Addressing Security in IPv6New IP Offers Enhanced Protection Measures
IPv6, the new Internet communications protocol, will soon replace the still-dominant IPv4. And security benefits are a given as part of this migration, explains EMC researcher Davi Ottenheimer.
"Security is built in," says Ottenheimer, senior director of trust for online security firm EMC Corp., in an interview with Information Security Media Group [transcript below].
" [But] you can really architect your communications and your identities around security from the very beginning," he says, an opportunity that wasn't available in IPv4.
Every device that connects to the Internet must be assigned an IP address. And the explosive use of mobile devices means the number of IP addresses has jumped dramatically since the early days of IPv4, Ottenheimer explains.
Simply put, IPv4 is not equipped to handle the new demands, he says.
IPv6 provides many more addresses to account for the increased number of devices, Ottenheimer says. But that increased number of addresses also means potential for greater risk, he notes.
"I really think we should be careful because in an IPv6 world there's an opportunity for us to move to the concept of tighter, hardened controls and perimeters that are more adaptive, intelligent and risk-based," Ottenheimer says.
During this interview, Ottenheimer discusses:
- How organizations can architect identities and security now, in preparation for IPv6;
- Why IPv6 will negate vulnerabilities in IPv4;
- The challenges organizations must consider concerning private identities.
Ottenheimer, who also serves as president of security consultancy flyingpenguin, has more than 18 years of experience managing global security operations and assessments. He is co-author of the book "Securing the Virtual Environment: How to Defend the Enterprise Against Attack." An expert in compliance, Ottenheimer is a qualified PCI-DSS and PA-DSS assessor and is a former board member of the Payment Card Industry Security Alliance.
TRACY KITTEN: Can you define what trust actually is?
DAVI OTTENHEIMER: Trust is really two-fold. I like to say that it's about providing a service as well as consuming a service. Those are loaded terms. But for the sake of argument, you're trusting someone or someone is trusting you, and you're doing that by providing things like authenticity so they know they can rely on you for availability. They can rely on you for protecting their assets and so forth. There are many levels, but being able to provide some level of service or being able to consume some service and feel like you can trust it is what it's about.
KITTEN: How does trust impact identity management?
OTTENHEIMER: It impacts it greatly. Impersonation I've already mentioned is a cornerstone of trust. You want to make sure that the person you're working with, or the service or organization across all levels of spheres, you want to make sure that you can rely on it as being authentic. It goes back to some of the core security notions. You have identity that you use and that has to be something that you can authenticate. Then you authorize that person or that group or entity across different levels. Trust is really the cornerstone of the key foundation for how we're going to manage security going forward in this world of expanding data and expanding users.
KITTEN: Are there variations when it comes to how we define trust?
OTTENHEIMER: Industries differ by geographic region, by political influence, many different overlapping layers. It's a very complex Venn diagram. For example, you can have an industry that relies on one identifier in one market and then in another market the same industry will use a different identifier. One of the things that's happening, for example, is people are getting sophisticated in how they replace our identifiers. We might think of something as constant and we're used to it, and then someone figures out a way to remove that. It's actually a variable and then we're confused or we're fooled into believing something is real when it actually has been changed.
Identity and Access Management
KITTEN: How are bring-your-own-device policies and practices changing the way organizations handle ID and access management?
OTTENHEIMER: The big difference is that bring-your-own-device, by definition, is your own. You have an identity attached to a device which is different than the one you might have had if it had been issued to you, which would have been the identity of the issuer. You're introducing now a relationship and that's even more complicated when each individual has multiple identities. They have a relationship with their family. They have a relationship with a sports team, with other groups, volunteer groups that they work with. Bring-your-own-device introduces a device with multiple identities outside the sphere of the identity that would be a primarily relationship in the old model.
KITTEN: How will this new version of Internet protocol standards impact identity, as well as IAM?
OTTENHEIMER: The foundation of IPv6 is that it's larger. It's giving us many, many more addresses because we're running out of addresses with IPv4. On the face-value side of things you can say we have so many more addresses; why not just permanently assign an identity to everything? We have so many and that's kind of the mindset, and from a networking perspective you used to be very conservative. There was actually this whole exercise of conservation and that's gone with the abundance of addresses in IPv6.
However, security is always about conservation, and not just because of a risk of running out of resources, but also because you may not want to share certain amounts of information for reasons of confidentiality or for other reasons - availability or integrity. It actually can make more sense to expire an address so you're not permanently attached to something that you no longer have a relationship with, and that's a different mindset.
IPv6, while solving the problem of space, gives us thousands, technically tens of millions, of new addresses. It does not automatically mean that you should have an identity that can never be removed or never be expired. The protocol does allow for them to be changed and moved, so it's not as though it's too rigid. But it definitely does raise different architecture concerns for someone who's building. And they're not interoperable. You're shifting from IPv4 to IPv6 so when you're planning it, you should be thinking about security as well as simple resource exhaustion. You should be thinking about how you may want to change identities later. Perfect examples of this are the Witness Protection Program in real life. Even if you have an identity that you think is completely impossible to change, we have ways as a society to alter those identities for extreme reasons, and it should be no different when we get into the network world. There are things we will want to hide for whatever reason and we should think about it in those terms as well.
