Introduction
This two-part article focuses on procedures and best practices recommended for IPv6 network administrators and security managers, and for organizations and individuals deploying and subsequently using Internet of Things (IoT) devices, in order to monitor, detect, and prevent unauthorized attempts to use networks and the devices connected to them:
Part 1: Best Practices for IPv6 Computer Security, Network Security and Cybersecurity, and
Part 2: Best Practices for Secure IoT Devices Deployment and Use.
(Note: A best practices document describes actions or practices that are known to produce good outcomes when followed.)
For more in-depth information on IPv6 security, several books are listed in part 3 of the IPv6 Training Information file referenced in the IPv6 Training and Learning article in the Deployment section. In addition, this article provides a comprehensive overview of best practices to establish and maintain security for other risk management areas of information technology (IT).
Network security and deployment and the subsequent use of IoT devices have been the subject of numerous Internet Engineering Task Force (IETF) Request For Comments (RFC) documents, including:
- RFC 4057 IPv6 Enterprise Network Scenarios,
- RFC 4301 Security Architecture for the Internet Protocol,
- RFC 4942 IPv6 Transition/Coexistence Security Considerations,
- RFC 6418 Multiple Interfaces and Provisioning Domains Problem Statement,
- RFC 7368 IPv6 Home Networking Architecture Principles,
- RFC 7381 Enterprise IPv6 Deployment Guidelines,
- RFC 7452 Architectural Considerations in Smart Object Networking,
- RFC 7548 Management of Networks with Constrained Devices,
- RFC 7556 Multiple Provisioning Domain Architecture,
- RFC 8043 Source-Address-Dependent Routing and Source Address Selection for IPv6 Hosts,
- RFC 8576 Internet of Things (IoT) Security: State of the Art and Challenges,
- RFC 8801 Discovering Provisioning Domain Names and Data,
- RFC 9006 TCP Usage Guidance in the Internet of Things (IoT),
- IETF draft document Secure IoT Bootstrapping: A Survey,
- RFC 9019 A Firmware Update Architecture for Internet of Things,
- RFC 9099 Operational Security Considerations for IPv6 Networks (which complements RFC 4942),
- RFC 9124 A Manifest Information Model for Firmware Updates to Internet of Things (IoT) Devices,
- RFC 9288 Recommendations on the Filtering of IPv6 Packets Containing Extension Headers at Transit Routers, and
- RFC 9334 Remote ATtestation procedureS (RATS) Architecture.
Part 1. Best Practices for IPv6 Computer Security, Network Security, and Cybersecurity
There are no easy or quick solutions when changing the security infrastructure of any network that currently supports Internet Protocol version 4 (IPv4)-only to either supporting dual-stack (IPv4 and IPv6 are both supported) or IPv6-only.
Specific examples, general recommendations, and limited product information for deploying IPv6 in an existing network or transitioning to an IPv6-only network are provided by the following articles, reports, papers, tutorials, presentations and websites:
- Cybersecurity and Infrastructure Security Agency (CISA) Alert AA22-137A Weak Security Controls and Practices Routinely Exploited for Initial Access, May, 2022
- CISA Cybersecurity Best Practices, best practices for various cybersecurity risk areas, a continuing series
- CISA Free Cybersecurity Services and Tools, a list of free services and tools, a continuing series
- The National Security Agency (NSA) Network Infrastructure Security Guidance PP-22-066, Mar 2022, covers many aspects of network security, including IPv6, while IPv6 Security Guidance PP-22-1805, Jan, 2023, only covers IPv6
- NSA and CISA Critical Infrastructure Partnership Advisory Council (CIPAC) Enduring Security Framework (ESF) Identity and Access Management: Recommended Best Practices for Administrators PP-23-0248_508C, Mar, 2023
- SP800-119 Guidelines for the Secure Deployment of IPv6, Dec, 2010, published by the National Institute of Standards and Technology (NIST)
- Internet Society (ISOC) IPv6 Security Frequently Asked Questions (FAQ)
- MITRE Corporation, 11 Strategies of a World-Class Cybersecurity Operations Center, 2022
- ERNW Security and Privacy for Multi-Prefix and Provisioning Domains in IPv6 presentation, 2018, and video
- IPv6 Vulnerability Testing, Penetration Testing, and Vulnerability Remediation article in the Security section
- Presentations given annually at various conferences by Cisco Systems, Inc. (for example: APNIC, Apricot, and Cisco Live 365), entitled “IPv6 Security Threats and Mitigations”. (Search the web for Cisco and the title, including the quote marks.)
- Canadian Internet Registration Authority (CIRA) internal IPv6 Policy document, July, 2011
- Infoblox Best Practices for IPv6 Security webinar
- Although written for the home and small office network, the recommendations described in the Security section of the Deploying IPv6 in the Home and Small Office/Home Office article in the Deployment section also apply when administering user systems in the workplace
- IoT Acceleration Consortium IoT Security Guidelines Ver. 1.0, Jul, 2016
- Cyber Security Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade, and Industry, Japan IoT Security Safety Framework, Nov, 2020
- IPv6 Deployments, a presentation to the Réseaux IP Européens Network (RIPE), 2010
- Federal IPv6 Interagency Working Group presentation, 2013, provides suggestions for mitigating IPv6 security issues.
