Planning a secure IPv6 migration: Qing Li, Blue Coat Systems


Qing Li, Chief Scientist & IPv6 Technology Leader, Blue Coat Systems

As IPv6 technology leader for Blue Coat Systems, Chief Scientist Qing Li works with customers of the carrier-level application systems delivery provider to help them transition their networks to the IPv4-IPv6 dual stack environment. Chief among his concerns is that the security of those networks is maintained both during and after the transition.

Li spoke with FierceTelecom's Sam Bookman about what providers and enterprises need to watch for when planning their IPv6 transition, and how IT staff plays a critical role in a successful migration.

FierceTelecom: Blue Coat is an Application Delivery Network (ADN) provider. How are you or your clients participating? How is that going to be structured?

Qing Li: Blue Coat has been providing IPv6 solutions in the secured gateway and also WAN optimization markets since late 2009. Our customers, which include both large enterprise customers as well as service providers, are actually using Blue Coat to participate in that event. So we're participating in the event by helping our clientele. In addition, Blue Coat has already registered for the event and we're currently accessible over IPv6. If you go to the World IPv6 (Day) link you will see Blue Coat listed there, and you will see that we do have an official registered IPv6 address and the website is accessible through both IPv4 and IPv6 natively.


FT: In terms of WAN optimization and web security, are you helping your clients focus on improved Web security through IPv6 and helping them see the benefits of it?

QL: One of the fears of adopting IPv6 is that IT staff have been training themselves over the last decade to perfect the arcane securities of IPv4. And that expertise in security came from years of operation and years of learning from mistakes. I think there's a huge fear out there because quite a few IT staff haven't had the chance to really operate IPv6 natively, they haven't had the experience, and they're still going through the learning curve. So their fear is really about, 'If I adopt IPv6 tomorrow or soon, am I going to be opening up security holes that do not exist today in IPv4 infrastructure? Am I going to be adopting IPv6 and at the same time expanding the attack surface for my network?'

With Blue Coat solutions, because we are an integral part of the security market and the security infrastructure today, the enterprises and the service provider networks and also various government branches--it's a proven solution. So we're taking that expertise and the maturity in the technology and we've transformed our solution to support IPv6. So if you're an existing Blue Coat customer and you already adopt our security products today, then by simply doing a software upgrade, now you have the same set of capabilities that you had in IPv4 become available in IPv6.

Our security--we're talking about application security, we're talking about services security--we're talking about securities that center around users and application in addition to Layer 3 IP security, etc.

What we're hoping to do is really increase the comfort zone, increase the comfort level for the IT staff. At the same time, while they're still learning IPv6, while they're still learning how to operate v6 efficiently, by deploying Blue Coat solutions they have a very secure sandbox to play in. By deploying Blue Coat today, they can confidently deploy IPv6 without worrying about opening up additional security threats inside their infrastructure.

FT: As far as your clients, what are your predictions for how the testing will go? What kind of results will they see, from the Web security angle and overall?

QL: Our customers have been deploying Blue Coat's IPv6 secure web gateway since late 2009. ... We haven't seen any major issues in that deployment. There are quite a few companies out there that already had their IPv6 portals completely running 6-to-4 operations back in 2009, including Sony, for example.


What we are going to see is that there could be a lot of different users coming from various regions around the globe. We're in the mode of data collection. I don't think anybody can really predict how that day is going to go, but we're hoping that we can, by doing data collection and subsequent forensics analysis, we can see what kind of security threats that may be surfacing in the IPv6 world. We can see where the users are coming from, where they're reaching, where they're accessing, and how they're accessing the resources. And is any suspicious traffic being generated from a specific source or from a specific country? Those are the kinds of things that we will be looking at. Is there any kind of tunnel traffic that's trying to circumvent certain types of firewall rules? Because we can log traffic. So those are the things that we're going to be looking closely at.

I think a lot of organizations that have been running IPv6 for years, World IPv6 Day is kind of an external event that tries to accelerate IPv6 adoption in the sense that, during that day, if your operation doesn't go as smoothly and if your website goes down periodically, it's tolerable, it's acceptable, because that's what that day is meant for: experimentation. The day is to help you assess the readiness of your infrastructure and discover issues with the deployment. It's really trying to create a concrete example for organizations to embrace IPv6, open up their portals, make their services accessible to native IPv6, and then discover issues, so after that day they can make their service much more readily available through IPv6 infrastructure.


FT: Will there be additional challenges companies need to look at right away after World IPv6 Day?

QL: Absolutely. They're only opening limited portals to the outside world, and the exposure is only 24 hours. If you think about it, corporations' services are on 24x7. There's going to be a lot of security challenges. How do you safeguard your IT infrastructure, hide the internal infrastructure over IPv6? Because for the most part we won't see many network address translation (NAT) devices deployed over IPv6.

You're going to see a lot of projects being deployed like Blue Coat's solutions that can help organizations hide their infrastructure. But if you're going to make your services available, always on and always available, you're going to have to worry about security threats like malware, botnets, spyware, traffic being generated from inside toward the outside, and various attacks that may be surfacing from the outside. And you have to assess your attack surface of your infrastructure; you have to analyze not only your infrastructure at Layer 3, Layer 4, and Layer 5, but you also have to worry about the application side. You have to worry about the services: Is there any tunneled traffic? Do you have any encrypted traffic? Is the encrypted traffic IPsec or SSL based? Do you have visibility in streaming encrypted traffic over IPv6? Do you have any covert channels being constructed over IPv6? There's going to be a ton of issues.

Hopefully through that day you begin to realize some of the challenges. To really produce a to-do list right after, if you want to have your services constantly being available over IPv6, you have to work all those security issues one by one. And at the top of your list should be, how do you transform the existing security policies from IPv4 and migrate those policies into IPv6?

What we do know from our past experience with customers over the years is that a lot of those security policies that you deploy today in IPv4 cannot and may not be possible to translate to IPv6 security policies purely through a syntactical translation. You really have to conduct a thorough analysis, understand what those security policies are for against what types of attacks, and then semantically reproduce those types of security policies in IPv6. Those security policies may be more so... you may have five different policies in IPv6 to cover one security policy that you wrote back in IPv4 days. So there's going to be a lot of security problems and challenges, and you really have to cover more areas.
