Several years ago, I wrote an article explaining how there is plenty of address space with IPv4 and that the IPv6 hype had some merit, but most of it was being used as another push to scare organizations into buying a bunch of equipment they may not need.
It turns out that I was mostly correct.
How do I know this? We are regularly inside customer networks doing upgrades and support. Yes, we do see a smattering of IPv6 traffic in their logs, but it generally does not originate from their users, and at most it is a fraction of a percent. Basically, this means that their old IPv4 equipment probably would still suffice without upgrades had they gone that route.
Back in 2012 the sky was falling: everything needed to be converted over to IPv6 to save the Internet from locking up due to lack of address space. There may be elements of the Internet where that was true, but such dire predictions did not pan out in the enterprise. Why?
Lack of control over their private address space with IPv6.
For example, one of the supposed benefits of IPv6 addressing schemes is that they are assigned to a device in the factory, as there are so many addresses available they are practically infinite. The problem for an IT professional managing a network is that you can’t change that IPv6 address (as far as I know) and that is where the breakdown begins.
In private organizations, the IT department wants to manage bandwidth and security permissions. Although managing security and permissions is possible with IPv6, you lose the orderliness of an IPv4 address space.
For example, there is no easy shorthand notation with IPv6 to do something like:
“Block the address range 192.168.1.100/24 from accessing a database server”.
With IPv4, the admin typically assigns IP addresses to different groups of people within the enterprise and then they can go back and make a general rule for all those users with one stroke of the pen (keyboard).
With IPv6 the admin has no control over the IP addresses, and would need to look them up, or come up with some other validation scheme to set such permissions.
I suppose the issues stated above could have been overcome by a more modern set of tools, but that did not happen either. Again, I wonder why?
I love answering my own questions. I believe that the reason is that the embedded NAT/PAT addressing schemes that had been used prior to the IPv6 push were well established and working just fine. Although I am not tasked with administering a large network, I did sleep at a Holiday Inn (once), and enterprise admins do not want public IPs on the private side of their firewall for security purposes. Private IP addresses to the end in itself is likely more of a security headache than the IPv4 NAT/PAT address schemes.
The devil’s advocate in me says that the flat address space across the world of an IPv6 scheme is elegant and simple on face value, not to mention infinite in terms of addresses. IPv6 promises 2,250,000,000 IP addresses for every living person on earth. It just was not compelling enough to supplant the embedded IPv4 solutions with their NAT/PAT addressing schemes.
Out of the Box Ideas for Security
February 19, 2021 — netequalizer
I woke up this morning thinking about the IT industry and its shift from building infrastructure to an industry where everybody is tasked with security, a necessary evil that sucks the life out of companies that could be using their resources for revenue-generating projects. Every new grad I meet is getting their 1st job at one of many companies that provide various security services. From bank fraud investigation, white-hat hacking, to security auditing, there must be 10s if not 100s of billions of dollars being spent on these endeavors. Talk about a tax burden on society! The amount of money being spent on security and equipment is the real extortion, and there is no end in sight.
The good news is, I have a few ideas that might help slow down this plague.
Immerse Your Real Data in Fake Data
Ever hear of the bank that keeps an exploding dye bag that they give to people who rob them? Why not apply the same concept to data? Create large fictitious databases and embed them within your real data. Obviously you will need a way internally to ignore the fake data and separate it from real data. Assume for a minute that this issue is easily differentiated by your internal systems. The fictitious financial data could then be traced when unscrupulous hacks try to use it. Worst case, it would create a waste of time for them.
Assuming the stolen data is sold on the dark web, their dark web customers are not going to be happy when they find out the data does not yield any nefarious benefits. The best case is this would also leave a trail for the good guys to figure out who stole the data just by monitoring these fictitious accounts. For example, John James Macintosh, Age 27, of Colby, Kansas does not exist, but his bank account does, and if somebody tried to access it you would instantly know to set a trap of some kind to locate the person accessing the account (if possible).
The same techniques are used in counterintelligence to root out traitors and spies. Carefully planted fake information is dispersed as classified, and by careful forensics security agencies can find the leaker (spy).
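The decoy-record idea above, sketched as an added example that is not part of the original post: each record carries a tag that looks random to anyone who copies the database, but internal systems holding a secret key can recompute it to tell decoys from real accounts and to raise an alert when a decoy is touched. The key, account IDs, field names and log lines are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: this key lives outside the database (e.g. in a secrets manager).
DECOY_KEY = b"constructed-demo-key"

def decoy_tag(account_id, key=DECOY_KEY):
    """Keyed tag; without the key it is indistinguishable from random hex."""
    mac = hmac.new(key, b"decoy:" + account_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]

def make_record(account_id, name, decoy=False):
    # Real records get a random tag of the same length, so the column
    # itself reveals nothing to someone who steals the table.
    tag = decoy_tag(account_id) if decoy else secrets.token_hex(8)
    return {"account_id": account_id, "name": name, "tag": tag}

def is_decoy(record, key=DECOY_KEY):
    expected = decoy_tag(record["account_id"], key)
    return hmac.compare_digest(record["tag"], expected)

def real_records(records):
    """What internal reporting and billing should see: decoys filtered out."""
    return [r for r in records if not is_decoy(r)]

def decoy_alerts(records, access_log):
    """Any access to a decoy account is suspicious by construction."""
    decoys = {r["account_id"] for r in records if is_decoy(r)}
    return [e for e in access_log if e["account_id"] in decoys]

# Constructed sample data: one decoy hidden among real customers.
RECORDS = [
    make_record("1001", "Real Customer A"),
    make_record("1002", "John James Macintosh", decoy=True),
    make_record("1003", "Real Customer B"),
]
ACCESS_LOG = [
    {"ts": "2021-02-19T10:00:00Z", "src": "203.0.113.7", "account_id": "1001"},
    {"ts": "2021-02-19T10:00:05Z", "src": "198.51.100.23", "account_id": "1002"},
]

if __name__ == "__main__":
    print("internal view:", [r["name"] for r in real_records(RECORDS)])
    for event in decoy_alerts(RECORDS, ACCESS_LOG):
        print("ALERT decoy account accessed:", event)
```

Because no legitimate user owns a decoy account, the alert has essentially no false positives; the trade-off is that every internal consumer of the data must apply the filter.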
Keep the Scammers on the Phone
For spam and phone scams you can also put an end to those, with perhaps a few AI agents working on your behalf. Train these AI entities to respond to all spam and phone scams like an actual human. Have them respond to every obnoxious spam email, and engage any phone scammer with the appropriate responses to keep them on the phone.
These scams only persist because there are just enough little old ladies and just enough people who wishfully open spyware etc. The phone scammers that call me operate in a world where only their actual target people press “1” to hear about their auto warranty options. My guess is 99.9 percent of the people who get these calls hang up instantly or don’t pick up at all. This behavior actually is a benefit to the scammer, as it makes their operation more efficient. Think about it, they only want to spend their phone time & energy on potential victims.
There is an old saying in the sales world that a quick “no” from a contact is far better than spending an hour of your time on a dead end sale. But suppose the AI agents picked up every time and strung the scammer out. This would quickly become a very inefficient business for the scammer. Not to mention computing time is very inexpensive and AI technology is becoming standard. If everybody’s computer/iPhone in the world came with an AI application that would respond to all your nefarious emails and phone scams on your behalf, the scammers would give up at some point.
Those are my two favorite security ideas for now. Let me know if you like either of these, or if you have any of your own out-of-the-box security ideas.