Data Center

Cheat Sheet for Securing IPv6 Networks

With the latest estimates that IPv4 addresses will be exhausted before 2012, the government is stepping up efforts to assure that agencies can capably use Internet Protocol Version 6 sooner rather than later. In particular, systems administrators and network managers will need to delve into system security settings and assess readiness of all network devices.

Cheat Sheet for Securing IPv6 Networks

In its new Planning Guide/Roadmap Toward IPv6 Adoption within the U.S. Government, the CIO Council notes that “IPv6 upgrades involve technology refresh that many federal network architects are unfamiliar with” and recommends testing changes to devices, applications and services in simulation environments before wide deployment.

December 2009

Deadline for agencies to add Domain Name System Security Extensions cryptographic authentication services to DNS servers

SOURCE: OMB Memoradum M-08-23

For security, the road map recommends that agencies:

• Develop comprehensive IPv6 security plans and associated IPv6 policies within the IPv6 addressing rollout plan.

• Prepare routers and switches by

• disabling IPv6 tunnels unless and until required by the IPv6 addressing and security plans;

• implementing Access Control Lists to block IPv6 traffic and/or tunnels on core, edge and outside perimeters unless and until required by the IPv6 addressing and security plans.

• Upgrade network protection devices and tools for IPv6 support.

• Enable IPv6 intrusion detection and prevention system features.

• Enable IPv6 host firewalls on all end devices.

• Disable IPv6 on routers, infrastructure devices, servers and hosts unless and until required by the IPv6 addressing and security plans.

• Expand core and perimeter boundary monitoring to incorporate IPv6 and IPv6-in-IPv4 tunnels.

The guide also points out that agencies will have to think about how they incorporate changes so that they comply with other security efforts, such as the Trusted Internet Connection and Federal Desktop Core Configuration mandates. When it comes to FDCC for instance, agencies will have to align their IPv6 requirements with the remote-access requirements, virus and firewall scanning capabilities, support for centralized management and default configuration settings already established for most of their end-user systems.

Off the Shelf

What: “Social Media and the Federal Government: Perceived and Real Barriers and Potential Solutions” by Bev Godwin (General Services Administration), Sheila Campbell (GSA), Jeffrey Levy (Environmental Protection Agency) and Joyce Bounds (Veterans Affairs Department)

Recommended by: Beth Noveck, deputy chief technology officer for open government, Office of Management and Budget

Why: These insights from the Federal Web Managers Council can help agencies craft better policies for using new social media tools. It was suggested as useful guidance by government officials, according to Noveck, who in turn posted it as a discussion source for a White House online open-government brainstorming session.

Takeaway: This document, which can be found under the “Social Media” link on www.usa.gov/webcontent, identifies several common reasons — some technical, some procedural and some cultural — why agencies avoid using social media and then provides suggested solutions. The goal of the paper, the authors say, is to help create “greater consistency and a clearer understanding of what is expected and permitted across federal agencies” because social media is the No. 1 topic of discussion within the federal web manager community.