Things will go wrong. Be prepared: IPv6 increases complexity, which is already beyond manual control on most enterprise firewall policies. But if you plan ahead, when something does happen, you will be in a good position to troubleshoot. From a process and operations perspective, the simpler the better. Make sure changes are properly and clearly documented so that anyone can understand what the actual change was, why it was made, who made it and when.
Deploy network management tools that understand IPv6: Most organizations will be running dual IPv4 and IPv6 networks, known as dual stacks, as they transition. IPv4 and IPv6 cannot communicate with each other, so they will need to be deployed in tandem until the transition is complete. That means that for the period during which you offer both IPv4 and IPv6, you have to do everything twice, which, among other things, will significantly increase the number of firewall changes that occur in a given change window. In addition to there being more changes to deal with, IPv6 changes will be more complex.
If you have a multi-vendor, multi-type firewall environment, the business case (i.e., time and cost savings) for automating firewall management should be extremely compelling. Look for tools that will help analyze IPv6 addresses, objects, rules and ACLs across networks and security devices. Additionally, look for network management tools that can provide reverse lookup from any IPv6 address to its human-readable name. Do not be the person who gets stuck having to manually troubleshoot mistyped IPv6 addresses across multiple firewalls.
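The kind of cross-firewall check described above, as an added example that is not part of the original article: it canonicalizes IPv6 address objects so that different spellings of one address compare equal, flags entries that do not parse or that disagree between devices, and derives the `ip6.arpa` name used for reverse lookup. The firewall names, object names and addresses are constructed sample data; only Python's standard `ipaddress` module is used.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: address objects exported from three hypothetical firewalls.
SAMPLE = {
    "fw-edge": {"web01": "2001:db8:10::80", "db01": "2001:db8:20::5432"},
    "fw-core": {
        "web01": "2001:0DB8:0010:0000:0000:0000:0000:0080",  # same host, long spelling
        "db01": "2001:db8:20::5423",                         # transposed digits
    },
    "fw-dmz": {"web01": "2001:db8:10::8O"},                  # letter O instead of zero
}

def audit_objects(firewalls):
    """Return (invalid, mismatches, ptr_names) for per-firewall address objects."""
    invalid = []               # (firewall, object, raw text) that is not valid IPv6
    seen = defaultdict(dict)   # object name -> {firewall: parsed address}
    for fw, objects in firewalls.items():
        for name, raw in objects.items():
            try:
                seen[name][fw] = ipaddress.IPv6Address(raw.strip())
            except ipaddress.AddressValueError:
                invalid.append((fw, name, raw))
    mismatches, ptr_names = {}, {}
    for name, per_fw in seen.items():
        distinct = set(per_fw.values())  # compares parsed values, not spellings
        if len(distinct) > 1:
            mismatches[name] = {fw: a.compressed for fw, a in per_fw.items()}
        for addr in distinct:
            # Name to query for a PTR record when mapping the address to a host name.
            ptr_names[addr.compressed] = addr.reverse_pointer
    return invalid, mismatches, ptr_names

if __name__ == "__main__":
    invalid, mismatches, ptr_names = audit_objects(SAMPLE)
    for fw, name, raw in invalid:
        print(f"INVALID   {fw}/{name}: {raw!r}")
    for name, per_fw in mismatches.items():
        print(f"MISMATCH  {name}: {per_fw}")
    for addr, ptr in ptr_names.items():
        print(f"PTR       {addr} -> {ptr}")
```

A plain string comparison would report `web01` as different on `fw-edge` and `fw-core`; comparing parsed addresses leaves only the genuine typo in `db01` and the unparseable entry on `fw-dmz`.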
When upgrading or automating, leverage internal and external domain expertise: Chances are the external people you are working with on your IPv6 migration efforts are working with others as well. Any tips or best practices, whether specific to IPv6 migration or general to the systems or products they work with, should be welcomed to ensure that systems are optimized for future needs. The processes you automate are likely to stick for quite some time, so take the time to set things up in a way that is aligned with the strengths of the product(s) you're deploying, your standard operating procedures, and the culture of your company and team.