Firewall management, IPv6 and you
by Reuven Harrison - CTO, Tufin Technologies - Monday, 2 July 2012.
Deploy network management tools that understand IPv6: Most organizations will be running dual IPv4 and IPv6 networks, known as dual stacks, as they transition. IPv4 and IPv6 cannot communicate with each other, so they will need to be deployed in tandem until the transition is complete. That means that for the period during which you offer both IPv4 and IPv6, you have to do everything twice, which, among other things, will significantly increase the number of firewall changes that occur in a given change window. In addition to there being more changes to deal with, IPv6 changes will be more complex.

If you have a multi-vendor, multi-type firewall environment, the business case (i.e. time and cost savings) for automating firewall management should be extremely compelling. Look for tools that will help analyze IPv6 addresses, objects, rules and ACLs across networks and security devices. Additionally, look for network management tools that can provide reverse lookup from any IPv6 address to its human-readable name. Do not be the person who gets stuck having to manually troubleshoot mistyped IPv6 addresses across multiple firewalls.
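The kind of check such a tool performs can be sketched in a few lines of Python. This is an added example, not code from the article or from any product: the firewall names, rule IDs and addresses are constructed, and the rule format (one address or prefix per rule) is an assumption. It flags entries that do not parse, groups different spellings of the same address, and derives the ip6.arpa name used for a reverse (PTR) lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (firewall, rule id, source address as typed by an operator).
RULES = [
    ("fw-edge-1", "r10", "2001:db8:0:0:0:0:0:10"),
    ("fw-edge-2", "r10", "2001:DB8::10"),
    ("fw-core-1", "r22", "2001:db8::1O"),        # letter O instead of zero
    ("fw-core-1", "r23", "2001:db8::1::5"),      # two "::" groups
    ("fw-core-2", "r07", "2001:db8:aa::/48"),
    ("fw-core-2", "r08", "2001:db8:aa::1/48"),   # host bits set in a prefix
]

def audit(rules):
    """Return (invalid, spellings, ptr_names) for a list of rule tuples."""
    invalid = []                      # entries that fail to parse, with the reason
    spellings = defaultdict(set)      # canonical form -> textual forms seen
    ptr_names = {}                    # canonical host -> ip6.arpa name
    for fw, rule, text in rules:
        try:
            if "/" in text:
                # strict=True rejects prefixes that have host bits set
                canon = str(ipaddress.IPv6Network(text, strict=True))
            else:
                addr = ipaddress.IPv6Address(text)
                canon = addr.compressed
                ptr_names[canon] = addr.reverse_pointer
        except ValueError as exc:
            invalid.append((fw, rule, text, str(exc)))
            continue
        spellings[canon].add(text)
    return invalid, dict(spellings), ptr_names

if __name__ == "__main__":
    invalid, spellings, ptr_names = audit(RULES)
    for fw, rule, text, why in invalid:
        print(f"INVALID  {fw}/{rule}: {text!r} ({why})")
    for canon, forms in spellings.items():
        if len(forms) > 1:
            print(f"SAME ADDRESS, {len(forms)} spellings: {canon} <- {sorted(forms)}")
    for canon, name in ptr_names.items():
        print(f"PTR      {canon} -> {name}")
```

Comparing canonical forms rather than raw strings is what lets the same host be matched across devices that store compressed, expanded or upper-case notation.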

When upgrading or automating, leverage internal and external domain expertise: Chances are the external people you are working with on your IPv6 migration efforts are working with others as well. Any tips or best practices, whether specific to IPv6 migration or general to the systems or products they work with, should be welcomed to ensure that systems are optimized for future needs. The processes you automate are likely to stick for quite some time - take the time to set things up in a way that is aligned with the strengths of the product(s) you're deploying, your standard operating procedures and the culture of your company and team.

While it may not be of consequence to end users, IPv6 migration will be a big deal to enterprise IT, and particularly to network and network security managers. Although IPv6 has been in use for many years, it has been deployed on relatively few networks. Because people are less familiar with it, they are less likely to spot mistakes. With IPv6, security practitioners have a chance to get ahead of the game and bake best practices into IPv6 processes and operations instead of bolting them on after the fact. Lessons learned and best practices will come from trial and error, information sharing, and supporting industry initiatives. Let's not waste the opportunity to do things right.

