Department of Defense
High Performance Computing Modernization Program

Introduction

This article focuses on procedures and practices to detect, prevent, and monitor attempts to use networks or Internet of Things (IoT) devices (also called smart things or smart objects) connected to networks in unauthorized ways. These procedures and practices are recommended for two audiences:

  1. IPv6 network security personnel, and
  2. Organizations and individuals deploying and subsequently operating IoT devices.

The focus of this article differs from the focus of the Network Management Recommendations article in the Network Management section. That article focuses on procedures and practices recommended for use by IPv6 network administrators and managers.

Network security and deploying and subsequently operating IoT devices have been the subject of numerous Internet Engineering Task Force (IETF) Request For Comments (RFC) documents, including:

  • RFC 4057 IPv6 Enterprise Network Scenarios,
  • RFC 4301 Security Architecture for the Internet Protocol,
  • RFC 4942 IPv6 Transition/Coexistence Security Considerations,
  • RFC 6418 Multiple Interfaces and Provisioning Domains Problem Statement,
  • RFC 7368 IPv6 Home Networking Architecture Principles,
  • RFC 7381 Enterprise IPv6 Deployment Guidelines, 
  • RFC 7452 Architectural Considerations in Smart Object Networking,
  • RFC 7548 Management of Networks with Constrained Devices,
  • RFC 7556 Multiple Provisioning Domain Architecture,
  • RFC 8576 Internet of Things (IoT) Security: State of the Art and Challenges,
  • RFC 8043 Source-Address-Dependent Routing and Source Address Selection for IPv6 Hosts,
  • IETF draft document Recommendations on the Filtering of IPv6 Extension Headers at Transit Borders,
  • RFC 8801 Discovering Provisioning Domain Names and Data,
  • RFC 9006 TCP Usage Guidance in the Internet of Things (IoT),
  • RFC 9019 A Firmware Update Architecture for Internet of Things,
  • RFC 9124 A Manifest Information Model for Firmware Updates to Internet of Things (IoT) devices, and
  • RFC 9099 Operational Security Considerations for IPv6 Networks (which complements RFC 4942).

In addition to the topics of networks supporting IPv6 networking and IoT devices, this article provides a comprehensive overview of best practices to establish and maintain security for other risk management areas of information technology (IT). For more in-depth information on IPv6 security, several books are listed in part 3 of the IPv6 Training Information file referenced in the IPv6 Training and Learning article in the Deployment section.

1. IPv6 Security Best Practices

There are no easy or quick solutions when changing the security infrastructure of any network that currently supports Internet Protocol version 4 (IPv4)-only to either supporting dual-stack (IPv4 and IPv6 are both supported) or IPv6-only.

Specific examples, general recommendations, and limited product information to deploy IPv6 in an existing network or to transition to an IPv6-only network are provided by the following articles, reports, papers, tutorials, presentations and websites:

  1. SP800-119 Guidelines for the Secure Deployment of IPv6, published by National Institute for Standards and Technology (NIST)
  2. ERNW Security and Privacy for Multi-Prefix and Provisioning Domains in IPv6 presentation and video
  3. IPv6 Vulnerability Scanning and Penetration Testing article in the Security section
  4. Presentations given annually at various conferences by Cisco Systems, Inc. (for example: APNIC, Apricot, and Cisco Live 365), entitled “IPv6 Security Threats and Mitigations”. (Search the web for Cisco and the title, including the quote marks.)
  5. Canadian Internet Registration Authority (CIRA) internal IPv6 Policy document
  6. Infoblox Best Practices for IPv6 Security webinar
  7. Although written for the home and small office network, the recommendations described in the Security section of the Deploying IPv6 in the Home and Small Office/Home Office article in the Deployment section also apply when administering user systems in the workplace
  8. IPv6 Deployments, a presentation to the Réseaux IP Européens Network (RIPE)
  9. Federal IPv6 Interagency Working Group presentation, 2013, provides suggestions for mitigating IPv6 security issues.
  10. IPv6 Security Best Practices by Cisco Systems, Inc., 2013
  11. Monolith Software blog entry, 2013, provides some best practice tips for monitoring any network
  12. Grand European Academic NeTwork (Géant) project documented many Network Monitoring recommendations. An example is this Practical IPv6 Monitoring on Campus Best Practice document, 2013, describing a way to monitor a dual-stack network using a combination of SNMP and Netflow
  13. IPv6 Security (2008), IPv6 Security, 2011, and IPv6 Attacks and Countermeasures, 2013, presentations from the Rocky Mountain IPv6 Task Force (RMv6TF).
  14. Master Thesis: IPv6 Security Test Laboratory, 2013, Johannes Weber (see “Countermeasures & Firewall’s Best Practices” sections)
  15. SearchNetworkingTechTarget.com articles describe mitigations for and ways to avoid Neighbor Discovery Protocol Attacks, 2015:
    1. How to avoid IPv6 neighbor discovery threats
    2. How to protect your IPv6 address management
    3. Mitigating IPv6 neighbor discovery attacks
    4. IPv6 attack attempts and how to mitigate them
  16. A collection of guides, best practices, checklists, benchmarks, tools, and other resources describing the steps to harden numerous commercial and open source operating systems against a wide variety of attacks is available on this GitHub project webpage.

