Firewall management, IPv6 and you

Created 30 years ago, IPv4 has a 32-bit addressing scheme and can support approximately 4.3 billion devices connected directly to the Internet. Well aware that IPv4 addresses would eventually run out, the IETF created IPv6 as an upgrade to IPv4. IPv6 features a 128-bit addressing scheme, supports a mind-numbing amount of devices and delivers much needed security and performance improvements.

While the IPv6 protocol has been around for along time, forklift upgrades to IPv6 were (rightly) seen as expensive and time consuming without much practical benefit. However, with the pool of IPv4 addresses completely exhausted, IPv6 is a trend whose time has come.

It is well known that most security incidents are caused by human error, either as the result of a programming error or through misconfiguration, so it comes as no surprise that research by Tufin Technologies revealed that misconfigurations are the greatest source of firewall-related risk and inefficiencies.

The lack of experience and training for those IT professionals dealing with IPv6, will only make mistakes more likely, and IPv6 address complexity will only exacerbate this because they are extremely difficult to read and do not lend themselves to memorization. Compare a typical 32-bit IPv4 addresses - with a 128 bit IPv6 address -2001:db8:31:1:20a:95ff:fef5:246e. Now do you get it?

Knowing that IPv6 migration will be a fact of life, here are some measures you can take to ensure migration efforts will not impede firewall management:

Understand what IPv6 means to your network, people, and vendor partners: Although many potential issues can be avoided by testing IPv6 conditions in a lab or by running pilots, as with any IT deployment, there are some scenarios that even th most savvy IT people would not have known to anticipate. The only way your team will learn what the issues are, is by experience. For example, network devices or firewalls could become overwhelmed and fail when used in an IPv6 environment, allowing data traffic to pass without full inspection or resulting in an outage, or not. Talk to your firewall and network infrastructure vendors to see where they are at with IPv6 and what sort of resources they can provide to aid with migration. If you outsource firewall management, get educated on what your MSSP or service provider is doing for IPv6.

Avoid having to manually type IPv6 addresses: Because writing IP addresses manually is a highly error-prone, endeavor, you should minimize this. If you have to write an address, do it once and whenever possible, assign a human readable name to it and use the name in all places (firewall rules, policies, ACLs etc.).In order to minimize the duplication of address definitions, you need consolidated management systems so that IPv6 addresses are stored on a central repository and can be sourced as needed – for example, host naming should be consolidated across firewalls and routers, even from different vendors. For those organizations running Next-Generation firewalls, incorporate your firewalls with Active Directory to avoid having to manually enter user addresses.

Things will go wrong. Be prepared: IPv6 increases complexity, which is already beyond manual control on most enterprise firewall policies. But if you plan ahead, when something does happen, you will be in a good position to troubleshoot. From a process and operations perspective, the simpler the better. Make sure changes are properly and clearly documented so that anyone can understand what the actual change was, why it was made, who made it and when.

Deploy network management tools that understand IPv6: Most organizations will be running dual IPv4 and IPv6 networks, known as dual stacks, as they transition.IPv4 and IPv6 cannot communicate with each other, so they will need to be deployed in tandem until the transition is complete. That means, that for the period during which you offer both IPv4 and IPv6, you have to do everything twice, which among other things, will significantly increase the number of firewall changes that will occur in a given change window. In addition to having more changes to deal with, IPv6 changes will be more complex.

If you have a multi-vendor, multi-type firewall environment, the business case (i.e. time and cost savings) for automating firewall management should be extremely compelling. Look for tools that will help analyze IPv6 addresses, objects, rules and ACLs across networks and security devices. Additionally, look for network management tools that can provide reverse lookup for any IPv6 address to its human readable names. Do not be the person that gets stuck having to manually troubleshoot mistyped IPv6 addresses across multiple firewalls.

When upgrading or automating, leverage internal and external domain expertise: Chances are external people you are working with on your IPv6 migration efforts are working with others as well. Any tips or best practices specific to IPv6 migration or in general with the systems or products they work with should be welcomed to ensure that systems are optimized for future needs. The processes you automate are likely to stick for quite some time – take the time to set things up in a way that is just aligned with the strengths of the product(s) your deploying, standard operating procedures and the culture of your company and team.

While it may not be of consequence to end users, IPv6 migration will be a big deal to enterprise IT and particularly network and network security managers. IPv6 has been in use for many years, it has been deployed on relatively few networks. Because people are less familiar with it, they are less likely to spot mistakes. With IPv6, security practitioners have a chance to get ahead of the game and bake best practices into IPv6 processes and operations instead of bolting them on after the fact. Lessons learned and best practices will come from trial and error, information sharing, and by supporting industry initiatives. Let’s not waste the opportunity to do things right.