Securing a Dual Stack enterprise network using a Next-Generation Firewall

Most general-purpose operating systems implement and enable native IPv4 and IPv6 support and implement a number of transition/coexistence technologies by default. The deployment of native IPv6 networks is constantly growing, and is already present in almost all our networks. Sometimes it is "official" IPv6 traffic, often it is just link-local traffic, or global-scope traffic going through tunnels unknown to the network administrators. It is very important to prevent security exposure in enterprise networks resulting from unplanned use of IPv6. Whatever the reason of the presence of IPv6 in an enterprise network, the time when network administrators just needed to control IPv4 is over. Many communication protocols operating over the modern Internet use hostnames. Hostnames often resolve to multiple IPv4 and IPv6 addresses, so in a Dual Stack portion of the Internet, a communication between two nodes may be established either in IPv4 or in IPv6. For example, a Dual Stack client may establish an http session to a WEB server using either IPv4 or IPv6. It is therefore essential to apply a consistent security policy on both bi-directional IPv4 and IPv6 traffic independently of which protocol is being used. In this Technical Report, our main objective is to demonstrate how to plan and enforce a consistent security policy for a Dual Stack enterprise network by applying the same controls on bi-directional legitimate IPv4 and IPv6 sessions by using a Next-Generation Firewall.