Network Computingwww.networkcomputing.com

Shadow Networks an Unintended IPv6 Side Effect

Posted by Robert Mullins
April 05, 2012

As adoption of the IPv6 Internet protocol continues to gain traction, some network security monitoring businesses and industry analysts are starting to see a troubling phenomenon they call "shadow networks."

On a shadow network, data flows through new IPv6-enabled connections and onto the existing IPv4 network--but the IPv4 security in place is unable to identify that IPv6 traffic. All sorts of security perils can arise, as a result. Even though they're currently only theoretical, security experts worry it may not be long before hackers and the like figure out how to use shadow networks for nefarious purposes

Blue Coat Systems, in introducing its PacketShaper 9 network monitoring device this week, says that on shadow networks, employees can engage in prohibited file-sharing or view pornography, both of which carry network security risks. Also, cybercriminals can use these shadow networks to distribute malware.

Shadow networks are popping up as more IPv6 connectivity is appearing on networks where it’s not yet formally supported by IT organizations, Blue Coat says. They can also appear on networks in which the enterprise has just upgraded to Microsoft Windows 7 from XP because 7 is automatically IPv6-enabled. PacketShaper 9, however, adds support for IPv6 to monitor and screen that traffic.

But the vulnerability remains for those who haven’t addressed this problem. Or more specifically, address this potential problem. Blue Coat says it knows of no attacks made on IPv6 shadow networks. But Bob Laliberte, senior analyst at Enterprise Strategies Group, thinks it may be just a matter of time.

“I haven’t heard of any malicious attack in the IPv6 [realm] yet, but the key word there is ‘yet,’” he says. “I'm not saying that to be a pessimist, and I hope that it doesn’t happen, but it just seems inevitable when one of these opportunities that could be exploited exist, the hackers tend to find it and can get in there.”

Network administrators need to think through the deployment of more IPv6 equipment, Laliberte says, because if they do that and aren’t firewalling the ports through which they connect, they could have a potential shadow network issue.

Elsewhere in the WAN optimization market the people at Narus are aware of the IPv6 shadow network issue, but say it’s nothing new.

“The term shadow networks is relatively new, but previously it was just called covert channels,” says Travis Dawson, director of product management for Narus. “This is just another tunnel, and we detunnel it and look inside of it just like any other standard tunnel.”

Related Reading