- IPv6 Security Best Practices by Cisco Systems, Inc., 2013
- Monolith Software blog entry, 2013, provides some best practice tips for monitoring any network
- Grand European Academic NeTwork (Géant) project documented many Network Monitoring recommendations. An example is this Practical IPv6 Monitoring on Campus Best Practice document, 2013, describing a way to monitor a dual-stack network using a combination of SNMP and Netflow
- IPv6 Security, 2008, IPv6 Security, 2011, and IPv6 Attacks and Countermeasures, 2013, presentations from the Rocky Mountain IPv6 Task Force (RMv6TF)
- Master Thesis: IPv6 Security Test Laboratory, 2013, Johannes Weber (see “Countermeasures & Firewall’s Best Practices” sections)
- A collection of guides, best practices, checklists, benchmarks, tools, and other resources describing the steps to harden numerous commercial and open-source operating systems against a wide variety of attacks is available on this GitHub project webpage.
The following are older but still useful reports and papers:
- An IPv6 Security Guide for U.S. Government Agencies, published by Juniper Networks, Inc.
- IPv6 and IPv4 Threat Comparison and Best Practice paper from Cisco Systems, Inc.
- Secure IPv6 Operation: Lessons learned from 6NET report from the European IPv6 deployment. (The 6NET project completed Jun 2005, followed by the 6DISS project, which completed Sept 2007, followed by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu), which completed Feb 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6), which completed May 2015. Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material.) The next European IPv6 project was IPv6 Framework for European Governments, which completed 2018. Then came the European Union Internet Standards Deployment Monitoring project.
The following websites contain articles discussing procedures and practices that can monitor, detect, or prevent attempts to use networks in unauthorized ways:
- Many older publications specific to IPv6, such as Fundamental Filtering of IPv6 Network Traffic and Malware Tunneling in IPv6, are no longer available on the US-CERT site, but are available in the Homeland Security Digital Library. (Caution: The Digital Library contains millions of documents. Finding a specific document in the Digital Library requires patience.)
- While specific to the Department of Defense (DoD), the publicly available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) include guidance for IPv6. They are available on this DISA website.
- An NSA Cybersecurity Advisory and Guidance ongoing document series is available on this website.
Part 2. Best Practices for Secure IoT Devices Deployment and Use
There are no easy or quick solutions when deploying and subsequently using IoT devices on any network.
Best practices for establishing and maintaining network security when deploying IoT device(s) on a network and subsequently using them have been the subject of documents by many different organizations and individuals.
Organizations have provided recommendations, and limited amounts of product and support services information, about deploying and subsequently using IoT devices in the following articles, reports, papers, presentations and websites:
- CISA Cybersecurity Best Practices For Industrial Control Systems (ICS), and ICS Recommended Practices, are growing lists of recommended best practices
- Institute of Electrical and Electronics Engineers (IEEE) Internet of Things (IoT) Security Best Practices, 2017
- Réseaux IP Européens (RIPE) Network Coordination Centre (NCC) Architectural Considerations for IoT Device Security in the Home
- United Kingdom GOV.UK (Government Digital Service) Department for Digital, Culture, Media & Sport "Smart Devices", secure by design, a collection ongoing since 2018
- Internet of Things Security Foundation (IoTSF) Best Practice Guidelines, ongoing since 2017
- ISOC Online Trust Alliance (OTA) Best Practices: Enterprise IoT Security Checklist, 2018
- NIST Cybersecurity for IoT Program, ongoing since 2020
- This Microsoft Security Best Practices for Internet of Things article provides profiles of the companies to involve in the deployment of IoT devices
- Amazon Web Services Internet of Things (IOT) Security Best Practices article, 2019
- Hong Kong Computer Emergency Response Team (HKCERT) Coordination Center IOT Security Best Practices Guidelines, Jan, 2020
- IoT Acceleration Consortium IoT Security Guidelines Ver. 1.0, Jul, 2016
- Cyber Security Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade, and Industry IoT Security Safety Framework, Nov, 2020
- SDxCentral What are Internet of Things (IoT) Security Best Practices?, 2020
- IoT Security Foundation website articles, ongoing since 2015
- IoT Security Initiative website articles, ongoing since 2018
- Industry IoT Consortium website articles, ongoing since 2014.
Individuals provided recommendations about deploying and subsequently using IoT devices in the following articles:
- Two articles, IoT for System Tests: Checking for Failure and Internet of Things security challenges and best practices, describe various security measures for use when deploying and subsequently using IoT device(s) on any network, while this article asks Best Practices for IoT Security, What Does That Even Mean? These articles cannot (nor indeed can any article) consider all aspects of such a multi-dimensional question.
- The title of this Here are 7 Actionable Tips to Secure Your Smart Home and IoT Devices article describes its contents.
- The title of this Ten best practices for securing the Internet of Things in your Organization article describes its contents.
- Some security recommendations and best practices for individuals deploying and subsequently using IoT devices are described in the Security section of the IPv6 in the Home and Small Office/Home Office (SOHO) article in the Deployment section.