Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows 7 May Finally Get IPv6 Deployed

Posted by kdawson on from the whatever-it-takes dept.

Esther Schindler writes "According to this article at IT Expert Voice, Windows 7 and IPv6: Useful at Last?, we've had so many predictions that this will be 'the year of IPv6' that most of us have stopped listening. But the network protocol may have new life breathed into it because IPv6 is a requirement for DirectAccess. DirectAccess, a feature in Windows 7, makes remote access a lot easier — and it doesn't require a VPN. (Lisa Vaas interviews security experts and network admins to find out what they think of that idea.) The two articles examine the advantages and disadvantages of DirectAccess, with particular attention to the possibility that Microsoft's sponsorship may give IPv6 the deployment push it has lacked."

1 of 283 comments (clear)

  1. Or DirectAccess may just sink it for good... by BobMcD · · Score: 3, Interesting

    From a security point of view, I'm probably going to blackhole all IPv6 into a honeypot now. Think about what this technology does. It allows unsolicited connectivity into your network without audit. And I quote:

    Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns: As an Enterprise customer, he needs to be able to at least:

    . set specific policies (no split tunneling)
    . force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
    . ensure proper key and credential management, including two-factor or challenge/response
    . audit activities while user is connected to the VPN.

    The article goes on to discuss the first one. Nothing whatsoever on the other three. Not to mention that if the machine fails to get the updated GPO it fails OPEN. Everything here I see says it 'just works' and there is almost no talk of admin control. I'm having trouble coming up with a good enough string of expletives to cover my emotions. Wow. Just wow.

    What exactly is the security mechanism, then? Username/Password? I see comparisons in TFA being drawn to web portals. Well I don't know about your shop, but around here we have planned for the web portal to be compromised at some point, and have limited the data available. We have NOT made that assumption for the heart of our network, and I'm unsure how long I'd keep my job if I made that case.

    As stated in TFA it sounds much easier to just shut the protocol off until there's a pressing and urgent business need to enable it again.