Raz-Lee Supports IPv6 with IBM i Security Software
October 22, 2013 Alex Woodie
Raz-Lee Security last week announced it’s now supporting IPv6 addresses with its IBM i network security software suite. The change, which the company says involved extensive development work on three related products, should address concerns of IBM i shops that IPv6 connected devices won’t be properly interrogated by their IBM i network security software, and could create a vulnerability in the network protection scheme.
Raz-Lee can now support the 128-bit hexadecimal IP addresses that are used in the IPv6 scheme within three components of its iSecurity suite, including: Firewall, its network security and exit point monitoring solution; Audit, which is used for monitoring security and the QAUDJRN; and AP-Journal, which is used to audit database changes and protect applications.
The Israeli security company says iSecurity supports three types of IP addresses in iSecurity, including IPv6, IPv4, and IP-v4-mapped IPv6 addresses. The company says it implemented IPv6 support in the same manner as it is supported in IBM i, which has supported IPv6 since i5/OS V5R2 shipped over a decade ago. That is, “while IPv4 addresses are handled with subnet masks, IPv6 addresses are handled with a separate prefix length field,” the company says.
This gives iSecurity the capability to properly identify Internet-connected devices with IPv6 addresses, and to separate them from 32-bit IPv4 or IPv4-mapped IPv6 addresses. This is important, the company says, because without the capability to properly identify IP addresses, it raises the possibility of mistakes being made in the IBM i security layer, such as blocking authorized devices or letting unauthorized devices have access.
Raz-Lee CEO and CTO Shmuel Zailer claims Raz-Lee is the first IBM i network security software provider to support IPv6; the claim appears to be correct. While IPv6 addresses are not in widespread use at the moment–they accounted for only about 2 percent of traffic to Google in September–they are growing quickly, as the last IPv4 addressed was assigned in 2011.
Raz-Lee developers had to take several things into account when it added IPv6 support to Firewall, Audit, and AP-Journal. They had to increase field sizes, making them 40 characters wide in some cases. They also had to add new fields, for family address, IPv6, and prefix length, Zailer said. “Also, the use of a different set of APIs is required. And of course the IPv4 mapped IPv6 address set will also be supported in parallel,” he said via email.
Zailer questioned how other security software companies treat IPv6 addresses. The usual approach is to IPv6 addresses is to “strip the prefix and refer to it as IPv4. This is good but partial,” Zailer says.
Other packages take other approaches. “One competitor decided to use generic* notification for IPs so an IP range becomes 184.108.40.206*. This very strange notification does not allow the actual flexibility of subnet mask, and was found impossible to communicate with the network people who spoke a ‘different language,'” Zailer said. “A second competitor uses a range notification such as 220.127.116.11 – 18.104.22.168. This by itself is very hard to manage as some ranges can overlap other ranges, while normally using a subnet mask, an IP range cannot ‘cross the border’ of another set.”
The lack of actual IPv6 support can lead to troublesome situations, Zailer said. “In the best scenario, [it will] omit the check, and in the worst scenario, misinterpret it and use the first 32 of the 128 bits as a IPv4 address,” he said.
George Alexander, a Raz-Lee technical documentation specialist, says the way that some IBM i security software packages “tolerate” IPv6 addresses could spell real trouble. “This kind of algorithm can lead to malicious entries not being detected, or even worse, being approved,” he said via email.
Raz-Lee is hoping that IPv6 support gives it a competitive advantage. “IPv6 is the inevitable wave of the future. Big companies are either already there or seriously considering it,” Zailer said. For more information, see www.razlee.com.