 Use Case: IPv6 Transition Challenges

Many federal defense, federal civilian and even some commercial organizations are in the midst of the transition from IPv4 to networks that support both IPv4 and IPv6. The US federal government has mandated that the network backbones of all federal agencies must be IPv6 "capable" by June 2008. Yet the transition to IPv6 "capable" represents great new challenges for most network operators and security teams. In fact, some agencies have delayed their migration plans due to lack of necessary IPv6 compliant security devices. Securify understands these challenges and helps deliver real-time situational awareness into both IPv4 and IPv6 network activity. The following use cases profile how Securify can best be used to match key IPv6 challenges:

IPv6 "Self-Propagating" Features Can Create Unknown Tunnels and Rogue Routing

With IPv6's self-propagating features, IPv6 communications can occur with little configuration and without intent or oversight. Automatic tunnels that bypass controls, and rogue routing, make this more likely. Network administrators must be able to detect both when tunnels are used and which actual connections, routes and destinations result.

Time and Effort Intensive Transition Management

Organizations may struggle to maintain availability of services while networks, hosts, servers and applications all migrate independently to IPv6. In addition, monitoring two parallel, interwoven networks will be a challenge for many network operations teams.

Introduction of New Security Risks

Several critical risks associated with IPv6 include:

Difficulty in Enforcing Security Policy on IPv6 Flows: Until the transition is complete, organizations should monitor and/or enforce where IPv6 is authorized to be used in the network so that it cannot be used as a covert channel for unmonitored, malicious behavior. Additionally, no IPv6 flows should be allowed across security gateways and critical network boundaries that are not capable of adequately inspecting IPv6 traffic. Securify offers a rapidly deployable, user-friendly solution to enforce security policies while availability and deployment of IPv6-capable security devices are still ramping up.

Limitations of Traditional Active Scanning: The huge and random addressing that is a core tenet of IPv6 makes traditional active scanning for discovery infeasible and makes a passive discovery approach, like the one Securify offers, essential.

Increased Misconfigurations: Experts anticipate that the transition to IPv6 as a new protocol and the related learning curve across thousands of organizations will result in untold misconfigurations. Securify has received high marks from its customers for its ability to quickly and efficiently identify misconfigurations. Customers use Securify to dramatically reduce operational time and effort, substantially reduce risks around misconfigurations and also to help avoid compliance failures.

 

How Securify Helps Overcome IPv6 Challenges

Addressing IPv6 Self Propagation

Securify's monitoring solution helps counter the side effects of IPv6 stateless autoconfiguration, which can lead to rogue or misconfigured routers attempting to establish unauthorized routes for IPv6 hosts without any IT setup. It also helps counter automatic tunnels that can hide actual IPv6 destinations. Specifically:

  • Securify detects rogue/misconfigured IPv6 routers by seeing IPv6 based router advertisements
  • Securify provides topology-based verification to ensure intended connectivity and routes traversed
  • Securify gives visibility into the ultimate destination of communication exchanges, and also the ability to write controls to prevent unauthorized communications
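
A sketch of how the passive checks listed above can work, added here as an example (it is not Securify's code): it flags ICMPv6 router advertisements from sources outside an assumed allowlist and reports the inner IPv6 endpoints of protocol-41 tunnels. The allowlist, function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

# Assumption: link-local addresses of the routers IT actually deployed.
AUTHORIZED_ROUTERS = {ipaddress.ip_address("fe80::1")}

def inspect_ipv6(pkt, outer=None):
    """Inspect an IPv6 packet; `outer` is the IPv4 (src, dst) when tunnelled."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    if outer:  # report the endpoints hidden behind the tunnel
        return ("tunnel", f"{outer[0]} -> {outer[1]} carries {src} -> {dst}")
    # Next header 58 is ICMPv6; ICMPv6 type 134 is a Router Advertisement.
    if pkt[6] == 58 and pkt[40:41] == b"\x86" and src not in AUTHORIZED_ROUTERS:
        return ("rogue-ra", f"router advertisement from unlisted {src}")
    return None

def inspect_frame(frame):
    """Classify an untagged Ethernet frame (IPv6 extension headers not walked)."""
    if len(frame) < 34:
        return None
    ethertype, ip = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == 0x86DD:
        return inspect_ipv6(ip)
    # IPv4 protocol 41 is encapsulated IPv6 (6in4, 6to4, ISATAP).
    if ethertype == 0x0800 and ip[9] == 41:
        outer = (ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20]))
        return inspect_ipv6(ip[(ip[0] & 0x0F) * 4:], outer)
    return None

def build_ipv6(src, dst, next_hdr, body=b""):
    hdr = struct.pack("!IHBB", 6 << 28, len(body), next_hdr, 255)
    return hdr + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + body

def build_eth(ethertype, payload):
    return bytes(12) + struct.pack("!H", ethertype) + payload

# Constructed sample frames (checksums left as zero; they are not validated here).
RA = bytes([134, 0, 0, 0, 64, 0, 7, 8]) + bytes(8)
GOOD_RA = build_eth(0x86DD, build_ipv6("fe80::1", "ff02::1", 58, RA))
ROGUE_RA = build_eth(0x86DD, build_ipv6("fe80::bad", "ff02::1", 58, RA))
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 41, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
TUNNEL = build_eth(0x0800, IPV4_HDR + build_ipv6("2001:db8:1::10", "2001:db8:ffff::22", 6))

if __name__ == "__main__":
    for name, frame in [("good RA", GOOD_RA), ("rogue RA", ROGUE_RA), ("6in4", TUNNEL)]:
        print(name, inspect_frame(frame))
```

Teredo and other UDP-encapsulated tunnels do not use IP protocol 41 and would need their own check.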

Streamlining the Transition to IPv6

Securify can help ensure a more efficient transition process.

In the first phase of the transition, Securify:

  • Provides the IPv6 network monitoring required
    • The majority of current technologies drop IPv6 traffic. Securify doesn't.
  • Baselines current usage of services to be migrated
  • Verifies proper application of IPv6 transition protocols

In the second phase of migrating services and applications, Securify can:

  • Generate progress reports on hosts/services migrated, IPv6 vs IPv4 traffic, usage of tunnels, etc.
  • Replace active scanning as the means to develop inventory.

Improved Security: Monitoring and Enforcing Security Policy

Securify provides discovery of all network activity whether IPv4 or IPv6 as well as real-time verification against business and security policies of what should be allowed. Specifically:

  • Securify employs native packet capture (via SPAN or tap) or flow data (e.g. Cisco NetFlow) - or both - for both IPv4 and IPv6 traffic and correlates this against login data from Microsoft Active Directory domain controllers
  • Both Securify's discovery data and Securify's controls capabilities can be based on specific user name and/or group membership, as well as protocol information, source machine logon, destination machine logon, and IPv4/IPv6 src/dst addresses.
    • For example, Securify can discover, alert on and optionally initiate an enforcement action against an unexpected IPv6 tunnel that also carries activity from a user in the "contractor" group who is not authorized to use SSH into a classified server

In turn, these capabilities dramatically reduce risks associated with IPv6, including:

  • Addressing network evasion
    • Securify identifies malicious users employing disallowed tunnels through firewalls or hiding disallowed services inside tunnels
    • Securify identifies malicious users bypassing firewalls, proxies, and security gateways
  • Identifying rogue hosts in the network
    • Securify's IPv6-capable passive discovery solution compensates for the gap in coverage related to active scanning and can replace active scanning
  • Securify can help validate that firewall policies are implemented correctly by firewall technologies
    • It is expected that firewall technologies will take a long time to become stable on IPv6

Pinpointing, Reducing Misconfigurations

Securify can help quickly pinpoint misconfigurations, including:

  • Firewall policy misconfigurations due to sheer volume of updating
  • Paths for tunneling misconfigured due to automatic tunnel configuration
  • DNS misconfiguration due to need for manual entries for long IPv6 addresses
  • Misconfigured prefixes likely due to complexity of new addressing and self propagation
  • IPSec misconfiguration due to complexity of configuration and lack of government definition for adoption

Securify has now monitored over 1400 petabytes of data in the most demanding (and attacked) environments in the world. Our ability to discover and control user access and behavior has resulted in successful deployments across the highest sensitivity networks within the Federal government. While the addition of IPv6 presents many new challenges, Securify will be one of the first security vendors to deliver an IPv6 compliant solution that will help immediately reduce and even eliminate many of the risks surrounding the migration to IPv6.

 

© 2008 Securify, Inc. All rights reserved.
Securify, SecurVantage, and the associated logos and marks are trademarks,
registered trademarks and/or intellectual property of Securify, Inc.