I received a reader email asking if IPv6 is going to change the existing approach to security. He writes:
Do you believe that the transition to IPv6 will change the existing security architectures? I have heard from other professional architects, that there will be a transition from perimeter security to host-based security.
While the paper Darrin Miller and I wrote is the best place for a complete answer to that question, I can provide a quick summary and some clarification. Here’s the section on maintaining host and application security from the bottom of page 23:
Although timely patching and host lockdown are critical elements in IPv4, they are even more critical during the early stages of IPv6 because many host protections (firewalls, IDSs, and so on) do not yet broadly support IPv6. Additionally, it is highly likely (though testing is necessary; refer to Appendix A) that the initial introduction of IPv6 into networks will result in some hosts not being properly secured. It is necessary to focus on maintaining host security to ensure that hosts that are compromised will not become stepping stones to compromise other end hosts.
I actually think the move toward identity-based controls (whether IPv6 or IPv4) will have more of an impact on security architecture than the transition to IPv6 will. The network will remain important as a security control–as will the endpoint–but the shift will be towards more dynamic authorizations based on the the identity of the individual. IPv6 leads to subtle changes in the security architecture and I agree that endpoint controls will increase in importance; I don’t think that network controls will go away though. Security has always been about defense-in-depth and relying only on the host for security puts all your security eggs in one basket.