This is the last part in the series. In this article I will be focusing on how to micro segment networks utilizing IPv6. For many years we have used segmentation as a way of controlling both access and traffic types, as well as to mitigate risks to systems running on outdated software of operating systems.
Introduction to micro segmentation
- Early network segmentation: Network segmentation has been used for decades as a way to divide a network into smaller subnetworks or segments. The goal was primarily to improve performance, manage network traffic, and enhance network management. However, early network segmentation was primarily based on physical or logical boundaries and did not focus on security.
- Rise of cyber threats: With the rise of sophisticated cyber threats, such as advanced persistent threats (APTs) and insider attacks, traditional security measures like firewalls and intrusion detection systems (IDS) became insufficient. Attackers found ways to move laterally within networks, exploiting vulnerabilities and gaining access to sensitive data.
- Introduction of micro segmentation: Micro segmentation as a concept started gaining prominence around the early to mid-2010s as a response to the shortcomings of traditional network security approaches. The idea was to create small, isolated segments within a network and implement fine-grained security controls for each segment.
- Software-Defined Networking: Micro segmentation received a significant boost with the emergence of Software-Defined Networking (SDN). SDN decoupled network control from the physical infrastructure, enabling dynamic and programmable network management. SDN allowed for granular control over network traffic flows, making it easier to implement micro segmentation.
- Virtualization and cloud computing: The adoption of virtualization and cloud computing further fueled the need for micro segmentation. As organizations embraced virtual machines (VMs) and cloud infrastructure, the traditional perimeter-based security model became less effective. Micro segmentation provided a way to secure inter-VM communication and control lateral movement within virtualized environments.
- Advancements in security technologies: The development of advanced security technologies, such as next-generation firewalls (NGFWs), intrusion prevention systems (IPS), and network access control (NAC), complemented micro segmentation efforts. These technologies offered better visibility, threat detection, and policy enforcement within each microsegment.
- Zero Trust Security: The Zero Trust security model, which assumes that no user or device can be inherently trusted, gained traction in the early 2010s. Micro segmentation aligns well with the principles of zero trust by enforcing strict access controls and segmentation at the network level, limiting the attack surface.
- Continued evolution: Micro segmentation continues to evolve with the changing threat landscape and technology advancements. Today, it often incorporates elements of network virtualization, containerization, and cloud-native architectures. Additionally, the integration of machine learning and artificial intelligence into micro segmentation solutions enables more intelligent and adaptive security controls.
Micro segmentation has evolved from a concept to a critical security practice in response to the growing complexity of cyber threats and the need for robust network security. It has become an integral part of modern security architectures, helping organizations achieve stronger security postures and reduce the impact of potential breaches. Now, how do we apply micro segmentation in an IPv6 infrastructure?
Challenges to micro segmentation
While micro segmentation can be applied to both IPv4 and IPv6 networks, there are certain challenges and considerations specific to IPv6 micro segmentation. Here are a few challenges and potential solutions related to implementing micro segmentation in an IPv6 environment:
- Address space: IPv6 provides a significantly larger address space compared to IPv4, which can make addressing and segmentation more complex. However, the abundance of IPv6 addresses also allows for more flexibility in defining network segments and assigning unique addresses to each segment.
- Network infrastructure support: Not all network infrastructure devices, such as routers and switches, can fully support IPv6 and the necessary features for micro segmentation. It is crucial to ensure that the network devices in use are IPv6-capable and compatible with the desired micro segmentation solution.
- Addressing scheme: With IPv6, the use of subnetting and addressing schemes may differ from IPv4. Subnetting in IPv6 often involves using a hierarchical addressing plan, which can influence the design and implementation of micro segmentation. It is important to carefully plan the addressing scheme to ensure efficient segment creation and management.
- Address autoconfiguration: IPv6 supports address autoconfiguration through features like Stateless Address Autoconfiguration (SLAAC) and Dynamic Host Configuration Protocol version 6 (DHCPv6). Micro segmentation strategies need to consider how address assignment and autoconfiguration will be managed within each segment to maintain security and avoid unauthorized access.
- Security policies and ACLs: IPv6 introduces new header fields and extension headers that may require adjustments in security policies and access control lists (ACLs) used for micro segmentation. These policies need to account for the unique characteristics of IPv6 traffic and ensure the appropriate filtering and control of traffic between segments.
- IPv6 transition technologies: During the transition from IPv4 to IPv6, organizations may implement various transition technologies, such as dual-stack networks, tunneling mechanisms (e.g., 6to4, Teredo), or network address translation (NAT64). These technologies may introduce additional complexities in terms of micro segmentation, as they affect how traffic is routed and managed.
