IPv6 and You

Typically, we think of network IP addresses as a technical topic — not something a security director or security operations manager would be too concerned about. Not so fast…there are several reasons why the envisioned upgrade to the Internet’s main...


IPv6 is about the whole set of systems and network protocols providing systems and device communications capabilities that we need to put to use to increase security operations effectiveness and reduce operations costs — it’s not just about IP addresses.

 

Who Is Where?

Security systems need to be using a whole set of protocols that exist in both IPv4 and IPv6 networking. An example of the difference between where security technology is today, and where it should be, is a feature found in many access control systems called the “Who Is Where” report (or something similar). It can be used to help locate key employee or visitor personnel for safety or security reasons. For example, in a personal medical emergency, are CPR-trained personnel present in an area or on a floor close to where they are needed? Where are the co-workers of the injured visitor?

For this capability to actually work, dual card readers have to be installed in the areas to be covered, so that the “in” and “out” status of personnel can be accurately determined. Additionally, the company culture has to ensure that personnel actually use the card readers as intended. Except for very high security facilities, the financial and cultural costs are too high for this to be feasible.

For most companies, it is not feasible to establish a reliable presence information capability using card access alone. Today, however, computing and communications technology infrastructure exists that provides multiple points of presence information per individual, such as computers (instant messaging, e-mail, calendar info, Skype calls), desk phones, mobile phones and conference call/meeting management systems.

An IT protocol exists for interoperability around presence information — the Extensible Messaging and Presence Protocol (XMPP). The existence of this protocol highlights what the security industry typically does not do — embrace IT standards for their security operations capabilities. For the most part, the industry incumbents wait until customers and integrators are demanding compatibility or compliance, and then they provide it. Rarely is forward-thinking initiative applied to answer the question: How can we help our end-users do a better job with security given all of the new information technologies and their capabilities?

Continuing with the presence technology example, personnel with special security and safety training or roles could register multiple points of presence with a security system that would maintain an updated status available for emergency security and safety use. The standards to do this are nearly a decade old. Where are our security applications?

 

More than Half a Decade Behind

About five years ago at the Naval Postgraduate school in Monterey, Calif., Captain Adrian D. Arnold submitted a 172-page published thesis titled, “XML Tactical Chat (XTC): Extensible Messaging and Presence Protocol for Command and Control Applications,” in which he writes, “Current chat and instant messaging (IM) solutions within the DoD have created problems with information security and interoperability. Though Extensible Message and Presence Protocol (XMPP) is the only mandated chat and IM protocol in the DoD, the majority of the military still operates alternate non-standard solutions that prevent interoperability and lack appropriate security assurances.”

This is typical for the security industry, whose products minimally support key IT protocols and which often require specific network configurations that limit deployment options. Security practitioners, consultants, convergence engineers and IT personnel need to understand this situation and its impact on security technology planning.

 

Security Management Challenges

It is continually being stated that our world is changing faster and faster in ways both good and bad. This applies to the economic climate, the state of political unrest, the corporate environment and in other aspects that impact the assets we must protect, and the threats we must deal with.