What's the hold-up?
Although IPv6 is over a decade old, many vendors say it's a chicken-and-egg problem where they won't develop security products until they're sure there's solid customer demand.
"There is a kind of Catch-22 in the market today," says Dave Arbeitel, chief technology officer at Lumeta, whose IPSonar product scans IPv4-based networks for discovery and device fingerprint, with IPv6 capability expected to be added next year. "Customers aren't defining what they want to do, so it makes it hard for vendors to know what to do."
That sentiment has been echoed by Cisco and Juniper. But both vendors are indicating a willingness to make sure their intrusion-detection and prevention systems and firewalls are equally as good in IPv6 security as today's IPv4, even though official announcements have yet to come.
Juniper says the Juniper ISG 2000 firewall/VPN already supports full rules sets for IPv6 comparable to IPv4. But the Juniper intrusion-detection and -prevention products (IDP) only recognize IPv6 traffic and either permit or deny it based on policy.
"Juniper has plans to support full rule sets for IPv6 as comparable to IPv4 in the future for their stand-alone IDP and firewall/VPN products with integrated intrusion detection and prevention," a Juniper spokesman states without offering a timetable as to when this might be done.
Other security vendors take a similar stance.
Fortinet's FortiGate multipurpose security appliance "does not have 100% parity for IPv6," acknowledges Anthony James, senior director of product management at Fortinet. While Fortigate can look at IPv6 traffic and allow or disallow it based on firewall rules, it can't apply antispam, antivirus, content filtering or intrusion-prevention protections to IPv6 traffic. Fortinet expects to nail that sometime in 2008.
Some vendors, including Lancope and McAfee, decline to discuss the topic of IPv6.
Symantec's senior director of product management, Brian Foster, says the consumer versions of Norton Anti-Virus and Norton Internet Security support IPv6 in the desktop firewall and antivirus scanning functions. But on the enterprise side, Symantec's security products don't yet offer the same IPv6 security functions.
Sohail Parekh, vice president of engineering at Vernier Networks, which makes the EdgeWall line of network-access control and content inspection appliances, says the equipment doesn't support IPv6 today, but Vernier plans to add full IPv6 support in the second half of the year.
"The challenge as a security vendor is to support all the ins and outs of IPv6," Parekh says. "You have to understand all the addressing schemes and encapsulation schemes." These would include IPv4 to IPv6 over IPv6 to IPv4 "where there are multiple headers involved," he noted. "The permutations of things you are looking for is significantly increased."
During his presentation at the recent InfoSec Conference, Zot O'Connor, security researcher at the Microsoft Security Response Center, pointed out that both IPv4 and IPv6 are turned on in Vista, and a tunneling mechanism called Terado that allows IPv6 transport over IPv4 can be used. "Vista runs IPv6 really well and we use IPv6 in the IPSec layer," he said.