With the update of the internet, we are welcome to use the IPv6 network protocol. After we continue to praise the advantages of the IPv6 network protocol, we are also worried about some of its vulnerabilities and problems. The computer network protocol version 6 (IPv6) does not improve the Web security of enterprises. However, when IPv4 is migrated, understanding IPv6 network security helps you prevent potential threats to IPv6 in your company's network. Scott Hogg and Eric Vyncke are co-authors of IPv6 Security: protection measures for the next computer network protocol. They will discuss the meaning of IPv6 Security in this interview. Use their suggestions to ease concerns about Protocol Security and understand network security tools and product features that can reduce risks.
◆ Can IPv6 network protocol Improve Enterprise Web security? What about customer security?
IPv6 does not change any applications running on the transport layer. At present, threats to IPv4 applications also exist in IPv6 applications. For example, if your dual-protocol Web server is vulnerable to cross-site scripting attacks, it will still be attacked when IPv6 is used as the Layer 3 protocol. The introduction of IPv6 is also not affected by customers' computers with dual stacks. However, if an enterprise or a customer uses a firewall that does not filter IPv6 packets, they are basically completely open. At the same time, the computer can create an IPv6 Internet channel without your knowledge. At the same time, these channels can bypass all currently used only for IPv4 Security protection.
The next generation of Internet protocol IPv6 is mainly used to introduce a larger address space, but it has almost no improvement in Web security. The main reason is that Web security is an application security-related attack, including SQL injection and cross-site scripting, application Security is completely independent from the network layer after the new IPv6 is deployed.
◆ What is the comparison between IPv6 Network Protocol Security and IPv4 Security?
There are some similarities between IPv4 and IPv6 Security in terms of ARP, proximity detection, DHCP, DHCPv6, slice attacks, and DoS attacks. Due to the IPv6 Header structure and the extensive use of ICMPv6, the IPv6 network protocol has some new vulnerabilities. Filtering unallocated addresses in IPv6 is much easier than in IPv4, because IPv4 address space is very scattered. Because NAT is not used with IPv6, IPSec is easier to implement with AH and ESP. IPv6 has some advantages in this respect. IPv6 and Mobile IPv6 provide new opportunities and challenges for secure Mobile communication. At the same time, the transmission mechanism of IPv6 is also the target of attacks.
If we compare IPv4 and IPv6 on the LAN) or Internet network layer, they are almost the same.
A large number of IPv6 addresses make the network scan fail to check all addresses to find all computers on the network. However, hackers can easily find possible targets by using DNS or other information resources. Therefore, this is not a security advantage.
The standard requires that computers in the IPv6 Network Protocol use encryption technology for confidentiality and Authentication). However, in fact, IPv6 computers are free to use or not use IPsec. In addition, the widespread use of IPsec will make the work of the Information Security Department more difficult, because they can no longer use the firewall for encrypted traffic, the firewall is invalid ).
As for Layer 2 secure Ethernet, we all know that there are many ARP problems in IPv4, among which it can maliciously redirect traffic. IPv6 also has a very similar problem, but the name has changed: NDPNeighbor Discovery Protocol) poisoning, rather than ARP poisoning. The same mitigation technology can be used here. In addition, SEcure Neighbor disbor (SEND) Even protects NDP through encryption. The only thing to note is that it is still not implemented on Microsoft Windows or Mac OS/X.
In general, the IPv4 and IPv6 protocols have almost the same security. The only problem is that most network and security architects and employees do not know IPv6, And they currently lack operation skills for this new protocol. These months are quite dangerous. Only people who have received training and experience can effectively avoid risks.