Tuesday, July 22nd 2008
IPv6 Protection by OSes Inadequate, Potential Vulnerabilities Surface
Rudimentary software-level protection for IPv6 (Internet Protocol Version 6), a network protocol which comes pre-installed with several operating systems (OS) but poorly implemented in the real-world makes it a protocol ignored by security providers, and effectively a soft-target for hackers to compromise a system.
Several OSes including Linux 2.6 upwards, Windows Vista, Solaris, Mac OS X and mobile OSes such as Windows Mobile 5 and 6 come with IPv6 enabled by default, though the user would probably not use the protocol in a year 2008 setting where the networks haven't embraced the protocol to level that makes it an explicit requirement for all internet-enabled computers the way IPv4 is. Keeping this in mind, software level protection for IPv6 is close to non-existent, having strong intrusion detection-enabled protection might keep you safe at an IPv4 level that's still standard, but with IPv6 enabled and with protection that doesn't cover IPv6, the PC is as vulnerable as one without any firewall at all. With IPv6 'listeners' (programs that open ports and allow incoming connections) in place the PC becomes vulnerable to intrusions. All it takes is for a hacker to create an IPv6 listener program (malware) and plant it on a PC.
Security Reasercher Joe Klein of Command Information says that the internet has no dearth for computers with IPv6 enabled without users' knowledge. Administrators who don't keep tabs of their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don't secure their IPv6 implementations - whether they realize they have one or not. Perhaps the biggest threat is that of hackers tunneling IPv6 traffic through an IPv4 system. Tunneling often circumvents firewalls, even over IPv4.
Command Information predicts that we will run out of IPv4 addresses in about two and a half years' time. The continuity of the internet's expansion depends on how quickly IPv6 is implemented globally. Apparently security isn't able to catch up with the pace of network technologies' advancements.
Source:
DailyTech
Several OSes including Linux 2.6 upwards, Windows Vista, Solaris, Mac OS X and mobile OSes such as Windows Mobile 5 and 6 come with IPv6 enabled by default, though the user would probably not use the protocol in a year 2008 setting where the networks haven't embraced the protocol to level that makes it an explicit requirement for all internet-enabled computers the way IPv4 is. Keeping this in mind, software level protection for IPv6 is close to non-existent, having strong intrusion detection-enabled protection might keep you safe at an IPv4 level that's still standard, but with IPv6 enabled and with protection that doesn't cover IPv6, the PC is as vulnerable as one without any firewall at all. With IPv6 'listeners' (programs that open ports and allow incoming connections) in place the PC becomes vulnerable to intrusions. All it takes is for a hacker to create an IPv6 listener program (malware) and plant it on a PC.
Security Reasercher Joe Klein of Command Information says that the internet has no dearth for computers with IPv6 enabled without users' knowledge. Administrators who don't keep tabs of their systems face a huge risk, said Klein. Operational dangers aside, administrators who work for organizations that have to comply with regulations like HIPAA or Sarbanes-Oxley risk non-compliance if they don't secure their IPv6 implementations - whether they realize they have one or not. Perhaps the biggest threat is that of hackers tunneling IPv6 traffic through an IPv4 system. Tunneling often circumvents firewalls, even over IPv4.
Command Information predicts that we will run out of IPv4 addresses in about two and a half years' time. The continuity of the internet's expansion depends on how quickly IPv6 is implemented globally. Apparently security isn't able to catch up with the pace of network technologies' advancements.
9 Comments on IPv6 Protection by OSes Inadequate, Potential Vulnerabilities Surface
Is it a problem then bta?
From what I understand of the article a firewall software hasn't been designed for IPv6 and this researcher is lamenting about it. One can't expect companies to come out with a software which no one uses. Companies need to make money and they will wait till IPv6 is started to be used or a few days before the switch is made.
See if your internet/local network/NAS work properly. If so, keep it that way.
I'd like to point out also that at some point with SP2 I started to notice my computer contacted microsoft a lot, even while I have automatic updates disabled, and I traced it to the IPv6 service that was running, so in privacy respect, and in wasted resources until IPv6 comes to the masses respect, I'd advise to disable the IPv6 service if it's running on your system.
Right now AFAIK IPv6 is only used on backbones and by fervent enthusiast as an experiment in cooperation with their ISP, which is actually a pretty weird thing because one ISP for instance had that option and if you did they assigned you 32000 IP's!!! instead of the normal one or two.
Once they roll it out it'll be hard to block unwanted people I guess.