the attack, with then-Defense Secretary Leon Panetta later remarking that a similar attack on critical U.S. infrastructure, including water and electrical facilities, would cause unparalleled destruction and upheaval.
Two years later, despite steps to shore up the nation's network security defenses, cyberattacks remain seemingly ubiquitous and advanced persistent threats (APTs) are starting to exploit a broader range of threat vectors. In May, the January-April 2014 report of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team revealed that a public utility company in the U.S. had been breached by a "sophisticated threat actor." Fortunately, the attack did not disrupt operational capabilities.
However, as the report says, the attack is a wake-up call to government agencies to re-architect and secure their control networks, particularly "security controls employed at the perimeter." To prevent Panetta's worst-case prediction from becoming reality, government agencies must construct an end-to-end, intelligent security environment that includes interconnected components such as firewalls, virtual private networks, role- and attribute-based access control systems, intrusion-prevention systems and antivirus software.
One of the first steps they should take in the next few months, however, is to meet new IP address requirements.
The security benefits of IPv6
The first version of the IP address system, IPv4, was developed in 1981 and only allowed for 4.3 billion unique IP addresses to be assigned to Internet-enabled devices. But now, given that the Internet of Things could potentially encompass 26 billion devices by 2020, IPv4 is no longer sufficient to meet demand. The new IPv6 protocol, with its 128-bit addresses that have more combinations than there are known stars in the galaxy, is slowly being rolled out and is expected to solve that problem.
So what does IPv6 mean for government agencies and their network security efforts?
For nearly four years, federal agencies have been preparing for two IPv6 deadlines issued by previous U.S. CIO Vivek Kundra. The first deadline of Sept. 30, 2012, required agencies to upgrade their public-facing websites to IPv6. By the next deadline of Sept. 30, 2014, federal agencies must have upgraded all internal client applications to the new protocol.
However, the transition to IPv6 isn't strictly for logistical reasons.
According to Elise Gerich, a vice president at the Internet Corporation for Assigned Names and Numbers, "rapid adoption of IPv6 is a necessity" to maintain the economic growth brought forth by the Internet. The White House has made a similar connection, with President Barack Obama declaring cybersecurity threats to be "one of the most serious economic and national security challenges we face as a nation."
IPv6 helps government agencies combat those threats. Unlike its predecessor, the new protocol contains the universal, end-to-end encryption and integrity-checking technology used by the most secure IP Security-based VPNs. It also has secure name-resolution capabilities, rendering man-in-the-middle and naming-based attacks much more difficult to accomplish. Best of all, its advanced security features will work natively for all IPv6 connections on all compatible devices and systems.
IPv6 will reinforce the network security defenses of government agencies, but adoption of the protocol is only the first step.
An in-depth look at defense in depth
To fully protect against breaches like the recent attack on a public utility company, government agencies must take their network security a step further by adopting a robust, multilayered defense-in-depth strategy. The value of this approach has been proven at the enterprise level, where it has been shown to build redundancy into organizations' information security infrastructure to deal with new, emerging threats, such as APTs, that are aided by the increasing variety of devices and operating systems that are accessing networks. Even if there is a breach of a perimeter safeguard, such as a network firewall, other interconnected defense mechanisms -- such as VPNs, access control systems and intrusion-prevention systems -- can work together to repel the attack or prevent it from progressing further into the network.
And how does IPv6 fit in with a defense-in-depth approach? As mentioned, the basic security technology of IPv6 is IPsec, and when used in the context of securing communications with government networks, its security capabilities include virtually unbreakable encryption, secure key exchange, access control and protection against replay attacks, among other features.
By implementing a centrally managed VPN and a network of IPv6-enabled devices as part of a defense-in-depth strategy, an agency is able to limit the vulnerabilities of its network and verify that all endpoints are compliant with the agency's network security policies.
So why take a chance and wait until Sept. 30 to upgrade to IPv6? Attackers won't wait until that deadline -- and neither should government agencies.