Security Concerns around IPv6
KITTEN: Based on what you have just said, it sounds like or it should be an assumption that IPv6 will open the Internet to more risk. But what about the concern where it will lead to destructive attacks? Is there a heightened worry that destructive attacks could increase in IPv6?
OTTENHEIMER: I think that's always a worry. There are the naysayers who say, "Whenever you connect more devices, you expose yourself to more risk. The larger the attack surface, the more dangerous the world becomes." But I'm not sure that's an automatic assumption. I really think we should be careful because in an IPv6 world there's an opportunity for us to move to the concept of tighter controls, hardened controls, perimeters that are more adaptive, intelligent and risk-based.
In other words, in a BYOD scenario, a perimeter might be formed around the data on a device for a specific identity, and there may be thousands of identities and there may be relationships between those identities. All that means is we're getting more information about more devices that are more accurate and allows us to be, in a sense, building less expensive and more appropriate controls than before, where we had antiquated controls that were very large and very expensive, but weren't able to keep up with what was really going on. In other words, we might have had confidence in our old castle walls and the stones that we were putting in them, but we couldn't really build them fast enough or cheaply enough to actually protect ourselves against the known threats.
In today's world, what that means is we can be more secure by being able to identify threats sooner and respond faster than we were in the old world where, by the time we figured out what had happened, they had already taken all of our assets and left. There's a good chance we can be more secure if we design the world right with the IPv6 and the addressing that it provides us.
Steps to Prepare
KITTEN: What should organizations be doing now to prepare for IPv6?
OTTENHEIMER: There are several things. First of all, security is built in, so there's an opportunity to look at IPsec for example, something which you didn't have in IPv4. You can really architect your communications and your identities around security from the very beginning. Another thing to consider is that it's a complete switch. It's not really IPv4 enhanced or transitioned to IPv6. It's really a completely new architecture so you have to think about where there might be weaknesses that you would run into that would limit your functionality or make you blind. Those are two main points to really consider.
The third is this resourcing. Once you move into this world of addressing everything permanently and in the open, how do you have to think about things differently? Should you put security controls and do you have the ability to put controls much more tightly on each device and let it be roaming in the public space, as opposed to creating somewhat private spaces, like in the old architectures where you didn't want people to know about addresses and once they found them out you had to change how you did things? Architectures are completely different, and how you place your security controls will be completely differently when you look at the world of IPv6. Those are three big things to think about.
KITTEN: As organizations lay out their plans for IPv6, how can they know if they're on the right path?
OTTENHEIMER: They know they're on the right path because you're really doing the implementation properly. I know that may be a tautology, but what you're doing is you're building a new architecture, so it's not like you're saying one vehicle is more secure than another vehicle, but rather the way that you drive that vehicle is secure.
You know you're on the right path with IPv6 when you think about addressing every device uniquely, but also maintaining the ability to change address. You also know that you're on the right path when you're using IPv6 in this inexhaustible space to protect each device as though it were in a hostile environment all the time. You don't use a large perimeter as an excuse for leaving a device weakened or insecure. Instead, you treat every device as though it could potentially be on the larger network and be attacked at any time by threats. Your defense-in-depth methodology will shift to where you can support every device uniquely and for its needs relative to its value and not have defense-in-depth more like an onion with layers and things in the middle being the most secure.
The Move to IPv6
KITTEN: When can we expect to see this move to IPv6?
OTTENHEIMER: That's a question that has been asked of me for at least ten years, maybe longer. I'm not a betting man on it, but I think that the move will come when people feel that they can trust IPv6 with their business. That's a business decision more than a technology one. It takes two to tango. The more people that move in the general direction, the more we will see. It's probably in exponential effect, but once critical mass happens and all providers are moving that way, then people feel comfortable that they can trust their business won't be interrupted. They'll have availability and they'll have the confidentiality and security they need. You'll see that mass migration. Until then, it really is an either/or and people are still feeling more comfortable with where they've been as opposed to seeing the advantages of where they're going to go.
OTTENHEIMER: It's an exciting time when you think about the growth of the planet, because we have so much more data and we have so many more devices. The "Internet of things" that some people call it and the big data together, IPv6 is really the obvious piece of the solution that we need to move towards for networking because it's the only way we're going to be able to keep up and design better solutions. Although it's scary, although there are reasons to fear these new technologies, I think the faster we move into them, understand them and work with them, the stronger our trust will be because we'll iron out the problems before it's too late, before there's so much data, so many devices that we've left ourselves with a timeline that we can't possibly meet; the sooner the better.