Tuesday, February 1, 2011

Are your firewalls ready for IPv6?

I have to admit, over the last few years I have become a bit immune to all the declarations that this year was finally going to be the year that the Internet ran out of IPv4 addresses. While I still think this issue is getting sensationalized by the media, http://bit.ly/eLV7ci, the reality is that 2011 will likely mark the first year where enterprises really have to start planning for how they are going to support IPv6.

Even though it may be a little while before your enterprise is running a dual stack network with both native IPv4 and native IPv6 it’s probably time to start planning for when that day arrives. One notable change driven by IPv6 will be how network and security administrators think about firewall functions and network boundaries.

For example, one of the goals of IPv6 is to have a large enough IP address space that Network Address Translation (NAT) is no longer necessary. However many security administrators view NAT as providing useful hiding of their internal IP address schemes. I predict there will be a lot of interesting discussions about how best to secure IPv6 networks as it gets more widespread and mainstream adoption.

So, why am I posting about IPv6 you ask? One of the features of Firewall Builder is that it has built-in support for creating IPv6 objects and using those objects in your rules. This helps reduce the pain of deploying and supporting IPv6 firewalls. As noted IPv6 network architect pointed out to me, using a tool like Firewall Builder where objects are used in rules instead of straight IP addresses becomes even more critical with IPv6. How many times do you have to type 2001:0db8:85a3:::8a2e:0370:7334 before you make a typo??

Right now Firewall Builder supports IPv6 rules generation for Linux ip6tables, BSD pf, Cisco router access lists and ipfw, however I expect that as we see more of our users adopting IPv6 that we will add support for other platforms like Cisco ASA and PIX firewalls in the future.

Are you already using IPv6 or starting to plan for it? Let us know in the comments how you see IPv6 affecting your firewall management plans.


Simon said...

As currently IPv4 is still fully functional I have yet to change our networks for compatibility. In our network however most of the hardware is compatible with IPv6 although it will require hard modding on 2 of them (most probably a replacement), the dd-wrt wrt54gs systems will be the easiest to maintain most probably.

erwicker said...

I totally agree with you:)

portable wireless router