NetScreen puts IPv6 in firewall beta

Makers of network security gear are lining up to help enterprises and service providers implement IPv6 (Internet Protocol version 6), the next-generation network layer protocol for the Internet that offers a vastly larger number of host addresses.

NetScreen Technologies, a maker of network security appliances in Sunnyvale, Calif., on Monday made available to existing customers a beta version of firewall and VPN (virtual private network) software that supports IPv6. The release comes less than a month after Cisco Systems, the dominant maker of Internet routers and a major vendor of firewalls itself, laid out plans to add stateful packet filtering of IPv6 to its software and hardware firewall products in the first half of next year. Check Point Software Technologies last October introduced IPv6 support for its software with the release of Check Point VPN-1/FireWall-1 Next Generation, Feature Pack 3, according to a company representative.

The beta release of ScreenOS, the software for NetScreen's integrated firewall and VPN platforms, can automatically detect and secure traffic that uses either IPv6 or IPv4, the current version of IP. The beta release is free.

IPv6 is not yet necessary for networks in North America, where IP addresses are relatively plentiful, but is likely to be needed soon in some Asian countries and for advanced applications such as mobile data services and voice over IP, according to Dave Kosiur, an analyst at The Burton Group in Midvale, Utah.

A number of network routers from Cisco and other vendors are capable of handling traffic with IPv6 addresses, but the story doesn't necessarily end there for network administrators, Kosiur and others said.

"You don't need to have a firewall that routes IPv6 in order to run IPv6. However, the way networks are run today, it's out of the question to do it without security," said Alan Bavosa, a NetScreen product manager.

Some enterprises and service providers that last year were starting to use IPv6 were concerned that few security tools, including firewalls, were available for it. Another concern was that because IPv6 would allow each system to have a unique IP address, a hacker might be able to target a specific system in an enterprise for attack.

The new ScreenOS release provides encryption and firewall capabilities, as well as protection against denial of service attacks, for IPv6 traffic. It can encapsulate IPv6 traffic in IPv4, allowing enterprises or service providers to operate an IPv6 network across a backbone that hasn't been configured to handle the new kinds of packets, Bavosa said.

Organizations or carriers that haven't deployed IPv6 generally don't have to worry about IPv6 attacks because their firewalls and routers can't route the harmful packets, Kosiur and Bavosa said. However, if they want to start trying it out they'll demand some security mechanisms, experts said.

"If someone is dependent on firewalls now, then they will want a firewall when they move to IPv6," said John Klensin, chairman of the Internet Engineering Task Force's Internet Architecture Board.