IPV6 FROM PAGE 26

about, but it’s a big sigh of relief.”

Wettling said another driver for the no-Teredo approach is that Bechtel wants to build a solid and secure foundation for innovation. The company has been having extensive discussions with external customers as well as with its internal customers, such as the engineering and construction departments. The parties have found opportunities to use IPv6 to improve its work methods, Wettling said—the Katrina scenario being one example—and wants to build those applications on a firm grounding.

Granted, Wettling doesn’t have a grudge against Teredo; he uses it at home with no problem. That said, he suggests that a company take heed if it plans to use it. If running Teredo on the host layer, for example, companies need to understand the implications, he said: “One is you need to make sure you have some local firewall to do some level of local blocking, and [make sure] it uses IPv6.”

Bechtel runs Cisco PIX firewalls, which support IPv6, to protect its IPv6 network, which now runs only in the lab. At this point the company is upgrading its intrusion detection/intrusion prevention systems to make sure they have the current versions of hardware and software to support IPv6.

Also important when considering IPv6 from a security standpoint is to have logging facilities in place that can support IPv6. Bechtel, like many companies, keeps tabs on traffic flowing in and out of its network. “Being able to log IPv6 is important to us, so we’re working on making sure logging mechanisms will record v6 sessions,” Wettling said. “It’s not complete yet; that’s one of the last things we have to do to connect to the outside.”

Once the logging piece is in place, Bechtel will be able to see source and destination addresses in network traffic. The company now records what machines from which a given transaction originates, as well as what user is attached to that machine.

With IPv6’s facility for stealth, how will Bechtel replicate that tracking? Wettling said IPv6 traffic differs from VOIP traffic, which uses a call manager or the like to set up a call but handles communication directly from P2P. IPv6 will be more similar to P2P—a technology with which companies already wrestle and that doesn’t employ an external enabler.

“A lot of companies have the challenge of wrestling with, ‘What do we do with IM [instant messaging]? Treat it like e-mail as far as logging, or not?’” he said. “We’re still debating that within Bechtel.”

And after all, IPv6 and IPv4 are just protocols. At the end of the day, it’s that chunk of communication they’re transporting that matters. “That’s where people really need to focus on security stuff: Focus on protecting what needs to be protected,” Wettling said. “The transport from my standpoint doesn’t make much difference. It’s protecting the resource. V6 gives us the ability to do things differently. We need to understand what the security risks are, and balance them against what the business opportunities are.”

The ugly

Security threats are already active on IPv6:
Elite crooks have their own IRC (Internet Relay Chat) channels, FTP sites and Web sites
Many IRC bots have IPv6 patches
IPv6 has been used for communication tunneling
IPv6 can be used to hide backdoors
IPv6 can be used to bypass firewalls
Sources: IBM Internet Security Systems

IPv6 switch will be onerous

By Cameron Sturdevant, eWEEK LABS

June 2008 will be a milestone for IPv6 adoption. By that time, U.S. military and government agencies must source IPv6-capable hardware and software. For most IT managers, the switch to IPv6 will be an onerous transition involving extensive equipment, application and protocol tests.

While NAT (Network Address Translation) has staved off one of the most prominent drivers for a next-generation IP architecture—namely, too few public addresses—government adoption will almost certainly increase IPv6 use in the private sector.

Growing IPv6 adoption in the rest of the world, along with military and federal use of the technology, is setting the stage for significant changes in the way network managers operate and troubleshoot IP infrastructure.

In IPv6, routers advertise their presence using the same protocol that network nodes use to learn about neighbors. Default gateways, which were designated either explicitly in endpoint network configuration or more commonly assigned via DHCP (Dynamic Host Configuration Protocol) Version 4, are now distributed through nodes that listen on the network for address assignment and other available services.

This means many troubleshooting routines that network managers now use as second nature must be relearned in an IPv6 world.

For example, network managers accustomed under IPv4 to checking in a router’s ARP (Address Resolution Protocol) cache to learn the association of a MAC (Media Access Control) address to an IP address must, in IPv6, learn to look elsewhere, as the new protocol has dispensed with ARP, replacing it with the Neighbor Discovery protocol. On Windows machines, this means running netsh from the command line to query a neighbor machine residing on the same network to fetch this association information.
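
For the logging requirement in the Bechtel piece above (seeing real source and destination addresses when Teredo or other tunneling is in play), the following is an added example, not code from eWEEK or Bechtel. It flags tunneled IPv6 addresses in a log and recovers the IPv4 endpoints embedded in them; it goes beyond Teredo to cover 6to4 as well. The log layout, field names and sample lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log (not from the article); the key=value
# field names are hypothetical.
SAMPLE_LOG = """\
2008-01-14T09:12:03 ALLOW proto=tcp src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8:10::25 dport=443
2008-01-14T09:12:07 ALLOW proto=tcp src=2002:c000:204::1 dst=2001:db8:10::25 dport=80
2008-01-14T09:12:09 ALLOW proto=tcp src=2001:db8:20::7 dst=2001:db8:10::25 dport=25
2008-01-14T09:12:11 ALLOW proto=udp src=192.0.2.77 dst=198.51.100.3 dport=3544
"""

TEREDO_PORT = "3544"  # UDP port Teredo servers listen on (RFC 4380)
FIELD = re.compile(r"(src|dst|proto|dport)=(\S+)")


def classify(addr_text):
    """Return (kind, embedded IPv4 endpoints) for one logged address."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return "unparsed", {}
    if addr.version == 6:
        if addr.teredo:  # 2001:0000::/32 carries server and client IPv4
            server, client = addr.teredo
            return "teredo", {"server": str(server), "client": str(client)}
        if addr.sixtofour:  # 2002::/16 carries the site's IPv4 address
            return "6to4", {"site": str(addr.sixtofour)}
    return "native", {}


def review(log_text):
    """List every tunnel indicator found in the log, in line order."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        for role in ("src", "dst"):
            kind, detail = classify(fields.get(role, ""))
            if kind in ("teredo", "6to4"):
                findings.append((role, fields[role], kind, detail))
        # IPv4 traffic to the Teredo port shows a host setting up a tunnel.
        if fields.get("proto") == "udp" and fields.get("dport") == TEREDO_PORT:
            findings.append(("dst", fields.get("dst"), "teredo-server-port", {}))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The Teredo "client" value is the client's external (NAT-mapped) IPv4 address, which is what lets a reviewer tie a tunneled IPv6 session back to an IPv4 source already present in existing records.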