How IPv6 and the Cloud Will Help Us be More Secure

Monday, October 17, 2011

Craig S Wright

8b5e0b54dfecaa052afa016cd32b9837

We are starting to move to IPv6 and the cloud. Right now, the uptake is minimal at best with very few early adopters for all of the hype. That stated, the climate is changing. Soon, IP addresses will be on everything.

Network systems work on an exponential growth curve. Things are exponentially less expensive each year and incrementally more powerful. This will drive applications and uses that people have not even thought of.

The following are ideas that have serious  serious money already behind them and are just a few years from deployment:

  • Disposable communication tablets. Basically these could be dropped in places such as Iran and allow for communications no matter what the incumbent government tries to filter. Think $1 devices.
  • Milk, Coke cans and more in supermarkets with IP addresses and RFID. Why, well first as they can integrate this with smart appliances, but more importantly, merchandising and stock control. Who needs to do stock take when the store tells you what it contains.
  • Light bulbs with web and IP addressing. Well actually these are already available.

The thing is, there are many reasons why IP addressing will be used up quickly and these are but a few.That is one reason why we will move to IPv6. Mobility and security is another.

The network catch-cry of the 21st century will be, Anytime, Anywhere.. Everything.

Done correctly, IPv6 can make for extremely secure networks. Right now, using Group Policy and a number of other tools if you have Linux or Macs, it is already possible to make a secure mobile network. It is more difficult under IPv4 due to the constraints on the protocol and the nature of DHCP (against DHCPv6)

As much as I like Linux, I will just talk on Windows for this post as it becomes far to complicated to start going into all the possibilities when Linux, Macs, Windows and other devices are involved. Microsoft have already published a number of good IPv6 implementation guides as well.

More, they have detailed processes for implementing IPv6 through group policy. In time I will expand this series of posts to incorporate Linux and other devices, but the economy of time constrains us all.

Secure Server

In the domain world, Windows allows for the simple deployment of secure server and client trust models. This can also be achieved using workgroups, but like with Linux, it is more complex.

Using Group Policy, you can set a client to only talk using encrypted sessions and only to trusted servers.

Why restrict clients this way?

In a large organisation, client peer to peer communications can be a means of malware dissemination. There is rarely any real need that cannot be achieved on the server to have clients talking to clients over the network directly. Rather, they should be controlled via a server.

What this can allow is that only authorised client hosts are allow to communicate with servers.

In an organisation, even mobile users can be forced to communicate to company servers. This is where the cloud becomes important. With disk encryption, IPv6 with IPSec enabled and the right controls, each and every host is firewalled.

image

A mobile user (A) can be restricted to communications with only allowed systems (such as a home office (D), and the corporate servers (D).

All attempts to connect to the system with an untrusted host will be dropped as the host attempting this will not (we are assuming that keys have not been compromised here) be allowed to communicate through policy and host firewall rules. As stated, this is simple using Group Policy.

Here, the client host can be restricted to connecting to the organisational proxy server and no more.

Using DaaS (Desktop as a Service) with mobile tablet makes this even more secure if done correctly. The desktop can be configured to be accessed only from selected tablets with a key and at best, the loss of a tablet will provide only a key to the remote desktop which still needs to be authenticated to.

This restricts local access to the host as the “desktop”is stored in a data centre. The user cannot use local escalation attacks based on physical access to the system as they are never actually on the system.

More, if the user loses a tablet or other device, they are not actually connected to the system and files and the loss of the tablet will not lead to a loss of data (if configured correctly).

As the desktop is configured to only talk to the tablet and the organisational servers and all communications are encrypted, the location of the user does not actually matter and they can be truly mobile (as IPv6 allows). More, this allows the organisation to control access to the Internet through organisational proxy and email servers.

As strange as it may seem, a well defined and deployed cloud and IPv6 system can actually be far more secure than the traditional crunchy shell firewall model.

In coming posts, I will provide detailed instructions how this can be achieved.

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, a Masters Degree in mathematical statistics from Newcastle as well as working on his 4th IT focused Masters degree (Masters in System Development) from Charles Sturt University where he lectures subjects in a Masters degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

Possibly Related Articles:
14636
Network->General
Information Security
Cloud Computing Network Security IP Address Servers IPv6 IPv4 DHCP
Post Rating I Like this!
4349e27c2e58c3bbc0c91ac64210093e
Jeff Hall Obviously you have no concerns about abuse. Do you really want people tracked by their Coke can? Will you have to make sure you "opt out" before you buy it? Yes, our new technological capabilities are very interesting, but they also create some very interesting privacy issues that should be addressed before we roll out the technology.
1319380519
8b5e0b54dfecaa052afa016cd32b9837
Craig S Wright @Jeff These are no my projects. They will occur. You can either work security into the future or ignore it and then try and tack it on later.

Yes, these issues should be addressed, but to do this, you first need to know that this is coming.
1319394418
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.