The following are older but still useful reports and papers:

  1. An IPv6 Security Guide for U.S. Government Agencies, published by Juniper Networks, Inc.
  2. IPv6 and IPv4 Threat Comparison and Best Practice paper from Cisco Systems, Inc.
  3. Secure IPv6 Operation: Lessons learned from 6NET report from the European IPv6 deployment. (The 6NET project completed Jun 2005, followed by the 6DISS project which completed Sept 2007; followed by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu) which completed Feb 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6) which completed May 2015. Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material.) The last European IPv6 project is IPv6 Framework for European Governments which completed 2018.

The following websites contain articles discussing procedures and practices that can detect, prevent, or monitor attempts to use networks in unauthorized ways:

  1. The United States Computer Emergency Readiness Team (US-CERT) issues a continuing series of security publications, with dissemination sometimes limited by a publication’s designated Traffic Light Protocol (TLP) color. Many older publications specific to IPv6, such as Fundamental Filtering of IPv6 Network Traffic and Malware Tunneling in IPv6, are no longer available on the US-CERT site, but are available on the Homeland Security Digital Library.
  2. While specific to the Department of Defense (DoD), the publicly available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGS) include guidance for IPv6. They are available on the DISA website.
  3. The National Security Agency (NSA) Security Configuration Guidance is available here (hover over the "LIBRARY" keyword on the row of keywords at the top of the screen to see other available subject areas). Older NSA Security Configuration Guides are available here.

2. IoT Security Best Practices

There are no easy or quick solutions when deploying and subsequently operating IoT devices on any network.

Best practices for establishing and maintaining network security when deploying IoT device(s) on a network and subsequently operating them have been the subject of documents by many different organizations and individuals.

Organizations provided recommendations and limited amounts of product and support services information about deploying and subsequently operating IoT devices in the following articles, reports, papers, presentations and websites:

  1. Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Best Practices For Industrial Control Systems, 2020,
  2. Institute of Electrical and Electronic Engineers (IEEE) Internet of Things (IOT) Security Best Practices, 2017,
  3. Réseaux IP Européens (RIPE) Network Coordination Centre (NCC) Architectural Considerations for IoT Device Security in the Home,
  4. United Kingdom GOV.UK (Government Digital Service) Department for Digital, Culture, Media & Sport "Smart Devices", secure by design, a collection ongoing since 2018,
  5. Internet of Things Security Foundation (IoTSF) Best Practice Guidelines, ongoing,
  6. Internet Society (ISOC) Online Trust Alliance (OTA) Best Practices: Enterprise IoT Security Checklist, 2018,
  7. NIST Cybersecurity for IoT Program, ongoing,
  8. This Microsoft Security Best Practices for Internet of Things article provides profiles of the companies to involve in the deployment of IoT devices,
  9. Amazon Web Services Internet of Things (IOT) Security Best Practices article, 2019,
  10. Hong Kong Computer Emergency Response Team (HKCERT) Coordination Center IOT Security Best Practices Guidelines, Jan, 2020
  11. SDxCentral What are Internet of Things (IoT) Security Best Practices?, 2020,
  12. IoT Security Foundation website articles, ongoing,
  13. IoT Security Initiative website articles, ongoing, and
  14. Industry IoT Consortium website articles, ongoing.

Individuals provided recommendations about deploying and subsequently operating IoT devices in the following articles:

  1. Two articles, IoT for System Tests::Checking for Failure and Internet of Things security challenges and best practices, describe various security measures for use when deploying and subsequently operating IoT device(s) on any network, while this article asks Best Practices for IoT Security, What Does That Even Mean? None of these articles can (nor indeed can any article) consider all aspects of such a multi-dimensional problem.
  2. The title of this Here are 7 Actionable Tips to Secure Your Smart Home and IoT Devices article describes its contents,
  3. The title of this Ten best practices for securing the Internet of Things in your Organization article describes its contents, and
  4. Some recommendations for individuals deploying and subsequently operating IoT devices are described in the Security section of the IPv6 in the Home and Small Office/Home Office (SOHO) article in the Deployment section.
