Skip to main content

IPv6 Security Guideline for Business User

Release Date: 30 May 2013 2920 Views

 

As IPv4 address allocation have already exhausted, IPv6 is the only solution to the shortage of IPv4 address. IPv6 adoption will grow for business user and it is expected both version of Internet Protocol will coexist on the Internet for some years. Therefore, business organizations should be prepared to provide services to their customer which support both IPv4 and IPv6.

 

Security Risk of IPv6 to Business

 
You should beware of the following whether you intend to use IPv6.
 
Connect to IPv6 network
 
If you use IPv6, manage it as you should do for IPv4.
  1. If your Internet service provider does not support native IPv6 connectivity, you might still be able to connect to IPv6 network via tunnel broker service. However, all IPv6 data connection will go through the tunnel broker and the data is open to interception during transit.
  2. Make sure existing security software and network devices fully support IPv6. Some security software and network device only focus on IPv4 and will not inspect IPv6 traffic at all, leaving all systems completely exposed on IPv6 network.
  3. Be cautious when configuring security software and firewall policy. Disable unnecessary services and check the ports and protocols used by the services you need. Default settings could allow employees and attackers to bypass security controls and access the resource on company’s Intranet.
  4. Be cautious when selecting IPv6 address assignment scheme. Although it is convenient to use IPv6 Auto configuration for address assignment, it also generates a privacy problem. Because the MAC address of the interface will become part of the IPv6 address, location of the target devices or users can be traced easily by third party.

Solution

  1. Use encryption technologies, such as SSL. Enable SSL encryption on company's website and encrypt the content of email before sending. Remind employee only visit SSL enabled IPv6 website.
  2. Check the IPv6 support status from your software and equipment provider. If the current version does not fully support IPv6, check whether it can support in the future through software or firmware upgrade. You may need to replace the device if it is not upgradable to support IPv6.
  3. First of all, define firewall policy for IPv6 connection and limit the IPv6 service to be accessed by employee. Filter all tunnel broker service connection1 and only allow web, email and DNS services on firewall with IPv6 support. In addition, configure permission on PC to prevent users from installing softwares.2 When IPv6 and IPv4 are running on the same network, you should control your IPv6 traffic as you do for IPv4 with the principle of least privilege. You can refer to more security guidelines relating to IPv6 for more information.3
  4. Manually configure IPv6 address on every PC or deploy DHCPv6 for IPv6 address assignment.
Not connect to IPv6 network
 
If you do not plan to use IPv6 at this moment, you have to ban non-authorized use of IPv6 that will bypass your security controls applied to IPv6 traffics.
  1. Check and disable all IPv6 function on network devices. Some network devices might enable IPv6 by default.
  2. Filter all tunnel broker service connection1 on firewall and configure permission on PC to prevent users from installing tunnel broker softwares.2
  3. Disable IPv6 function on all PC.

Appendix:

  1. Filtering tunnel broker service on firewall
    We recommended that firewall should block all connections by default and open the service with the principle of least privilege.

    You can refer to the table below for the protocol and service port required by IPv6 tunnel broker service.

    IPv6 Tunnel ServicesProtocol & Ports no.
    6in4, 6to4, 6RD, IPv6 in GRE and Dual StackProtocol 41 and 47
    TeredoUDP 3544
    AYIYAUDP 5072
    TICUDP 3874
    TSPUDP 3653
     
  2. You can set User account Controls on Windows system to prevent users from installing software on the computer.

User accounts: frequently asked questions

http://windows.microsoft.com/en-US/Windows7/User-accounts-frequently-asked-questions

Why use a standard user account instead of an administrator account?

http://windows.microsoft.com/en-us/windows7/Why-use-a-standard-user-account-instead-of-an-administrator-account

What is User Account Control?

http://windows.microsoft.com/en-us/Windows7/What-is-User-Account-Control

What are User Account Control settings?

http://windows.microsoft.com/en-US/windows7/What-are-User-Account-Control-settings

  1. Security Guideline

Guidelines on Firewalls and Firewall Policy from NIST US

http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf

 

IPv6 Security from HKSAR

http://www.infosec.gov.hk/english/technical/files/ipv6s.pdf

  1. Please refer to Appendix 7 of IPv6 Security Guideline for Home User on How to disable IPv6 system default settings.