Page 19 - index
P. 19
IT Pros Beware: The Security Risks of Shadow IPv6
By Chris LaPoint, Vice President, Product Management, SolarWinds
The impending transition from IPv4 to IPv6 has been an ongoing discussion for years—the Internet
is running out of IPv4 addresses, IPv4 isn’t “future-proof,” IPv6 will make managing networking
services much easier, and so on. However, despite the buzz, IPv6 addresses still make up just four
percent of today’s Internet. And adoption will likely continue to be slow—mostly due to costs
associated with making the switch.
However, IT pros should not be fooled by this, as it’s highly likely IPv6 is already enabled and
operational in many organizations whether they know it or not, creating “shadow networks” of
unmanaged IPv6-enabled devices that can pose significant security risks. So, the question is not
when IT pros should begin managing IPv6, but rather what can be done today to manage IPv6.
Origins of Shadow IPv6
IT pros may ask how, if they haven’t yet transitioned from IPv4, do shadow IPv6 networks exist in
their organizations? The reality is that many network devices enable IPv6 by default—think
expansion, BYOD or system lifecycle replacement.
So, even though IT may not have formally made the switch to IPv6, it’s actually natively enabled on
the network—and just like an open TCP can pose security risks, unmanaged IPv6 raises security
concerns.
It should be noted that while IPv6 does not inherently make the network less secure; it is neglecting
to actively manage IPv6 that can introduce security risks. For example, the existence of IPv6 on the
network introduces the need for new processes and controls for comprehensive IP address
management, and for those who haven’t actually transitioned, these likely have not been
implemented.
Without these new processes and controls, there could be a covert route in and out of the network,
presenting security vulnerabilities that can go undetected.
Eliminating the Risk by Tackling IPv6 Now
To truly bridge the IPv4-IPv6 gap and avoid security issues associated with shadow IPv6, there are
several best practices IT can employ now, before it’s too late.
First, IT pros should try to simplify the whole process of IP address management—for both IPv4 and
IPv6—in order to eliminate network conflicts and outages, track critical assets, ensure network
security and provide reports based on a wide range of parameters, including IP address status.
In terms of processes, IT should identify and document devices that currently support IPv6, map
existing IPv4 space and proposed IPv6 space and document devices that need to be
added/replaced for IPv6 support.
19 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
