Cheat Sheet for Securing IPv6 Networks

With the latest estimates that IPv4 addresses will be exhausted before 2012, the government is stepping up efforts to ensure that agencies can capably use Internet Protocol Version 6 sooner rather than later. In particular, systems administrators and network managers will need to delve into system security settings and assess the readiness of all network devices.

In its new Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government, the CIO Council notes that “IPv6 upgrades involve technology refresh that many federal network architects are unfamiliar with” and recommends testing changes to devices, applications and services in simulation environments before wide deployment.

December 2009: Deadline for agencies to add Domain Name System Security Extensions cryptographic authentication services to DNS servers

SOURCE: OMB Memorandum M-08-23

For security, the road map recommends that agencies:

• Develop comprehensive IPv6 security plans and associated IPv6 policies within the IPv6 addressing rollout plan.

• Prepare routers and switches by:

  • disabling IPv6 tunnels unless and until required by the IPv6 addressing and security plans;

  • implementing Access Control Lists to block IPv6 traffic and/or tunnels on core, edge and outside perimeters unless and until required by the IPv6 addressing and security plans.

• Upgrade network protection devices and tools for IPv6 support.

• Enable IPv6 intrusion detection and prevention system features.

• Enable IPv6 host firewalls on all end devices.

• Disable IPv6 on routers, infrastructure devices, servers and hosts unless and until required by the IPv6 addressing and security plans.

• Expand core and perimeter boundary monitoring to incorporate IPv6 and IPv6-in-IPv4 tunnels.
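
To illustrate the tunnel-blocking and tunnel-monitoring items above, the following Python example (added here, not taken from the article or the CIO Council guide) classifies raw IPv4 packets that carry tunneled IPv6: IP protocol 41 (6in4, 6to4, ISATAP) and Teredo on UDP port 3544. The function names, labels and sample packets are constructed for this example.

```python
import ipaddress
import struct
from typing import Optional

PROTO_IPV6 = 41      # IANA protocol number: IPv6 encapsulated in IPv4 (6in4, 6to4, ISATAP)
PROTO_UDP = 17
TEREDO_PORT = 3544   # Teredo service port (RFC 4380)

def classify(pkt: bytes) -> Optional[str]:
    """Label an IPv4 packet that carries tunneled IPv6, or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # header length, including options
    if ihl < 20 or len(pkt) < ihl:
        return None
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:
        # 6to4 uses 2002::/16 for the inner IPv6 source or destination
        if len(payload) >= 40 and b"\x20\x02" in (payload[8:10], payload[24:26]):
            return "6to4"
        return "ipv6-in-ipv4"
    if proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None

# --- constructed sample packets (documentation addresses, checksums left at 0) ---
def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    ver_ihl = 0x40 | ((20 + len(options)) // 4)
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address("198.51.100.7").packed,
                      ipaddress.ip_address("203.0.113.9").packed)
    return hdr + options + payload

def ipv6_header(src: str, dst: str) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

SAMPLES = {
    "6in4": ipv4(PROTO_IPV6, ipv6_header("2001:db8::1", "2001:db8::2")),
    "6to4": ipv4(PROTO_IPV6, ipv6_header("2002:c633:6407::1", "2001:db8::2")),
    "teredo": ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0)),
    "teredo_opts": ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0), b"\x01" * 4),
    "dns": ipv4(PROTO_UDP, struct.pack("!HHHH", 50000, 53, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} -> {classify(pkt)}")
```

The Teredo match is a port heuristic: it only sees traffic to or from the server port, so it supplements rather than replaces an ACL that blocks protocol 41 and UDP 3544 at the perimeter.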

The guide also points out that agencies will have to think about how they incorporate changes so that they comply with other security efforts, such as the Trusted Internet Connection and Federal Desktop Core Configuration mandates. When it comes to FDCC, for instance, agencies will have to align their IPv6 requirements with the remote-access requirements, virus and firewall scanning capabilities, support for centralized management and default configuration settings already established for most of their end-user systems.

Jul 28 2009