IPv6 taking on national-security implications
- — 29 March, 2007 10:16
Several makers of scanning products admit they have limited eyesight when it comes to IPv6.
At nCircle, chief technology officer Tim Keanini says the nCircle IP360 scanner will be able to recognize where IPv6-based devices are on the network but won't be able to perform thorough scans comparable to IPv4.
Tenable, which makes both active and passive scanners, says it's starting to see IPv6 more clearly. Tenable chief executive officer Ron Gula said the company's ActiveScan Nessus scanner has "traditionally been a scanner for IPv4." A beta version of the IPv6-capable Nessus 3.2 is available for download and review, with a final version expected out by this summer. Tenable host-based passive scanner doesn't support IPv6 yet.
Gula says the lack of support often seen for IPv6 in security products today is directly related to the lack of customer demand. But he noted that with Microsoft's Vista, which support IPv6 by default, enterprises will be adding IPv6 to their networks though they may not be fully aware of it.
"IPv6 is another attack surface," says Adam Stein, vice president of product management at Mu Security, which has added IPv6-based analysis to its Mu-4000 Security Analyzer appliance over the last few months. The Mu-4000 looks for zero-day vulnerabilities in network equipment through a protocol mutation process. "The fourth-generation cellular phone networks are all designed to IPv6," Stein added.
One thing to keep in mind about IPv6, Stein says, is that "history is repeating itself" in terms of host and network vulnerabilities, such as buffer-overflows, that the industry has had to battle in the IPv4-based products today. "Expect to see the same problems all over again," Stein emphasized, saying Mu Security has uncovered five- or six-dozen vulnerabilities in carrier networks, though only disclosed about two dozen of them so far publicly.
While the lack of widespread deployment of IPv6 to date has made many security vendors turn a blind eye to IPv6, the good news is that they can become quickly motivated to become IPv6-capable when they think it's time. Qualys, for instance, which just last month said it had no plans to adapt the IPv4-based QualysGuard vulnerability-assessment platform to IPv6, made an about-face, saying it would have be IPv6-capable by early next year, if not sooner.