Tuesday, February 1, 2011

Are your firewalls ready for IPv6?

I have to admit, over the last few years I have become a bit immune to all the declarations that this year was finally going to be the year that the Internet ran out of IPv4 addresses. While I still think this issue is getting sensationalized by the media (http://bit.ly/eLV7ci), the reality is that 2011 will likely mark the first year where enterprises really have to start planning for how they are going to support IPv6.

Even though it may be a little while before your enterprise is running a dual-stack network with both native IPv4 and native IPv6, it's probably time to start planning for when that day arrives. One notable change driven by IPv6 will be how network and security administrators think about firewall functions and network boundaries.

For example, one of the goals of IPv6 is to have a large enough IP address space that Network Address Translation (NAT) is no longer necessary. However, many security administrators view NAT as providing useful hiding of their internal IP address schemes. I predict there will be a lot of interesting discussions about how best to secure IPv6 networks as IPv6 gains more widespread, mainstream adoption.

So, why am I posting about IPv6, you ask? One of the features of Firewall Builder is that it has built-in support for creating IPv6 objects and using those objects in your rules. This helps reduce the pain of deploying and supporting IPv6 firewalls. As a noted IPv6 network architect pointed out to me, using a tool like Firewall Builder, where objects are used in rules instead of straight IP addresses, becomes even more critical with IPv6. How many times do you have to type 2001:0db8:85a3::8a2e:0370:7334 before you make a typo??

Right now Firewall Builder supports IPv6 rules generation for Linux ip6tables, BSD pf, Cisco router access lists and ipfw. However, I expect that as we see more of our users adopting IPv6, we will add support for other platforms like Cisco ASA and PIX firewalls in the future.
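To illustrate why defining an address once as a named object beats retyping literals in every rule, here is an added Python example (not Firewall Builder's code or output). The object names, the rule tuple layout and the addresses in the 2001:db8::/32 documentation prefix are constructed for illustration; each object is parsed once, so a mistyped literal is rejected before any ip6tables line is produced.

```python
import ipaddress

# Constructed address objects (documentation prefix 2001:db8::/32); names are hypothetical.
OBJECTS = {
    "web-server": "2001:db8:85a3::8a2e:370:7334",
    "admin-net": "2001:db8:85a3:10::/64",
}

# Rules refer to objects by name only: (chain, source, destination, protocol, port, target).
RULES = [
    ("FORWARD", "any", "web-server", "tcp", 443, "ACCEPT"),
    ("FORWARD", "admin-net", "web-server", "tcp", 22, "ACCEPT"),
]

def resolve(objects):
    """Parse every object once; a mistyped literal fails here, before any rule is rendered."""
    resolved = {"any": ipaddress.IPv6Network("::/0")}
    for name, text in objects.items():
        try:
            # strict=True also rejects a prefix with host bits set, e.g. 2001:db8::1/64.
            resolved[name] = ipaddress.IPv6Network(text, strict=True)
        except ValueError as exc:
            raise ValueError(f"object {name!r}: {exc}") from exc
    return resolved

def render(rules, objects):
    """Return ip6tables command lines for the rules, using canonical address text."""
    nets = resolve(objects)
    lines = []
    for chain, src, dst, proto, port, target in rules:
        for ref in (src, dst):
            if ref not in nets:
                raise KeyError(f"rule references undefined object {ref!r}")
        lines.append(
            f"ip6tables -A {chain} -s {nets[src]} -d {nets[dst]} "
            f"-p {proto} --dport {port} -j {target}"
        )
    return lines

if __name__ == "__main__":
    print("\n".join(render(RULES, OBJECTS)))
```

Because the objects are normalized on parse, the fully written-out and the compressed spelling of the same address resolve to the same object, and every rule that names it gets identical text.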

Are you already using IPv6 or starting to plan for it? Let us know in the comments how you see IPv6 affecting your firewall management plans.

5 comments:

Simon said...

As currently IPv4 is still fully functional I have yet to change our networks for compatibility. In our network however most of the hardware is compatible with IPv6 although it will require hard modding on 2 of them (most probably a replacement), the dd-wrt wrt54gs systems will be the easiest to maintain most probably.

erwicker said...

I totally agree with you:)


MaryJohn said...

good post

MaryJohn said...

An Internet Protocol address (IP address) is a numerical label assigned to each connection. The computer uses this to establish the connection. Two versions of the IP are in use: IP Version 4 and IP Version 6. In IPv4 an address consists of 32 bits and the IPv6 uses from 32 to 128 bits. I have an IPv4 when I checked through Ip-details.com
