One of the more subtle aspects of and bigger lessons learned from IPv6 from a security perspective is how easy a technology developed to solve a specific problem can wind up being misappropriated.
IPv6 was originally created to address the problems being caused by the shortage of IPv4 addresses, but it turns out that unless it's carefully managed, someone looking to do harm could set up a back channel on a corporate network using IPv6 that the security team may know nothing about.
Speaking at the RSA Conference 2012 this week, Check Point Software Technologies fellow Robert Hinden noted that because IPv6 now comes as a default option on new server operating system software, end users inadvertently or on purpose can wind up creating an IPv6 network that is invisible to existing security products. Beyond making sure their security infrastructure is IPv6-compatible, Hinden said security professionals need to block the deployment of IPv6 transition tunnels, which are a mechanism that allows IPv6 sites to communicate with each other over the IPv4 network without setting an explicit tunnel.
While the transition to IPv6 will be taking place over an extended period of time, Hinden said there’s no doubt that the potential for security miscues is high, especially if hackers find ways to turn on IPv6 remotely to create their own back channel into the enterprise.
Beyond making sure your organization has security technologies in place that are compatible with IPv6, there is no silver-bullet solution to the IPv6 problem beyond continuing education and ongoing vigilance. But Hinden said when it comes to IPv6 security, awareness -- as it is with almost any security issue -- is half the battle.