Firewall management, IPv6 and you
by Reuven Harrison - CTO, Tufin Technologies - Monday, 2 July 2012.
Avoid having to manually type IPv6 addresses: Writing IP addresses by hand is a highly error-prone endeavor, and 128-bit IPv6 addresses make it more so, so minimize it. If you have to write an address, write it once, assign it a human-readable name wherever possible, and use that name everywhere else (firewall rules, policies, ACLs, etc.). To minimize duplicate address definitions you need consolidated management, so that IPv6 addresses are stored in a central repository and sourced from it as needed; host naming, for example, should be consistent across firewalls and routers, even those from different vendors. For organizations running next-generation firewalls, integrate the firewalls with Active Directory to avoid having to manually enter users' addresses.

Things will go wrong. Be prepared: IPv6 adds complexity to enterprise firewall policies that, in most cases, are already beyond manual control. If you plan ahead, you will be in a good position to troubleshoot when something does happen. From a process and operations perspective, simpler is better. Make sure changes are properly and clearly documented so that anyone can understand what the actual change was, why it was made, who made it and when.

Deploy network management tools that understand IPv6: Most organizations will run IPv4 and IPv6 side by side, known as dual stack, as they transition. IPv4 and IPv6 hosts cannot talk to each other directly (only through a translation mechanism such as NAT64), so both protocols will need to be deployed in tandem until the transition is complete. That means that, for as long as you offer both IPv4 and IPv6, you have to do everything twice, which among other things significantly increases the number of firewall changes that occur in a given change window. In addition to there being more changes to deal with, the IPv6 changes will be more complex.


If you have a multi-vendor, multi-type firewall environment, the business case (i.e. time and cost savings) for automating firewall management should be extremely compelling. Look for tools that can analyze IPv6 addresses, objects, rules and ACLs across networks and security devices. Additionally, look for network management tools that can reverse-lookup any IPv6 address to its human-readable name. Do not be the person who gets stuck manually troubleshooting mistyped IPv6 addresses across multiple firewalls.
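The three points above in working form: named objects instead of hand-typed addresses, the duplicated work of dual stack, and reverse lookup across devices. This is an added example, not code from the article, from Tufin or from any vendor product; the repository, the per-device object exports, the rule names and the nftables-style rendering are all constructed for illustration, and the audit logic is the author's of this example, not a product's.

```python
"""Added example (not the article's or Tufin's code): a small IPv6-aware policy
audit built around a central, name-based address repository.

Assumptions, all constructed for this example: the repository and per-device
object tables are plain dicts, rules reference object names rather than literal
addresses, and the nftables rendering is illustrative, not a vendor format.
"""
import ipaddress
from collections import defaultdict

# Central repository: object name -> addresses (host or prefix, either family).
# db-prod is deliberately written in upper case and uncompressed; mon-v4 is
# deliberately IPv4-only so the dual-stack check has something to find.
REPOSITORY = {
    "corp-net": ["10.0.0.0/8", "2001:db8:0:100::/56"],
    "web-prod": ["192.0.2.80", "2001:db8:0:10::80"],
    "db-prod":  ["192.0.2.54", "2001:DB8:0:20:0:0:0:5432"],
    "mon-v4":   ["198.51.100.0/24"],
}

# Object tables as exported from two devices (constructed). On core-rtr-1 the
# web-prod address lost a zero: a typo that only canonical comparison catches.
DEVICE_OBJECTS = {
    "edge-fw-1":  {"web-prod": ["192.0.2.80", "2001:db8:0:10::80"],
                   "db-prod":  ["192.0.2.54", "2001:db8:0:20::5432"]},
    "core-rtr-1": {"web-prod": ["192.0.2.80", "2001:db8:0:10::8"],
                   "db-prod":  ["192.0.2.54", "2001:DB8:0:20:0:0:0:5432"]},
}

# Rules reference names only: (rule name, source, destination, proto, port, action).
RULES = [
    ("allow-web", "corp-net", "web-prod", "tcp", 443, "accept"),
    ("allow-db",  "web-prod", "db-prod",  "tcp", 5432, "accept"),
    ("allow-mon", "mon-v4",   "db-prod",  "tcp", 9100, "accept"),
]


def parse_address(text):
    """Parse a host or prefix into a network object in canonical form.
    Raises ValueError on a malformed address instead of silently storing it."""
    return ipaddress.ip_network(text.strip(), strict=False)


def canonical_set(addresses):
    """Canonical spellings of a list of addresses, so that
    '2001:DB8:0:20:0:0:0:5432' and '2001:db8:0:20::5432' compare equal."""
    return frozenset(str(parse_address(a)) for a in addresses)


def definition_drift(device_objects):
    """Names whose address set differs between devices.
    Returns {name: {sorted canonical tuple: [devices]}} for drifted names only."""
    seen = defaultdict(lambda: defaultdict(list))
    for device, objects in device_objects.items():
        for name, addrs in objects.items():
            seen[name][tuple(sorted(canonical_set(addrs)))].append(device)
    return {name: {k: sorted(v) for k, v in variants.items()}
            for name, variants in seen.items() if len(variants) > 1}


def reverse_lookup(address, repository=REPOSITORY):
    """Object names whose members contain the address, most specific first."""
    target = parse_address(address)
    hits = []
    for name, addrs in repository.items():
        for net in map(parse_address, addrs):
            if net.version == target.version and target.subnet_of(net):
                hits.append((-net.prefixlen, name))
                break
    return [name for _, name in sorted(hits)]


def dual_stack_gaps(rules, repository=REPOSITORY):
    """Rules that can only be rendered for one family because a referenced
    object has no member of the other family: (rule, object, missing version)."""
    gaps = []
    for rule_name, src, dst, *_ in rules:
        for obj in (src, dst):
            families = {parse_address(a).version for a in repository[obj]}
            for missing in (4, 6):
                if missing not in families:
                    gaps.append((rule_name, obj, missing))
    return gaps


def render_nft(rules, repository=REPOSITORY):
    """Render each rule once per family in nftables-style syntax (illustrative):
    the 'do everything twice' of dual stack is generated, not typed by hand."""
    lines = []
    for rule_name, src, dst, proto, port, action in rules:
        for version, match in ((4, "ip"), (6, "ip6")):
            s = [str(n) for n in map(parse_address, repository[src]) if n.version == version]
            d = [str(n) for n in map(parse_address, repository[dst]) if n.version == version]
            if s and d:  # skip the family for which an object has no members
                lines.append(f'{match} saddr {{ {", ".join(s)} }} {match} daddr {{ {", ".join(d)} }} '
                             f'{proto} dport {port} {action} comment "{rule_name}"')
    return lines


if __name__ == "__main__":
    for name, variants in definition_drift(DEVICE_OBJECTS).items():
        print(f"DRIFT  {name}: {variants}")
    for gap in dual_stack_gaps(RULES):
        print("GAP    rule=%s object=%s has no IPv%d member" % gap)
    print("LOOKUP 2001:db8:0:100::1 ->", reverse_lookup("2001:db8:0:100::1"))
    print("\n".join(render_nft(RULES)))
```

Run as-is it reports the mistyped web-prod object on core-rtr-1 (while the differently spelled but equivalent db-prod object is correctly left alone), flags the IPv4-only object that makes allow-mon unrenderable for IPv6, resolves an address back to its object name, and emits five rule lines for three named rules. The same structure scales to real exports: replace the constructed dicts with what your management platform or device CLI returns, and keep rules referencing names.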

When upgrading or automating, leverage internal and external domain expertise: Chances are the external people you are working with on your IPv6 migration are working with other organizations as well. Welcome any tips or best practices, whether specific to IPv6 migration or general to the systems and products they work with, so that your systems are set up for future needs. The processes you automate are likely to stick for quite some time, so take the time to set things up in a way that is aligned with the strengths of the product(s) you are deploying, your standard operating procedures, and the culture of your company and team.

Copyright 1998-2013 by Help Net Security.