Yesterday evening, just as I was leaving the office, one of my colleagues in WinServer shot me an email about an interesting blog posting by one of our security MVPs on the subject of IPv6 and network security:
First off, I’m psyched that more and more folks are writing about IPv6. Even though it appears far off for many, non-US federal agencies, IPv6 will help usher in the next “connected” evolution, and move us even closer to realizing the vision of a secure, seamless access experience.
As Alessandro helps illustrate in his post; with any new and emerging IT technology, we always need to evaluate its potential impact to our current security posture, define a risk management strategy and implement the appropriate security controls to enforce this strategy.
IPv6 is no exception to this best practice. Even if the “underground” appears to already be publishing attack tools and few “IPv6 ready” options appear to exist in the security controls space. I firmly believe that’s about change, and the next releases of Windows (Windows Vista and Windows Server “Longhorn”) will be at the center of it.
As I’ve blogged before (see my IPv6 archive and a post to the Windows Server Division blog) the support for IPv6 in the next wave of Windows is extensive and complete. All platform components, in both client and server, will be IPv6 ready and willing! This includes the newly updated Windows Firewall, which is now integrated with IPsec.
This is possible, in part, thanks to two major Windows innovations:
The new “Next Generation TCP/IP” stack, featuring is dual IP layer architecture, and
The Windows Filtering Platform or WFP on which the Windows Firewall is built on…just like 3rd host security tools can!
The net/net: security features like IPsec and Firewalling will provide the same experience on IPv6 as they will on IPv4. With a solid, IPv6 ready enterprise platform (Windows Vista and Windows Server “Longhorn”) shipping in the near future, third parties will have a base to build IPv6 ready and able security controls.
Now, here’s my shameless plug: check out this article I wrote about planning a more secure transition to IPv6 using technologies (like IPsec) that are available today on Windows and will benefit IPv4 too:
There are a lot of things that “go boo at night” on the Internet, and IPv6 will not necessarily make that any better or worse. Instead, applying the experiences and network security best practices compiled over the last few decades will enable you to embrace the benefits of IPv6 while mitigating the risks that could be targeted at your networks, data and users.
Time to go home, before someone sends me something else to blog about <grin>.