IPv6 security a growing concern as Blue Coat, Akamai note malware, exploits

Samantha Bookman, FierceTelecom

According to some of the equipment vendors and networking providers out there, 2012 is the year for IPv6 adoption. In many ways that's true, as enterprise IT departments last year faced up to the reality that new IPv4 addresses really are no longer available and that eventually--not right away, but a few years down the road--their IP network will use only v6 addressing protocols. A July 2011 survey by Infonetics Research found that 83 percent of U.S. carriers are at least planning to migrate to a dual-stack, IPv4/IPv6 environment, and that many of those surveyed are actively in the process of doing so. And a Network World survey in the same time frame found that 70 percent of IT departments were planning IPv6 upgrades of their websites within the next two years.

Migration is far enough along that the Internet Society renamed its annual event World IPv6 Launch--no longer merely calling attention to the v6 protocol for a single day, but stressing the idea that participants should keep their forward-facing websites running on IPv6 after June 6.

It's also far enough along that IPv6 experts are calling attention to the need to secure v6 networks. As with many new technologies, adoption often happens well before effective security measures are put in place to protect it. This is becoming an issue with dual-coexistence networks, according to folks at Blue Coat Systems and Akamai. Both companies are taking a closer look at IPv6 security issues as they transition customers to the new protocol.

The security issue of the moment is that IPv6 opens endpoints into and out of a company's network that may not be adequately monitored--or monitored at all. Blue Coat last week highlighted the rise of IPv6 "shadow networks" on corporate networks that are in the middle of transition to a dual-stack architecture but that haven't yet made IPv6 available to all employees. Individuals in the building who have figured out how to access the IPv6 side of the network can unwittingly open the network to outside parties whose intentions are not the purest.

[Figure: Blue Coat IPv6 shadow network]

Shadow networks need to be on the radar of enterprises migrating to dual-stack that have employees who use or bring in IPv6-enabled devices, said Mark Urban, senior director of product marketing at Blue Coat. "What we're talking about is just native IPv6 support that if, for example, it's been enabled in the router, and it's been enabled in a Windows 7 device, some user who's even a little bit knowledgeable can put it up." When a user creates that IPv6-based opening to the outside Internet, he said, "suddenly you have these potential exposure points where IPv6 is ... one of the most vulnerable areas for new exploits from entities who are looking for that kind of soft way into the enterprise."

Blue Coat's solution to the shadow network is equipment-based, and involves installing its PacketShaper platform to detect traffic on both the IPv4 and IPv6 sides of an enterprise's network.

Akamai, which just this month announced its network offers IPv6 support, is addressing the security threat as part of its network service. Since Akamai functions as "an extension of customers' environments," Michael Cucchi, director of product marketing, explained, its content delivery network does "a lot as traffic is headed toward customers' infrastructure." He pointed out that Akamai handles, for example, DDoS attacks natively, out on its network, applying prevention technologies where IPv6 network traffic is terminated and inspected as it moves onto Akamai's v4 network and before it reaches a customer.

The CDN provider's transparent network allows both Akamai and its customers to monitor activity, giving customers an advantage beyond just having monitoring equipment on the perimeters of their networks, said Erik Nygren, chief architect at Akamai.

Both Blue Coat and Akamai are seeing security issues and malware that can affect IPv6 networks.

"We've seen at least two cases of malware that is IPv6 aware and capable," Nygren said. "There is definitely malware out in the field. But also a lot of equipment deployed at origin for intrusion detection is not IPv6 aware or capable."

Blue Coat's Urban explained that the shadow networks issue became apparent as they transitioned customers into IPv6 environments. "We've seen it in at least one beta site and we've had it confirmed by analysts and by customers that there is something potentially there that they're not expecting," he said.

It's apparent then, as providers and enterprises plan their moves to dual-coexistence architecture, that securing the IPv6 side of that environment should be part of that planning from the earliest stages.

--Sam