IPv6 Security Guideline for Business User
As IPv4 address allocation has already been exhausted, IPv6 is the only solution to the shortage of IPv4 addresses. IPv6 adoption will grow among business users, and both versions of the Internet Protocol are expected to coexist on the Internet for some years. Therefore, business organizations should be prepared to provide services to their customers that support both IPv4 and IPv6.
Security Risks of IPv6 to Business
- If your Internet service provider does not support native IPv6 connectivity, you might still be able to connect to the IPv6 network via a tunnel broker service. However, all IPv6 traffic will pass through the tunnel broker, and the data is open to interception in transit.
- Make sure existing security software and network devices fully support IPv6. Some security software and network devices focus only on IPv4 and will not inspect IPv6 traffic at all, leaving all systems completely exposed on the IPv6 network.
- Be cautious when configuring security software and firewall policy. Disable unnecessary services and check the ports and protocols used by the services you need. Default settings could allow employees and attackers to bypass security controls and access resources on the company's intranet.
- Be cautious when selecting an IPv6 address assignment scheme. Although IPv6 autoconfiguration is a convenient way to assign addresses, it also creates a privacy problem: because the MAC address of the interface becomes part of the IPv6 address, the location of target devices or users can easily be traced by third parties.
- Use encryption technologies, such as SSL. Enable SSL encryption on the company's website and encrypt the content of email before sending. Remind employees to visit only SSL-enabled IPv6 websites.
- Check the IPv6 support status of your software and equipment providers. If the current version does not fully support IPv6, check whether support can be added in the future through a software or firmware upgrade. You may need to replace a device if it cannot be upgraded to support IPv6.
- First of all, define a firewall policy for IPv6 connections and limit the IPv6 services that employees can access. Filter all tunnel broker service connections [1] and allow only web, email and DNS services on a firewall with IPv6 support. In addition, configure permissions on PCs to prevent users from installing software. [2] When IPv6 and IPv4 run on the same network, you should control your IPv6 traffic as you do IPv4, following the principle of least privilege. You can refer to further IPv6 security guidelines for more information. [3]
- Manually configure the IPv6 address on every PC, or deploy DHCPv6 for IPv6 address assignment.
- Check and disable all IPv6 functions on network devices. Some network devices enable IPv6 by default.
- Filter all tunnel broker service connections [1] on the firewall and configure permissions on PCs to prevent users from installing tunnel broker software. [2]
- Disable IPv6 on all PCs. [4]
- [1] Filtering tunnel broker services on the firewall
We recommend that the firewall block all connections by default and open services following the principle of least privilege.
You can refer to the table below for the protocols and service ports required by IPv6 tunnel broker services.

| IPv6 Tunnel Service | Protocol & Port No. |
|---|---|
| 6in4, 6to4, 6RD, IPv6 in GRE and Dual Stack | IP protocol 41 and 47 |
| Teredo | UDP 3544 |
| AYIYA | UDP 5072 |
| TIC | UDP 3874 |
| TSP | UDP 3653 |
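As an added example (not part of the guideline), the following Python checker applies the table above to firewall or flow log lines and flags flows that a tunnel-filtering policy should be blocking; the log line format and the sample addresses are constructed assumptions, not a real firewall's export format.

```python
# Added example, not from the guideline: flag log flows that match the
# tunnel-broker protocol/port table above. The line format
# "<src> <dst> proto=<n> [dport=<n>]" is an assumption; adapt LINE_RE
# to your firewall's export format.
import re
from typing import Optional

# IP protocol numbers and UDP ports taken from the guideline's table.
TUNNEL_IP_PROTOCOLS = {41: "6in4/6to4/6RD/dual-stack", 47: "IPv6 in GRE"}
TUNNEL_UDP_PORTS = {3544: "Teredo", 5072: "AYIYA", 3874: "TIC", 3653: "TSP"}
UDP = 17

LINE_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+proto=(?P<proto>\d+)(?:\s+dport=(?P<dport>\d+))?"
)

def classify(line: str) -> Optional[str]:
    """Return the tunnel service name for a matching flow, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = int(m.group("proto"))
    if proto in TUNNEL_IP_PROTOCOLS:       # tunnels carried directly in IPv4
        return TUNNEL_IP_PROTOCOLS[proto]
    if proto == UDP and m.group("dport"):  # UDP-encapsulated tunnels
        return TUNNEL_UDP_PORTS.get(int(m.group("dport")))
    return None

def find_tunnel_flows(log_text: str) -> list:
    """Return (line, service) pairs for every flow that matches the table."""
    hits = []
    for line in log_text.splitlines():
        svc = classify(line)
        if svc:
            hits.append((line.strip(), svc))
    return hits

# Constructed sample log using documentation address ranges; not real traffic.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5 proto=6 dport=443
192.0.2.11 203.0.113.9 proto=41
192.0.2.12 203.0.113.7 proto=17 dport=3544
192.0.2.13 203.0.113.2 proto=17 dport=53
192.0.2.14 203.0.113.8 proto=47
192.0.2.15 203.0.113.3 proto=17 dport=3653
"""

if __name__ == "__main__":
    for line, svc in find_tunnel_flows(SAMPLE_LOG):
        print(f"TUNNEL {svc}: {line}")
```

Running the script over the constructed log reports four flows (protocol 41, Teredo, GRE and TSP) while the HTTPS and DNS lines pass untouched.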
- [2] You can use User Account Control on Windows systems to prevent users from installing software on the computer.
User accounts: frequently asked questions
Why use a standard user account instead of an administrator account?
What is User Account Control?
What are User Account Control settings?
- [3] Security Guidelines
Guidelines on Firewalls and Firewall Policy, from NIST (US)
IPv6 Security from HKSAR
- [4] Please refer to Appendix 7 of the IPv6 Security Guideline for Home User on how to disable the IPv6 system default settings.