- Monitoring and visibility: IPv6 micro segmentation requires adequate monitoring and visibility solutions that can handle IPv6 traffic flows and provide insights into network behavior and security incidents. Organizations need to ensure that their monitoring tools and techniques are IPv6-capable to effectively monitor and manage segmented IPv6 networks.
It is important to note that the specific challenges and solutions for IPv6 micro segmentation may vary based on the organization’s network infrastructure, security requirements, and deployment scenario. It is advisable to consult with network and security professionals who have expertise in IPv6 and micro segmentation to design and implement an effective solution tailored to the organization’s needs.
If you are anything like me, having cut your teeth on designing and implementing IPv4 networks, then an additional challenge will be the waste of address space when we are using IPv6 for micro segmentation. In IPv4 wasting addresses was an anathema to a network designer, but remember, with IPv6 we have 340 trillion trillion trillion addresses available. Wasting a few addresses will not pose a challenge this side of the next century.
How to micro segment IPv6
Now the rubber meets the road. Fortunately, the skills you have on segmenting an IPv4 network can be applied to an IPv6 network as well. So, here goes:
- Plan and define segments: Start by identifying the different segments or zones within your network that require isolation or specific security policies. This could include segments for different departments, critical systems, guest networks, IoT devices, or any other logical grouping. Clearly define the purpose and security requirements for each segment.
- Design the addressing scheme for the purpose, LAN, WAN or datacenter: Determine the IPv6 addressing scheme for each segment. Decide whether you will use a flat addressing scheme or a hierarchical addressing plan. For hierarchical addressing, you can assign a unique subnet prefix to each segment to achieve clear separation. Consider using a subnetting strategy that allows room for growth and easy management.
- Configure routing and VLANs: Configure the routers and switches in your network to support IPv6 routing and VLANs. Ensure that your network devices are IPv6-capable and have the necessary features enabled. Set up VLANs to segregate the traffic between the segments, creating virtual networks for each segment.
- Enable IPv6 security features (remember the previous article in this series!). Many of the security features in IPv6 depend on other features in the protocol stack: IPv6 introduces security features like IPv6 Access Control Lists and IPv6 Firewalls. Enable these features on your network devices to control the traffic between the segments. Configure the appropriate rules to allow or deny traffic based on the security policies defined for each segment.
- Implement VLAN tagging: Assign VLAN tags to the appropriate ports on your switches to associate them with the respective segments. This helps ensure that traffic is correctly directed to the appropriate VLAN and prevents unauthorized access across segments.
- Configure DHCPv6 or SLAAC: Determine the method for IPv6 address assignment within each segment. You can use Stateless Address Autoconfiguration or Dynamic Host Configuration Protocol version 6 (DHCPv6) to assign addresses. Configure the appropriate DHCPv6 or SLAAC settings on your network devices based on your addressing scheme and segment requirements.
- Implement micro segmentation policies: Define micro segmentation policies that specify which traffic is allowed or denied between segments. This includes creating rules in your ACLs or firewalls to enforce these policies. Consider factors like source/destination IP addresses, ports, protocols, and application-specific requirements when defining these policies.
- Monitor and maintain: Implement network monitoring and logging tools to monitor the traffic between segments and detect any potential security incidents or anomalies. Regularly review and update your micro segmentation policies to align with changing requirements and to address any emerging threats.
- Test and validate: Conduct thorough testing to ensure that the micro segmentation implementation is functioning as intended. Verify that traffic is correctly isolated between segments and that security policies are enforced. Conduct vulnerability assessments and penetration tests to identify any potential weaknesses.
- Documentation, documentation, documentation: I cannot tell you how many times I have lost my way in an undocumented network. Document the micro segmentation design, including addressing schemes, VLAN configurations, security policies, and any other relevant information. This documentation will serve as a reference for future maintenance, troubleshooting, and updates.
Remember, micro segmentation is an ongoing process that must receive periodic reviews and adjustment as network requirements evolve. Regularly assess the effectiveness of your micro segmentation strategy and make updates to address any emerging threats or changes in the network environment.
This series was an introduction to IPv6, the security features and how-to use IPv6 in a micro segmentation project. IPv6 is still not implemented in any big way outside of the big Internet Service Providers, but make no mistake: We have run out of IPv4 addresses. The only way forward for all of us is to begin looking into IPv6 and make plans for implementing it in our own infrastructures.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.