IPv6: An answer to network vulnerabilities?

On Aug. 15, 2012, in one of the most devastating cyberattacks ever recorded, politically motivated hackers wiped the memory of more than 30,000 computers operated by the Saudi Aramco oil company in an attempt to stop the flow of oil and gas to local and international markets.

The United States took notice of the attack, with then-Defense Secretary Leon Panetta later remarking that a similar attack on critical U.S. infrastructure, including water and electrical facilities, would cause unparalleled destruction and upheaval.

Two years later, despite steps to shore up the nation's network security defenses, cyberattacks remain seemingly ubiquitous and advanced persistent threats (APTs) are starting to exploit a broader range of threat vectors. In May, the January-April 2014 report of the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team revealed that a public utility company in the U.S. had been breached by a "sophisticated threat actor." Fortunately, the attack did not disrupt operational capabilities.

However, as the report says, the attack is a wake-up call to government agencies to re-architect and secure their control networks, particularly "security controls employed at the perimeter." To prevent Panetta's worst-case prediction from becoming reality, government agencies must construct an end-to-end, intelligent security environment that includes interconnected components such as firewalls, virtual private networks, role- and attribute-based access control systems, intrusion-prevention systems and antivirus software.

One of the first steps they should take in the next few months, however, is to meet new IP address requirements.

The security benefits of IPv6

The first version of the IP address system, IPv4, was developed in 1981 and only allowed for 4.3 billion unique IP addresses to be assigned to Internet-enabled devices. But now, given that the Internet of Things could potentially encompass 26 billion devices by 2020, IPv4 is no longer sufficient to meet demand. The new IPv6 protocol, with its 128-bit addresses that have more combinations than there are known stars in the galaxy, is slowly being rolled out and is expected to solve that problem.

So what does IPv6 mean for government agencies and their network security efforts?

For nearly four years, federal agencies have been preparing for two IPv6 deadlines issued by previous U.S. CIO Vivek Kundra. The first deadline of Sept. 30, 2012, required agencies to upgrade their public-facing websites to IPv6. By the next deadline of Sept. 30, 2014, federal agencies must have upgraded all internal client applications to the new protocol.

However, the transition to IPv6 isn't strictly for logistical reasons.

According to Elise Gerich, a vice president at the Internet Corporation for Assigned Names and Numbers, "rapid adoption of IPv6 is a necessity" to maintain the economic growth brought forth by the Internet. The White House has made a similar connection, with President Barack Obama declaring cybersecurity threats to be "one of the most serious economic and national security challenges we face as a nation."

IPv6 helps government agencies combat those threats. Unlike its predecessor, the new protocol contains the universal, end-to-end encryption and integrity-checking technology used by the most secure IP Security-based VPNs. It also has secure name-resolution capabilities, rendering man-in-the-middle and naming-based attacks much more difficult to accomplish. Best of all, its advanced security features will work natively for all IPv6 connections on all compatible devices and systems.

IPv6 will reinforce the network security defenses of government agencies, but adoption of the protocol is only the first step.

An in-depth look at defense in depth

To fully protect against breaches like the recent attack on a public utility company, government agencies must take their network security a step further by adopting a robust, multilayered defense-in-depth strategy. The value of this approach has been proven at the enterprise level, where it has been shown to build redundancy into organizations' information security infrastructure to deal with new, emerging threats, such as APTs, that are aided by the increasing variety of devices and operating systems that are accessing networks. Even if there is a breach of a perimeter safeguard, such as a network firewall, other interconnected defense mechanisms -- such as VPNs, access control systems and intrusion-prevention systems -- can work together to repel the attack or prevent it from progressing further into the network.

And how does IPv6 fit in with a defense-in-depth approach? As mentioned, the basic security technology of IPv6 is IPsec, and when used in the context of securing communications with government networks, its security capabilities include virtually unbreakable encryption, secure key exchange, access control and protection against replay attacks, among other features.

By implementing a centrally managed VPN and a network of IPv6-enabled devices as part of a defense-in-depth strategy, an agency is able to limit the vulnerabilities of its network and verify that all endpoints are compliant with the agency's network security policies.

So why take a chance and wait until Sept. 30 to upgrade to IPv6? Attackers won't wait until that deadline -- and neither should government agencies.

About the Author

Julian Weinberger is an international system engineer at NCP Engineering.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Sat, Aug 23, 2014 Jesse

Why WAIT??? They have already had over 10 years to get ready. The real question is "WHY haven't they already upgraded?"

Wed, Aug 20, 2014 Julian Weinberger

MC - Thanks for pointing out that typo and that is absolutely true. The article has been corrected.

Tue, Aug 19, 2014 MC

"The new IPv6 protocol, with its 32-bit addresses that have more combinations than there are known stars in the galaxy, is slowly being rolled out and is expected to solve that problem. " This is incorrect, IPv6 addresses use 128 bits for the address field. IPv4 used 32 bits for the address field

Tue, Aug 19, 2014 Troy K. Schneider, FCW Editor-in-Chief Vienna, Va.

KW: That's a fair point. In Weinberger's defense, however, he drafted this essay some time ago. But perhaps a better way of framing it is that agencies shouldn't let deadline-compliance be the driver -- there are mission-driven reasons to move aggressively to IPv6.

Tue, Aug 19, 2014 KW

The last sentence in this article makes the upgrade to IPv6 seem trivial by suggesting... Why Wait until Sept 30th to upgrage to IPv6? The truth is the IPv6 upgrade requires many months of planning, procurement, testing and implementation and is far from trivial.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group