Introduction

 

This article is a collection of security best practices to monitor, detect, and prevent unauthorized attempts to use networks and the devices connected to them, including Internet of Things (IoT) devices (also called smart things or smart objects). It is presented in two parts:

Part 1: Best Practices for IPv6 Computer Security, Network Security and Cybersecurity, and

Part 2: Best Practices for Secure IoT Devices Deployment and Use.

(Note: A best practices document describes actions or practices that are known to produce good outcomes when followed.)

The focus of this article differs from the focus of the Network Management Recommendations article in the Network Management section. That article focuses on practices that are of interest to administrators and managers of IPv6 networks, while this article focuses on practices that are of interest to security personnel and people deploying and using IoT.

Network security and deployment and the subsequent use of IoT devices have been the subject of numerous Internet Engineering Task Force (IETF) Request For Comments (RFC) documents, including:

  • RFC 4057 IPv6 Enterprise Network Scenarios,
  • RFC 4301 Security Architecture for the Internet Protocol,
  • RFC 4942 IPv6 Transition/Coexistence Security Considerations,
  • RFC 6418 Multiple Interfaces and Provisioning Domains Problem Statement,
  • RFC 7368 IPv6 Home Networking Architecture Principles,
  • RFC 7381 Enterprise IPv6 Deployment Guidelines, 
  • RFC 7452 Architectural Considerations in Smart Object Networking,
  • RFC 7548 Management of Networks with Constrained Devices,
  • RFC 7556 Multiple Provisioning Domain Architecture,
  • RFC 8043 Source-Address-Dependent Routing and Source Address Selection for IPv6 Hosts,
  • RFC 8576 Internet of Things (IoT) Security: State of the Art and Challenges,
  • RFC 8801 Discovering Provisioning Domain Names and Data,
  • RFC 9006 TCP Usage Guidance in the Internet of Things (IoT),
  • IETF draft document Secure IoT Bootstrapping: A Survey,
  • RFC 9019 A Firmware Update Architecture for Internet of Things,
  • RFC 9099 Operational Security Considerations for IPv6 Networks (which complements RFC 4942),
  • RFC 9124 A Manifest Information Model for Firmware Updates to Internet of Things (IoT) devices,
  • RFC 9288 Recommendations on the Filtering of IPv6 Packets Containing Extension Headers at Transit Routers, and
  • RFC 9334 Remote ATtestation procedureS (RATS) Architecture.

In addition to the subject of networks that support IPv6 and IoT devices, this article provides a comprehensive overview of best practices to establish and maintain security for other risk management areas of information technology (IT). For more in-depth information on IPv6 security, several books are listed in part 3 of the IPv6 Training Information file referenced in the IPv6 Training and Learning article in the Deployment section. 

Part 1. Best Practices for IPv6 Computer Security, Network Security, and Cybersecurity

There are no easy or quick solutions when changing the security infrastructure of a network that currently supports only Internet Protocol version 4 (IPv4) so that it supports either dual-stack (both IPv4 and IPv6) or IPv6-only operation.

Specific examples, general recommendations, and limited product information to deploy IPv6 in an existing network or to transition to an IPv6-only network are provided by the following articles, reports, papers, tutorials, presentations and websites:

  1. Cybersecurity and Infrastructure Security Agency (CISA) Alert AA22-137A Weak Security Controls and Practices Routinely Exploited for Initial Access, May, 2022.
  2. The National Security Agency (NSA) Network Infrastructure Security Guidance PP-22-066, Mar 2022, covers many aspects of network security, including IPv6, while IPv6 Security Guidance PP-22-1805, Jan, 2023, only covers IPv6
  3. NSA and CISA Critical Infrastructure Partnership Advisory Council (CIPAC) Enduring Security Framework (ESF) Identity and Access Management: Recommended Best Practices for Administrators PP-23-0248_508C, Mar, 2023
  4. SP800-119 Guidelines for the Secure Deployment of IPv6, Dec, 2010, published by National Institute of Standards and Technology (NIST)
  5. Internet Society (ISOC) IPv6 Security Frequently Asked Questions (FAQ)
  6. MITRE Corporation, 11 Strategies of a World-Class Cybersecurity Operations Center, 2022
  7. ERNW Security and Privacy for Multi-Prefix and Provisioning Domains in IPv6 presentation, 2018, and video
  8. IPv6 Vulnerability Scanning and Penetration Testing article in the Security section
  9. Presentations given annually at various conferences by Cisco Systems, Inc. (for example: APNIC, Apricot, and Cisco Live 365), entitled “IPv6 Security Threats and Mitigations”. (Search the web for Cisco and the title, including the quote marks.)
  10. Canadian Internet Registration Authority (CIRA) internal IPv6 Policy document, July, 2011
  11. Infoblox Best Practices for IPv6 Security webinar
  12. Although written for the home and small office network, the recommendations described in the Security section of the Deploying IPv6 in the Home and Small Office/Home Office article in the Deployment section also apply when administering user systems in the workplace
  13. IoT Acceleration Consortium IoT Security Guidelines Ver. 1.0, Jul, 2016
  14. Cyber Security Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade, and Industry IoT Security Safety Framework, Nov, 2020
  15. IPv6 Deployments, a presentation to the Réseaux IP Européens Network (RIPE), 2010
  16. Federal IPv6 Interagency Working Group presentation, 2013, provides suggestions for mitigating IPv6 security issues.
  17. IPv6 Security Best Practices by Cisco Systems, Inc., 2013
  18. Monolith Software blog entry, 2013, provides some best practice tips for monitoring any network
  19. The Grand European Academic NeTwork (Géant) project documented many Network Monitoring recommendations. An example is this Practical IPv6 Monitoring on Campus Best Practice document, 2013, describing a way to monitor a dual-stack network using a combination of SNMP and NetFlow
  20. IPv6 Security (2008), IPv6 Security, 2011, and IPv6 Attacks and Countermeasures, 2013, presentations from the Rocky Mountain IPv6 Task Force (RMv6TF).
  21. Master Thesis: IPv6 Security Test Laboratory, 2013, Johannes Weber (see “Countermeasures & Firewall’s Best Practices” sections)
  22. SearchNetworkingTechTarget.com articles describe mitigations for and ways to avoid Neighbor Discovery Protocol Attacks, 2015:
    1. How to avoid IPv6 neighbor discovery threats
    2. How to protect your IPv6 address management
    3. Mitigating IPv6 neighbor discovery attacks
    4. IPv6 attack attempts and how to mitigate them
  23. A collection of guides, best practices, checklists, benchmarks, tools, and other resources describing the steps to harden numerous commercial and open-source operating systems against a wide variety of attacks is available on this GitHub project webpage.

