Home / Blogs

IPv6 Security Myth #10: Deploying IPv6 is Too Risky

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
Chris Grundemann

After a quick break to catch our breath (and read all those IPv6 Security Resources), it's now time to look at our tenth and final IPv6 Security Myth. In many ways this myth is the most important myth to bust. Let's take a look at why:

Myth: Deploying IPv6 Makes My Network Less Secure
Reality: Deploying IPv6 Now is the Best Way to Ensure Ongoing Network Security

I can hear you asking "But what about all those security challenges we identified in the other myths?" To really dig into this, let's walk through the first 9 IPv6 Security Myths and see what turns up:

In Myth #1 we learned that IPv6 traffic often shows up on networks long before that network has deployed IPv6. Once you know that "Your Devices are Using IPv6" and "Your Users are Using IPv6" it's easy to see that the best way to mitigate risk on your network is by turning on and protecting IPv6 now. You can't protect against what you can't see.

Myth #2 may have scared many of you, and it should have! Network security is all about mitigating risks. Knowing where the risks are hiding is the first step. Any good security expert must be a little paranoid, always seeking out potential sources of harm. We must also take a step back from these risks and look at the big picture though. When we do this, it is clear that Myth #2 provides a set of risks that must be considered. However a careful examination will show that none of them are serious enough to prevent the deployment of IPv6. The bottom line remains that securing an IPv6 host or IPv6 network does not happen automagically. It takes the same forethought and diligence required to secure any valuable asset. Hopefully the challenges outlined in Myth #2 give you a head start in that process.

Myth #3 showed us that deploying IPv6 allows the removal of NAT devices, which is a good thing as long as they are replaced by stateful firewalls. NAT is not a security feature and removing NAT from your network will NOT make it less secure. In fact, it may actually increase your overall security.

In Myth #4 we discovered that IPv6 networks are not, in fact, too big to scan. Of course, we also learned several ways to keep them much harder to scan than comparable IPv4 networks. In the end, the larger address space remains an advantage for IPv6.

Myth #5 showed us that while "privacy addresses" are not perfect, there are several options for maintaining user privacy in IPv6 networks. This is another area where attention should be paid but full-on paranoia is likely unwarranted.

Myth #6 introduced us to some existing IPv6 security tool-kits and repositories of IPv6 bugs and vulnerabilities. The great news here is that they are all publicly available. This means that you can use them to probe, test, and harden your own network before the bad guys get their chance!

In Myth #7 we examined many of the fundamental differences between IPv4 and IPv6 from a security perspective. As I'm sure you'll agree, there is a need for training and awareness of these differences in order to maintain network security when deploying IPv6. What I think is just as clear is that none of these changes make IPv6 any less secure than legacy IPv4 networks.

Myth #8 is all about ensuring that you get what you pay for. The need to document, verify, and test network security gear is not new. You must treat IPv6 like you would any other new technology being deployed on your network. Ensure that all new equipment meets your specific needs, and remember to trust but verify when it comes to IPv6 support.

Finally, in Myth #9 we learned that we're not alone! There are IPv6 security resources out there for us to reference and learn from. When it comes to network security, knowing the risks ahead of time may make it scarier, but it also makes it safer to deploy.

In summary, these nine IPv6 security myths have given us the tools and information we need to securely deploy IPv6. So what about today's myth?

Myth: Deploying IPv6 is Too Risky
Reality: Deploying IPv6 Now Lowers Your Risk

The bottom line here is that the sooner you deploy IPv6, the more secure your network will be in the long run. From giving you visibility into the IPv6 that may already be on your network, to giving you time to find and mitigate IPv6 risks, to providing staff more time for training and experience; all indicators suggest that your best bet is to deploy IPv6 today.

By Chris Grundemann, Internet Technologist, Author, and Speaker; Principal Architect at Myriad Supply. More blog posts from Chris Grundemann can also be read here.

Related topics: Cybersecurity, IPv6, Networks

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic