
The "Digital Pearl Harbor"

Author Topic: The "Digital Pearl Harbor"  (Read 2803 times)
birther truther tenther
« on: December 10, 2010, 12:29:48 pm »

May 18, 2007 • Volume 5 • Number 5


Digital Pearl Harbor

Will IPv6 make us more secure? Experts give their opinions.

It seems like in the past with all new technologies come new vulnerabilities, said Jim Flyzik during the Federal Executive Forum on IPv6.

“Often times new technologies hit the market and then we are catching up later trying to get the security fixes in place because the so called ‘bad guys’ out there find ways to exploit new technologies. There are some concerns today about a digital Pearl Harbor or a terrorist attack taking down networks, attacking networks.”

The question is: will IPv6 improve security? Federal Executive Forum panelists weighed in on the issue.

Command Information’s Tom Patterson put the issue in perspective this way.

“Keep in mind that the Internet we use today, and we just call it the internet. We don’t know what version number it is and no one really cares. It was designed in the ‘70s and the concept was you had to be a trusted person before you were allowed to connect at a university or a research division or something like that. The concept of the general person coming along and connecting to the internet wasn’t part of the design.”

That means all the security now in place has been “added on”. According to Patterson there actually is a really good security standard now called IPSec. The problem is not enough people use it. The banks use it for very high volume transactions; maybe the State Department will use it for a top secret cable or something. But the rank and file people, it’s not being used to protect their credit cards, to safeguard their privacy and it can be.

“So when IP version 6 came out and started to be thought of as the next generation, leave everything old still working, but let’s see what we need to fix,” explained Patterson.

“One of the first things that we fixed was let’s take whatever we know how to do really well, that is IPSec, the best security that we know how to do, make that default to the on position instead of an off position. So that someone will be able to, you don’t have to be a rocket scientist in order to use good security now.”

However that’s not the whole thing and it’s certainly no security silver bullet. “It’s also when WiFis came out. If you remember that a lot of CIOs said we don’t have a WiFi problem because we don’t allow it. And then there were all these chalk marks outside their building saying this is where you get free WiFi access; because people were just putting it in because it’s easy. That is possible now with IPv6 but you can’t just ignore it. And just outlaw it in your organization because it’s built into Apple, it’s built into Windows XP, it’s built into half the cell phones you are buying today. And some people are going to turn it on.”

So you need to be addressing the security implications. Security changes absolutely if you address it on a proactive basis, it changes for the better.

According to Commerce’s John McManus, there’s a lot of work going on looking at security in the IPv6 world. “There’s a lot of groups going on looking at security in the services that we provide today. And I think that Tom made a critical point. Those risks exist today. When you go and look at when IPv4 was designed, it has matured. Security has been bolted on to IPv4. In IPv6 we’ve had the opportunity to actually design that in.”

When you employ a new technology there usually is a period of increased risk. And that risk comes from the simple fact that no matter what testing you do in the lab, and I think we do test very thoroughly, when you hit the wild, you hit some situations that you have not tested for.

“So one of the key things that we are doing now is working together as a community, there’s a working group that’s a part of the IPv6 working group, we are doing outreach into the DOD, outreach into all the carriers and equipment providers to start testing that equipment in a live environment on test networks so that when we go live we are sure that we are achieving at least the level of security, if not better, than we have in the networks we have today.”

“I just wanted to add that when you think of security regardless of the Internet protocol, you think of confidentiality,” says Education’s Peter Tseronis. “You think of integrity and authentication. And IPv6 isn’t going to be the panacea that says I’m going to take care of your mis-configured server, your poorly designed application, your poorly protected Internet sites. You need to have the skills to implement and maintain.”

Tseronis knows that not everything will be smooth and there will be some Internet engineers and systems engineers’ folks out there who are ready now, but others who are running for the foothills saying we don’t need to go there.

“But at the end of the day, you still have to maintain your security in such a way that, whether it’s IP stack or some other method, you are still going to have to protect it. So it’s not that it’s more secure, it just isn’t going to be less secure. You still have to maintain those policies in your network.”

Security is also on the mind of Cisco’s David West.

“A move to anything new, any new capability, produces threats and risk.  But if you do proper planning, validation, testing, a phased implementation of how you are going to introduce something new, you minimize those risks,” says West.

“One of the things that we are trying to make sure occurs is that as they make this transition, and they integrate this new service, they do it well thought out. What’s more interesting I think in terms of security, is the new application services that will be enabled as a result of the protocol.”

“We’ve got now a very large address space where many devices can have addresses. That introduces a potential security risk but again with proper planning, with consideration of what needs to happen from the vendor community in testing and validation, you could minimize those risks and really start to take advantage of what the protocol offers.”

At GSA, according to Fred Schobert, “We fully realize that with IPv6 there’s a lot of promise with security but we realize there’s a lot of work that remains to be done to be able to implement it with the agencies. When we talk with the agencies about IPv6 we are talking about things like IPSec but you are also talking about encryption and if you think about it, the security standards need to be defined, they need to be precise. The information security tools that the agencies will use need to be developed and they need to be there.”

Schobert thinks they are going into network monitoring and management facility overall to monitor a network, but that FISMA guidance needs to be considered because right now we have to go through certification and accreditation and if there are any holes we won’t be able to do anything. And finally he thinks they need to take a look at what we need to do in the application area to best support the IPv6 and what applications are required.

“We do take security very, very seriously,” said Charlie Wisecarver, State Department CIO.

“I think IPv6 is going to introduce some new security concerns but ultimately we will be better off as we become smarter about this and adjust our policies and procedures. The denial of service possibilities is always a very, very serious concern for us as so much of our work is done through the internet. I think this can all be mitigated through some monitoring tools. The intrusion detection system, we haven’t heard too much about those types of tools that will help us identify those intrusion sets and how we can mitigate this quickly.”
