6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

If You Build It, They Will Come... With A Little Help
By David W. Goodrum, CEH
Federal Sales Manager

NFR Security


You know you have to support IPv6… but then what? So, you’ve got an IPv6 backbone… that doesn’t do you much good until applications and hosts actually start speaking IPv6, and not just tunneling IPv4 over IPv6. But don’t worry: if you build it, they will come (to steal a line from Field of Dreams)… and with a little help they might come faster than you hoped.

Creating the field of dreams (your IPv6 backbone) will eventually entice administrators, developers, vendors and visionaries to take advantage of that field. However, there’s a little problem. What if the players aren’t ready? You probably have thousands of end users still running IPv4, and you need to know how hard it’s going to be to update them for IPv6. Or, what if there are players ready, but you don’t know about them? Heck, how do you even know when any IPv6 player actually takes to the field you’ve built for them? How do you measure the return on your investment (ROI) in this new IPv6 backbone? NFR Security is one provider helping to answer these questions and provide solutions to meet customers’ IPv6 needs today. Let’s take each question one at a time.

Identify players ready to take the field (or already on the field). There are many reasons you might want to know which users on your network are taking advantage of its IPv6 functionality. Perhaps you need to pilot an IPv6 program and are interested in feedback from users taking advantage of it. Perhaps you’d like to know what applications IPv6 end users are using that spurred them to move to IPv6 (this could be a great motivator for other users). Perhaps you’re in policy management and weren’t expecting ANY IPv6, and are wondering why these people are ahead of the curve! Would you be interested in knowing which nodes on your network are running IPv6 today and tunneling it over IPv4? Whatever the reason, with the proper systems deployed (which may actually already be deployed), gathering this type of information is easy.

Identify players who need help taking the field. Forget the players on the field… they’re working and happy and taking advantage of the results of all the hard work you’ve done to enable them. What about the rest of those benchwarmers? How do we identify them and get them out in the field? Without knowing who is still using IPv4, the transition to IPv6 could take years or decades. It is critical to be able to create reports showing you who is still using IPv4 natively. Once again, you may already have the tools deployed on your network to gather this type of information. And we’re not just talking about identifying IP addresses. These tools can also report operating system and application information. For example, Windows 2000 SP1 and above are capable of running IPv6 with very little effort. But creating a list of operating systems older than that, and associating them with IP addresses, hostnames, applications used and other information, could help to facilitate the IPv6 transformation and get these stragglers up to speed quickly.

Turn this information into an ROI study. What happens after you meet the IPv6 backbone milestones? The answers to the first two questions above may help you create a study on the return on your investment, or ROI. As an example, suppose you meet your deadlines and create your IPv6 backbone. And, in one year, you find that 30 percent of your end users are using IPv6 in one form or another, and not just IPv4 tunneled over IPv6. That shows that this wasn’t a waste of time, the transition was effective and the end result is that people are using the new technology. You could go further and gather information on what types of applications are being used, create trending charts showing the increasing usage each month of the last year and correlate them to other initiatives underway that may be affecting the transition to IPv6.
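The three questions above come down to classifying passively observed traffic per host. The Python sketch below is an added example, not NFR Security's code or part of the original article. It assumes a sensor on the same Layer 2 segment as the hosts (so a source MAC identifies a host), untagged Ethernet II frames, and constructed sample frames.

```python
import struct
from collections import defaultdict

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_41 = 41  # IPv4 protocol number for encapsulated IPv6 (6in4, 6to4, ISATAP)

def classify_frame(frame):
    """Return (source MAC, label) for an Ethernet II frame, or None if not IP."""
    if len(frame) < 14:
        return None
    mac = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = frame[14:]
    if ethertype == ETH_IPV6 and len(l3) >= 40 and l3[0] >> 4 == 6:
        # Byte 6 is Next Header; 4 means IPv4 carried inside IPv6.
        # Only the first header is checked, extension headers are not walked.
        return mac, ("ipv4-over-ipv6" if l3[6] == 4 else "native-ipv6")
    if ethertype == ETH_IPV4 and len(l3) >= 20 and l3[0] >> 4 == 4:
        # Byte 9 of the IPv4 header is the protocol field.
        return mac, ("ipv6-over-ipv4" if l3[9] == PROTO_41 else "ipv4")
    return None

def inventory(frames):
    """Map each source MAC to the set of labels seen for it."""
    seen = defaultdict(set)
    for mac, label in filter(None, map(classify_frame, frames)):
        seen[mac].add(label)
    return dict(seen)

def adoption_report(inv):
    """Hosts speaking IPv6 (native or tunneled over IPv4), IPv4-only hosts, and share."""
    v6 = sorted(h for h, l in inv.items() if l & {"native-ipv6", "ipv6-over-ipv4"})
    v4_only = sorted(h for h, l in inv.items() if l == {"ipv4"})
    pct = round(100 * len(v6) / len(inv), 1) if inv else 0.0
    return {"ipv6_hosts": v6, "ipv4_only_hosts": v4_only, "ipv6_percent": pct}

# Constructed sample data: minimal headers with zeroed checksums and addresses.
def frame(src_mac_hex, ethertype, l3):
    return bytes.fromhex("ff" * 6 + src_mac_hex) + struct.pack("!H", ethertype) + l3

def ipv4_header(proto):
    return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0]) + bytes(8)
IPV6_HEADER = bytes([0x60, 0, 0, 0, 0, 0, 59, 64]) + bytes(32)
SAMPLE_FRAMES = [
    frame("02000000000a", ETH_IPV4, ipv4_header(6)),   # dual-stack host, IPv4 side
    frame("02000000000a", ETH_IPV6, IPV6_HEADER),      # same host, native IPv6
    frame("02000000000b", ETH_IPV4, ipv4_header(41)),  # IPv6 tunneled over IPv4
    frame("02000000000c", ETH_IPV4, ipv4_header(17)),  # IPv4 only
    frame("02000000000d", ETH_IPV4, ipv4_header(6)),   # IPv4 only
]
```

Running `adoption_report(inventory(SAMPLE_FRAMES))` at intervals and storing the percentage gives the month-over-month trend the ROI paragraph describes; behind a router the source MAC is the router's, so a sensor placed there would have to key on IP addresses instead.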

So, how do you get there? The good news is that you may already be there. There’s a chance that you’ve already got the tools in place to provide you with all this information. Most organizations and agencies have Intrusion Detection Systems or Intrusion Prevention Systems deployed throughout their network. These same systems, if they’re IPv6-capable, can be used as multipurpose systems, not just security systems. Thinking “outside-the-box,” one could quite easily turn these systems into tools to facilitate and monitor the transition from IPv4 to IPv6. NFR Security is one company creating tools around its IPv6-capable IDS/IPS systems to help customers achieve their IPv6 goals. A special webcast on this topic, as well as how to dynamically scan every new IPv6 host on your network for vulnerabilities, is available at http://www.nfr.com/invite/index.htm at no cost.

One focus of the webcasts will be to teach users to think “outside-the-box” and utilize existing systems to achieve their goals, whatever those goals may be. In this article, we’ve outlined a few uses that clients have already suggested. But, the reality is that when IDS/IPS is deployed throughout a network, in true defense-in-depth fashion, those devices can be used to gather extraordinary amounts of information. In this case, that information is IPv6 oriented. You might think of another use. We invite you to share your “outside-the-box” idea with us at federal@nfr.com.