How a default enterprise security policy could be adapted for your organization’s particular needs.
IPV6 means more than just having a large enough pool of addresses to give every grain of sand and star in the sky a pool of unique addresses to play with. It also incorporates a lot of long-needed improvements in the IP protocol.
The switch from IPv4 to IPv6 will force many organizations to rethink the way their networks are defended. As noted in this EnterpriseNetworkingPlanet article, it is only when organizations become more open to incoming traffic that they will get the full benefits of IPv6.
Why is IPv6 Better?
So what has all this got to do with IPv6 security? It certainly raises the question of whether any form of NAPT is desirable. If you get rid of it, you have the potential benefit of end-to-end connectivity between any arbitrary device on your network and any external device — because with IPv6, remember, every device can have its own unique IP address because there are so many to go around.
And getting rid of NAPT with IPv6 doesn’t really make your network less secure by making its topology visible to attackers. That’s because default IPv6 subnets have some 2 ^ 64 addresses on them, so even at a rate of 10Mpps it would take more than 50,000 years for a hacker to complete a scan (and Nmap doesn’t even support ping sweeps on IPv6). That’s not to say that hackers won’t be able to carry out reconnaissance on your network — it just means that they’ll have to use other means, like DNS records or the examination of logs or netstat data on compromised machines, to find other machines to attack.
This article was originally published on February 25, 2011