The following are older but still useful reports and papers:

  1. An IPv6 Security Guide for U.S. Government Agencies, published by Juniper Networks, Inc.
  2. IPv6 and IPv4 Threat Comparison and Best Practice paper from Cisco Systems, Inc.
  3. Secure IPv6 Operation: Lessons learned from 6NET report from the European IPv6 deployment. (The 6NET project completed in Jun 2005, followed by the 6DISS project, which completed in Sept 2007, and then by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu), which completed in Feb 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6), which completed in May 2015; Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material. The next European IPv6 project was IPv6 Framework for European Governments, which completed in 2018, followed by the European Union Internet Standards Deployment Monitoring project.)

The following websites contain articles discussing procedures and practices that can monitor, detect, or prevent attempts to use networks in unauthorized ways:

  1. Many older publications specific to IPv6, such as Fundamental Filtering of IPv6 Network Traffic and Malware Tunneling in IPv6, are no longer available on the US-CERT site, but are available on the Homeland Security Digital Library.
  2. While specific to the Department of Defense (DoD), the publicly available Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) include guidance for IPv6. They are available on the DISA website.
  3. The NSA Cybersecurity Advisory and Guidance documents are available here.

Part 2. Best Practices for Secure IoT Devices Deployment and Use

There are no easy or quick solutions when deploying and subsequently using IoT devices on any network.

Best practices for establishing and maintaining network security when deploying IoT device(s) on a network and subsequently using them have been the subject of documents by many different organizations and individuals.

Organizations have provided recommendations, along with limited product and support-services information, about deploying and subsequently using IoT devices in the following articles, reports, papers, presentations and websites:

  1. CISA Cybersecurity Best Practices For Industrial Control Systems, 2020, and ICS Recommended Practices, a growing list of additional recommended practices,
  2. Institute of Electrical and Electronics Engineers (IEEE) Internet of Things (IOT) Security Best Practices, 2017
  3. Réseaux IP Européens (RIPE) Network Coordination Centre (NCC) Architectural Considerations for IoT Device Security in the Home
  4. United Kingdom GOV.UK (Government Digital Service) Department for Digital, Culture, Media & Sport "Smart Devices", secure by design, a collection ongoing since 2018
  5. Internet of Things Security Foundation (IoTSF) Best Practice Guidelines, ongoing since 2017
  6. ISOC Online Trust Alliance (OTA) Best Practices: Enterprise IoT Security Checklist, 2018
  7. NIST Cybersecurity for IoT Program, ongoing since 2020
  8. This Microsoft Security Best Practices for Internet of Things article provides profiles of the companies to involve in the deployment of IoT devices
  9. Amazon Web Services Internet of Things (IOT) Security Best Practices article, 2019
  10. Hong Kong Computer Emergency Response Team (HKCERT) Coordination Center IOT Security Best Practices Guidelines, Jan, 2020
  11. IoT Acceleration Consortium IoT Security Guidelines Ver. 1.0, Jul, 2016
  12. Cyber Security Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade, and Industry IoT Security Safety Framework, Nov, 2020
  13. SDxCentral What are Internet of Things (IoT) Security Best Practices?, 2020
  14. IoT Security Foundation website articles, ongoing since 2015
  15. IoT Security Initiative website articles, ongoing since 2018
  16. Industry IoT Consortium website articles, ongoing since 2014.

Individuals have provided recommendations about deploying and subsequently using IoT devices in the following articles:

  1. Two articles, IoT for System Tests: Checking for Failure and Internet of Things security challenges and best practices, describe various security measures for use when deploying and subsequently using IoT device(s) on any network, while this article asks Best Practices for IoT Security, What Does That Even Mean? These articles cannot (nor indeed can any article) consider all aspects of such a multi-dimensional question.
  2. The title of the article Here are 7 Actionable Tips to Secure Your Smart Home and IoT Devices describes its contents.
  3. The title of the article Ten best practices for securing the Internet of Things in your Organization describes its contents.
  4. Some security recommendations and best practices for individuals deploying and subsequently using IoT devices are described in the Security section of the IPv6 in the Home and Small Office/Home Office (SOHO) article in the Deployment section.