About the author

Dr Shadi Aljawarneh holds a BSc degree in Computer Science from Jordan Yarmouk University, an MSc degree in Information Technology from Western Sydney University and a PhD in Software Engineering from Northumbria University, UK. He is currently assistant professor at the faculty of IT in Isra University, Jordan, where he has worked since 2008. His research is centred on web and network security, e-learning, bioinformatics, and other ICT fields. Aljawarneh has presented at and been on the organising committees of a number of international conferences and is a board member of the International Community for ACM, ACS, and others. He is editor-in-chief for the International Journal of Cloud Applications and Computing (IJCAC) with IGI Global.
IPv6 migration and security

Steve Gold, freelance journalist
March 2011

The world has run out of IPv4 addresses – technically, at least. In theory, this is not a problem: the IPv6 standard is already in place and offers a significantly bigger address space. But while everyone seems to be talking about IPv6 migration, are they actually doing it? And what are the security implications?

At the beginning of 2010, it was revealed that the last IPv4 numbering block was about to be allocated to a Regional Internet Registry (RIR). In fact, the Asia-Pacific Network Information Centre (APNIC) received the last two blocks to be issued under normal assignment processes. This triggered a special rule, laid down by the Internet Corporation for Assigned Names and Numbers (ICANN), under which the five remaining Class A blocks, each containing more than 16.7 million addresses, would be divided equally among the world’s five RIRs – AfriNIC (Africa), APNIC, ARIN (North America), LACNIC (South America) and RIPE (Europe). The Internet Assigned Numbers Authority (IANA) carried out this assignment at a ceremony in Florida at the beginning of February.[2]

According to Martin Levy, director of IPv6 strategy at US backbone service provider Hurricane Electric, each of the RIRs now has a finite amount of IPv4 space left for allocations to operators in its region. And just to set the IT management pulse racing, the company has posted an IPv4 exhaustion countdown application on its site that shows the time left until all IPv4 addresses are depleted.[1] This, the firm hopes, will help concentrate people’s minds on the solution to the problem of dwindling IPv4 addresses – to migrate a company’s IP systems to a 128-bit IPv6 structure and numbering system.

Sooner rather than later

All well and good, but what does this mean for the vast majority of organisations whose IP infrastructures are based on IPv4? Levy says that, in order to avoid costly capital expenditures down the road and the possible failure of their business continuity plans, companies must make the migration to IPv6 sooner rather than later. “Companies that fail to migrate to IPv6 will face a number of painful options, including buying expensive equipment to cobble together an address-sharing scheme or going out to the marketplace to acquire IP address space at a potentially exorbitant price,” he says. The good news is that even the largest company probably has until the end of the year to develop and implement an IPv6 migration strategy, but where do you begin?

Of all the world’s carriers, AT&T has arguably been the most open in how it is adapting to the IPv6 migration, which Dale McHenry, the firm’s vice-president of enterprise data networks, says is directly caused by the fact that the 4.3 billion IPv4 addresses are starting to run out. The cause of this, he says, has been the explosive growth in mobile applications, machine-to-machine computing, and peer-to-peer applications, which is creating a need for IP addresses that goes well beyond the capabilities of the IPv4 numbering system. But it gets more complex than this, he adds: in parallel with migrating to an IPv6 numbering system, most organisations will also need to beef up their own IP infrastructures at the same time.
Network Security
“In the not too distant future, everything from mobile phones and PCs to automobiles, gaming stations and home appliances will be assigned its own unique Internet IPv6 address,” he says. “Each of these devices will be trying to connect over IPv6 to corporate URLs.”

Early action

McHenry also says that businesses need to realise the importance of early action and start planning their transition. Companies should start by establishing an IPv6 Internet presence with Internet-facing services, and the first step is to perform a readiness assessment. This will allow IT managers to identify non-IPv6-compliant hosts, servers, applications, carrier services and network equipment that are used to provide both internal and external IP services. The next stage, says McHenry, is to define IPv6 transition timelines incorporating testing and piloting of IPv6 functionality, as well as assessing the current IPv4 footprint, in order to identify likely IPv6 triggers such as private number exhaustion, mobile, public exhaustion, customers and partners. Although it’s a relatively easy task to install a dual-stack IPv4/IPv6 front end to a company’s IP systems, McHenry says it is often better to upgrade the firm’s infrastructure to support dual-stack IP services that support both IPv4 and IPv6. AT&T itself has gone down this path and, as well as supporting IPv6 alongside the IPv4 numbering system, it has been aggressively reclaiming unused IPv4 addresses from customers since 2006, a process that it claims will allow it to offer IPv4 addresses well into 2012.
The security perspective

There is still a question mark over how IPv6 changes the security ballgame. According to Johannes Ullrich, chief research officer for the SANS Institute, one problem that few IT professionals are prepared for is the accidental implementation of IPv6. You may, he says, already have IPv6 on your network without knowing about or configuring it. This is because Windows 7, Apple OS X and Linux enable IPv6 by default, as do many Google Android and Apple iOS-driven devices such as iPhones and iPads. Because of this, Ullrich argues that the growth of mixed IPv4 and IPv6 networks – in some cases without the knowledge of IT security teams – can introduce a variety of potential security risks. The problem is made worse, he says, because attacks designed to exploit IPv6-enabled devices could also be missed by intrusion detection systems that have not been correctly configured to deal with IPv6 traffic.

Against this backdrop, Ullrich says he believes that organisations have failed to grasp the full impact of a move to IPv6 or the amount of time needed to plan, test and secure any migration strategy. Many organisations will look at their own networks and not see a big problem with staying on IPv4, he explains. However, suppose you need to connect to a supplier network in China and it has been forced to migrate to IPv6? Your organisation may have to switch over very quickly. Yet Ullrich believes that it will take at least a year for larger organisations to move over to IPv6. Although most modern routers and switches are IPv6-enabled, supporting SIEM, IDS, IPS and monitoring tools will need some degree of reconfiguration. The application layer is more problematic, and the scale of the issue, Ullrich claims, is comparable to the Y2K problem. On top of this, there may well be many complex or custom applications that are affected by switching over and which need to be tested.
The dual-stack issue

Figure: Exhaustion of IPv4 Class A (/8) address blocks.

Most organisations will probably end up with a dual-stack solution, which involves running IPv4 and IPv6 systems in parallel. With this option, end nodes and routers/switches effectively run both protocols, and if an IPv6 communication is possible, then that is the preferred and supported protocol. A common dual-stack migration strategy is to make the transition from the core to the edge. This typically involves enabling two TCP/IP protocol stacks on the WAN core routers, then perimeter routers and firewalls, then the server farm routers and finally the desktop access routers. After the network supports IPv6 and IPv4 protocols, the process will enable dual-protocol stacks on the servers and then the edge computer systems.
Another approach favoured by some North American vendors is to use tunnels to carry one protocol inside another. These tunnels take IPv6 packets and encapsulate them in IPv4 packets to be sent across portions of the network that haven’t yet been upgraded to IPv6. Tunnels can be created where there are IPv6 ‘islands’ separated by an IPv4 ‘ocean’, which will be the norm during the early stages of the transition to IPv6. Later on, there will be IPv4 islands that will need to be bridged across an IPv6 ocean.

Tunnel types

There are two types of tunnels: manual and dynamic. Manually configured IPv6 tunnelling (RFC 2893) requires configuration at both ends of the tunnel, whereas dynamic tunnels are created automatically based on the packet destination address and routing. It’s worth noting that dynamic tunnelling techniques simplify maintenance compared with statically configured tunnels, while static tunnels make traffic information available for each endpoint, providing extra security against injected traffic. As you might expect, there are security issues associated with tunnelling – for example, with dynamic tunnels it isn’t easy to track who is communicating over the transient tunnels, and the IT overlay may not be aware of the tunnel destination endpoint. From a security manager’s perspective, it is worrying when your routers are communicating with other non-authenticated routers. This is because it is possible to generate forged IP traffic toward a tunnel endpoint and get traffic spuriously inserted into the tunnel. The bad news is made worse by the fact that tunnelling creates situations in which traffic will be encapsulated, and many firewalls won’t inspect the traffic if it is in a tunnel. Simply put, allowing IP Protocol 41 (IPv6 encapsulated in IPv4) through an IPv4 firewall is not best practice. This is like creating an ‘IPv6 permit any/all’ rule through the firewall.

Figure: Tunnelling IPv6 traffic over IPv4 networks.
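To make the protocol 41 point concrete (and Ullrich’s earlier point about monitoring tools that are not configured for IPv6), here is an added example, written for this article and not code from any vendor or person quoted in it: a small Python inspector that shows what an IPv4-only firewall sees of a 6in4 packet versus what a tunnel-aware check sees once it decapsulates the inner IPv6 header. The addresses, ports and the SYN packet are constructed sample values, and the port policy is an illustrative assumption.

```python
import socket
import struct

IPPROTO_6IN4 = 41  # IP protocol 41: IPv6 encapsulated directly in IPv4 (RFC 4213 / 6in4)

def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    src = socket.inet_ntop(socket.AF_INET, pkt[12:16])
    dst = socket.inet_ntop(socket.AF_INET, pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def parse_ipv6(pkt):
    """Return (next_header, src, dst, payload) from a raw IPv6 packet."""
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    return pkt[6], src, dst, pkt[40:]

def inspect(pkt):
    """Outer view (what an IPv4-only firewall sees) plus the inner IPv6 flow if proto 41."""
    proto, o_src, o_dst, payload = parse_ipv4(pkt)
    outer = {"proto": proto, "src": o_src, "dst": o_dst}
    if proto != IPPROTO_6IN4:
        return {"outer": outer, "inner": None}
    nh, i_src, i_dst, l4 = parse_ipv6(payload)
    inner = {"next_header": nh, "src": i_src, "dst": i_dst, "dport": None}
    if nh in (6, 17) and len(l4) >= 4:             # TCP/UDP: destination port is bytes 2..3
        inner["dport"] = struct.unpack("!H", l4[2:4])[0]
    return {"outer": outer, "inner": inner}

def ipv4_only_policy(pkt, permitted=(6, 17, IPPROTO_6IN4)):
    """Decision of an IPv4 firewall with a blanket 'permit protocol 41' rule (assumed policy)."""
    return "permit" if parse_ipv4(pkt)[0] in permitted else "deny"

def tunnel_aware_policy(pkt, blocked_ports=(22, 3389)):
    """Decapsulate protocol 41 and apply the same (assumed) port policy to the inner IPv6 flow."""
    inner = inspect(pkt)["inner"]
    if inner is not None and inner["dport"] in blocked_ports:
        return "deny"
    return "permit"

def build_6in4(o_src, o_dst, i_src, i_dst, dport):
    """Constructed sample packet: a TCP SYN to `dport` inside IPv6, inside IPv4 protocol 41."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    v6 = (struct.pack("!IHBB", 6 << 28, len(tcp), 6, 64)
          + socket.inet_pton(socket.AF_INET6, i_src) + socket.inet_pton(socket.AF_INET6, i_dst) + tcp)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64, IPPROTO_6IN4, 0,
                     socket.inet_pton(socket.AF_INET, o_src), socket.inet_pton(socket.AF_INET, o_dst))
    return v4 + v6
```

Feeding `build_6in4("198.51.100.10", "203.0.113.5", "2001:db8::10", "2001:db8::5", 22)` to both policies shows the gap: the IPv4-only rule permits the packet on the strength of protocol 41 alone, while the tunnel-aware check sees an inner TCP flow to port 22 and denies it.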
The vendor solution

At the RSA Security event in San Francisco in mid-February, Blue Coat Systems took the wraps off its Mach5 WAN optimisation appliance, which is billed as the industry’s first solution to offer a full range of WAN acceleration and optimisation capabilities for IPv4 and IPv6 content and applications.

According to Qing Li, the firm’s chief scientist and an IPv6 expert, introducing IPv6 presents some significant challenges to companies and service providers. These, he says, range from traffic visibility and access control to security and WAN optimisation. The Mach5 appliance, he explains, works at the application level across both IPv4 and IPv6 environments and maintains application-level optimisations for CIFS, MAPI, HTTP, SSL, RTMP, RTSP and other application-specific optimisations.

Li advises IT professionals that they need to start their IPv4 to IPv6 migration on the security front now, largely because, although the communications industry has been aware of the fact that IPv4 addresses will run out, there has – until now – been a lot of talk and little action. “The problem is made worse by the lack of knowledge of IPv6 in our industry,” says Li. “Most IT managers are fearful of IPv6 because they simply don’t know how to deal with the technology.” Because of this, Li advises IT professionals planning to migrate to IPv6 of the need to take ‘baby steps’ at all stages in the security migration process, especially when dealing with firewalls. “There are problems with dynamic tunnels, for the simple reason that IP address tracking is a Layer 7 issue,” he says, adding there is also the question of what happens if you encapsulate IPv6 over IPv4. Fortunately for users, he says, a growing number of technologies now support the ISO layer – this helps on the security front, as does the AppID approach to IP security.

Photo: Qing Li, Blue Coat Systems.

The real challenge, Li adds, is about analysing the behaviour of IP transmissions in an IPv6 environment, as not all security scanning systems can monitor IPv6 data. This creates a situation where malware can be inserted into a company network without the underlying security infrastructure being capable of detecting the malware. The real headaches occur when you start to translate security policies from an IPv4 to an IPv6 platform, as the process is a manually intensive one. Li concludes: “This is going to be a slow and painful process for most businesses, and will be something of a challenge, no matter what level of expertise the IT security professional has.”
About the author

Steve Gold has been a business journalist and technology writer for 26 years. A qualified accountant and former auditor, he has specialised in IT security, business matters, the Internet and communications for most of that time. He is technical editor of Infosecurity and lectures regularly on criminal psychology and cybercrime.
References

1. ‘Hurricane Electric IPv4 Exhaustion Counters’. Hurricane Electric. Accessed Feb 2011. <http://ipv6.he.net/statistics/>.
2. Lawson, Stephen. ‘Update: ICANN assigns its last IPv4 addresses’. Computerworld, 3 Feb 2011. Accessed Feb 2011.
Data loss prevention: a matter of discipline

Alexei Lesnykh, DeviceLock
The recent study ‘Cost of a Data Breach’ by the Ponemon Institute, which was published this year for five leading Western economies including the US, Germany, the UK, France, and Australia, confirmed that the damage to enterprises across the globe from data breaches is continuing to grow.[1] The same trend is also occurring in the SMB market. According to the Symantec 2010 Global SMB Information Protection Survey, SMB organisations now rank data loss as the top security threat to their business.[2] This is hardly surprising when you consider that the average annual cost of a cyber-attack for SMBs was found to reach almost US$190,000.

Three main factors have shaped and strengthened this alarming trend. The first is the consumerisation of corporate IT – the ubiquitous proliferation of high-end consumer technologies such as smartphones, tablet computers and Web 2.0 software into the corporate IT environment. Undoubtedly, social media and peer-to-peer networking, instant messaging, blogging and webmail have proved to be highly effective instruments in the modern, Internet-centric economy and are already indispensable for internal corporate use. But from the information security standpoint, all these communication tools create new data leakage pathways that neither conventional network security nor anti-virus solutions can control.
The extent of the industry’s concern with regard to the misuse of social media in corporate IT became clear in May 2010 when a leading IT standards promotion association, ISACA, released a special white paper, ‘Social Media: Business Benefits and Security, Governance and Assurance Perspectives’ with recommendations to organisations on how to secure the use of social media in their IT systems.[3] However, it is not just social media that is cause for concern – no less dangerous for businesses are peer-to-peer (P2P) technologies. Early in 2010, widespread data breaches due to inappropriate use of P2P file sharing were uncovered by the Federal Trade Commission in almost 100 US organisations.[4]
Hunting data

Second, over the past 10 years, external threat vectors to corporate IT security have strategically shifted from targeting the IT infrastructure to hunting the data – or, to be more precise, valuable data. The cybercrime industry has become well organised and commercialised, with its current annual turnover around US$1 trillion.[5] Modern cyber-threats commonly target endpoint computers because they are less protected than servers but, at the same time, store a vast amount of sensitive private and corporate information. External attacks are becoming increasingly sophisticated: cutting-edge software and network technologies and the power of social engineering are combined to infect endpoint computers with commercial malware. Just one careless click on a link in a spam email and the corporate computer gets infected with a small program that could sniff out data of required