






Finally, to find the shadow IPv6 already lurking on networks, IT should take the following into
consideration:

• Multicast: IPv6 does not support IPv4 “broadcast” addresses. Rather, it expands the use
of multicast addresses, which can be used to deliver additional capabilities like service
solicitation and address resolution. As a result, well-known multicast addresses may be
exploited to reveal unpublished resources like critical core devices or application
servers. Once identified, these resources then become the target of more malicious
actions. To combat this issue, IT pros should carefully manage and explicitly enable
multicast configurations and associated protocols and services as needed.

• Stateless Address Auto-Configuration (SLAAC): IPv6 provides a default, automated
method for an IPv6 host to obtain an IP address without manual configuration or
interaction with a DHCP server. This means it’s possible for a device to operate
stealthily on a network. To manage this risk, IT should disable SLAAC and use DHCPv6.
This will provide a single means of maintaining visibility and controlling access to the
network.

• Security Controls: It’s entirely possible that some security controls (e.g., firewalls, filters,
NIDS, etc.) either don’t work with IPv6 or have not been configured to work with IPv6,
which can potentially let IPv6 hosts onto the network undetected and IPv6 traffic go
unmonitored. Many studies document how malicious tools can be used to detect IPv6-
capable hosts, take control of IPv6 auto-configuration and begin tunneling IPv6 traffic in
and out of IPv4 networks undetected. One way to address this risk is to either verify
appropriate IPv6 security controls are in place, or aggressively filter or block IPv6 traffic
as needed.

• Vulnerabilities: Many vendors have supported IPv6 for a number of years, but the
process of hardening these implementations is ongoing. As a result, new vulnerabilities
will inevitably be discovered and exploited, which can lead to a loss of system
confidentiality, integrity and availability. To combat this, it’s important for IT to identify at-
risk hosts and actively manage security updates.
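
A visibility check for the SLAAC item above, as an added example that is not from the original article: it compares an IPv6 neighbor table against the DHCPv6 lease list and reports global addresses that no lease accounts for, noting which ones were derived from the MAC address by SLAAC (modified EUI-64). The sample `ip -6 neigh show` output, the lease set and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ip -6 neigh show` output (documentation prefix 2001:db8::/32).
NEIGH_SAMPLE = """\
fe80::a00:27ff:fe4e:66a1 dev eth0 lladdr 08:00:27:4e:66:a1 REACHABLE
2001:db8:10:0:a00:27ff:fe4e:66a1 dev eth0 lladdr 08:00:27:4e:66:a1 REACHABLE
2001:db8:10::1f4 dev eth0 lladdr 52:54:00:12:34:56 STALE
2001:db8:10:0:9c1d:3b7e:51aa:e204 dev eth0 lladdr 3c:22:fb:9a:01:02 DELAY
2001:db8:10::dead dev eth0 FAILED
"""

# Constructed set of addresses the DHCPv6 server has leased.
DHCPV6_LEASES = {"2001:db8:10::1f4"}


def eui64_iid(mac):
    """Return the 8-byte interface identifier SLAAC derives from a MAC."""
    b = bytearray(int(part, 16) for part in mac.split(":"))
    b[0] ^= 0x02  # modified EUI-64 flips the universal/local bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def find_shadow_hosts(neigh_text, leases):
    """List (address, mac, kind) for global addresses with no DHCPv6 lease."""
    leased = {ipaddress.IPv6Address(a) for a in leases}
    findings = []
    for line in neigh_text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue  # FAILED/INCOMPLETE entries: no host answered
        addr = ipaddress.IPv6Address(fields[0])
        mac = fields[fields.index("lladdr") + 1]
        if addr.is_link_local or addr in leased:
            continue  # link-local is always present; leased hosts are known
        if addr.packed[8:] == eui64_iid(mac):
            kind = "slaac-eui64"      # interface ID built from the MAC
        else:
            kind = "unleased-other"   # privacy/temporary or static address
        findings.append((fields[0], mac, kind))
    return findings


if __name__ == "__main__":
    for finding in find_shadow_hosts(NEIGH_SAMPLE, DHCPV6_LEASES):
        print(*finding)
```

Addresses reported as `unleased-other` still need investigation: SLAAC privacy addresses and manually assigned addresses do not embed the MAC, so only the missing lease reveals them.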

The fact of the matter is that IPv4 and IPv6 will continue to coexist for the foreseeable future, further
compounding the risks of shadow networks.


There will be an ever-growing need to identify and track IPv6 devices; concurrently manage IPv4
and IPv6 address blocks, DHCP and DNS services; monitor IPv4 and IPv6 resources and tasks; and
reduce administrative burden as IP-connected devices continue to proliferate.

To sustain future growth, the most effective way to manage the shift is to allow networks to support
both IPv4 and IPv6 simultaneously. The end result will take a tremendous burden off network
administrators by providing centralized visibility and management while having a positive effect on
network uptime and security.





20 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
