This summer, I saw the new animated movie, “Spider-Man: Across the Spider-Verse,” and it got me thinking about multiverse theory and how IPv4, IPv6, and even out-of-band networks for telemetry are akin to having a set of universes that comprise your network. These different dimensions exist whether you realize they are there and interact with them or not. But understanding that there may be another plane of existence that attackers are targeting you from is key in defending your enterprise.
IPv6 adoption and abuse on the rise
IPv6 has been talked about for 20 years, but you still may not have planned for it as part of your network management strategy, and attackers are catching on. The share of IPv6 addresses reported by the CrowdSec network that were related to malicious activity has doubled over the last eight months, jumping from 10% to 20%. This happens to coincide with steady growth in IPv6 adoption and current usage, which Google reports is at approximately 40%.
Like in a multiverse, threat actors are increasingly acting on this IPv6 plane, and you have no visibility into it unless you enter that plane and begin to observe. It's essential that you begin to explore and extend your management capability to cover not only IPv4 but also IPv6 and additional planes.
Real vulnerabilities and threats
Many versions of Linux and Windows now prefer IPv6. Beyond that, embedded versions of Linux are common in IoT devices, and these devices have proliferated across environments. If you are not engaged with that plane when these IoT devices reach out to your network requesting an IPv6 address, you may not even know. It's not unusual for organizations to have a considerable number of these rogue devices that are generally unmanaged, which creates risk within the organization.
IoT devices also tend not to be updated because either they are not patchable or the patch is questionable. Threat actors have the opportunity and ability to spoof IPv6 addresses and intercept those devices, rerouting traffic as they see fit. Clearly, you can’t trust the devices in your organization, so you need to ensure that you have consistent DHCP and DNS control across your entire IPv6 network.
Getting started
Many organizations have tried to avoid IPv6 as long as possible – it's a big, steep learning curve for network engineers. Instead, they rely on network address translation (NAT). Unfortunately, NAT becomes cumbersome in environments where you need wide-scale reachability, like in an MSP environment, some other management domain, or in a carrier-grade network.
As IPv6 usage continues its inevitable rise, now’s the time to admit you have or soon will have some IPv6 on the network and to engage with the IPv6 plane to incorporate it into your management strategy.
Recommendations for moving to IPv6
Start with establishing a standard IPv6 DNS, which will help you corral the traffic. Then, deploy an automation platform that fully supports IPv6 in your management network that you'll use for monitoring, observability, and configuration management or automation. These two steps ensure that routing through IPv6 is happening properly on all your Linux and Windows devices and routers at the network level.
With a network automation platform in place, you now have the tools to address common and important use cases, including:
- Access auditing: Check to see where you have IPv6 enabled and validate that the DNS and DHCP settings for IPv6 are consistent across the organization to mitigate the risk of a DNS spoofing attack.
- Asset inventory: Find and discover IPv6-enabled devices in your environment. Identify security risks, automate remediation, and maintain an accurate device details inventory to ensure compliance.
- Security rule administration: Simplify administration of IPv6 firewall rules and access control lists by automatically checking devices against critical parameters and remediating drift, bringing settings back to the standard so that consistent security hygiene is maintained.
- OS upgrades: It’s critical that your devices are upgraded to support the most secure, relevant version of IPv6 for your environment. Pre- and post-checks with automated reporting ensure devices that are out of sync with the latest version are updated successfully.
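The access-auditing, asset-inventory and OS-upgrade checks above can be expressed as a small drift audit over an inventory export. The following Python script is an added example, not code from the article or from BackBox: it assumes an exported list of device records (name, managed flag, interface addresses, configured resolvers, DHCPv6 mode, OS version) and a baseline the organization has standardized on. The baseline values, the device records and the finding names are all constructed for illustration.

```python
"""Audit constructed device records for IPv6 configuration drift.

Added example; the baseline, inventory and finding names are assumptions,
not values from any real organization.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Organizational baseline (constructed). Resolver addresses are compared after
# normalization so "2001:0db8:53::2" and "2001:db8:53::2" count as the same server.
BASELINE_DNS = {"2001:db8:53::1", "2001:db8:53::2"}
BASELINE_DHCPV6 = "stateful"     # addresses issued by DHCPv6, not SLAAC alone
BASELINE_MIN_OS = (4, 1)         # oldest OS release still considered acceptable
ULA_NET = ipaddress.IPv6Network("fc00::/7")


@dataclass
class Device:
    name: str
    managed: bool            # tracked by configuration management?
    addresses: List[str]     # IPv6 literals seen on interfaces, optional /prefix
    dns_servers: List[str]   # resolvers configured on the device
    dhcpv6_mode: str         # "stateful", "stateless" or "slaac-only"
    os_version: tuple


def classify(addr: str) -> str:
    """Return 'link-local', 'ula', 'global' or 'invalid' for an IPv6 literal."""
    try:
        ip = ipaddress.IPv6Interface(addr).ip   # accepts "2001:db8::1" or "2001:db8::1/64"
    except ValueError:
        return "invalid"
    if ip.is_link_local:
        return "link-local"
    if ip in ULA_NET:                            # explicit fc00::/7 check; is_private
        return "ula"                             # would also match 2001:db8::/32
    return "global"


def normalize(addr: str) -> str:
    """Compress an IPv6 literal for comparison; leave unparsable text as-is."""
    try:
        return str(ipaddress.IPv6Address(addr))
    except ValueError:
        return addr


def audit_device(dev: Device) -> List[str]:
    """Return the list of findings for one device, in a fixed order."""
    findings = []
    kinds = {a: classify(a) for a in dev.addresses}
    for addr, kind in kinds.items():
        if kind == "invalid":
            findings.append(f"invalid-address:{addr}")
    # A host with no IPv6 presence is not on the IPv6 plane; skip the IPv6 checks.
    if not any(kind != "invalid" for kind in kinds.values()):
        return findings
    if not dev.managed:
        findings.append("unmanaged-ipv6-host")
    if {normalize(s) for s in dev.dns_servers} != BASELINE_DNS:
        findings.append("dns-drift")             # extra or missing resolver
    if dev.dhcpv6_mode != BASELINE_DHCPV6:
        findings.append("dhcpv6-drift")
    if dev.os_version < BASELINE_MIN_OS:
        findings.append("os-outdated")
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    return {dev.name: audit_device(dev) for dev in devices}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count findings by type, dropping the per-address detail suffix."""
    counts: Dict[str, int] = {}
    for findings in report.values():
        for f in findings:
            key = f.split(":", 1)[0]
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed inventory export: one compliant router, one switch with a rogue
# resolver and a malformed entry, two unmanaged IoT hosts, one IPv4-only server.
INVENTORY = [
    Device("core-rtr-1", True, ["fe80::1", "2001:db8:10::1/64"],
           ["2001:db8:53::1", "2001:0db8:53::2"], "stateful", (4, 2)),
    Device("branch-sw-7", True, ["fe80::7", "2001:db8:20::7", "2001:db8:20::zz"],
           ["2001:db8:53::1", "2001:db8:bad::53"], "stateful", (4, 1)),
    Device("hvac-ctl-3", False, ["fe80::3", "2001:db8:30:0:aaaa:bbbb:cccc:3"],
           ["2001:db8:53::1", "2001:db8:53::2"], "slaac-only", (1, 0)),
    Device("legacy-srv-9", True, [], [], "slaac-only", (2, 0)),
    Device("cam-12", False, ["fe80::12", "fd00:1::12"],
           ["2001:db8:53::1", "2001:db8:53::2"], "stateless", (3, 0)),
]

if __name__ == "__main__":
    report = audit_inventory(INVENTORY)
    for name, findings in report.items():
        print(f"{name:14} {', '.join(findings) or 'ok'}")
    print(summarize(report))
```

The checks are deliberately independent so each finding maps to one of the use cases: `dns-drift` to access auditing, `unmanaged-ipv6-host` to asset inventory, and `os-outdated` to the upgrade pre-check. Hosts with no IPv6 address are skipped rather than flagged, since a host that is not on the IPv6 plane cannot be in drift on it.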
Beyond what you are likely observing today as part of your universe, IPv6 exists, and the time has come to include it as part of your network management strategy, especially as it relates to network configuration management and managing vulnerabilities on network and IoT devices. The most efficient and effective way to protect your organization from the rise in malicious activity targeting your organization from other planes is to have an automation platform that natively supports multiple dimensions at once. This includes your old-school IPv4 dimension, your next-gen IPv6 dimension, and any other planes that may come about, like an out-of-band network for telemetry.
And one last recommendation: If you haven’t had a chance to see the latest Spider-Man movie, I encourage you to check it out!
Josh Stephens is the CTO of BackBox.